PROTECTING AGAINST DISTRIBUTED NETWORK FLOOD ATTACKS

US 20110055921A1
Filed: 10/28/2009
Published: 03/03/2011
Est. Priority Date: 09/03/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring, with a first network device, network connections to a second network device protected by the first network device;

upon determining that a parameter associated with the monitored network connections exceeds a connection threshold, monitoring each of a plurality of types of transactions associated with the network connections;

upon determining that a parameter associated with at least one of the plurality of types of transactions exceeds a corresponding transaction-type threshold, monitoring communications associated with network addresses from which transactions of the at least one of the plurality of types of transactions originate; and

executing a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a corresponding client-transaction threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device, during a second stage, to monitor a plurality of types of transactions for the plurality of network sessions when a parameter for the connections exceeds a connection threshold, and during a third stage, to monitor communications associated with network addresses from which transactions of the at least one of type of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a client-transaction threshold.

491 Citations

26 Claims

1. A method comprising:
- monitoring, with a first network device, network connections to a second network device protected by the first network device;
  
  upon determining that a parameter associated with the monitored network connections exceeds a connection threshold, monitoring each of a plurality of types of transactions associated with the network connections;
  
  upon determining that a parameter associated with at least one of the plurality of types of transactions exceeds a corresponding transaction-type threshold, monitoring communications associated with network addresses from which transactions of the at least one of the plurality of types of transactions originate; and
  
  executing a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a corresponding client-transaction threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1,wherein monitoring the network connections comprises determining a number of network connections to the second network device as the parameter associated with the monitored network connections, andwherein determining that the parameter associated with the monitored network connections exceed a connection threshold comprises determining that the number of network connections to the second network device exceeds the connection threshold, wherein the connection threshold defines a threshold number of simultaneous connections.
  - 3. The method of claim 1,wherein monitoring the connections comprises determining a rate at which connection requests for the second network device are received as the parameter associated with the monitored network connections, andwherein determining that the parameter associated with the monitored network connections exceeds a connection threshold comprises determining that the rate at which the connection requests for the second network device are received exceeds the connection threshold, wherein the connection threshold defines a threshold rate of received connection requests.
  - 4. The method of claim 1, wherein monitoring each of the plurality of types of transactions associated with the network connections comprises monitoring values of one or more protocol fields of the transactions.
  - 5. The method of claim 1,wherein monitoring each of the plurality of types of transactions comprises determining a number of transactions for each of the plurality of types of transactions over a period of time as the parameter associated with the at least one of the plurality of types of transactions, andwherein determining that the parameter associated with the at least one of the plurality of types of transactions exceeds a transactions threshold comprises determining that the number of transactions for the at least one of the plurality of types of transactions exceeds the transaction-type threshold, wherein the transaction-type threshold defines a threshold number of transactions for the at least one of the plurality of types of transactions.
  - 6. The method of claim 1,wherein monitoring each of the plurality of types of transactions comprises determining a rate at which transactions for each of the plurality of types of transactions is received as the parameter associated with the at least one of the plurality of types of transactions, andwherein determining that the parameter associated with the at least one of the plurality of types of transactions exceeds a transactions threshold comprises determining that the rate at which transactions of the at least one of the plurality of types of transactions exceeds the transaction-type threshold, wherein the transaction-type threshold defines a threshold rate at which transactions for the at least one of the plurality of types of transactions are to be received.
  - 7. The method of claim 1,wherein monitoring the communications associated with the network addresses comprises determining, for each of the network addresses, a number of transactions of the at least one of the plurality of types of transactions originating from the network address over a period of time, andwherein executing the programmed action comprises executing the programmed action with respect to the at least one of the network addresses when the determined number of transactions for the at least one of the network addresses exceeds the client-transaction threshold, wherein the client-transaction threshold defines a threshold number of transactions of the at least one of the plurality of types of transactions for an individual client.
  - 8. The method of claim 1, wherein executing the programmed action comprises one or more of blocking network connections of the at least one of the network addresses, dropping packets of a network connection associated with the at least one of the network addresses, blocking connection attempts originating from the at least one of the network addresses, advertising the at least one of the network addresses to a third network device to cause the third network device to block network connections of the at least one of the network addresses, sending a close-session message to the at least one of the network addresses, rate limiting future network sessions from at least one of the network addresses, and sending a close-session message to the second network device associated with the at least one of the network addresses.
  - 9. The method of claim 1, further comprising:
    - determining the connection threshold during a learning stage that occurs prior to monitoring the connections to the second network device;
      
