Detecting network denial of service attacks
Abstract
A method for detecting a suspicious packet flow in a packet-switched network comprises the computer-implemented step of receiving a first packet in which the SYN bit but not the ACK or RST bit of the packet's TCP header is set. If a specified first time has elapsed, a packet counter associated with the destination address of the flow is incremented. A determination as to whether the packet counter is greater than a specified threshold value is made. If the packet counter is greater than the threshold value, a notification message is generated. In one embodiment, information identifying a packet flow is aggregated to an aggregation cache based on the destination address of the flow.

45 Claims
1. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- incrementing a packet counter associated with a destination address of the flow if a specified first time has elapsed;
- determining if the packet counter associated with the destination address is greater than a specified threshold value; and
- generating a notification message when the packet counter has exceeded the threshold value.
Dependent claims (not shown here): 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

13. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- receiving a second packet of the flow in which a RST bit of the TCP header is set;
- determining a time difference between when the first packet was received and when the second packet was received;
- incrementing a flow counter associated with the destination address of the flow if the time difference is less than a specified global connection uptime value;
- determining if the flow counter associated with the destination address is greater than a specified threshold value; and
- generating a notification message when the flow counter has exceeded the threshold value.
Dependent claims (not shown here): 14, 15, 16, 17, 18, 19.

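As an added example (not code from the patent or its assignee), the two counting methods of claims 1 and 13 implemented as one small per-destination detector and replayed over a constructed packet trace. The packet dict layout, the reading of the "specified first time" as a warm-up after detector start, and the threshold values are assumptions made for the example.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP header flag bits

def is_syn_only(flags):
    """SYN set but neither ACK nor RST: the opening packet of a new flow."""
    return bool(flags & SYN) and not flags & (ACK | RST)

class SynFloodDetector:
    """Per-destination counters modelled on claims 1 and 13. The 'specified first
    time' is read as a warm-up after `start` (our interpretation, not the patent's)."""
    def __init__(self, start, first_time, uptime, pkt_threshold, flow_threshold):
        self.start, self.first_time, self.uptime = start, first_time, uptime
        self.pkt_threshold, self.flow_threshold = pkt_threshold, flow_threshold
        self.pkt_count = defaultdict(int)   # claim 1: SYN-only packets per dst
        self.flow_count = defaultdict(int)  # claim 13: short-lived flows per dst
        self.syn_seen, self.notified = {}, set()  # flow key -> (SYN time, dst); alerts sent

    def observe(self, pkt):
        # Direction-independent key so a RST from either end matches its SYN.
        key = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        t, flags = pkt["time"], pkt["flags"]
        if is_syn_only(flags):
            self.syn_seen[key] = (t, pkt["dst"])
            if t - self.start >= self.first_time:
                return self._bump(self.pkt_count, pkt["dst"], self.pkt_threshold, "SYN packets")
        elif flags & RST and key in self.syn_seen:
            syn_time, dst = self.syn_seen.pop(key)
            if t - syn_time < self.uptime:  # shorter than the global connection uptime value
                return self._bump(self.flow_count, dst, self.flow_threshold, "short-lived flows")
        return None  # nothing to report for this packet

    def _bump(self, counter, dst, threshold, what):
        counter[dst] += 1  # notify once, the first time the counter exceeds the threshold
        if counter[dst] > threshold and (what, dst) not in self.notified:
            self.notified.add((what, dst))
            return f"{what} to {dst} exceeded threshold {threshold}"

def sample_packets():
    """Constructed trace: benign handshake, then six probes to 10.0.0.5, three reset in 50 ms."""
    def mk(t, src, sport, dst, dport, flags):
        return dict(time=t, src=src, sport=sport, dst=dst, dport=dport, flags=flags)
    pkts = [mk(0.0, "10.0.0.9", 40000, "10.0.0.5", 80, SYN), mk(0.1, "10.0.0.5", 80, "10.0.0.9", 40000, SYN | ACK)]
    pkts += [mk(5.0 + i, f"192.0.2.{i}", 1000 + i, "10.0.0.5", 80, SYN) for i in range(6)]
    pkts += [mk(5.05 + i, "10.0.0.5", 80, f"192.0.2.{i}", 1000 + i, RST) for i in range(3)]
    return sorted(pkts, key=lambda p: p["time"])

def run(packets, **config):
    """Replay packets in time order and return the notifications raised."""
    det = SynFloodDetector(**config)
    return [n for n in map(det.observe, packets) if n]
```

With `first_time=1.0`, `uptime=1.0`, `pkt_threshold=4` and `flow_threshold=2`, the handshake at t=0 falls inside the warm-up and is ignored, the flow counter fires at the third quick reset, and the packet counter fires at the fifth counted SYN.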
20. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving, at a router, a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- incrementing a packet counter stored at the router and associated with a destination address of the flow if a specified first time has elapsed;
- determining if the packet counter associated with the destination address is greater than a specified threshold value; and
- generating a notification message when the packet counter has exceeded the threshold value.
Dependent claims (not shown here): 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 38.

32. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving, at a router, a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- receiving, at the router, a second packet of the flow in which a RST bit of the TCP header is set;
- determining a time difference between when the first packet was received and when the second packet was received;
- incrementing a flow counter stored at the router and associated with the destination address of the flow if the time difference is less than a specified global connection uptime value;
- determining if the flow counter associated with the destination address is greater than a specified threshold value; and
- generating a notification message when the flow counter has exceeded the threshold value.
Dependent claims (not shown here): 33, 34, 35, 36, 37.

39. An apparatus for detecting a suspicious packet flow in a packet-switched network, comprising:
- means for receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- means for incrementing a packet counter associated with a destination address of the flow if a specified first time has elapsed;
- means for determining if the packet counter associated with the destination address is greater than a specified threshold value; and
- means for generating a notification message when the packet counter has exceeded the threshold value.

40. An apparatus for detecting a suspicious packet flow in a packet-switched network, comprising:
- means for receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- means for receiving a second packet of the flow in which a RST bit of the TCP header is set;
- means for determining a time difference between when the first packet was received and when the second packet was received;
- means for incrementing a flow counter associated with the destination address of the flow if the time difference is less than a specified global connection uptime value;
- means for determining if the flow counter associated with the destination address is greater than a specified threshold value; and
- means for generating a notification message when the flow counter has exceeded the threshold value.

41. An apparatus for detecting a suspicious packet flow in a packet-switched network, comprising:
- a processor;
- one or more stored sequences of instructions that are accessible to the processor and which, when executed by the processor, cause the processor to carry out the steps of:
  - receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
  - incrementing a packet counter associated with a destination address of the flow if a specified first time has elapsed;
  - determining if the packet counter associated with the destination address is greater than a specified threshold value; and
  - generating a notification message when the packet counter has exceeded the threshold value.

42. An apparatus for detecting a suspicious packet flow in a packet-switched network, comprising:
- a processor;
- one or more stored sequences of instructions that are accessible to the processor and which, when executed by the processor, cause the processor to carry out the steps of:
  - receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
  - receiving a second packet of the flow in which a RST bit of the TCP header is set;
  - determining a time difference between when the first packet was received and when the second packet was received;
  - incrementing a flow counter associated with the destination address of the flow if the time difference is less than a specified global connection uptime value;
  - determining if the flow counter associated with the destination address is greater than a specified threshold value; and
  - generating a notification message when the flow counter has exceeded the threshold value.
Dependent claims (not shown here): 43.

44. A computer-readable medium carrying one or more sequences of instructions for detecting a suspicious packet flow in a packet-switched network, wherein the execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- incrementing a packet counter associated with a destination address of the flow if a specified first time has elapsed;
- determining if the packet counter associated with the destination address is greater than a specified threshold value; and
- generating a notification message when the packet counter has exceeded the threshold value.

45. A computer-readable medium carrying one or more sequences of instructions for detecting a suspicious packet flow in a packet-switched network, wherein the execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- receiving a second packet of the flow in which a RST bit of the TCP header is set;
- determining a time difference between when the first packet was received and when the second packet was received;
- incrementing a flow counter associated with the destination address of the flow if the time difference is less than a specified global connection uptime value;
- determining if the flow counter associated with the destination address is greater than a specified threshold value; and
- generating a notification message when the flow counter has exceeded the threshold value.