Sampling rate-limited traffic

US 20070171824A1
Filed: 01/25/2006
Published: 07/26/2007
Est. Priority Date: 01/25/2006
Status: Active Grant

First Claim

Patent Images

1. A method of rate-limiting and sampling rate-limited packets, the method comprising:

maintaining a representation of a current rate of packet traffic for a classification of traffic, the current rate corresponding to one of a plurality of rate-limiting states, the plurality of rate-limiting states including an in-profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out-of-profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out-of-profile rate-limiting state corresponding to the current rate of traffic being above the second threshold; and

rate-limiting packets of said packet traffic according to said rate-limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets while any non-selected packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Out-of-profile rate-limited traffic is sampled to provide data for analysis, such as for, but not limited to, identifying a threat condition such as a denial-of-service or other malicious attack, or a non-malicious attack such as an error in configuration. A rate limiter including at least three states is typically used, with one of these states being an out-of-profile sampling state wherein the packet traffic is sampled to identify one or more sampled packets on which analysis can be performed, with defensive action possibly taken in response to the analysis.

304 Citations

24 Claims

1. A method of rate-limiting and sampling rate-limited packets, the method comprising:
- maintaining a representation of a current rate of packet traffic for a classification of traffic, the current rate corresponding to one of a plurality of rate-limiting states, the plurality of rate-limiting states including an in-profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out-of-profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out-of-profile rate-limiting state corresponding to the current rate of traffic being above the second threshold; and
  
  rate-limiting packets of said packet traffic according to said rate-limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets while any non-selected packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein exactly one packet is selected during the out-of-profile leak state.
  - 3. The method of claim 1, wherein a plurality of particular packets are selected during the out-of-profile leak state, said particular packets including at least two consecutively received packets.
  - 4. The method of claim 1, wherein said rate limiting of the first type causes the packets to be dropped and said rate limiting of the second type causes the packets to be dropped.
  - 5. The method of claim 1, wherein the processing mechanism identifies a threat condition based on one or more of said selected packets, and in response to said identified threat condition, defensive action is taken to reduce said identified threat condition.
  - 6. The method of claim 5, wherein said defensive action includes adjusting at least one of the first or second thresholds.
  - 7. The method of claim 6, wherein exactly one packet is selected during the out-of-profile leak state.
  - 8. The method of claim 6, wherein a plurality of particular packets are selected during the out-of-profile leak state, said particular packets including at least two consecutively received packets.
  - 9. The method of claim 5, wherein said defensive action includes installing an access control list entry in an access control list being applied to said packet traffic to counter said identified threat condition.

10. An apparatus, comprising:
- a classification mechanism for classifying packet traffic into a plurality of classified packet traffic flows;
  
  a rate-limiter configured to rate limit traffic of said classified packet traffic flows according to a current rate-limiting state of a plurality of rate-limiting states identified based on a current rate of packet traffic for, the plurality of rate-limiting states including an in-profile forwarding state, an out-of-profile leak state, and an out-of-profile rate-limiting state;
  
  wherein said rate limiting of traffic according to the current rate-limiting state includes forwarding packets normally during the in-profile forwarding state, sampling packets during the out-of-profile leak state such that said sampled packets are forwarded to a processing mechanism while non-sampled packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The apparatus of claim 10, comprising the processing mechanism configured for analyzing leaked packets and to reacting to identified conditions based on an analysis of said leaked packets.
  - 12. The apparatus of claim 11, wherein said reacting to identified conditions includes adjusting a rate threshold defining said in-profile forwarding state.
  - 13. The apparatus of claim 10, wherein the current rate-limiting state transitions from the in-profile forwarding state to the out-of-profile leak state and then to the out-of-profile rate-limiting state.
  - 14. The apparatus of claim 13, wherein the current rate-limiting state transitions from the out-of-profile leak state to the out-of-profile rate-limiting state in response to achieving a predetermined number of packets.

15. An apparatus, comprising:
- means for identifying a current rate-limiting state of a plurality of rate-limiting states for a classification of traffic, the plurality of rate-limiting states including an in-profile forwarding state, an out-of-profile leak state, and an out-of-profile rate-limiting state; and
  
  means for rate-limiting packets of said packet traffic according to said rate-limiting state, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets while any non-selected packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The apparatus of claim 15, comprising means for performing defensive action;
    - wherein the processing mechanism is configured to identify a threat condition based on one or more of said selected packets, and said means for performing defensive action is responsive to said identifying the threat condition by the processing mechanism.
  - 17. The apparatus of claim 15, wherein exactly one packet is selected during the out-of-profile leak state.
  - 18. The apparatus of claim 15, wherein a plurality of particular packets are selected during the out-of-profile leak state, said particular packets including at least two consecutively received packets.
  - 19. The apparatus of claim 15, wherein said means for identifying a current rate-limiting state includes means for identifying a current rate of packet traffic.
  - 20. The apparatus of claim 19, wherein said means for identifying a current rate of packet traffic includes means for updating a token value.
  - 21. The apparatus of claim 19, wherein said means for identifying a current rate of packet traffic includes means for updating a main token value and a burst token value.

22. A method of rate-limiting and sampling rate-limited packet traffic, the method comprising:
- maintaining a representation of a current rate of packet traffic for a classification of traffic, the current rate corresponding to one of a plurality of rate-limiting states, the plurality of rate-limiting states including an in-profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out-of-profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out-of-profile rate-limiting state corresponding to the current rate of traffic being above the second threshold; and
  
  rate-limiting packets of said packet traffic according to said rate-limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are both forwarded normally and sent to a processing mechanism for processing, and packets during the out-of-profile rate-limiting state are forwarded normally or rate-limited of a second type.
- View Dependent Claims (23, 24)
- - 23. The method of claim 22, wherein all packet are selected during the out-of-profile leak state.
  - 24. The method of claim 22, wherein packets are not forwarded normally during the out-of-profile rate-limiting state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Elangovan, Anusankar, Borgione, Gaetano, De Silva, Suran, Ruello, Natale, Naqvi, Farrukh

Granted Patent

US 8,018,845 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/232
CPC Class Codes

H04L 43/022 by sampling

H04L 43/16 Threshold monitoring

Sampling rate-limited traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

304 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Sampling rate-limited traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

304 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links