Method and apparatus for rate based denial of service attack detection and prevention
Abstract
The present invention provides a method and apparatus for detecting and preventing a plurality of denial of service (DOS) and distributed denial of service (DDOS) attacks. The apparatus includes classifiers for parsing packets; meters that store statistics for the classified packets and detect flood thresholds; an Ager that maintains timeouts; a decision multiplexer that multiplexes the inputs from the various meters and determines whether to allow or deny the packet; and a threshold estimation means that estimates thresholds from past meter data, baselines, trends and seasonality. The apparatus includes a PCI interface through which a host can interact, learn continuously and set thresholds in a continuous and adaptive manner so as to prevent rate based DOS and DDOS attacks. The apparatus also includes a mechanism to track culprit sources at layer 2 and layer 3 through a multiplicative increment method.
160 Citations
20 Claims
1. An apparatus capable of detecting and preventing a plurality of rate based and non rate based denial of service attacks, said apparatus comprising:
a media access controller (MAC) interface;
a classification means operatively coupled to said MAC interface for classifying data packets received from said MAC interface according to Layer 2, Layer 3, and Layer 4 classifications, said classification means being capable of enforcing Layer 2, Layer 3, and Layer 4 accepted header syntax;
a meter means operatively coupled to said classification means, said meter means having a plurality of meters and being capable of maintaining statistics of said attacks and determining whether a threshold has been reached;
a decision multiplexer means operatively coupled to said meter means, said decision multiplexer means being capable of accepting decisions from said plurality of meters and informing a single decision to said MAC interface; and
an ager means capable of timing out flood states identified by said classification means or by said meter means, said ager means comprising a continuous learning mechanism for continuously learning and updating said statistics.
Dependent claims 2 through 10 are not reproduced in this listing.
11. A system for detecting and preventing rate based and non rate based denial of service attacks, said system comprising:
a host having a threshold estimation mechanism for estimating traffic thresholds based on past traffic, baseline, trend, and seasonality; and
an intrusion prevention apparatus operatively coupled to said host, said intrusion prevention apparatus comprising:
an intrusion prevention logic; and
computer executable instructions controlling said intrusion prevention logic, wherein said intrusion prevention logic comprises:
a media access controller (MAC) interface;
a classification means operatively coupled to said MAC interface for classifying data packets received from said MAC interface according to Layer 2, Layer 3, and Layer 4 classifications, said classification means being capable of enforcing Layer 2, Layer 3, and Layer 4 accepted header syntax;
a meter means operatively coupled to said classification means, said meter means having a plurality of meters and being capable of maintaining statistics of said attacks and determining whether a threshold has been reached;
a decision multiplexer means operatively coupled to said meter means, said decision multiplexer means being capable of accepting decisions from said plurality of meters and informing a single decision to said MAC interface; and
an ager means capable of timing out flood states identified by said classification means or by said meter means, said ager means comprising a continuous learning mechanism for continuously learning and updating said statistics.
Dependent claims 12 through 20 are not reproduced in this listing.
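As an added illustration of the pipeline described in the abstract and in claims 1 and 11 (this is not the patent's own code), the following Python sketch models per-key meters with flood thresholds, an ager that expires flood states, a host-side threshold estimate from past counts, and a decision multiplexer that folds all meter votes into one allow/deny decision. The one-second buckets, the mean-plus-three-standard-deviations threshold policy, and reading "multiplicative increment" as doubling a per-source culprit score on each entry into flood state are assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev


class Meter:
    """One meter: per-key packet counts in one-second buckets, a flood state
    armed when a count exceeds the threshold, and a culprit score that is
    doubled each time a key enters flood state (assumed reading of the
    patent's multiplicative increment)."""

    def __init__(self, threshold, timeout=5.0):
        self.threshold, self.timeout = threshold, timeout
        self.bucket, self.counts = None, defaultdict(int)
        self.flood_until = {}                    # key -> time flood state expires
        self.suspicion = defaultdict(lambda: 1)  # key -> culprit score

    def observe(self, key, now):
        """Count the packet; return True if the key is in flood state."""
        if self.bucket != int(now):              # roll to a new one-second bucket
            self.bucket, self.counts = int(now), defaultdict(int)
        self.counts[key] += 1
        if self.counts[key] > self.threshold:
            if self.flood_until.get(key, -1.0) <= now:
                self.suspicion[key] *= 2         # entering flood: bump culprit score
            self.flood_until[key] = now + self.timeout
        return self.flood_until.get(key, -1.0) > now

    def age(self, now):
        """Ager: expire flood states so a source recovers once it calms down."""
        self.flood_until = {k: t for k, t in self.flood_until.items() if t > now}


def estimate_threshold(history, k=3.0, floor=10):
    """Host-side estimate: baseline mean plus k standard deviations of past
    per-second counts, never below a floor (constructed policy)."""
    return max(floor, int(mean(history) + k * pstdev(history)))


def run(packets, meters):
    """Decision multiplexer: every meter votes on each packet and a deny from
    any meter becomes the single decision handed back to the MAC."""
    decisions = []
    for pkt in packets:
        now = pkt["t"]
        for m in meters.values():
            m.age(now)
        keys = {"l3": pkt["src_ip"], "l4": (pkt["proto"], pkt["dport"])}
        deny = [name for name, key in keys.items() if meters[name].observe(key, now)]
        decisions.append("deny" if deny else "allow")
    return decisions
```

Because the multiplexer denies on any single meter, a Layer 4 meter keyed only on destination port will also block legitimate clients of that port during a flood, so its threshold should sit well above the per-source Layer 3 threshold.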