System and method for detection and mitigation of distributed denial of service attacks

US 20070011740A1
Filed: 07/07/2005
Published: 01/11/2007
Est. Priority Date: 07/07/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting and mitigating denial of service attacks, comprising:

initiating a small computer communication session on a communication network;

executing in a router a set of permit rules for permitting flow of communication packets for user-initiated sessions through said router, said permit rules including a default rule for discarding all packets with respect to said small computer in traffic not pertaining to sessions initiated by said user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A router includes a relatively low bandwidth communication connection to a small computer, a relatively high bandwidth communication connection to a communication network; and a processing unit for executing in the router a set of permit rules for permitting flow of communication packets with respect to the connections for user initiated sessions, the permit rules including a default rule for discarding all packets with respect to the small computer in traffic not pertaining to sessions initiated by the small computer.

53 Citations

View as Search Results

24 Claims

1. A method for detecting and mitigating denial of service attacks, comprising:
- initiating a small computer communication session on a communication network;
  
  executing in a router a set of permit rules for permitting flow of communication packets for user-initiated sessions through said router, said permit rules including a default rule for discarding all packets with respect to said small computer in traffic not pertaining to sessions initiated by said user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising operating router as a next hop router connected through an edge router to an Internet service provider network.
  - 3. The method of claim 2, including establishing a relatively low bandwidth connection between said small computer and said next hop router, and a relatively high bandwidth connection between said next hop router and said edge router.
  - 4. The method of claim 3, including timing out permit rules permitting communication with said small computer after termination of a transaction session.
  - 5. The method of claim 4, further including:
    - establishing a sequence of exotic port numbers for identifying at least one trusted computer for communication with said small computer irrespective of said default rules.
  - 6. The method of claim 3, further comprising:
    - operating a plurality of small computers on relatively slow bandwidth connections to said next hop router; and
      
      recording origination of each session in said next hop router for preventing spoofing of source of traffic directed to said small computers by other computers.
  - 7. The method of claim 1, further comprising:
    - responsive to initiation of an outbound session by said small computer, operating said next hop router to extract session header information including source address and destination address provided by said small computer;
      
      responsive to said session header information, said next hop router establishing at least one permit rule; and
      
      responsive to said session terminating, deleting said permit rule.
  - 8. The method of claim 7, further comprising:
    - maintaining an important list of destination devices critical to a selected user computer;
      
      monitoring attack level experienced at said next hop router with respect to said selected user computer;
      
      responsive to detecting an increasing attack level directed to said selected user computer, executing said important list to drop all existing permit rules with respect to said selected user computer and allow only important rules preestablished for said selected user computer.
  - 9. The method of claim 7, further comprising:
    - determining if a physical port on an incoming packet matches an allocated source address, and if not, blocking said incoming packet;
      
      if said incoming packet is not blocked, determining if a permit rule exists for said incoming packet, and if not, executing a synchronization algorithm to establish a permit rule based on source address, destination address, and destination port of said user computer; and
      
      if a permit rule exists for an incoming packet which is a finish packet, executing a finish algorithm to remove said permit rule and allow said packet through said next hop router.

10. A router for detecting and mitigating denial of service attacks on a small computer, comprising:
- a relatively low bandwidth communication connection to said small computer;
  
  a relatively high bandwidth communication connection to a communication network;
  
  a processing unit for executing in said router a set of permit rules for permitting flow of communication packets with respect to said connections for user initiated sessions, said permit rules including a default rule for discarding all packets with respect to said small computer in traffic not pertaining to sessions initiated by said user.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The router of claim 10, further including:
    - a store of exotic port numbers establishing a sequence for identifying at least one trusted computer for communication with said small computer irrespective of said default rules.
  - 12. The router of claim 10, further comprising:
    - relatively slow bandwidth connections to a plurality of small computers; and
      
      a register for recording origination of each session in s said router for preventing spoofing of source of traffic directed to said small computers by other computers.
  - 13. The router of claim 10, said processing unit further responsive to initiation of an outbound session by said small computer, for extracting session header information including source address and destination address provided by said small computer;
    - responsive to said session header information, for establishing at least one permit rule; and
      
      responsive to said session terminating, for deleting said permit rule.
  - 14. The router of claim 13, further comprising:
    - a store of an important list of destination devices critical to a selected user computer;
      