      determining the transaction-type threshold during the learning stage; and
      
      determining the client-transaction threshold during the learning stage.
  - 10. The method of claim 9, wherein determining the connection threshold comprises calculating at least one of an average number of concurrent connections during the learning stage, a number of connection requests received during the learning stage over one or more periods of time, and a rate at which the connection requests are received during the learning stage.
  - 11. The method of claim 9, wherein determining the transaction-type threshold comprises calculating an average number of transactions for each of the plurality of types of transactions during the learning stage over one or more periods of time, and setting the transaction-type threshold based on the average number of transactions.
  - 12. The method of claim 9, wherein determining the client-transaction threshold comprises calculating an average number of transactions for each of the plurality of types of transactions from individual clients during the learning stage, and setting the client-transaction threshold based on the average number of transactions.
  - 13. The method of claim 1, wherein monitoring each of the plurality of types of transactions associated with the connections comprises:
    - decoding packets of each of the plurality of types of transactions to extract application-layer data from the packets; and
      
      performing content inspection of the application-layer data from the packets.

14. A network device comprising:
- a network interface to receive packets of a plurality of network sessions to a protected network device;
  
  a computer-readable medium storing a connection threshold, a transaction-type threshold, and a client-transaction threshold;
  
  a control unit having one or more processors;
  
  a reassembly module executing within the control unit to re-assemble application-layer data for the plurality of network sessions; and
  
  an attack detection module executing within the control unit to monitor network connections for the plurality of network sessions to the protected network device, to monitor each of a plurality of types of transactions associated with the plurality of network sessions when a parameter associated with the monitored network connections exceeds the connection threshold, to monitor communications associated with network addresses from which transactions of at least one of the plurality of types of transactions originate when a parameter associated with the at least one of the plurality of types of transactions exceeds the transaction-type threshold, and to execute a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds the client-transaction threshold.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The network device of claim 14, wherein to monitor the connections, the attack detection module calculates the parameter associated with the monitored network connections as a number of connections to the protected network device and determines whether the number of connections to the protected network device exceeds the connection threshold.
  - 16. The network device of claim 14, wherein to monitor the connections, the attack detection module calculates the parameter associated with the monitored network connections as a rate at which connection requests for the protected network device are received and determines whether the rate exceeds the connection threshold.
  - 17. The network device of claim 14, wherein to monitor the plurality of types of transactions, the attack detection module calculates the parameter associated with the at least one of the plurality of types of transactions as a number of requests for each of the types of transactions over a period of time and determines whether the number exceeds the transaction-type threshold.
  - 18. The network device of claim 14, wherein to monitor the network addresses, the attack detection module calculates a number of times a request for the at least one of the plurality of types of transactions is received from each of the network addresses over a period of time and determines whether the number exceeds the client-transaction threshold.
  - 19. The network device of claim 14, further comprising a threshold learning module to determine the connection threshold during a learning stage that occurs prior to monitoring the network connections to the protected network device, to determine the transaction-type threshold during the learning stage, to determine the client-transaction threshold during the learning stage, and to record the connection threshold, the transaction-type threshold, and the client-transaction threshold in the computer-readable medium.
  - 20. The network device of claim 19, wherein the threshold learning module calculates the connection threshold according to at least one of an average number of concurrent connections during the learning stage, a number of connection requests received during the learning stage, and a rate at which the connection requests are received during the learning stage, wherein the threshold learning module calculates the transaction-type threshold as an average number of transactions for each of the plurality of types of transactions during the learning stage, and wherein the threshold learning module calculates the client-transaction threshold as an average number of transactions for each of the plurality of types of transactions from individual clients during the learning stage.
  - 21. The network device of claim 14, wherein the programmed action comprises one or more of blocking network connections of the at least one of the network addresses, dropping packets of a network connection associated with the at least one of the network addresses, blocking connection attempts originating from the at least one of the network addresses, advertising the at least one of the network addresses to a third network device to cause the third network device to block network connections of the at least one of the network addresses, sending a close-session message to the at least one of the network addresses, rate limiting future network sessions of at least one of the network addresses, and sending a close-session message to the protected network device associated with the at least one of the network addresses.

