MANAGING A DDOS ATTACK
First Claim
1. A method of managing a distributed denial of service attack in a multiprocessor environment, the method comprising:
- determining, by one or more processors, (a) a first upper threshold for a normal number of outbound network packets from the multiprocessor environment to multiple destination addresses, (b) a second upper threshold for a normal ratio of the outbound network packets from the multiprocessor environment to a single destination address compared to the outbound network packets from the multiprocessor environment to the multiple destination addresses, and (c) a third upper threshold for a normal ratio of outbound network packets from the multiprocessor environment to a single port at a single destination address compared to outbound network packets from the multiprocessor environment to the multiple destination addresses;
- in response to one or more processors detecting that the first upper threshold and the second upper threshold are exceeded in the multiprocessor environment, monitoring, by one or more processors, a specific port at the single destination address;
- in response to one or more processors detecting that the third upper threshold is exceeded for outbound network packets being sent to the specific port being monitored, determining, by one or more processors, that an apparent distributed denial of service attack is in progress; and
- notifying, by one or more processors, an administrator of the multiprocessor environment of the apparent distributed denial of service attack.
Abstract
A method, system, and/or computer program product manages a distributed denial of service attack in a multiprocessor environment. A determination is made of (a) a first upper threshold for a normal number of packets from the multiprocessor environment to multiple destination addresses, (b) a second upper threshold for a normal ratio of the packets from the multiprocessor environment to a single destination address compared to the packets from the multiprocessor environment to the multiple destination addresses, and (c) a third upper threshold for a normal ratio of packets from the multiprocessor environment to a single port at a single destination address compared to packets from the multiprocessor environment to the multiple destination addresses. In response to the first and second thresholds being exceeded, a specific port is monitored to determine if the third upper threshold is being exceeded at that port, thus indicating an apparent distributed denial of service attack.
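The two-stage check described in the abstract, as an added Python example that is not part of the patent text; it runs over per-interval outbound packet counts keyed by destination address and port. The baselining rule in `learn_thresholds`, the stand-down behaviour, all class and function names, and the sample windows are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Thresholds:
    total_packets: float  # (a) outbound packets per window, all destinations
    dest_ratio: float     # (b) share of packets going to one address
    port_ratio: float     # (c) share of packets going to one port at one address

def metrics(window):
    """window maps (dst_ip, dst_port) -> outbound packet count for one interval."""
    total = sum(window.values())
    per_dest = Counter()
    for (ip, _port), n in window.items():
        per_dest[ip] += n
    top_ip, top_n = per_dest.most_common(1)[0] if per_dest else (None, 0)
    return total, top_ip, (top_n / total if total else 0.0)

def learn_thresholds(baseline, margin=1.5):
    # Assumption: "normal" is the worst non-empty baseline window times a margin.
    rows = [(t, r, max(w.values()) / t) for w in baseline
            for t, _, r in [metrics(w)] if t]
    return Thresholds(*(max(col) * margin for col in zip(*rows)))

class Detector:
    def __init__(self, thresholds, notify):
        self.t, self.notify, self.monitored_ip = thresholds, notify, None

    def observe(self, window):
        total, top_ip, ratio = metrics(window)
        # Stage 1: volume and single-address concentration must both exceed normal.
        if not (total > self.t.total_packets and ratio > self.t.dest_ratio):
            self.monitored_ip = None  # assumption: stand down when traffic recovers
            return "normal"
        if self.monitored_ip != top_ip:
            self.monitored_ip = top_ip  # start watching ports at this address
            return "monitoring"
        # Stage 2: test each port at the monitored address against threshold (c).
        for (ip, port), n in window.items():
            if ip == top_ip and n / total > self.t.port_ratio:
                self.notify(f"apparent DDoS: outbound flood to {ip}:{port}")
                return "alert"
        return "monitoring"

# Constructed sample windows (documentation address ranges, not real traffic).
BASELINE = [Counter({("192.0.2.10", 443): 300, ("198.51.100.7", 443): 250,
                     ("203.0.113.5", 53): 200, ("192.0.2.10", 80): 50}),
            Counter({("192.0.2.10", 443): 200, ("198.51.100.7", 443): 400,
                     ("203.0.113.5", 53): 300})]
ATTACK = Counter({("203.0.113.99", 80): 9000, ("192.0.2.10", 443): 300,
                  ("198.51.100.7", 443): 250})
SPREAD = Counter({**{("203.0.113.99", p): 900 for p in range(8000, 8010)},
                  ("192.0.2.10", 443): 300})
```

`SPREAD` trips the first two thresholds but spreads its packets over ten ports, so the detector keeps monitoring without alerting; only the single-port concentration in `ATTACK` reaches the notification step.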
18 Claims
7. A computer program product for managing a distributed denial of service attack in a multiprocessor environment, the computer program product comprising:
- one or more computer-readable storage devices and program instructions stored on at least one of the one or more computer-readable storage devices, the program instructions comprising:
- program instructions to determine (a) a first upper threshold for a normal number of outbound network packets from the multiprocessor environment to multiple destination addresses, (b) a second upper threshold for a normal ratio of the outbound network packets from the multiprocessor environment to a single destination address compared to the outbound network packets from the multiprocessor environment to the multiple destination addresses, and (c) a third upper threshold for a normal ratio of outbound network packets from the multiprocessor environment to a single port at a single destination address compared to outbound network packets from the multiprocessor environment to the multiple destination addresses;
- program instructions to, in response to detecting that the first upper threshold and the second upper threshold are exceeded in the multiprocessor environment, monitor a specific port at the single destination address;
- program instructions to, in response to detecting that the third upper threshold is exceeded for outbound network packets being sent to the specific port being monitored, determine that an apparent distributed denial of service attack is in progress; and
- program instructions to notify an administrator of the multiprocessor environment of the apparent distributed denial of service attack.
13. A computer system for managing a distributed denial of service attack in a multiprocessor environment, the computer system comprising:
- one or more processors, one or more computer-readable memories, one or more computer-readable storage devices, and program instructions stored on at least one of the one or more computer-readable storage devices for execution by at least one of the one or more processors via at least one of the one or more computer-readable memories, the program instructions comprising:
- first program instructions to determine (a) a first upper threshold for a normal number of outbound network packets from the multiprocessor environment to multiple destination addresses, (b) a second upper threshold for a normal ratio of the outbound network packets from the multiprocessor environment to a single destination address compared to the outbound network packets from the multiprocessor environment to the multiple destination addresses, and (c) a third upper threshold for a normal ratio of outbound network packets from the multiprocessor environment to a single port at a single destination address compared to outbound network packets from the multiprocessor environment to the multiple destination addresses;
- second program instructions to, in response to detecting that the first upper threshold and the second upper threshold are exceeded in the multiprocessor environment, monitor a specific port at the single destination address;
- third program instructions to, in response to detecting that the third upper threshold is exceeded for outbound network packets being sent to the specific port being monitored, determine that an apparent distributed denial of service attack is in progress; and
- fourth program instructions to notify an administrator of the multiprocessor environment of the apparent distributed denial of service attack.
Specification