MANAGING A DDOS ATTACK

US 20130219502A1
Filed: 04/01/2013
Published: 08/22/2013
Est. Priority Date: 09/14/2004
Status: Active Grant

First Claim

Patent Images

1. A method of managing a distributed denial of service attack in a multiprocessor environment, the method comprising:

determining, by one or more processors, (a) a first upper threshold for a normal number of outbound network packets from the multiprocessor environment to multiple destination addresses, (b) a second upper threshold for a normal ratio of the outbound network packets from the multiprocessor environment to a single destination address compared to the outbound network packets from the multiprocessor environment to the multiple destination addresses, and (c) a third upper threshold for a normal ratio of outbound network packets from the multiprocessor environment to a single port at a single destination address compared to outbound network packets from the multiprocessor environment to the multiple destination addresses;

in response to one or more processors detecting that the first upper threshold and the second upper threshold are exceeded in the multiprocessor environment, monitoring, by one or more processors, a specific port at the single destination address;

in response to one or more processors detecting that the third upper threshold is exceeded for outbound network packets being sent to the specific port being monitored, determining, by one or more processors, that an apparent distributed denial of service attack is in progress; and

notifying, by one or more processors, an administrator of the multiprocessor environment of the apparent distributed denial of service attack.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and/or computer program product manages a distributed denial of service attack in a multiprocessor environment. A determination is made of (a) a first upper threshold for a normal number of packets from the multiprocessor environment to multiple destination addresses, (b) a second upper threshold for a normal ratio of the packets from the multiprocessor environment to a single destination address compared to the packets from the multiprocessor environment to the multiple destination addresses, and (c) a third upper threshold for a normal ratio of packets from the multiprocessor environment to a single port at a single destination address compared to packets from the multiprocessor environment to the multiple destination addresses. In response to the first and second thresholds being exceeded, a specific port is monitored to determine if the third upper threshold is being exceeded at that port, thus indicating an apparent distributed denial of service attack.

20 Citations

View as Search Results

18 Claims

1. A method of managing a distributed denial of service attack in a multiprocessor environment, the method comprising:
- determining, by one or more processors, (a) a first upper threshold for a normal number of outbound network packets from the multiprocessor environment to multiple destination addresses, (b) a second upper threshold for a normal ratio of the outbound network packets from the multiprocessor environment to a single destination address compared to the outbound network packets from the multiprocessor environment to the multiple destination addresses, and (c) a third upper threshold for a normal ratio of outbound network packets from the multiprocessor environment to a single port at a single destination address compared to outbound network packets from the multiprocessor environment to the multiple destination addresses;
  
  in response to one or more processors detecting that the first upper threshold and the second upper threshold are exceeded in the multiprocessor environment, monitoring, by one or more processors, a specific port at the single destination address;
  
  in response to one or more processors detecting that the third upper threshold is exceeded for outbound network packets being sent to the specific port being monitored, determining, by one or more processors, that an apparent distributed denial of service attack is in progress; and
  
  notifying, by one or more processors, an administrator of the multiprocessor environment of the apparent distributed denial of service attack.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - in response to a ratio of (i) a number of packets to a particular destination address to (ii) a total number of packets outbound being greater than a predetermined number leading to a false positive indication of the apparent distributed denial of service attack, issuing, by one or more processors, an instruction to the administrator of the multiprocessor environment to disallow continued monitoring of the particular destination address.
  - 3. The method of claim 1, further comprising:
    - in response to detecting a high proportion of outbound network packets being sent to the specific port, commencing, by one or more processors, blocking measures to mitigate the apparent distributed denial of service attack.
  - 4. The method of claim 1, wherein the apparent distributed denial of service attack is an outbound denial of service attack.
  - 5. The method of claim 1, further comprising:
    - monitoring outgoing traffic with respect to a specific destination address;
      
      in response to a ratio of (i) a number of packets to said specific destination address to (ii) a total number of packets outbound being greater than a preset number and the total number of outbound packets is above a preset value, monitoring selected ports and protocols; and
      
      in response to the ratio of (i) a number of packets to one of said selected ports to (ii) a total number of packets to all of said selected ports being above a preset value, and in response to a protocol used by packets being sent to the specific destination address being consistent across more than a predetermined percentage of the selected ports, commencing, by one or more processors, blocking measures to end the apparent distributed denial of service attack.
  - 6. The method of claim 1, wherein the multiprocessor environment is a grid computer environment.

7. A computer program product for managing a distributed denial of service attack in a multiprocessor environment, the computer program product comprising:
- one or more computer-readable storage devices and program instructions stored on at least one of the one or more computer-readable storage devices, the program instructions comprising;
  
  program instructions to determine (a) a first upper threshold for a normal number of outbound network packets from the multiprocessor environment to multiple destination addresses, (b) a second upper threshold for a normal ratio of the outbound network packets from the multiprocessor environment to a single destination address compared to the outbound network packets from the multiprocessor environment to the multiple destination addresses, and (c) a third upper threshold for a normal ratio of outbound network packets from the multiprocessor environment to a single port at a single destination address compared to outbound network packets from the multiprocessor environment to the multiple destination addresses;
  
  program instructions to, in response to detecting that the first upper threshold and the second upper threshold are exceeded in the multiprocessor environment, monitor a specific port at the single destination address;
  
  program instructions to, in response to detecting that the third upper threshold is exceeded for outbound network packets being sent to the specific port being monitored, determine that an apparent distributed denial of service attack is in progress; and
  
