SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION

US 20150095969A1
Filed: 10/01/2013
Published: 04/02/2015
Est. Priority Date: 07/16/2013
Status: Active Grant

First Claim

Patent Images

1. A method for controlling a plurality of distributed denial of service (DDoS) mitigation appliances, comprising:

configuring, by a DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances; and

sending the DDoS attack mitigation policies to the plurality of DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation central controller and the plurality of DDoS attack mitigation appliances.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for controlling multiple distributed denial of service (DDoS) mitigation appliances. A DDoS attack mitigation central controller configures attack mitigation policies for the DDoS attack mitigation appliances. The DDoS attack mitigation policies are sent to the DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliances.

Citations

28 Claims

1. A method for controlling a plurality of distributed denial of service (DDoS) mitigation appliances, comprising:
- configuring, by a DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances; and
  
  sending the DDoS attack mitigation policies to the plurality of DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation central controller and the plurality of DDoS attack mitigation appliances.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said configuring, by a DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances further comprises:
    - collecting, by the DDoS attack mitigation central controller, granular traffic rate information from the plurality of DDoS attack mitigation appliances;
      
      estimating granular behavioral packet rate thresholds based on the granular traffic rate information;
      
      updating DDoS attack mitigation policies based on the granular behavioral packet rate thresholds; and
      
      sending the updated DDoS attack mitigation policies to the plurality of DDoS attack mitigation appliances.
  - 3. The method of claim 1, wherein said configuring, by a DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances further comprises:
    - receiving the DDoS attack mitigation policies from an administrator of the DDoS attack mitigation central controller through a user interface.
  - 4. The method of claim 1, further comprising:
    - collecting, by the DDoS attack mitigation central controller, granular packet drop statistics from the plurality of DDoS attack mitigation appliances; and
      
      reporting the granular packet drop statistics to the administrator of the DDoS attack mitigation central controller.
  - 5. The method of claim 1, further comprising:
    - establishing a secure connection between the DDoS attack mitigation central controller and the plurality of DDoS attack mitigation appliances;
      
      sending the DDoS attack mitigation policies through the secure connection; and
      
      receiving granular traffic rate information and granular packet drop statistics from the plurality of DDoS attack mitigation appliances through the secure connection.
  - 6. The method of claim 1, further comprising managing mitigation policies in a data store by the DDoS attack mitigation central controller.

7. A method for mitigating distributed denial of service (DDoS) attack, comprising:
- receiving, by a DDoS attack mitigation appliance, DDoS attack mitigation policies through a network connecting a DDoS attack mitigation central controller and the DDoS attack mitigation appliance; and
  
  mitigating DDoS attack based on the received DDoS attack mitigation policies.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The method of claim 7, further comprising:
    - receiving, by the DDoS attack mitigation appliance, inbound and outbound packets; and
      
      performing behavioral DDoS attack mitigation by blocking packets that exceed granular behavioral thresholds or access control policies set by the received DDoS attack mitigation policies.
  - 9. The method of claim 8, further comprising creating service protection profiles based on Internet Protocol (IP) subnets, Virtual Local Area Network (VLAN) tags or Media Access Control (MAC) addresses of a source or a destination of the packets.
  - 10. The method of claim 8, further comprising:
    - collecting, by the DDoS attack mitigation appliance, granular traffic rate information from traffic passing through it, andsending granular traffic rate information to the DDoS attack mitigation central controller.
  - 11. The method of claim 10, further comprising tracking offending sources that exceed behavioral source packet rate thresholds or repetitively send packets that are caught within an identified behavioral granular parameter flood.
  - 12. The method of claim 7, further comprising:
    - collecting, by the DDoS attack mitigation appliance, granular packet drop statistics from traffic passing through it, andsending granular packet drop statistics to the DDoS attack mitigation central controller.
  - 13. The method of claim 7, further comprising enforcing the received DDoS attack mitigation policies at layers 2, 3, 4 and 7 of a network stack.
  - 14. The method of claim 7, further comprising creating a secure communication by the DDoS attack mitigation appliance with the DDoS attack mitigation central controller.

