DOS DETECTION AND MITIGATION IN A LOAD BALANCER

US 20140373146A1
Filed: 06/14/2013
Published: 12/18/2014
Est. Priority Date: 06/14/2013
Status: Active Grant

First Claim

Patent Images

1. A method for a load balancer to detect and mitigate a Denial of Service (DOS) attack directed at one or more tenant addresses, the load balancer being placed in a data path of network data packets being transmitted between one or more sources and the one or more tenant addresses, the method comprising:

an act of analyzing one or more performance parameters regarding network data packets received at the load balancer that is placed in the data path, the network data packets being structured so as to be directed to one or more tenant addresses, the one or more performance parameters describing network data packet flow to the one or more tenant addresses;

an act of detecting, based on the analysis of the one or more performance parameters, that one or more of the tenant addresses is being subjected to a DOS attack; and

an act of performing a mitigation operation to isolate the one or more tenant address being subjected to the DOS attack.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A load balancer that is able to detect and mitigate a Denial of Service (DOS) attack. The load balancer is placed in the flow path of network data packets that are destined for one or more tenant addresses. The load balancer analyzes performance parameters regarding the network data packets that are destined for the one or more tenant addresses and are received at the load balancer. The performance parameters describe network data packet flow to the tenant addresses. The load balancer detects, based on the analysis of the performance parameters, that one or more of the tenant addresses are being subjected to a DOS attack. The load balancer performs a mitigation operation to isolate the one or more tenant addresses being subjected to the DOS attack.

29 Citations

View as Search Results

20 Claims

1. A method for a load balancer to detect and mitigate a Denial of Service (DOS) attack directed at one or more tenant addresses, the load balancer being placed in a data path of network data packets being transmitted between one or more sources and the one or more tenant addresses, the method comprising:
- an act of analyzing one or more performance parameters regarding network data packets received at the load balancer that is placed in the data path, the network data packets being structured so as to be directed to one or more tenant addresses, the one or more performance parameters describing network data packet flow to the one or more tenant addresses;
  
  an act of detecting, based on the analysis of the one or more performance parameters, that one or more of the tenant addresses is being subjected to a DOS attack; and
  
  an act of performing a mitigation operation to isolate the one or more tenant address being subjected to the DOS attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method in accordance with claim 1, wherein the act of performing the mitigation operation comprises:
    - an act of determining a range of tenant addresses to which the one or more tenant addresses that are being subjected to the DOS attack belong;
      
      an act of causing the load balancer to no longer advertise that the range of tenant addresses is available to receive the network data packets;
      
      an act of removing the one or more tenant addresses that are being subjected to the DOS attack from the range of tenant addresses;
      
      an act of aggregating the range of the tenant addresses not including the one or more tenant addresses that have been removed from the range of tenant addresses into a second range of tenant addresses; and
      
      an act of advertising across one or more data planes of the load balancer that the second range of tenant addresses is available to receive the network data packets and wherein the one or more tenant addresses that have been removed from the range of tenant addresses are not advertised as being available to receive the network data packets.
  - 3. The method in accordance with claim 2, further comprising:
    - an act of storing a current configuration of the one or more tenant addresses that have been removed from the range of tenant addresses in a persistent store; and
      
      an act of at least temporarily preventing the one or more tenant addresses that have been removed from the range of tenant addresses from being able to send network data packets.
  - 4. The method in accordance with claim 2, further comprising:
    - an act of waiting a specified amount of time;
      
      an act of adding the one or more tenant addresses that have been removed from the range of tenant addresses to the second range of tenant addresses; and
      