  program instructions to notify an administrator of the multiprocessor environment of the apparent distributed denial of service attack.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, further comprising program instructions stored on at least one of the one or more storage devices, to:
    - in response to a ratio of (i) a number of packets to a particular destination address to (ii) a total number of packets outbound being greater than a predetermined number leading to a false positive indication of the apparent distributed denial of service attack, issue an instruction to the administrator of the multiprocessor environment to disallow continued monitoring of the particular destination address.
  - 9. The computer program product of claim 7, further comprising program instructions stored on at least one of the one or more storage devices, to:
    - in response to detecting a high proportion of outbound network packets sent to the specific port, commence blocking measures to mitigate the apparent distributed denial of service attack.
  - 10. The computer program product of claim 7, wherein the apparent distributed denial of service attack is an outbound denial of service attack.
  - 11. The computer program product of claim 7, further comprising program instructions stored on at least one of the one or more storage devices, to:
    - monitor outgoing traffic with respect to a specific destination address;
      
      in response to a ratio of (i) a number of packets to said specific destination address to (ii) a total number of packets outbound being greater than a preset number and the total number of outbound packets is above a preset value, monitor selected ports and protocols;
      
      in response to the ratio of (i) a number of packets to one of said selected ports to (ii) a total number of packets to all of said selected ports being above a preset value, and in response to a protocol used by packets being sent to the specific destination address being consistent across more than a predetermined percentage of the selected ports, commence blocking measures to end the apparent distributed denial of service attack.
  - 12. The computer program product of claim 7, wherein the multiprocessor environment is a grid computer environment.

13. A computer system for managing a distributed denial of service attack in a multiprocessor environment, the computer system comprising:
- one or more processors, one or more computer-readable memories, one or more computer-readable storage devices, and program instructions stored on at least one of the one or more computer-readable storage devices for execution by at least one of the one or more processors via at least one of the one or more computer-readable memories, the program instructions comprising;
  
  first program instructions to determine (a) a first upper threshold for a normal number of outbound network packets from the multiprocessor environment to multiple destination addresses, (b) a second upper threshold for a normal ratio of the outbound network packets from the multiprocessor environment to a single destination address compared to the outbound network packets from the multiprocessor environment to the multiple destination addresses, and (c) a third upper threshold for a normal ratio of outbound network packets from the multiprocessor environment to a single port at a single destination address compared to outbound network packets from the multiprocessor environment to the multiple destination addresses;
  
  second program instructions to, in response to detecting that the first upper threshold and the second upper threshold are exceeded in the multiprocessor environment, monitor a specific port at the single destination address;
  
  third program instructions to, in response to detecting that the third upper threshold is exceeded for outbound network packets being sent to the specific port being monitored, determine that an apparent distributed denial of service attack is in progress; and
  
  fourth program instructions to notify an administrator of the multiprocessor environment of the apparent distributed denial of service attack.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer system of claim 13, further comprising:
    - fifth program instructions, stored on at least one of the one or more computer-readable storage devices for execution by at least one of the one or more processors via at least one of the one or more computer-readable memories, to, in response to a ratio of (i) a number of packets to a particular destination address to (ii) a total number of packets outbound being greater than a predetermined number leading to a false positive indication of the apparent distributed denial of service attack, issue an instruction to the administrator of the multiprocessor environment to disallow continued monitoring of the particular destination address.
  - 15. The computer system of claim 13, further comprising:
    - fifth program instructions, stored on at least one of the one or more computer-readable storage devices for execution by at least one of the one or more processors via at least one of the one or more computer-readable memories, to, in response to detecting a high proportion of outbound network packets sent to the specific port, commence blocking measures to mitigate the apparent distributed denial of service attack.
  - 16. The computer system of claim 13, wherein the apparent distributed denial of service attack is an outbound denial of service attack.
  - 17. The computer system of claim 13, further comprising:
    - fifth program instructions, stored on at least one of the one or more computer-readable storage devices for execution by at least one of the one or more processors via at least one of the one or more computer-readable memories, to monitor outgoing traffic with respect to a specific destination address;
      
      sixth program instructions, stored on at least one of the one or more computer-readable storage devices for execution by at least one of the one or more processors via at least one of the one or more computer-readable memories, to, in response to a ratio of (i) a number of packets to said specific destination address to (ii) a total number of packets outbound being greater than a preset number and the total number of outbound packets is above a preset value, monitor selected ports and protocols; and
      
      seventh program instructions, stored on at least one of the one or more computer-readable storage devices for execution by at least one of the one or more processors via at least one of the one or more computer-readable memories, to, in response to the ratio of (i) a number of packets to one of said selected ports to (ii) a total number of packets to all of said selected ports being above a preset value, and in response to a protocol used by packets being sent to the specific destination address being consistent across more than a predetermined percentage of the selected ports, commence blocking measures to end the apparent distributed denial of service attack.
  - 18. The computer system of claim 13, wherein the multiprocessor environment is a grid computer environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
DANFORD, ROBERT W., ESCAMILLA, TERRY D., HIMBERGER, KEVIN D., JEFFRIES, CLARK D.

Granted Patent

US 9,633,202 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 11/349   for interfaces, buses

G06F 11/3495   for systems

G06F 21/55   Detecting local intrusion o...

G06F 2201/81   Threshold

H04L 2463/141   Denial of service attacks a...

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Y02D 10/00   Energy efficient computing,...

MANAGING A DDOS ATTACK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

MANAGING A DDOS ATTACK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links