Detection of Distributed Denial of Service Attacks in Autonomous System Domains
Abstract
A denial-of-service network attack detection system is deployable in single-homed and multi-homed stub networks. The detection system maintains state information of flows entering and leaving the stub domain to determine if exiting traffic exceeds traffic entering the system. Monitors perform simple processing tasks on sampled packets at individual routers in the network at line speed and perform more intensive processing at the routers periodically. The monitors at the routers form an overlay network and communicate pertinent traffic state information between nodes. The state information is collected and analyzed to determine the presence of an attack.
27 Claims
1. A method for detecting malicious communication traffic at an autonomous system domain comprising:
aggregating a plurality of flows traversing at least one routing node in the autonomous system domain into a plurality of flow aggregates, each of said flows including incoming packets having a common source address and outgoing packets having a common destination address, each of said flow aggregates having mapped thereto a set of said flows;
sampling packets of each of said flow aggregates during a predetermined time interval;
storing at least a flow identifier of suspect flows in each of said flow aggregates, said suspect flows corresponding to a flow aggregate having a number of said outgoing packets sampled therefrom exceeding by a predetermined value a number of said incoming packets sampled therefrom; and
determining from said suspicious flows a flow identifier of an attack flow.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 20, 21, 22, 23.
9. A method for detecting malicious communication traffic at an autonomous network domain comprising:
sampling packets of a plurality of flows at each of a plurality of routing nodes in the autonomous network domain, each of said flows including incoming packets having a common source address and outgoing packets having a common destination address;
counting at each of said routing nodes said sampled packets into at least one counter mapped to said plurality of flows;
determining at each of said routing nodes a residual count of said outgoing packets exceeding said incoming packets;
transmitting said count from said each of said routing nodes to at least one rendezvous node; and
determining at said rendezvous node at least one flow identifier of an attack flow.
Dependent claims: 10, 11, 12, 13, 14, 24, 25, 26, 27.
15. A system for detecting malicious communication traffic at an autonomous system domain having a plurality of routers addressable through at least one border gateway, the system comprising:
a plurality of monitors respectively coupled to at least a number of the routers, and each of said monitors receiving a plurality of flows from a respective port thereof, each of said flows including incoming packets having a common source address and outgoing packets having a common destination address, each of said monitors including;
a per-packet processor forming aggregates of said flows in accordance with a mapping of respective flow identifiers thereof and sampling packets thereof in accordance with a predetermined sampling rate, said per-packet processor including;
at least one counter for each of said aggregates and maintaining a count therein responsive to a number of said outgoing packets and a number of said incoming packets; and
a record store storing a flow record for each suspect flow in each said aggregate having said number of said outgoing packets exceeding by a predetermined value a number of said incoming packets, each said flow record having stored therein at least a flow identifier of said suspect flow corresponding thereto; and
a periodic processor receiving said flow record for each said suspect flow at predetermined intervals, said periodic processor computing a score for each said suspect flow and comparing said score with a predetermined threshold, said periodic processor providing said flow identifier of each said suspect flows having said score exceeding said predetermined threshold, wherein a time between said periodic intervals is greater than said sampling rate.
Dependent claims: 16, 17, 18, 19.
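The two-stage monitor that the abstract and claims 1 and 15 describe (a cheap per-packet path that samples packets, keeps an outgoing-minus-incoming counter per flow aggregate and records the flow identifiers of suspect aggregates, then a slower periodic path that scores each recorded flow against a threshold) as an added Python sketch; this is not code from the patent or its assignee, and the aggregate count, sampling rate, residual limit, score threshold and sample traffic are all assumed values chosen for illustration.

```python
import hashlib

class FlowMonitor:
    """Single-router monitor: cheap work per sampled packet, heavier scoring
    once per period. A flow is identified by the external address it talks to:
    "in" packets arrive from it, "out" packets leave the stub domain towards it."""

    def __init__(self, num_aggregates=8, sample_every=3, residual_limit=3, score_limit=5):
        self.num_aggregates = num_aggregates
        self.sample_every = sample_every      # 1-in-N sampling (a deployment would sample
        self.residual_limit = residual_limit  #   randomly so periodic traffic cannot alias)
        self.score_limit = score_limit        # per-flow score needed to report an attack flow
        self.seen = 0
        self.counters = [0] * num_aggregates  # sampled out minus sampled in, per aggregate
        self.records = {}                     # suspect flow id -> [sampled out, sampled in]

    def aggregate_of(self, flow_id):
        """Map a flow identifier onto one of the fixed-size aggregates."""
        digest = hashlib.sha256(flow_id.encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.num_aggregates

    def observe(self, direction, flow_id):
        """Per-packet path: sample, bump the aggregate counter, and once the
        aggregate's residual exceeds the limit start recording its flows."""
        self.seen += 1
        if self.seen % self.sample_every:
            return
        agg = self.aggregate_of(flow_id)
        self.counters[agg] += 1 if direction == "out" else -1
        if self.counters[agg] > self.residual_limit or flow_id in self.records:
            rec = self.records.setdefault(flow_id, [0, 0])
            rec[0 if direction == "out" else 1] += 1

    def periodic(self):
        """Periodic path: score every recorded flow by its own out-in residual,
        report those above the threshold, then reset for the next interval."""
        attacks = sorted(fid for fid, (out, inc) in self.records.items()
                         if out - inc > self.score_limit)
        self.counters = [0] * self.num_aggregates
        self.records = {}
        return attacks

def run_demo():
    """Constructed traffic: two request/response flows around one one-way flood."""
    benign_a = [("out", "198.51.100.7"), ("in", "198.51.100.7")] * 20
    flood = [("out", "203.0.113.9")] * 60          # no replies ever come back
    benign_b = [("out", "192.0.2.5"), ("in", "192.0.2.5")] * 20
    mon = FlowMonitor()
    for direction, fid in benign_a + flood + benign_b:
        mon.observe(direction, fid)
    return mon.periodic()

if __name__ == "__main__":
    print(run_demo())  # ['203.0.113.9']
```

A benign flow that happens to hash into the same aggregate as the flood gets recorded too, but its own out-minus-in residual stays near zero, so the periodic scorer drops it; that is the point of the second stage.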