Detection of nonconforming network traffic flow aggregates for mitigating distributed denial of service attacks

US 20070064610A1
Filed: 09/19/2006
Published: 03/22/2007
Est. Priority Date: 09/19/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting protocol noncompliant communication network traffic indicative of a distributed denial of service attack on a node of a communication network, the network traffic including information packets formatted in compliance with a communication network protocol and having an indication of an address of a source node in the network and an indication of an address of a destination node in the network, each of the packets belonging to a corresponding one of a plurality of traffic flows such that the packets of each of the traffic flows are addressed from a common source node and addressed to a common destination node, the method comprising:

assigning each of the traffic flows to a corresponding one of a plurality of traffic flow aggregates such that a portion of the address of the common destination node is common to the traffic flows in said corresponding aggregate, the traffic flows in said aggregates including first packets and second packets such that said second packets are transmitted only upon one of either success or failure of transmission of said first packets;

dropping a plurality of said first packets from each of said traffic flow aggregates at a packet dropping rate set in accordance with a predetermined drop signature;

identifying a noncompliant aggregate as one of said traffic flow aggregates having said second packets received at an arrival rate noncompliant with the communication network protocol as conditioned by said packet dropping rate; and

identifying an attacked node in the communication network from said portion of said address of the common destination node common among said traffic flows of said noncompliant aggregate.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An estimate of a portion of network traffic that is nonconforming to a communication transmission control protocol is used to signal that a distributed denial of service attack may be occurring. Traffic flows are aggregated and packets are intentionally dropped from the flow aggregate in accordance with an assigned perturbation signature. The flow aggregates are observed to determine if the rate of arrival of packets that have a one-to-one transmission correspondence with the dropped packets are similarly responsive to the perturbation signature. By assigning orthogonal perturbation signatures to different routers, multiple routers may perform the test on the aggregate and the results of the test will be correctly ascertained at each router. Nonconforming aggregates may be redefined to finer granularity to determine the node on the network that is under attack, which may then take mitigating action.

162 Citations

20 Claims

1. A method for detecting protocol noncompliant communication network traffic indicative of a distributed denial of service attack on a node of a communication network, the network traffic including information packets formatted in compliance with a communication network protocol and having an indication of an address of a source node in the network and an indication of an address of a destination node in the network, each of the packets belonging to a corresponding one of a plurality of traffic flows such that the packets of each of the traffic flows are addressed from a common source node and addressed to a common destination node, the method comprising:
- assigning each of the traffic flows to a corresponding one of a plurality of traffic flow aggregates such that a portion of the address of the common destination node is common to the traffic flows in said corresponding aggregate, the traffic flows in said aggregates including first packets and second packets such that said second packets are transmitted only upon one of either success or failure of transmission of said first packets;
  
  dropping a plurality of said first packets from each of said traffic flow aggregates at a packet dropping rate set in accordance with a predetermined drop signature;
  
  identifying a noncompliant aggregate as one of said traffic flow aggregates having said second packets received at an arrival rate noncompliant with the communication network protocol as conditioned by said packet dropping rate; and
  
  identifying an attacked node in the communication network from said portion of said address of the common destination node common among said traffic flows of said noncompliant aggregate.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method for detecting protocol noncompliant communication network traffic as recited in claim 1 including selecting packets formatted for transmitting substantive data from a source node as said first packets and selecting as said second packets said substantive data packets as retransmitted from said source node responsive to said first packets being dropped.
  - 3. The method for detecting protocol noncompliant communication network traffic as recited in claim 1 including selecting as said first packets transmission control protocol compliant synchronization packets and selecting as said second packets transmission control protocol compliant acknowledge packets.
  - 4. The method for detecting protocol noncompliant communication network traffic as recited in claim 1 including:
    - determining a nominal arrival rate of said second packets expected for said predetermined drop signature; and
      
      comparing in said noncompliant aggregate identifying step said packet arrival rate of said second packets with said nominal arrival rate.
  - 5. The method for detecting protocol noncompliant communication network traffic as recited in claim 1 further including the step of assigning a drop signature to be orthogonal to a drop signature assigned to at least one other routing node in the communication network.
  - 6. The method for detecting protocol noncompliant communication network traffic as recited in claim 5 further including assigning a codeword of a predetermined number of bits as said drop signature, where a bit thereof having a value of one is associated with dropping said first packets at said packet dropping rate during a predetermined interval and a bit thereof having a value of zero is associated with dropping none of said first packets during said predetermined interval.
  - 7. The method for detecting protocol noncompliant communication network traffic as recited in claim 6 including assigning a pseudonoise code as said codeword.

