Detection of nonconforming network traffic flow aggregates for mitigating distributed denial of service attacks
Abstract
An estimate of the portion of network traffic that is nonconforming to the communication transmission control protocol is used to signal that a distributed denial of service attack may be occurring. Traffic flows are aggregated and packets are intentionally dropped from each flow aggregate in accordance with an assigned perturbation signature. The flow aggregates are observed to determine whether the rate of arrival of packets that have a one-to-one transmission correspondence with the dropped packets is similarly responsive to the perturbation signature. By assigning orthogonal perturbation signatures to different routers, multiple routers may perform the test on the same aggregate and the results of the test will be correctly ascertained at each router. Nonconforming aggregates may be redefined at finer granularity to determine the node on the network that is under attack, which may then take mitigating action.
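The following simulation is an added example and is not code from the patent or from any product implementing it. It plays out the loop the abstract describes: flows are classified into destination-prefix aggregates, a router drops a fraction of first packets that swings with a zero-mean +/-1 drop signature, the arrival rate of the corresponding second packets is correlated with that signature to estimate the conforming portion of the aggregate, and a noncompliant aggregate is redefined at /24 and then /32 granularity to name the attacked host. Everything concrete here is an assumption of the example: retransmissions of dropped TCP segments are taken as the second packets, rows of a Sylvester-Hadamard matrix (Walsh codes) serve as the orthogonal signatures for two routers on the same path, traffic is modelled by expected per-slot counts rather than sampled packets, and the flows, addresses and rates are constructed.

```python
from ipaddress import ip_network

# Constructed traffic for the simulation: (src, dst, packets per slot, conforming).
# Conforming flows are well-behaved TCP senders that retransmit every dropped
# segment (the "second packets" of the claims).  The attack flows come from
# spoofed sources that keep no TCP state and never retransmit.  Addresses and
# rates are invented for this example.
FLOWS = [
    ("198.51.100.10", "203.0.113.5",  200.0, True),
    ("198.51.100.11", "203.0.113.5",  100.0, True),
    ("198.51.100.12", "203.0.113.77", 300.0, True),
    ("198.51.100.13", "203.0.114.9",  250.0, True),
    ("192.0.2.1",     "203.0.113.5",  900.0, False),  # flood toward 203.0.113.5
    ("192.0.2.2",     "203.0.113.5",  600.0, False),
]

P_BASE, P_AMP = 0.10, 0.05  # drop rate swings between 5% and 15% with the code


def walsh_codes(order):
    """Rows of the 2**order Sylvester-Hadamard matrix: mutually orthogonal +/-1
    sequences.  Row 0 is all +1; rows 1.. are zero-mean and are used here as
    the orthogonal drop signatures given to different routers (this example's
    choice, not a construction the patent text specifies)."""
    h = [[1]]
    for _ in range(order):
        h = [r + r for r in h] + [r + [-x for x in r] for r in h]
    return h


def aggregates(flows, prefix_len):
    """Aggregate classifier: group flows by a prefix of the destination address."""
    groups = {}
    for flow in flows:
        net = ip_network(f"{flow[1]}/{prefix_len}", strict=False)
        groups.setdefault(net, []).append(flow)
    return groups


def simulate(flows, my_code, other_code):
    """One signature period at a router dropping with `my_code` while another
    router on the path drops with `other_code`.  Returns, per slot, the first
    packets this router dropped and the retransmissions it saw one slot later.
    Simplifications: drops at the two routers are treated as independent
    (small-rate approximation) and retransmissions are not perturbed again."""
    n = len(my_code)
    my_drops, retrans = [0.0] * n, [0.0] * n
    for t in range(n):
        p_me = P_BASE + P_AMP * my_code[t]
        p_other = P_BASE + P_AMP * other_code[t]
        for _, _, rate, conforming in flows:
            my_drops[t] += p_me * rate
            if conforming:  # every dropped segment comes back exactly once
                retrans[(t + 1) % n] += (p_me + p_other) * rate
    return my_drops, retrans


def conformance(my_code, my_drops, retrans):
    """Conformance estimator: correlate second-packet arrivals with this
    router's signature, normalised by the correlation of its own drops.  With
    zero-mean orthogonal codes, constant background and the other router's
    perturbation both cancel, leaving the fraction of dropped packets that were
    retransmitted: 1.0 for fully conforming traffic, 0.0 when nothing responds.
    The nonconforming portion of the aggregate is one minus this value."""
    n = len(my_code)
    num = sum(my_code[t] * retrans[(t + 1) % n] for t in range(n))
    den = sum(my_code[t] * my_drops[t] for t in range(n))
    return num / den


def locate_target(flows, my_code, other_code, threshold=0.8):
    """Target identifier: test /16 aggregates, redefine any noncompliant one at
    /24 and then /32 granularity, and return the host addresses whose aggregate
    stayed noncompliant together with their conformance score."""
    suspects = []

    def refine(groups, next_len):
        for net, fl in sorted(groups.items()):
            drops, rtx = simulate(fl, my_code, other_code)
            score = conformance(my_code, drops, rtx)
            if score >= threshold:
                continue
            if net.prefixlen == 32:
                suspects.append((str(net.network_address), round(score, 3)))
            else:
                refine(aggregates(fl, next_len), min(next_len + 8, 32))

    refine(aggregates(flows, 16), 24)
    return suspects


if __name__ == "__main__":
    codes = walsh_codes(3)  # eight slots per period, seven usable signatures
    mine, theirs = codes[1], codes[2]
    drops, rtx = simulate(FLOWS, mine, theirs)
    print("conformance of 203.0.0.0/16:", round(conformance(mine, drops, rtx), 3))
    # Caveat: with the same signature at both routers the other router's
    # retransmissions are counted as responses to our drops, so the aggregate
    # looks far more conforming than it is.
    drops, rtx = simulate(FLOWS, mine, mine)
    print("same code at both routers:", round(conformance(mine, drops, rtx), 3))
    print("attacked node(s):", locate_target(FLOWS, mine, theirs))
```

With the constructed flows, the /16 aggregate scores 850/2350 (about 0.36 conforming), the /24 refinement isolates 203.0.113.0/24, and the /32 step names 203.0.113.5 with a score of roughly 0.17. The second run shows why the patent insists on orthogonal signatures: when both routers share a code, the estimate rises to 1700/2350 and the attack is partly masked.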
162 Citations
20 Claims
1. A method for detecting protocol noncompliant communication network traffic indicative of a distributed denial of service attack on a node of a communication network, the network traffic including information packets formatted in compliance with a communication network protocol and having an indication of an address of a source node in the network and an indication of an address of a destination node in the network, each of the packets belonging to a corresponding one of a plurality of traffic flows such that the packets of each of the traffic flows are addressed from a common source node and addressed to a common destination node, the method comprising:
assigning each of the traffic flows to a corresponding one of a plurality of traffic flow aggregates such that a portion of the address of the common destination node is common to the traffic flows in said corresponding aggregate, the traffic flows in said aggregates including first packets and second packets such that said second packets are transmitted only upon one of either success or failure of transmission of said first packets;
dropping a plurality of said first packets from each of said traffic flow aggregates at a packet dropping rate set in accordance with a predetermined drop signature;
identifying a noncompliant aggregate as one of said traffic flow aggregates having said second packets received at an arrival rate noncompliant with the communication network protocol as conditioned by said packet dropping rate; and
identifying an attacked node in the communication network from said portion of said address of the common destination node common among said traffic flows of said noncompliant aggregate.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for detecting protocol noncompliant communication network traffic indicative of a distributed denial of service attack on a node of a communication network, the communication network having a plurality of switching nodes for routing information packets between a plurality of source nodes and a plurality of destination nodes, the network traffic including information packets formatted in compliance with a communication network protocol and having an indication of an address of a source node in the network and an indication of an address of a destination node in the network, each of the packets belonging to a corresponding one of a plurality of traffic flows such that the packets of each of the traffic flows are addressed from a common source node and addressed to a common destination node, the method comprising:
assigning each of the traffic flows to a corresponding one of a plurality of traffic flow aggregates such that a portion of the address of the common destination node is common to the traffic flows in said corresponding aggregate, the traffic flows in said aggregates including first packets and second packets such that said second packets are transmitted only upon one of either success or failure of transmission of said first packets;
dropping a plurality of said first packets from each of said traffic flow aggregates at each of a plurality of routing nodes, said first packets being dropped at a packet dropping rate set in accordance with a predetermined drop signature, said drop signature being orthogonal to said drop signature at other routing nodes;
identifying at said routing node a noncompliant aggregate as one of said traffic flow aggregates having said second packets received at an arrival rate noncompliant with the communication network protocol as conditioned by said packet dropping rate; and
identifying an attacked node in the communication network from said portion of the address of the common destination node common to said traffic flows of said noncompliant aggregate.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17.
18. A system for detecting protocol noncompliant communication network traffic indicative of a distributed denial of service attack on a node of a communication network, the network traffic including information packets formatted in compliance with a communication network protocol and having an indication of an address of a source node in the network and an indication of an address of a destination node in the network, each of the packets belonging to a corresponding one of a plurality of traffic flows such that the packets of each of the traffic flows are addressed from a common source node and addressed to a common destination node, the system comprising:
an aggregate classifier assigning each of the traffic flows to a corresponding one of a plurality of traffic flow aggregates such that a portion of the address of the common destination node is common to the traffic flows in said corresponding aggregate, the traffic flows in said aggregates including first packets and second packets such that said second packets are transmitted only upon one of either success or failure of transmission of said first packets;
a perturbation signature generator generating a drop signature having characteristics that are orthogonal to other drop signatures at other nodes in the communication network;
a packet dropper coupled to said perturbation signature generator and dropping a plurality of said first packets from each of said traffic flow aggregates at a packet dropping rate defined by said drop signature;
a conformance estimator coupled to said aggregate classifier and identifying a noncompliant aggregate as one of said traffic flow aggregates having said second packets received thereat noncompliant with the communication network protocol as conditioned by said dropped packet rate; and
a target identifier coupled to said conformance estimator and identifying an attacked node in the communication network from said portion of the address of the common destination node common to said traffic flows of said noncompliant aggregate.
Dependent claims: 19, 20.