SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT
0 Assignments
0 Petitions
Accused Products
Abstract
A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit.
14 Citations
21 Claims
-
1. (canceled)
-
2. A method for processing network traffic data by a network switching device, the method comprising:
-
receiving a packet by a network interface of the network switching device; determining, on the network switching device, a number N of concurrent sessions to a concurrent session threshold T1; when the number N of concurrent sessions is less than the concurrent session threshold T1, passing the packet from the network switching device toward an intended recipient; when the number N of concurrent sessions is less than the concurrent session threshold T1; determining, on the network switch device, a rate R at which the number of sessions N are received within a time period t including a session of the received packet, where R=N÷
t;when the session rate threshold R is less than the prescribed session rate threshold T2 (R<
T2), passing the packet from the network switching device toward an intended recipient; andclassifying the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or equal to the prescribed session rate threshold T2 (R≧
T2) and performing a preventative action with regard to the packet. - View Dependent Claims (3, 4, 5, 6, 7, 8)
-
-
9. A non-transitory device-readable storage medium including a set of instructions stored thereon which when executed by a processor of a network switching device cause the network switching device to:
-
receive a packet by a network interface of the network switching device; determine, on the network switching device, a number N of concurrent sessions to a concurrent session threshold T1; when the number N of concurrent sessions is less than the concurrent session threshold T1, pass the packet from the network switching device toward an intended recipient; when the number N of concurrent sessions is less than the concurrent session threshold T1; determine, on the network switch device, a rate R at which the number of sessions N are received within a time period t including a session of the received packet, where R=N÷
t;when the session rate threshold R is less than the prescribed session rate threshold T2 (R<
T2), pass the packet from the network switching device toward an intended recipient; andclassify the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or equal to the prescribed session rate threshold T2 (R≧
T2) and perform a preventative action with regard to the packet. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. A network switching device, comprising:
-
a processor; a communication interface for communicating over a network; a memory device including instructions stored thereon which when executed by the processor, cause the device to; receive a packet by a network interface of the network switching device; determine, on the network switching device, a number N of concurrent sessions to a concurrent session threshold T1; when the number N of concurrent sessions is less than the concurrent session threshold T1, pass the packet from the network switching device toward an intended recipient; when the number N of concurrent sessions is less than the concurrent session threshold T1; determine, on the network switch device, a rate R at which the number of sessions N are received within a time period t including a session of the received packet, where R=N÷
t;when the session rate threshold R is less than the prescribed session rate threshold T2 (R<
T2), pass the packet from the network switching device toward an intended recipient; andclassify the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or equal to the prescribed session rate threshold T2 (R≧
T2) and perform a preventative action with regard to the packet. - View Dependent Claims (17, 18, 19, 20, 21)
-
Specification