      an act of determining if the one or more tenant addresses added to the second range of tenant addresses is still be subjected to the DOS attack, wherein if it is determined that at least one of the one or more tenant addresses is still being subjected to the DOS attack, the at least one of the one or more tenant addresses is again removed from the range of tenant addresses.
  - 5. The method in accordance with claim 1, wherein the one or more tenant addresses is a virtual IP address that is load balanced across a plurality of destinations.
  - 6. The method in accordance with claim 1, wherein the load balancer includes two or more data planes configured to receive the network data packets, a first data plane receiving the network data packets for the one or more tenant addresses that are being subjected to the DOS attack when the DOS attack is detected, wherein the act of performing the mitigation operation comprises:
    - an act of moving the one or more tenant addresses that are being subjected to the DOS attack to a second data plane of the load balancer, wherein the second data plane handles the network data packets for the one or more tenant addresses so that the one or more tenant addresses that are being subjected to the DOS attack are able to continue to receive the network data packets while being under attack; and
      
      an act of returning the one or more tenant addresses to the first data plane when it is determined that the one or more tenant addresses are no longer under attack.
  - 7. The method in accordance with claim 1, wherein the act of performing a mitigation operation comprises:
    - an act of moving the one or more tenant addresses that are being subjected to the DOS attack to a second load balancer that is configured to analyze the DOS attack so as to learn information about the DOS attack, andan act of returning the one or more tenant addresses to the original load balancer when it is determined that the one or more tenant addresses are no longer under attack.
  - 8. The method in accordance with claim 1, wherein the act of detecting comprises:
    - an act of comparing the one or more performance parameters with a predetermined threshold; and
      
      detecting that the one or more tenant addresses are being subjected to the DOS attack when the one or more performance parameters exceed the predetermined threshold.
  - 9. The method in accordance with claim 1, wherein the one or more performance parameters include one or more of:
    - packets received per second;
      
      packets received and discarded;
      
      CPU usage; and
      
      protocol session disconnect from an edge router.
  - 10. The method in accordance in accordance with claim 1, wherein the DOS attack is initiated by one of the tenant addresses on another of the tenant addresses.

11. A computer program product comprising one or more computer-readable storage media having stored thereon computer-executable instructions that are structured such that, when executed by one or more processors associated with a load balancer that is placed in a data path of network data packets being transmitted between one or more source addresses and a one or more tenant addresses, cause the load balancer to detect and mitigate a Denial of Service (DOS) attack directed at one or more of the tenant addresses, the method comprising:
- an act of collecting one or more performance parameters regarding network data packets received at the load balancer that is placed in the data path, the network data packets being structured so as to be directed to one or more tenant addresses, the one or more performance parameters describing network data packet flow to the one or more tenant addresses;
  
  an act of comparing the collected performance parameters with performance thresholds;
  
  an act of detecting, based on the comparison of the one or more performance parameters with the performance thresholds, that at least one of the one or more of the tenant addresses is being subjected to a DOS attack;
  
  an act of identifying which of the one or more tenant addresses is being subjected to the DOS attack; and
  
  an act of performing a mitigation operation to isolate the one or more tenant address being subjected to the DOS attack.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computer program product in accordance with claim 11, wherein the act of performing the mitigation operation comprises:
    - an act of determining a range of tenant addresses to which the one or more tenant addresses that are being subjected to the DOS attack belong;
      
      an act of causing the load balancer to no longer advertise that the range of tenant addresses is available to receive the network data packets;
      
      an act of removing the one or more tenant addresses that are being subjected to the DOS attack from the range of tenant addresses;
      
      an act of aggregating the range of the tenant addresses not including the one or more tenant addresses that have been removed from the range of tenant addresses into a second range of tenant addresses; and
      
      an act of advertising across one or more data planes of the load balancer that the second range of tenant addresses is available to receive the network data packets and wherein the one or more tenant addresses that have been removed from the range of tenant addresses are not advertised as being available to receive the network data packets.
  - 13. The computer program product in accordance with claim 12, further comprising:
    - an act of storing a current configuration of the one or more tenant addresses that have been removed from the range of tenant addresses in a persistent store; and
      
      an act of at least temporarily preventing the one or more tenant addresses that have been removed from the range of tenant addresses from being able to send any network data packets.
  - 14. The computer program product in accordance with claim 12, further comprising:
    - an act of waiting a specified amount of time;
      
