TECHNIQUES FOR TRAFFIC DIVERSION IN SOFTWARE DEFINED NETWORKS FOR MITIGATING DENIAL OF SERVICE ATTACKS

US 20130333029A1
Filed: 06/10/2013
Published: 12/12/2013
Est. Priority Date: 06/11/2012
Status: Active Grant

First Claim

Patent Images

1. A method for mitigating of denial of service (DoS) attacks in a software defined network (SDN), comprising:

receiving a DoS attack indication performed against at least one destination server;

programming each network element in the SDN to forward a packet based on a diversion value designated in a packet diversion field, upon reception of the DoS attack indication;

instructing at least one peer network element in the SDN to mark a diversion field in each packet in the incoming traffic addressed to the destination server, wherein each network element in the SDN receiving the packet with the marked diversion field is programmed to divert the packet to a security server; and

instructing edge network elements in the SDN to unmark the diversion field of each packet output by the security server, wherein each network element in the SDN is programmed to forward the unmarked packets processed by the security server to the at least one destination server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for mitigating of denial of service (DoS) attacks in a software defined network (SDN). The method comprises receiving a DoS attack indication performed against at least one destination server; programming each network element in the SDN to forward a packet based on a diversion value designated in a packet diversion field, upon reception of the DoS attack indication; instructing at least one peer network element in the SDN to mark a diversion field in each packet in the incoming traffic addressed to the destination server to allow diversion of the packet to a security server; and instructing edge network elements in the SDN to unmark the diversion field of each packet output by the security server, wherein each network element in the SDN is programmed to forward the unmarked packets processed by the security server to the at least one destination server.

Citations

22 Claims

1. A method for mitigating of denial of service (DoS) attacks in a software defined network (SDN), comprising:
- receiving a DoS attack indication performed against at least one destination server;
  
  programming each network element in the SDN to forward a packet based on a diversion value designated in a packet diversion field, upon reception of the DoS attack indication;
  
  instructing at least one peer network element in the SDN to mark a diversion field in each packet in the incoming traffic addressed to the destination server, wherein each network element in the SDN receiving the packet with the marked diversion field is programmed to divert the packet to a security server; and
  
  instructing edge network elements in the SDN to unmark the diversion field of each packet output by the security server, wherein each network element in the SDN is programmed to forward the unmarked packets processed by the security server to the at least one destination server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - receiving an indication that the DoS attack has been terminated; and
      
      instructing the at least one peer network element to unmark the diversion field in each packet in the incoming traffic addressed to the destination server.
  - 3. The method of claim 1, wherein packets injected to the network by the security server do not carry the DoS attack.
  - 4. The method of claim 1, wherein the diversion field is at least one field in any one of an internet protocol (IP) header and a MAC header.
  - 5. The method of claim 4, wherein the at least one field in the IP header is at least one of:
    - a time to live (TTL) field, a bit in a flags field, a hop limit field, a traffic class field, and an IP extension header, wherein the least one field in the IP header depends on an IP version in the network.
  - 6. The method of claim 4, wherein marking the diversion field further comprises setting the diversion field to a value not conventionally used or defined by the IP protocol for the respective at least one field.
  - 7. The method of claim 4, wherein the at least one field in the MAC header is a source MAC address field being set to an address not used by any network element.
  - 8. The method of claim 4, wherein the designation of packets that are required for diversion is performed per source IP, per destination IP address, and per a protocol type.
  - 9. The method of claim 1, wherein the DoS attack is detected using at least one of:
    - a DoS attack detection device and the central controller, wherein the DoS attack further includes a distributed DoS attack.
  - 10. The method of claim 1, wherein the at least one peer network element is a network element of the SDN that the incoming traffic addressed to the at least one destination server flows through.
  - 11. The method of claim 1, wherein an OpenFlow protocol is utilized for communication between the network elements.
  - 12. A non-transitory computer readable medium having stored thereon instructions for causing one or more processing units to execute the computerized method according to claim 1.

13. A system for mitigating of denial of service (DoS) attacks in a software defined networking (SDN) based network, comprising:
- a processor;
  
  a network-interface module connected to a SDN and configured to communicate and program network elements of the SDN;
  
  a memory connected to the processor and configured to contain a plurality of instructions that when executed by the processor configure the system to;
  
  receive a DoS attack indication performed against at least one destination server;
  
  generate instructions for programming at least one peer network element in the SDN to mark a diversion field in each packet in the incoming traffic addressed to the destination server, wherein each network element in the SDN receiving the packet with the marked diversion field is programmed to divert the packet to a security server; and
  
  generate instructions for programming edge network elements in the SDN connected to the security server to unmark the diversion field of each packet output by the security server, wherein each network element in the SDN is programmed to forward the unmarked packets processed by the security server to the at least one destination server.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The system of claim 13, wherein the system is further configured to:
    - receive an indication that the DoS attack has been terminated; and
      
      generate instructions for programming the at least one peer network element to unmark the diversion field in each packet in the incoming traffic addressed to the destination server.
  - 15. The system of claim 14, wherein packets injected to the network by the security server do not carry the DoS attack.
  - 16. The system of claim 14, wherein the diversion field is any one field in any one of an internet protocol (IP) header and a MAC header.
  - 17. The system of claim 15, wherein the at least one field in the IP header is at least one of:
    - a time to live (TTL) field, a bit in a flags field, a hop limit field, a traffic class field, and an IP extension header, wherein the least one field in the IP header depends on an IP version in the network.
  - 18. The system of claim 15, wherein the system is further configured to set the diversion field to a value not conventionally used or defined by the IP protocol for the respective at least one field.
  - 19. The system of claim 16, wherein the at least one field in the MAC header is a source MAC address field being set to an address not used by any network element.
  - 20. The system of claim 16, wherein the designation of packets that are required for diversion is performed per source IP, per destination IP address, and per a protocol type.
  - 21. The system of claim 13, wherein the at least one peer network element is a network element of the SDN that the incoming traffic addressed to the at least one destination server flows through, and wherein each of the edge network elements is directly connected to the security server.
  - 22. The system of claim 13, wherein the system utilizes an OpenFlow protocol for communication between the network elements.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radware Limited
Original Assignee
Radware Limited
Inventors
Chesla, Avi, Doron, Ehud

Granted Patent

US 9,055,006 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 41/12   Discovery or management of ...

H04L 41/122   of virtualised topologies, ...

H04L 45/00   Routing or path finding of ...

H04L 45/42   Centralised routing

H04L 45/64   using an overlay routing layer

H04L 45/655   Interaction between route c...

H04L 45/74   Address processing for routing

H04L 63/0892   by using authentication-aut...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 67/63   Routing a service request d...

TECHNIQUES FOR TRAFFIC DIVERSION IN SOFTWARE DEFINED NETWORKS FOR MITIGATING DENIAL OF SERVICE ATTACKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR TRAFFIC DIVERSION IN SOFTWARE DEFINED NETWORKS FOR MITIGATING DENIAL OF SERVICE ATTACKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links