PROTECTING AGAINST DISTRIBUTED NETWORK FLOOD ATTACKS
First Claim
1. A method comprising:
monitoring, with a first network device, network connections to a second network device protected by the first network device;
upon determining that a parameter associated with the monitored network connections exceeds a connection threshold, monitoring each of a plurality of types of transactions associated with the network connections;
upon determining that a parameter associated with at least one of the plurality of types of transactions exceeds a corresponding transaction-type threshold, monitoring communications associated with network addresses from which transactions of the at least one of the plurality of types of transactions originate; and
executing a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a corresponding client-transaction threshold.
1 Assignment
0 Petitions
Abstract
A network security device performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device; during a second stage, to monitor a plurality of types of transactions for the plurality of network sessions when a parameter for the connections exceeds a connection threshold; and during a third stage, to monitor communications associated with network addresses from which transactions of the at least one type of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceed a client-transaction threshold.
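The staged analysis in the abstract can be made concrete in code. The following is an added illustration written for this page, not code from the patent or its assignee. It assumes (these are my choices, not the page's) that a connection is identified by a client address and port, that a transaction is one application-layer request labelled with a type such as an HTTP method, and that the programmed action is a caller-supplied callback whose default simply records a block decision for the offending address. The three thresholds are passed in explicitly so the stage reached can be observed for different settings.

```python
"""Three-stage flood detector modelled on the abstract above (added example).

Assumptions (mine, not the page's): a connection is a (client address, port)
pair; a transaction is one request with a type label; the programmed action is
a callback that defaults to recording a block decision.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    client_addr: str
    client_port: int


@dataclass(frozen=True)
class Transaction:
    client_addr: str
    kind: str  # transaction type, e.g. "GET" or "POST" (assumed HTTP-like labels)


@dataclass
class Verdict:
    stage_reached: int                                   # 1, 2 or 3
    hot_types: List[str] = field(default_factory=list)   # types over the transaction-type threshold
    actioned: List[Tuple[str, str]] = field(default_factory=list)  # (address, type) pairs acted on


class ThreeStageDetector:
    def __init__(self, connection_threshold: int, transaction_type_threshold: int,
                 client_transaction_threshold: int,
                 action: Optional[Callable[[str, str], None]] = None):
        self.connection_threshold = connection_threshold
        self.transaction_type_threshold = transaction_type_threshold
        self.client_transaction_threshold = client_transaction_threshold
        self.blocked: List[Tuple[str, str]] = []
        self.action = action or self._record_block

    def _record_block(self, client_addr: str, kind: str) -> None:
        # Default programmed action: remember the decision; a real device would
        # drop or rate-limit traffic from this address.
        self.blocked.append((client_addr, kind))

    def analyze(self, connections: Iterable[Connection],
                transactions: Iterable[Transaction]) -> Verdict:
        connections = list(connections)
        transactions = list(transactions)
        verdict = Verdict(stage_reached=1)

        # Stage 1: the connection parameter is the number of distinct connections.
        # Below the connection threshold, no per-transaction work is done at all.
        if len(set(connections)) <= self.connection_threshold:
            return verdict

        # Stage 2: count transactions per type; only types whose count exceeds the
        # transaction-type threshold are carried into the third stage.
        verdict.stage_reached = 2
        per_type = Counter(t.kind for t in transactions)
        verdict.hot_types = sorted(k for k, n in per_type.items()
                                   if n > self.transaction_type_threshold)
        if not verdict.hot_types:
            return verdict

        # Stage 3: attribute the hot-type transactions to their source addresses and
        # execute the programmed action on any address over the client threshold.
        verdict.stage_reached = 3
        per_client = defaultdict(Counter)
        for t in transactions:
            if t.kind in verdict.hot_types:
                per_client[t.client_addr][t.kind] += 1
        for addr in sorted(per_client):
            for kind in verdict.hot_types:
                if per_client[addr][kind] > self.client_transaction_threshold:
                    self.action(addr, kind)
                    verdict.actioned.append((addr, kind))
        return verdict


def build_sample() -> Tuple[List[Connection], List[Transaction]]:
    """Constructed traffic: three ordinary clients plus one address flooding POSTs."""
    conns, txns = [], []
    for i, addr in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        for p in range(2):
            conns.append(Connection(addr, 40000 + 10 * i + p))
        txns += [Transaction(addr, "GET")] * 5 + [Transaction(addr, "POST")] * 2
    flooder = "203.0.113.7"  # constructed documentation-range address
    for p in range(50):
        conns.append(Connection(flooder, 50000 + p))
    txns += [Transaction(flooder, "POST")] * 200
    return conns, txns


def run_demo() -> Verdict:
    conns, txns = build_sample()
    det = ThreeStageDetector(connection_threshold=20, transaction_type_threshold=100,
                             client_transaction_threshold=50)
    return det.analyze(conns, txns)


if __name__ == "__main__":
    v = run_demo()
    print(f"stage reached: {v.stage_reached}, hot types: {v.hot_types}, actioned: {v.actioned}")
```

With the sample above the detector passes stage 1 (56 distinct connections against a threshold of 20), finds only POST over the transaction-type threshold in stage 2 (206 versus 15 GETs), and in stage 3 acts only on the flooding address, since each ordinary client sent two POSTs. Raising the connection threshold above the connection count stops the analysis at stage 1, which is the point of staging: the per-type and per-client bookkeeping is paid for only once the cheaper connection-level check has fired.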
491 Citations
26 Claims
1. A method comprising:

monitoring, with a first network device, network connections to a second network device protected by the first network device; upon determining that a parameter associated with the monitored network connections exceeds a connection threshold, monitoring each of a plurality of types of transactions associated with the network connections; upon determining that a parameter associated with at least one of the plurality of types of transactions exceeds a corresponding transaction-type threshold, monitoring communications associated with network addresses from which transactions of the at least one of the plurality of types of transactions originate; and executing a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a corresponding client-transaction threshold.

Dependent claims: 2-13.

14. A network device comprising:

a network interface to receive packets of a plurality of network sessions to a protected network device; a computer-readable medium storing a connection threshold, a transaction-type threshold, and a client-transaction threshold; a control unit having one or more processors; a reassembly module executing within the control unit to re-assemble application-layer data for the plurality of network sessions; and an attack detection module executing within the control unit to monitor network connections for the plurality of network sessions to the protected network device, to monitor each of a plurality of types of transactions associated with the plurality of network sessions when a parameter associated with the monitored network connections exceeds the connection threshold, to monitor communications associated with network addresses from which transactions of at least one of the plurality of types of transactions originate when a parameter associated with the at least one of the plurality of types of transactions exceeds the transaction-type threshold, and to execute a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds the client-transaction threshold.

Dependent claims: 15-21.

22. A system comprising:

a protected network device; a plurality of client devices, wherein each of the plurality of client devices participate in one of a plurality of network sessions with the protected network device; and a network security device positioned between the protected network device and the plurality of client devices, wherein the network security device comprises: a network interface to receive packets of the plurality of network sessions; a computer-readable medium storing a connection threshold, a transaction-type threshold, and a client-transaction threshold; a control unit having one or more processors; a reassembly module executing within the control unit to re-assemble application-layer data for the plurality of network sessions; and an attack detection module executing within the control unit to monitor network connections for the plurality of network sessions to the protected network device, to monitor each of a plurality of types of transactions associated with the plurality of network sessions when a parameter associated with the monitored network connections exceeds the connection threshold, to monitor communications associated with network addresses from which transactions of at least one of the plurality of types of transactions originate when a parameter associated with the at least one of the plurality of types of transactions exceeds the transaction-type threshold, and to execute a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds the client-transaction threshold.

23. A computer-readable storage medium encoded with instructions for causing a programmable processor to:

monitor network connections to a protected network device; upon determining that a parameter associated with the connections exceeds a connection threshold, monitor each of a plurality of types of transactions associated with the network connections; upon determining that a parameter associated with the at least one of the plurality of types of transactions exceeds a corresponding transaction-type threshold, monitor communications associated with network addresses from which transactions of the at least one of the plurality of types of transactions originate; and execute a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceeds a corresponding client-transaction threshold.

Dependent claims: 24-26.
Specification