Sampling rate-limited traffic
Abstract
Out-of-profile rate-limited traffic is sampled to provide data for analysis, such as for, but not limited to, identifying a threat condition such as a denial-of-service or other malicious attack, or a non-malicious attack such as an error in configuration. A rate limiter including at least three states is typically used, with one of these states being an out-of-profile sampling state wherein the packet traffic is sampled to identify one or more sampled packets on which analysis can be performed, with defensive action possibly taken in response to the analysis.
304 Citations
24 Claims
1. A method of rate-limiting and sampling rate-limited packets, the method comprising:
- maintaining a representation of a current rate of packet traffic for a classification of traffic, the current rate corresponding to one of a plurality of rate-limiting states, the plurality of rate-limiting states including an in-profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out-of-profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out-of-profile rate-limiting state corresponding to the current rate of traffic being above the second threshold; and
- rate-limiting packets of said packet traffic according to said rate-limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets while any non-selected packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)

10. An apparatus, comprising:
- a classification mechanism for classifying packet traffic into a plurality of classified packet traffic flows;
- a rate-limiter configured to rate limit traffic of said classified packet traffic flows according to a current rate-limiting state of a plurality of rate-limiting states identified based on a current rate of packet traffic for, the plurality of rate-limiting states including an in-profile forwarding state, an out-of-profile leak state, and an out-of-profile rate-limiting state;
- wherein said rate limiting of traffic according to the current rate-limiting state includes forwarding packets normally during the in-profile forwarding state, sampling packets during the out-of-profile leak state such that said sampled packets are forwarded to a processing mechanism while non-sampled packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.
(Dependent claims: 11, 12, 13, 14)

15. An apparatus, comprising:
- means for identifying a current rate-limiting state of a plurality of rate-limiting states for a classification of traffic, the plurality of rate-limiting states including an in-profile forwarding state, an out-of-profile leak state, and an out-of-profile rate-limiting state; and
- means for rate-limiting packets of said packet traffic according to said rate-limiting state, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are forwarded to a processing mechanism for processing said selected packets while any non-selected packets during the out-of-profile leak state are rate-limited of a first type, and packets during the out-of-profile rate-limiting state are rate-limited of a second type.
(Dependent claims: 16, 17, 18, 19, 20, 21)

22. A method of rate-limiting and sampling rate-limited packet traffic, the method comprising:
- maintaining a representation of a current rate of packet traffic for a classification of traffic, the current rate corresponding to one of a plurality of rate-limiting states, the plurality of rate-limiting states including an in-profile forwarding state corresponding to the current rate of packet traffic being below a first threshold, an out-of-profile leak state corresponding to the current rate of traffic being above the first threshold and below a second threshold, and an out-of-profile rate-limiting state corresponding to the current rate of traffic being above the second threshold; and
- rate-limiting packets of said packet traffic according to said rate-limiting state corresponding to the current rate of packet traffic, wherein packets are forwarded normally during the in-profile forwarding state, one or more of the packets are selected during the out-of-profile leak state such that said selected packets are both forwarded normally and sent to a processing mechanism for processing, and packets during the out-of-profile rate-limiting state are forwarded normally or rate-limited of a second type.
(Dependent claims: 23, 24)
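The following Python model is an added illustration of the three-state limiter the claims describe; it is not code from the patent or from any product that implements it. The claims leave the rate estimator, the selection rule and the two "types" of rate-limiting unspecified, so the model makes these assumptions: the current rate is a sliding one-second packet count, the leak state selects every Nth packet for the analysis mechanism, and both rate-limiting types drop the packet (the observable difference being that type 1 occurs alongside sampling and type 2 with no sampling at all). The traffic fed through it is constructed: a few quiet packets followed by a 50-packet burst within half a second, so the limiter walks through all three states.

```python
"""Three-state sampling rate limiter (illustrative model, not the patented implementation).

Per classification of traffic:
  in-profile forwarding      rate <  first_threshold            -> forward every packet
  out-of-profile leak        first_threshold <= rate < second   -> every Nth packet goes to the
                                                                   analysis mechanism, the rest
                                                                   are rate-limited (type 1)
  out-of-profile rate-limit  rate >= second_threshold           -> rate-limited (type 2), nothing sampled
"""
from collections import Counter, deque
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    IN_PROFILE = "in-profile forwarding"
    LEAK = "out-of-profile leak"
    RATE_LIMIT = "out-of-profile rate-limiting"


class Action(Enum):
    FORWARD = "forward normally"
    SAMPLE = "send to analysis"        # the selected ("leaked") packets
    DROP_LEAK = "rate-limit type 1"    # non-selected packets in the leak state (assumed: drop)
    DROP_LIMIT = "rate-limit type 2"   # every packet in the rate-limiting state (assumed: drop)


@dataclass
class SamplingRateLimiter:
    first_threshold: float                 # packets/s; at or above -> out of profile (assumption: >=)
    second_threshold: float                # packets/s; at or above -> stop sampling (assumption: >=)
    sample_every: int = 10                 # 1-in-N selection during the leak state (assumption)
    window: float = 1.0                    # seconds over which the rate is measured (assumption)
    _arrivals: deque = field(default_factory=deque, repr=False)
    _leak_seen: int = 0
    samples: list = field(default_factory=list)   # what the analysis mechanism receives

    def current_rate(self, now: float) -> float:
        """Sliding-window estimate: arrivals in the trailing window, in packets per second."""
        while self._arrivals and now - self._arrivals[0] >= self.window:
            self._arrivals.popleft()
        return len(self._arrivals) / self.window

    def state_for(self, rate: float) -> State:
        """Map the current rate onto one of the three rate-limiting states."""
        if rate < self.first_threshold:
            return State.IN_PROFILE
        if rate < self.second_threshold:
            return State.LEAK
        return State.RATE_LIMIT

    def handle(self, packet: dict, now: float) -> Action:
        """Record the arrival, re-evaluate the state, and act on this packet."""
        self._arrivals.append(now)
        state = self.state_for(self.current_rate(now))
        if state is State.IN_PROFILE:
            return Action.FORWARD
        if state is State.LEAK:
            self._leak_seen += 1
            if self._leak_seen % self.sample_every == 0:
                self.samples.append((now, packet))   # hand the selected packet to analysis
                return Action.SAMPLE
            return Action.DROP_LEAK
        return Action.DROP_LIMIT


def constructed_traffic():
    """Constructed input: 5 packets at 5 pps, then 50 packets in 0.5 s (one traffic class)."""
    quiet = [({"src": "192.0.2.1", "dport": 443}, 0.2 * i) for i in range(5)]
    burst = [({"src": "198.51.100.%d" % (i % 7), "dport": 443, "flags": "S"}, 2.0 + 0.01 * i)
             for i in range(50)]
    return quiet + burst


def run_demo():
    """Run the constructed traffic through the limiter; return action counts and the samples."""
    limiter = SamplingRateLimiter(first_threshold=10, second_threshold=40, sample_every=5)
    counts = Counter()
    for packet, t in constructed_traffic():
        counts[limiter.handle(packet, t)] += 1
    return counts, limiter.samples


if __name__ == "__main__":
    counts, samples = run_demo()
    for action, n in counts.items():
        print(f"{action.value:20s} {n}")
    print("packets delivered to analysis:", len(samples))
```

With these thresholds the quiet packets and the first nine burst packets are forwarded, the burst's 10th through 39th packets are in the leak state (six of them reach the analyser, the rest are type-1 rate-limited), and from the 40th packet on the class is in the rate-limiting state and nothing more is sampled. That is the property the abstract relies on: the analyser keeps receiving a bounded trickle of the offending traffic while the bulk is dropped, rather than either flooding the analyser or starving it.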