15. A distributed denial of service (DDoS) mitigation central controller for controlling a plurality of DDoS attack mitigation appliances, comprising:
- non-transitory storage device having tangibly embodied therein instructions representing a security application; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising;
  
  configuring, by the DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances; and
  
  sending the DDoS attack mitigation policies to the plurality of DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation central controller and the plurality of DDoS attack mitigation appliances.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The controller of claim 15, wherein said configuring, by a DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances further comprises:
    - collecting, by the DDoS attack mitigation central controller, granular traffic rate information from the plurality of DDoS attack mitigation appliances;
      
      estimating granular behavioral packet rate thresholds based on the granular traffic rate information;
      
      updating DDoS attack mitigation policies based on the granular behavioral packet rate thresholds; and
      
      sending the updated DDoS attack mitigation policies to the plurality of DDoS attack mitigation appliances.
  - 17. The controller of claim 15, wherein said configuring, by a DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances further comprises:
    - receiving the DDoS attack mitigation policies from an administrator of the DDoS attack mitigation central controller through a user interface.
  - 18. The controller of claim 15, wherein the method further comprises:
    - collecting, by the DDoS attack mitigation central controller, granular packet drop statistics from the plurality of DDoS attack mitigation appliances; and
      
      reporting the granular packet drop statistics to the administrator of the DDoS attack mitigation central controller.
  - 19. The controller of claim 15, wherein the method further comprises:
    - establishing a secure connection between the DDoS attack mitigation central controller and the plurality of DDoS attack mitigation appliances;
      
      sending the DDoS attack mitigation policies through the secure connection; and
      
      receiving granular traffic rate information and granular packet drop statistics from the plurality of DDoS attack mitigation appliances through the secure connection.
  - 20. The controller of claim 15, wherein the method further comprises managing mitigation policies in a data store by the DDoS attack mitigation central controller.

21. A distributed denial of service (DDoS) attack mitigation appliance, comprising:
- non-transitory storage device having tangibly embodied therein instructions representing a security application; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising;
  
  receiving, by the DDoS attack mitigation appliance, DDoS attack mitigation policies through a network that connecting a DDoS attack mitigation central controller and the DDoS attack mitigation appliance; and
  
  mitigating DDoS attack based on the received DDoS attack mitigation policies.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The appliance of claim 21, wherein the method further comprises:
    - receiving, by the DDoS attack mitigation appliance, inbound and outbound packets; and
      
      performing behavioral DDoS attack mitigation by blocking packets that exceed granular behavioral thresholds or access control policies set by the received DDoS attack mitigation policies.
  - 23. The appliance of claim 22, wherein the method further comprises:
    - creating service protection profiles based on IP subnets, VLAN tag or MAC addresses of source or destination of the packets.
  - 24. The appliance of claim 22, wherein the method further comprises:
    - collecting, by the DDoS attack mitigation appliance, granular traffic rate information from traffic passing through it, andsending granular traffic rate information to the DDoS attack mitigation central controller.
  - 25. The appliance of claim 24, wherein the method further comprises tracking offending sources that exceed behavioral source packet rate thresholds or repetitively send packets which are caught within an identified behavioral granular parameter flood.
  - 26. The appliance of claim 21, wherein the method further comprises:
    - collecting, by the DDoS attack mitigation appliance, granular packet drop statistics from traffic passing through it, andsending granular packet drop statistics to the DDoS attack mitigation central controller.
  - 27. The appliance of claim 21, wherein the method further comprises enforcing the received DDoS attack mitigation policies at layers 2, 3, 4 and 7 of a network stack.
  - 28. The appliance of claim 21, wherein the method further comprises creating a secure communication by the DDoS attack mitigation appliance with the DDoS attack mitigation central controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Jain, Hemant Kumar

Granted Patent

US 9,602,535 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/20   for managing network securi...

SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links