      said processing unit further for monitoring attack level experienced at said next hop router with respect to said selected user computer, and responsive to detecting an increasing attack level directed to said selected user computer, for executing said important list to drop all existing permit rules with respect to said selected user computer and allow only important rules preestablished for said selected user computer.
  - 15. The router of claim 13, said processing unit further for determining if a physical port on an incoming packet matches an allocated source address, and if not, blocking said incoming packet;
    - if said incoming packet is not blocked, for determining if a permit rule exists for said incoming packet, and if not, executing a synchronization algorithm to establish a permit rule based on source address, destination address, and destination port of said user computer; and
      
      if a permit rule exists for an incoming packet which is a finish packet, for executing a finish algorithm to remove said permit rule and allow said packet through said next hop router.

16. A computer program product for detecting and mitigating denial of service attacks, said computer program product comprising:
- a computer readable medium;
  
  first program instructions to a initiate a small computer communication session through a router on a communication network; and
  
  second program instructions to execute in said router a set of permit rules for permitting flow of communication packets for user-initiated sessions through said router, said permit rules including a default rule for discarding all packets with respect to said small computer in traffic not pertaining to sessions initiated by said user; and
  
  wherein said first and second program instructions are recorded on said medium.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24)
- - 17. The computer program product of claim 16, further comprising third program instructions to operate said router as a next hop router connected through an edge router to an Internet service provider network;
    - and wherein said third program instructions are recorded on said medium.
  - 18. The computer program product of claim 17, further including fourth program instructions to establish a relatively low bandwidth connection between said small computer and said next hop router, and a relatively high bandwidth connection between said next hop router and said edge router;
    - and wherein said fourth program instructions are recorded on said medium.
  - 19. The computer program product of claim 18, further including fifth program instructions to time out permit rules permitting communication with said small computer after termination of a transaction session;
    - and wherein said fifth program instructions are recorded on said medium.
  - 20. The computer program product of claim 19, further including sixth program instructions to establish a sequence of exotic port numbers for identifying at least one trusted computer for communication with said small computer irrespective of said default rules;
    - and wherein said sixth program instructions are recorded on said medium.
  - 21. The computer program product of claim 18, further comprising:
    - fifth program instructions to operate a plurality of small computers on relatively slow bandwidth connections to said next hop router; and
      
      sixth program instructions to record origination of each session in said next hop router for preventing spoofing of source of traffic directed to said small computers by other computers; and
      
      wherein said fifth and sixth program instructions are recorded on said medium.
  - 22. The computer program product of claim 16, further comprising:
    - third program instructions, responsive to initiation of an outbound session by said small computer, to operate said next hop router to extract session header information including source address and destination address provided by said small computer;
      
      fourth program instructions, responsive to said session header information, to establish at next hop router at least one permit rule; and
      
      fifth program instructions, responsive to said session terminating, to delete said permit rule; and
      
      wherein said third, fourth, and fifth program instructions are recorded on said medium.
  - 23. The computer program product of claim 22, further comprising:
    - sixth program instructions to maintain an important list of destination devices critical to a selected user computer;
      
      seventh program instructions to monitor attack level experienced at said next hop router with respect to said selected user computer; and
      
      eighth program instructions, responsive to detecting an increasing attack level directed to said selected user computer, to execute said important list to drop all existing permit rules with respect to said selected user computer and allow only important rules preestablished for said selected user computer; and
      
      wherein said sixth, seventh, and eighth program instructions are recorded on said medium.
  - 24. The computer program product of claim 22, further comprising:
    - sixth program instructions to determine if a physical port on an incoming packet matches an allocated source address, and if not, blocking said incoming packet;
      
      seventh program instructions, if said incoming packet is not blocked, to determine if a permit rule exists for said incoming packet, and if not, executing a synchronization algorithm to establish a permit rule based on source address, destination address, and destination port of said user computer; and
      
      eighth program instructions, if a permit rule exists for an incoming packet which is a finish packet, to execute a finish algorithm to remove said permit rule and allow said packet through said next hop router; and
      
      wherein said sixth, seventh, and eighth program instructions are recorded on said medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Peyravian, Mohammad, Himberger, Kevin, Jeffries, Clark, Davis, John

Granted Patent

US 7,930,740 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1458   Denial of Service

System and method for detection and mitigation of distributed denial of service attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detection and mitigation of distributed denial of service attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links