System and process for managing network traffic

US 20050249214A1
Filed: 05/07/2004
Published: 11/10/2005
Est. Priority Date: 05/07/2004
Status: Abandoned Application

First Claim

Patent Images

1. A process for managing traffic in a communications network, including:

determining the source address of a received network packet; and

comparing said source address with stored source address data for network packets received in a previous time period.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A traffic management system for use in a communications network, including a detection module for determining the source addresses of received network packets, and for comparing the source addresses with stored source address data for network packets received in a previous time period. The system monitors increases in the number of new source IP addresses of received packets to detect a network traffic anomaly such as a distributed denial of service (DDoS) attack or a flash crowd. If a traffic anomaly is detected, a filtering module performs history-based filtering to block a received packet unless one or more legitimate packets with the same source address have been previously received in a predetermined time period.

201 Citations

28 Claims

1. A process for managing traffic in a communications network, including:
- determining the source address of a received network packet; and
  
  comparing said source address with stored source address data for network packets received in a previous time period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 23, 24)
- - 2. A process as claimed in claim 1, wherein said step of determining includes determining the source addresses of a plurality of received network packets, and the process includes determining the number of new source addresses of said received network packets that are not included in said stored source address data.
  - 3. A process as claimed in claim 2, including detecting a surge in network traffic on the basis of said number of new source addresses.
  - 4. A process as claimed in claim 2, including detecting at least one of a distributed denial of service attack and a flash crowd event on the basis of the number of new source addresses.
  - 5. A process as claimed in claim 2, wherein the numbers of new source addresses of received network packets are determined over successive time intervals, and the process includes detecting a surge in network traffic on the basis of the numbers of new source addresses over said successive time intervals.
  - 6. A process as claimed in claim 5, including generating cumulative sums of said numbers of new source addresses, and wherein said step of detecting includes detecting a surge in network traffic on the basis of the cumulative sums.
  - 7. A process as claimed in claim 5, including normalizing numbers of new source addresses;
    - and generating cumulative sums of the normalized numbers of new source addresses, and wherein said step of detecting includes detecting a surge in network traffic is detected on the basis of the cumulative sums.
  - 8. A process as claimed in claim 7, wherein the surge in network traffic is detected if a cumulative sum exceeds a predetermined value.
  - 9. A process as claimed in claim 1, including blocking said received network packet if said stored source address data does not include data corresponding to said source address.
  - 10. A process as claimed in claim 1, including determining whether to block said received network packet on the basis of stored address data corresponding to a source address of said packet.
  - 11. A process as claimed in claim 10, wherein said determining includes determining whether to block said received network packet on the basis of the number of previously received packets including said source address.
  - 12. A process as claimed in claim 10, including determining whether to reject said received network packet on the basis of a fraction of said previous time period in which packets having said source address were received.
  - 13. A process as claimed in claim 12, including determining whether to reject said received network packet on the basis of the number of days that packets having said source address were received in said previous time period.
  - 14. A process as claimed in claim 12, including:
    - selecting legitimate network packets from received network packets;
      
      generating source address data from said legitimate network packets; and
      
      storing the generated source address data with said stored source address data.
  - 15. A process as claimed in claim 14, wherein the source address data for each source address includes a number of received packets with said source address, and a timestamp of said received packets.
  - 16. A process as claimed in claim 12, including issuing a challenge to a source address of a received network packet, and determining whether said network packet is legitimate on the basis of a received response to said challenge.
  - 17. A process as claimed in claim 12, including determining whether said network packet is legitimate on the basis of a number of received packets with said source address.
  - 18. A process as claimed in claim 2, including:
    - determining, for each of said source addresses, a packet count representing the number of received network packets including the source address; and
      
      detecting a surge in network traffic on the basis of said number of new source addresses and the number of said packet counts that exceed a predetermined value.
  - 23. A system having components for executing the steps of any one of claims 1 to 22.
  - 24. A computer readable storage medium having stored thereon program code for executing the steps of any one of claims 1 to 22.

19. A process for managing traffic in a communications network, including:
- determining the source addresses of received network packets;
  
  comparing said source address with stored source address data for network packets received in a previous time period to determine a number of new source addresses; and
  
  detecting a surge in network traffic on the basis of the number of new source addresses.
- View Dependent Claims (20)
- - 20. A process as claimed in claim 19, including filtering each of said received network packets on the basis of previously received network packets including the source address of the packet.

21. A process for detecting anomalous traffic in a communications network, including:
- determining source addresses of received network packets;
  
  comparing said source addresses with stored source address data for network packets received in a previous time period to determine the number of new source addresses for which data is not included in said stored source address data; and
  
  detecting at least one of a distributed denial of service attack and a flash crowd event on the basis of the number of new source addresses.

22. A filtering process, including:
- determining the source address of a received network packet;
  
  determining at least one of the number of packets with said source address received in a previous time period and a fraction of said previous time period in which packets with said source address were received; and
  
  determining whether to block said received network packet on the basis of at least one of said number and said fraction.

25. A traffic management system for use in a communications network, including:
- a source address detection module for determining the source addresses of received network packets; and
  
  a decision module for detecting a surge in network traffic on the basis of a comparison of said source addresses with stored source address data for network packets received in a previous time period.
- View Dependent Claims (26, 27, 28)
- - 26. A traffic management system as claimed in claim 25, including a flow rate module for determining the flow rates of received packets including each of said source address;
    - and wherein said decision module is adapted to detect a surge in network traffic on the basis of said flow rates and a comparison of said source addresses with stored source address data for network packets received in a previous time period.
  - 27. A traffic management system as claimed in claim 25, including a learning module for performing one or more legitimacy tests on received network packets to determine whether to stored data for the received network packets with said stored source address data.
  - 28. A traffic management system as claimed in claim 27, wherein said learning module is adapted to issue a challenge to a source address of a received network packet, and to determine whether said network packet is legitimate on the basis of a received response to said challenge.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intelliguard I.T. Pty., Ltd.
Original Assignee
Intelliguard I.T. Pty., Ltd.
Inventors
Peng, Tao

Application Number

US10/841,381
Publication Number

US 20050249214A1
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 2463/146   Tracing the source of attacks

H04L 63/1458   Denial of Service

System and process for managing network traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

201 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and process for managing network traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

201 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links