METHOD AND SYSTEM FOR DDOS TRAFFIC DETECTION AND TRAFFIC MITIGATION USING FLOW STATISTICS

US 20110138463A1
Filed: 11/15/2010
Published: 06/09/2011
Est. Priority Date: 12/07/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method for distributed denial of service (DDoS) attack detection and traffic mitigation using flow statistics, the method comprising:

collecting first statistics for each flow based on flow information generated by traffic flow of a network connection device;

grouping and classifying the first statistics for each flow on a per-flow basis and processing the same into second statistics containing at least one of a number of bytes, the number of packets, and the number of flows per unit time;

calculating the rate of change of the second statistics, and if the rate of change exceeds a preset threshold rate, determining that a distributed denial of service attack occurs; and

limiting the flow rate of the traffic based on a predefined policy by executing a rate-limit function according to a result of the determination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are a method and system for distributed denial of service (DDoS) attack detection and traffic mitigation using flow statistics. The method for DDoS attack detection and traffic mitigation using flow statistics includes: collecting first statistics for each flow based on flow information generated by traffic flow of a network connection device; and grouping the first statistics for each flow on a per-flow basis and processing the same into second statistics containing at least one of the number of bytes, the number of packets, and the number of flows per unit time.

103 Citations

View as Search Results

10 Claims

1. A method for distributed denial of service (DDoS) attack detection and traffic mitigation using flow statistics, the method comprising:
- collecting first statistics for each flow based on flow information generated by traffic flow of a network connection device;
  
  grouping and classifying the first statistics for each flow on a per-flow basis and processing the same into second statistics containing at least one of a number of bytes, the number of packets, and the number of flows per unit time;
  
  calculating the rate of change of the second statistics, and if the rate of change exceeds a preset threshold rate, determining that a distributed denial of service attack occurs; and
  
  limiting the flow rate of the traffic based on a predefined policy by executing a rate-limit function according to a result of the determination.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the limiting of the flow rate further comprises reporting a DDoS attack event to a policy management server that manages network policies according to a result of the determination.
  - 3. The method of claim 1, wherein the first statistics for each flow contain at least one of the number of flows, the number of bytes, and the number of packets that are periodically processed.
  - 4. The method of claim 1, wherein the grouping of the first statistics comprises grouping the first statistics for each flow by at least one of source address, destination address, source-destination address, and protocol ID.
  - 5. The method of claim 1, wherein the determining comprises checking the number of passed packets per unit time, and if the number of packets exceeds a threshold level for one source node, determining that a DDoS attack is occurring.
  - 6. The method of claim 1, wherein the limiting of the flow rate comprises mitigating the flow rate of the traffic or blocking traffic of a source node suspected of the DDoS attack.

7. A system for distributed denial of service (DDoS) attack detection and traffic mitigation using flow statistics, the system comprising:
- a flow statistics collector that collects first statistics for each flow based on flow information generated by traffic flow of a network connection device;
  
  a statistics processor that groups and classifies the first statistics for each flow on a per-flow basis and processes the same into second statistics containing at least one of the number of bytes, the number of packets, and the number of flows per unit time;
  
  a determiner that calculates the rate of change of the second statistics, and if the rate of change exceeds a preset threshold rate, determines that a distributed denial of service attack is occurring; and
  
  a controller that limits the flow rate of the traffic based on a predefined policy by executing a rate-limit function according to a result of the determination.
- View Dependent Claims (8, 9, 10)
- - 8. The system of claim 7, further comprising:
    - a packet forwarding processor that looks up packets received from the interface of a line card of a router system in a routing table to forward the packets to a corresponding destination node, and generates flow information to be classified by a plurality of tuples; and
      
      a database storing the routing table and a statistics table having the second statistics.
  - 9. The system of claim 7, wherein the controller reports a DDoS attack event to a policy management server that manages network policies according to a result of the determination, and mitigates the flow rate of the traffic or blocks traffic of a source node suspected of the DDoS attack.
  - 10. The system of claim 7, wherein the determiner defines the threshold rate for each of a plurality of stages, and determines that one of abnormal traffic, a suspected DDoS attack, and a DDoS attack is occurring depending on a degree to which the rate of change of the second statistics exceeds a preset threshold rate for each stage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
KIM, Hak Suh, KANG, Kyoung-Soon, KIM, Bong Tae, JEON, Ki Cheol, AHN, Byungjun

Application Number

US12/946,849
Publication Number

US 20110138463A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1458 Denial of Service

METHOD AND SYSTEM FOR DDOS TRAFFIC DETECTION AND TRAFFIC MITIGATION USING FLOW STATISTICS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR DDOS TRAFFIC DETECTION AND TRAFFIC MITIGATION USING FLOW STATISTICS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links