Method and system for preventing denial of service attacks in a network

US 20050195840A1
Filed: 03/02/2005
Published: 09/08/2005
Est. Priority Date: 03/02/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method, comprising:

step for measuring a flow rate of packets corresponding to one or more of a plurality of monitored streams of a group of hosts of a network, said packets having common characteristics relating their corresponding streams to one another;

step for comparing the measured flow rate to a predetermined threshold associated with the common characteristics; and

step for discarding packets from streams for which the packet flow rate exceeds the corresponding predetermined threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Leaky bucket state machines police packets and throttle packets of a stream or streams that are flowing from hosts towards the processor of a switch or router of a network. The throttling is performed by measuring and analyzing the actual flow rate(s) of the streams'"'"' packets. The actual flow rate(s) is compared to a predetermined threshold, which may be based on historical or estimated normal traffic patterns. If the actual flow rate exceeds the threshold associated with characteristics that relate packets to certain streams, packets are discarded from the streams having excessive flow rates. By discarding excessive packets having characteristics that correspond to packet information that typically causes a switch/router'"'"'s processor to execute operations, the effects of a DoS attack are minimized while also minimizing the discarding of legitimate traffic packets.

80 Citations

View as Search Results

21 Claims

1. A method, comprising:
- step for measuring a flow rate of packets corresponding to one or more of a plurality of monitored streams of a group of hosts of a network, said packets having common characteristics relating their corresponding streams to one another;
  
  step for comparing the measured flow rate to a predetermined threshold associated with the common characteristics; and
  
  step for discarding packets from streams for which the packet flow rate exceeds the corresponding predetermined threshold.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the group of hosts comprises a single host.
  - 3. The method of claim 1 applied at a first stage wherein the common characteristics uniquely relate packets composing a stream such that each stream is distinguished from every other stream.
  - 4. The method of claim 1 applied at a second stage wherein the common characteristics similarly relate packets composing multiple streams such that:
    - the step for measuring includes measuring an aggregate flow rate for the similarly related streams;
      
      the step for comparing includes comparing the measured aggregate flow rate to an predetermined aggregate threshold; and
      
      the step for discarding includes discarding packets from streams for which the aggregate packet flow rate exceeds the corresponding predetermined aggregate threshold.
  - 5. The method of claim 4 wherein streams are similarly related based on whether the packets of a stream are destined to a central device or to a network device other than a central device.
  - 6. The method of claim 1 wherein the common characteristics may include characteristics selected from the group consisting of protocol types, range of layer 4 ports, range of layer 2 MAC addresses, range of IP addresses, layer 5 identifiers and service identifiers.

7. A method, comprising:
- step for measuring an aggregate flow rate of packets corresponding to one or more of a plurality of monitored streams of a plurality of groups of hosts of a network, said packets having common characteristics similarly relating their corresponding streams to one another;
  
  step for comparing the measured aggregate flow rate to a predetermined aggregate threshold associated with the common characteristics; and
  
  step for discarding packets from similarly related streams for which the aggregate flow rate exceeds the corresponding aggregate predetermined threshold.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7 wherein one or more of the groups of hosts comprises a single host.
  - 9. The method of claim 7 applied at a third stage wherein the common characteristics may include characteristics selected from the group consisting of protocol types, range of layer 4 ports, range of layer 2 MAC addresses, range of IP addresses, layer 5 identifiers and service identifiers.
  - 10. The method of claim 7 applied at a fourth stage wherein the common characteristics relate streams based on whether the packets of a stream are destined to a central device or to a network device other than a central device.

11. A system, comprising:
- means for measuring a flow rate of packets corresponding to one or more of a plurality of monitored streams of a group of hosts of a network, said packets having common characteristics relating their corresponding streams to one another;
  
  means for comparing the measured flow rate to a predetermined threshold associated with the common characteristics; and
  
  means for discarding packets from streams for which the packet flow rate exceeds the corresponding predetermined threshold.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The system of claim 11 wherein the group of hosts comprises a single host.
  - 13. The system of claim 11 applied at a first stage wherein the common characteristics uniquely relate packets composing a stream such that each stream is distinguished from every other stream.
  - 14. The system of claim 11 applied at a second stage wherein the common characteristics similarly relate packets composing multiple streams such that:
    - the step for measuring includes measuring an aggregate flow rate for the similarly related streams;
      
      the step for comparing includes comparing the measured aggregate flow rate to an predetermined aggregate threshold; and
      
      the step for discarding includes discarding packets from streams for which the aggregate packet flow rate exceeds the corresponding predetermined aggregate threshold.
  - 15. The system of claim 14 wherein streams are similarly related based on whether the packets of a stream are destined to a central device or to a network device other than a central device.
  - 16. The system of claim 11 wherein the common characteristics may include characteristics selected from the group consisting of protocol types, range of layer 4 ports, range of layer 2 MAC addresses, range of IP addresses, layer 5 identifiers and service identifiers.
  - 17. The system of claim 11 wherein a leaky bucket state machine comprises the means for measuring, comparing and discarding.
  - 18. The system of claim 17 wherein the leaky bucket state machine is implemented in a CMTS blade, wherein said CMTS blade includes a circuit board and field programmable gate array circuitry.
  - 19. The system of claim 17 wherein the leaky bucket state machine is implemented as computer software code stored on a computer-readable medium.
  - 20. The system of claim 19 wherein the computer readable-medium is a compact disc.
  - 21. The system of claim 17 wherein the leaky bucket state machine is implemented as executable computer software code loaded into a computer memory of a CMTS computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arris International, Inc. (CommScope Holding Company, Inc.)
Original Assignee
Arris International, Inc. (CommScope Holding Company, Inc.)
Inventors
Hickey, Dan, Cloonan, Thomas, Krapp, Steven, Doiron, Tim

Application Number

US11/070,374
Publication Number

US 20050195840A1
Time in Patent Office

Days
Field of Search
US Class Current

370/401
CPC Class Codes

H04L 43/026   using flow identification

H04L 43/0894   Packet rate

H04L 43/16   Threshold monitoring

H04L 47/2475   for supporting traffic char...

H04L 63/1458   Denial of Service

H04L 63/162   at the data link layer

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

Method and system for preventing denial of service attacks in a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

80 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for preventing denial of service attacks in a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links