EARLY TRAFFIC REGULATION TECHNIQUES TO PROTECT AGAINST NETWORK FLOODING

US 20080043620A1
Filed: 10/24/2007
Published: 02/21/2008
Est. Priority Date: 11/13/2001
Status: Active Grant

First Claim

Patent Images

1. A packet flow control method comprising the steps of:

detecting congestion in a first node along a packet flow path between a source device and a destination device;

identifying a node in said path preceding said first node; and

transmitting to said preceding network node a traffic regulation signal used to initiate flow rate control on flows identified from information included in said traffic regulation signal.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for providing an Anti-Flooding Flow-Control (AFFC) mechanism suitable for use in defending against flooding network Denial-of-Service (N-DoS) attacks is described. Features of the AFFC mechanism include (1) traffic baseline generation, (2) dynamic buffer management, (3) packet scheduling, and (4) optional early traffic regulation. Baseline statistics on the flow rates for flows of data corresponding to different classes of packets are generated. When a router senses congestion, it activates the AFFC mechanism of the present invention. Traffic flows are classified. Elastic traffic is examined to determine if it is responsive to flow control signals. Flows of non-responsive elastic traffic is dropped. The remaining flows are compared to corresponding class baseline flow rates. Flows exceeding the baseline flow rates are subject to forced flow rate reductions, e.g., dropping of packets.

Citations

20 Claims

1. A packet flow control method comprising the steps of:
- detecting congestion in a first node along a packet flow path between a source device and a destination device;
  
  identifying a node in said path preceding said first node; and
  
  transmitting to said preceding network node a traffic regulation signal used to initiate flow rate control on flows identified from information included in said traffic regulation signal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein said information included in said traffic regulation signal includes a destination address.
  - 3. The method of claim 2, wherein said step of identifying a node in said path includes the step of:
    - transmitting a signal to said destination device requesting path information.
  - 4. The method of claim 2, wherein the step of detecting congestion at a first node includes the steps of:
    - monitoring to detect when said first node is saturated with packet traffic for a preselected period of time.
  - 5. The method of claim 4, wherein said traffic regulation signal further includes packet flow path information.
  - 6. The method of claim 5, further comprising the steps of:
    - operating said preceding network node to transmit an additional traffic regulation signal to an additional preceding node to cause the additional preceding node to initiate flow rate control on flows directed to a destination address identified in said additional traffic regulation signal.
  - 7. The method of claim 1, further comprising:
    - operating said preceding network node to perform a forced reduction in the flow rate of at least one packet flow in response to detecting traffic congestion.
  - 8. The method of claim 7, further comprising:
    - operating the first node to perform a forced reduction in the flow rate of at least one packet flow in response to detecting traffic congestion.
  - 9. The method of claim 8, wherein the forced reduction in the flow rate performed in the first node is performed as a function of a base line flow rate for traffic flowing through the first node;
    - and wherein the forced reduction in the flow rate performed in the preceding network node is performed as a function of a base line flow rate for traffic flowing through the preceding network node.

10. A method of implementing flow control in a communications network including a first node, a second node and a destination node, the first node being located upstream of the second node on a communications path to said destination device, the method comprising the steps of:
- operating the second node to detect when the second node is saturated with traffic for a period of time;
  
  in response to detecting that said second node is saturated with traffic for said period of time, operating the second node to send a first traffic regulation signal to the first node to trigger said first node to perform traffic regulation of flow rates on flows of packets directed to said destination device.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10 wherein, in response to detecting that said second node is saturated with traffic for said period of time, said second node performs the step of:
    - initiating a path determination operation to determine at least a portion of a path of a flow causing congestion at said second node.
  - 12. The method of claim 11, further comprising:
    - operating said second node to receive path information identifying said first node as part of said path of the flow causing congestion.
  - 13. The method of claim 12, further comprising:
    - operating the second node to detect when the second node ceases to be saturated with traffic after being saturated for said period of time;
      
      in response to the second node detecting that has ceased to be saturated with traffic, sending a second traffic regulation message to said first node to cause said first node to cease traffic regulation of flow rates on flows of packets directed to said destination device.
  - 14. The method of claim 12, further comprising:
    - operating the first node, in response to said first traffic regulation message, to perform forced flow rate reduction operations on at least some flows directed to said destination node.
  - 15. The method of claim 14, further comprising:
    - operating the first node to transmit a third traffic regulation message to a node located upstream of said first node in said path of the flow causing the congestion to trigger flow control operations in said node located upstream of said first node.
  - 16. The method of claim 14, wherein operating the first node to perform forced flow rate reduction operations includes:
    - comparing packet flow rates of packet flows directed to said destination to at least one flow rate baseline for said first node; and
      
      dropping packets from packet flows directed to said destination which have flow rates exceeding the flow rate base line to which the particular flow rate is compared.
  - 17. The method of claim 16, further comprising, in said first node, distinguishing, for traffic flow control purposes, between packet flows corresponding to protocol types which are responsive to congestion control signals and packet flows corresponding to protocol types which are not responsive to congestion control signals.

18. A communications system for communicating information as flows of packets, the system comprising:
- a first network node including;
  
  i. congestion control means for detecting congestion at said network node;
  
  ii. traffic flow path determination means for determining the path of at least one packet flow causing congestion at said first network node; and
  
  iii. early traffic regulation signaling means for transmitting a traffic regulation signal to initiate traffic regulation at an upstream network node; and
  
  an upstream network node, the upstream network node being coupled to the first network node, the upstream network node including;
  
  i. means for receiving traffic regulation signals from said first network node; and
  
  ii. flow control means for performing flow rate reduction operations on one or more traffic flows identified from information included in received traffic flow control messages.
- View Dependent Claims (19, 20)
- - 19. The communication system of claim 18, further comprising:
    - a destination node coupled to said first network node for serving as the destination of at least some of the packet flows passing through the first network node, the destination node including;
      
      means for reconstructing packet flow paths from received information; and
      
      means for transmitting reconstructed packet flow path information to the first network node in response to a request for path information from said traffic flow path determination means.
  - 20. The communication system of claim 19, wherein the traffic regulation signal generated by the early traffic regulation signaling means of the first network node includes a destination address corresponding to said destination node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Verizon Services Corporation (Verizon Communications Inc.)
Inventors
Ye, Baoqing

Granted Patent

US 7,903,551 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/232
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/11   Identifying congestion

H04L 47/12   Avoiding congestion; Recove...

H04L 47/32   by discarding or delaying d...

H04L 49/501   Overload detection

H04L 63/1458   Denial of Service

H04W 28/02   Traffic management, e.g. fl...

H04W 28/10   Flow control between commun...

EARLY TRAFFIC REGULATION TECHNIQUES TO PROTECT AGAINST NETWORK FLOODING

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

EARLY TRAFFIC REGULATION TECHNIQUES TO PROTECT AGAINST NETWORK FLOODING

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links