Method and system for preventing denial of service attacks in a network
First Claim
1. A method, comprising:
step for measuring a flow rate of packets corresponding to one or more of a plurality of monitored streams of a group of hosts of a network, said packets having common characteristics relating their corresponding streams to one another;
step for comparing the measured flow rate to a predetermined threshold associated with the common characteristics; and
step for discarding packets from streams for which the packet flow rate exceeds the corresponding predetermined threshold.
Abstract
Leaky bucket state machines police packets and throttle packets of a stream or streams that are flowing from hosts towards the processor of a switch or router of a network. The throttling is performed by measuring and analyzing the actual flow rate(s) of the streams' packets. The actual flow rate(s) are compared to a predetermined threshold, which may be based on historical or estimated normal traffic patterns. If the actual flow rate exceeds the threshold associated with characteristics that relate packets to certain streams, packets are discarded from the streams having excessive flow rates. By discarding excessive packets having characteristics that correspond to packet information that typically causes a switch/router's processor to execute operations, the effects of a DoS attack are minimized while also minimizing the discarding of legitimate traffic packets.
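The policing scheme the abstract describes, and which claims 1 and 7 below state as per-group and aggregate steps, as an added example that is not the patent's own code. A leaky bucket per (host group, packet class) stream enforces the per-stream threshold of claim 1; a second bucket per packet class, shared across all host groups, enforces the aggregate threshold of claim 7. Transit traffic that never reaches the CPU is not monitored and is never dropped. The packet classes (arp, icmp_echo, ttl_expired), the two host groups, the thresholds and the packet trace are all constructed for the example; in a real device the thresholds would be derived from observed normal traffic, as the abstract notes.

```python
"""Added example: leaky-bucket policing of CPU-bound ("punted") packets.

Illustrates the scheme in the abstract and claims 1 and 7 with hypothetical
packet classes, host groups and thresholds; none of these values come from
the patent.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# "Common characteristics" of packets that typically make a switch/router CPU
# execute operations. Hypothetical class names; the page does not enumerate
# them. Values: (leak rate in packets/s = the predetermined threshold,
# burst depth in packets). Real thresholds would come from normal traffic.
PER_STREAM_LIMIT = {"arp": (20.0, 10.0), "icmp_echo": (10.0, 5.0),
                    "ttl_expired": (5.0, 5.0)}
AGGREGATE_LIMIT = {"arp": (40.0, 20.0), "icmp_echo": (15.0, 8.0),
                   "ttl_expired": (8.0, 8.0)}
HOST_GROUPS = ["10.0.1.0/24", "10.0.2.0/24"]   # constructed host groups


@dataclass
class LeakyBucket:
    rate: float            # packets/s drained: the predetermined threshold
    depth: float           # packets that may queue before discards begin
    level: float = 0.0     # current fill
    last_seen: float = 0.0

    def admit(self, now: float) -> bool:
        """Drain for the elapsed time, then try to add one packet."""
        elapsed = max(0.0, now - self.last_seen)
        self.level = max(0.0, self.level - elapsed * self.rate)
        self.last_seen = now
        if self.level + 1.0 > self.depth:
            return False          # flow rate exceeds threshold: discard
        self.level += 1.0
        return True


class ControlPlanePolicer:
    """Per-stream buckets (claim 1) nested inside per-class aggregate
    buckets (claim 7). A stream is identified by (host group, packet class)."""

    def __init__(self, host_groups, per_stream_limit, aggregate_limit):
        self.host_groups = [ip_network(g) for g in host_groups]
        self.per_stream_limit = per_stream_limit
        self.aggregate_limit = aggregate_limit
        self.stream_buckets = {}      # (group, class) -> LeakyBucket
        self.aggregate_buckets = {}   # class -> LeakyBucket

    def group_of(self, src: str) -> str:
        addr = ip_address(src)
        for net in self.host_groups:
            if addr in net:
                return str(net)
        return "ungrouped"

    def process(self, now: float, src: str, pkt_class: str) -> str:
        if pkt_class not in self.per_stream_limit:
            return "forward"      # transit traffic: not monitored, never dropped
        key = (self.group_of(src), pkt_class)
        stream = self.stream_buckets.get(key)
        if stream is None:
            stream = self.stream_buckets[key] = LeakyBucket(
                *self.per_stream_limit[pkt_class])
        aggregate = self.aggregate_buckets.get(pkt_class)
        if aggregate is None:
            aggregate = self.aggregate_buckets[pkt_class] = LeakyBucket(
                *self.aggregate_limit[pkt_class])
        if not stream.admit(now):
            return "drop:stream"      # this group alone exceeds its threshold
        if not aggregate.admit(now):
            return "drop:aggregate"   # the class as a whole exceeds its threshold
        return "punt"                 # hand the packet to the processor


def constructed_trace():
    """Constructed packet trace: (time in seconds, source address, class)."""
    trace = [(0.0, "10.0.1.5", "icmp_echo")] * 8     # burst from group 1
    trace += [(0.0, "10.0.2.7", "icmp_echo")] * 6    # burst from group 2
    trace += [(0.0, "10.0.1.9", "tcp_transit")] * 2  # ordinary forwarded traffic
    trace += [(1.0, "10.0.1.5", "icmp_echo")]        # one second later: buckets drained
    return trace


def run_trace(trace=None) -> dict:
    """Police a trace and return a count of verdicts."""
    policer = ControlPlanePolicer(HOST_GROUPS, PER_STREAM_LIMIT, AGGREGATE_LIMIT)
    verdicts = Counter(policer.process(t, src, cls)
                       for t, src, cls in (trace if trace is not None
                                           else constructed_trace()))
    return dict(verdicts)


if __name__ == "__main__":
    print(run_trace())   # → {'punt': 9, 'drop:stream': 4, 'drop:aggregate': 2, 'forward': 2}
```

On the constructed trace, group 1's burst of eight echo packets is cut to five by its own stream bucket, group 2's burst is then cut partly by its stream bucket and partly by the shared aggregate bucket once the class as a whole exceeds its threshold, the transit packets pass untouched, and the packet arriving a second later is admitted because both buckets have drained. A packet rejected by the aggregate bucket has already been counted in its stream bucket; that is a conservative choice that makes the offending group, not its neighbours, absorb the overage.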
80 Citations
21 Claims
1. A method, comprising:
step for measuring a flow rate of packets corresponding to one or more of a plurality of monitored streams of a group of hosts of a network, said packets having common characteristics relating their corresponding streams to one another;
step for comparing the measured flow rate to a predetermined threshold associated with the common characteristics; and
step for discarding packets from streams for which the packet flow rate exceeds the corresponding predetermined threshold.
(Dependent claims: 2, 3, 4, 5, 6)

7. A method, comprising:
step for measuring an aggregate flow rate of packets corresponding to one or more of a plurality of monitored streams of a plurality of groups of hosts of a network, said packets having common characteristics similarly relating their corresponding streams to one another;
step for comparing the measured aggregate flow rate to a predetermined aggregate threshold associated with the common characteristics; and
step for discarding packets from similarly related streams for which the aggregate flow rate exceeds the corresponding aggregate predetermined threshold.
(Dependent claims: 8, 9, 10)

11. A system, comprising:
means for measuring a flow rate of packets corresponding to one or more of a plurality of monitored streams of a group of hosts of a network, said packets having common characteristics relating their corresponding streams to one another;
means for comparing the measured flow rate to a predetermined threshold associated with the common characteristics; and
means for discarding packets from streams for which the packet flow rate exceeds the corresponding predetermined threshold.
(Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
Specification