8. A method for detecting protocol noncompliant communication network traffic indicative of a distributed denial of service attack on a node of a communication network, the communication network having a plurality of switching nodes for routing information packets between a plurality of source nodes and a plurality of destination nodes, the network traffic including information packets formatted in compliance with a communication network protocol and having an indication of an address of a source node in the network and an indication of an address of a destination node in the network, each of the packets belonging to a corresponding one of a plurality of traffic flows such that the packets of each of the traffic flows are addressed from a common source node and addressed to a common destination node, the method comprising:
- assigning each of the traffic flows to a corresponding one of a plurality of traffic flow aggregates such that a portion of the address of the common destination node is common to the traffic flows in said corresponding aggregate, the traffic flows in said aggregates including first packets and second packets such that said second packets are transmitted only upon one of either success or failure of transmission of said first packets;
  
  dropping a plurality of said first packets from each of said traffic flow aggregates at each of a plurality of routing nodes, said first packets being dropped at a packet dropping rate set in accordance with a predetermined drop signature, said drop signature being orthogonal to said drop signature at other routing nodes;
  
  identifying at said routing node a noncompliant aggregate as one of said traffic flow aggregates having said second packets received at an arrival rate noncompliant with the communication network protocol as conditioned by said packet dropping rate; and
  
  identifying an attacked node in the communication network from said portion of the address of the common destination node common to said traffic flows of said noncompliant aggregate.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The method for detecting protocol noncompliant communication network traffic as recited in claim 8 including selecting packets formatted for transmitting substantive data from a source node as said first packets and selecting as said second packets said substantive data packets as retransmitted from said source node responsive to said first packets being dropped.
  - 10. The method for detecting protocol noncompliant communication network traffic as recited in claim 8 including selecting as said first packets transmission control protocol compliant synchronization packets and selecting as said second packets transmission control protocol compliant acknowledge packets.
  - 11. The method for detecting protocol noncompliant communication network traffic as recited in claim 8 including:
    - redefining said noncompliant aggregate into a plurality of aggregates upon a determination that said address of said common destination node could not be identified from said portion of the address of the common destination node in said attacked node identification step; and
      
      repeating the method at said first packets dropping step.
  - 12. The method for detecting protocol noncompliant communication network traffic as recited in claim 8 including:
    - determining a nominal arrival rate of said second packets expected for said predetermined drop signature; and
      
      comparing in said noncompliant aggregate identifying step said packet arrival rate of said second packets with said nominal arrival rate.
  - 13. The method for detecting protocol noncompliant communication network traffic as recited in claim 8 further including assigning a codeword of a predetermined number of bits as said drop signature, where a bit thereof having a value of one is associated with dropping said first packets at said packet dropping rate during a predetermined interval and a bit thereof having a value of zero is associated with dropping none of said first packets during said predetermined interval.
  - 14. The method for detecting protocol noncompliant communication network traffic as recited in claim 13 including assigning a pseudonoise code as said codeword.
  - 15. The method for detecting protocol noncompliant communication network traffic as recited in claim 13 including generating said codeword to have a number of bits having a value of zero equal to a number of bits having a value of one.
  - 16. The method for detecting protocol noncompliant communication network traffic as recited in claim 8 including determining a conformance measure as an integration operation over a length of said drop signature of a difference between an arrival rate of said first packets and said arrival rate of said second packets.
  - 17. The method for detecting protocol noncompliant communication network traffic as recited in claim 16 including comparing said conformance measure to an expected value of said conformance measure as predetermined from characteristics of said drop signature.

18. A system for detecting protocol noncompliant communication network traffic indicative of a distributed denial of service attack on a node of a communication network, the network traffic including information packets formatted in compliance with a communication network protocol and having an indication of an address of a source node in the network and an indication of an address of a destination node in the network, each of the packets belonging to a corresponding one of a plurality of traffic flows such that the packets of each of the traffic flows are addressed from a common source node and addressed to a common destination node, the system comprising:
- an aggregate classifier assigning each of the traffic flows to a corresponding one of a plurality of traffic flow aggregates such that a portion of the address of the common destination node is common to the traffic flows in said corresponding aggregate, the traffic flows in said aggregates including first packets and second packets such that said second packets are transmitted only upon one of either success or failure of transmission of said first packets;
  
  a perturbation signature generator generating a drop signature having characteristics that are orthogonal to other drop signatures at other nodes in the communication network;
  
  a packet dropper coupled to said perturbation signature generator and dropping a plurality of said first packets from each of said traffic flow aggregates at a packet dropping rate defined by said drop signature;
  
  a conformance estimator coupled to said aggregate classifier and identifying a noncompliant aggregate as one of said traffic flow aggregates having said second packets received thereat noncompliant with the communication network protocol as conditioned by said dropped packet rate; and
  
  a target identifier coupled to said conformance estimator and identifying an attacked node in the communication network from said portion of the address of the common destination node common to said traffic flows of said noncompliant aggregate.
- View Dependent Claims (19, 20)
- - 19. The system for detecting protocol noncompliant communication network traffic as recited in claim 18, wherein said target identifier signals said aggregate classifier to redefine said noncompliant aggregate into a plurality of aggregates if the address of the destination node is not identified from said portion of the address of the common node common to said traffic flows of said noncompliant aggregate.
  - 20. The system for detecting protocol noncompliant communication network traffic as recited in claim 18, wherein said perturbation signal generator, said packet dropper, said conformance estimator and said target identifier are installed in a router.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
University of Maryland
Original Assignee
University of Maryland
Inventors
Shayman, Mark, Khandani, Mehdi

Granted Patent

US 7,992,208 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/235
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/326   with random discard, e.g. r...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Detection of nonconforming network traffic flow aggregates for mitigating distributed denial of service attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

162 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of nonconforming network traffic flow aggregates for mitigating distributed denial of service attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

162 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links