22. A system comprising:
- a protected network device;
  
  a plurality of client devices, wherein each of the plurality of client devices participate in one of a plurality of network sessions with the protected network device; and
  
  a network security device positioned between the protected network device and the plurality of client devices, wherein the network security device comprises;
  
  a network interface to receive packets of the plurality of network sessions;
  
  a computer-readable medium storing a connection threshold, a transaction-type threshold, and a client-transaction threshold;
  
  a control unit having one or more processors;
  
  a reassembly module executing within the control unit to re-assemble application-layer data for the plurality of network sessions; and
  
  an attack detection module executing within the control unit to monitor network connections for the plurality of network sessions to the protected network device, to monitor each of a plurality of types of transactions associated with the plurality of network sessions when a parameter associated with the monitored network connections exceeds the connection threshold, to monitor communications associated with network addresses from which transactions of at least one of the plurality of types of transactions originate when a parameter associated with the at least one of the plurality of types of transactions exceeds the transaction-type threshold, and to execute a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds the client-transaction threshold.

23. A computer-readable storage medium encoded with instructions for causing a programmable processor to:
- monitor network connections to a protected network device;
  
  upon determining that a parameter associated with the connections exceeds a connection threshold, monitor each of a plurality of types of transactions associated with the network connections;
  
  upon determining that a parameter associated with the at least one of the plurality of types of transactions exceeds a corresponding transaction-type threshold, monitor communications associated with network addresses from which transactions of the at least one of the plurality of types of transactions originate; and
  
  execute a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a corresponding client-transaction threshold.
- View Dependent Claims (24, 25, 26)
- - 24. The computer-readable medium of claim 23,wherein the instructions to monitor the network connections comprise instructions to determine a number of connections to the second network device as the parameter associated with the monitored network connections, andwherein the instructions to determine that the parameter associated with the monitored network connections exceeds a connection threshold comprise instructions to determine that the number of connections exceeds the connection threshold, wherein the connection threshold defines a threshold number of simultaneous connections.
  - 25. The computer-readable medium of claim 23,wherein the instructions to monitor the network connections comprise instructions to determine a rate of received connection requests for the second network device as the parameter associated with the monitored network connections, andwherein the instructions to determine that the parameter associated with the monitored network connections exceed a connection threshold comprise instructions to determine that the rate at which the connection requests are received exceeds the connection threshold, wherein the connection threshold defines a threshold rate of received connection requests.
  - 26. The computer-readable medium of claim 23,wherein the instructions to monitor each of the plurality of types of transactions comprise instructions to determine a number of transactions for each of the plurality of types of transactions over a period of time as the parameter associated with the at least one of the plurality of types of transactions, andwherein the instructions to determine that the parameter associated with the at least one of the plurality of types of transactions exceeds a transactions threshold comprise instructions to determine that the number of transactions for the at least one of the plurality of types of transactions exceeds the transaction-type threshold, wherein the transaction-type threshold defines a threshold number of transactions for the at least one of the plurality of types of transactions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Manthena, Venkata Rama Raju, Narayanaswamy, Krishna, Burns, Bryan

Granted Patent

US 8,789,173 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1458 Denial of Service

PROTECTING AGAINST DISTRIBUTED NETWORK FLOOD ATTACKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

491 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTING AGAINST DISTRIBUTED NETWORK FLOOD ATTACKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

491 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links