      an act of adding the one or more tenant addresses that have been removed from the range of tenant addresses to the second range of tenant addresses; and
      
      an act of determining if the one or more tenant addresses added to the second range of tenant addresses is still be subjected to the DOS attack, wherein if it is determined that at least one of the one or more tenant addresses is still being subjected to the DOS attack, the at least one of the one or more tenant addresses is again removed from the range of tenant addresses.
  - 15. The computer program product in accordance with claim 11, wherein the load balancer includes two or more data planes configured to receive the network data packets, a first data plane receiving the network data packets for the one or more tenant addresses that are being subjected to the DOS attack when the DOS attack is detected, wherein the act of performing the mitigation operation comprises:
    - an act of moving the one or more tenant addresses that are being subjected to the DOS attack to a second data plane of the load balancer, wherein the second data plane handles the network data packets for the one or more tenant addresses so that the one or more tenant addresses that are being subjected to the DOS attack are able to continue to receive the network data packets while being under attack; and
      
      an act of returning the one or more tenant addresses to the first data plane when it is determined that the one or more tenant addresses are no longer under attack.
  - 16. The computer program product in accordance with claim 11, wherein the act of performing the mitigation operation comprises:
    - an act of moving the one or more tenant addresses that are being subjected to the DOS attack to a second load balancer that is configured to analyze the DOS attack so as to learn information about the DOS attack, andan act of returning the one or more tenant addresses to the original load balancer when it is determined that the one or more tenant addresses are no longer under attack.
  - 17. The computer program product in accordance with claim 11, wherein the act of collecting one or more performance parameters comprises:
    - implementing a sliding window that collects a predefined number of the performance parameters; and
      
      storing a maximum value and average value of the performance parameters collected in the sliding window.
  - 18. The computer program product in accordance with claim 11, wherein the DOS attack is initiated by one of the tenant addresses on another of the tenant addresses.

19. A system, the system comprising:
- one or more tenants each having a tenant address that identifies the tenant as an intended recipient of network data packets sent from one or more sources;
  
  a performance threshold repository that holds performance threshold values that are indicative of a Denial of Service (DOS) attack;
  
  one or more processors;
  
  an edge router configured to receive one or more network data packets destined for one or more of the tenant addresses; and
  
  a load balancer that is configured to receive the one or more network data packets from the edge router and to distribute the one or more network data packets to the tenant address, the load balancer being in the data flow path of the one or more network data packets, the load balancer configured to detect and mitigate a DOS attack on at least one of the one or more of the tenant addresses, the load balancer comprising;
  
  a detection module configured to perform the following;
  
  collect one or more performance parameters regarding network data packets received at the load balancer, the network data packets being destined for one or more tenant addresses, the one or more performance parameters describing network data packet flow to the one or more tenant addresses;
  
  compare the collected performance parameters with the performance thresholds values;
  
  detect, based on the comparison of the one or more performance parameters with the performance threshold values, that one or more of the tenant addresses is being subjected to a DOS attack;
  
  identifying which of the one or more tenant addresses is being subjected to the DOS attack; and
  
  a mitigation module configured to perform the following;
  
  perform a mitigation operation to isolate the one or more tenant address being subjected to the DOS attack.
- View Dependent Claims (20)
- - 20. The system according to claim 19, wherein the one or more tenant addresses is a virtual IP address that is load balanced across a plurality of destinations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Murthy, Ashwin, Zikos, Marios, Bansal, Deepak, Karri, Naveen Reddy, Patel, Parveen Kumar, Wu, HongYu, Sethuraman, Yagya Narayanan

Granted Patent

US 9,055,095 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

H04L 67/1001   for accessing one among a p...

H04L 67/564   Enhancement of application ...

DOS DETECTION AND MITIGATION IN A LOAD BALANCER

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DOS DETECTION AND MITIGATION IN A LOAD BALANCER

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links