SYSTEM AND METHOD OF TRAFFIC FILTERING UPON DETECTION OF A DDOS ATTACK

US 20180316714A1
Filed: 06/06/2017
Published: 11/01/2018
Est. Priority Date: 04/28/2017
Status: Active Grant

First Claim

Patent Images

1. A method for filtering network traffic to protect a server from a distributed denial-of-service (DDoS) attack, wherein the method comprises:

responsive to detecting a computing device is subject to a DDoS attack, intercepting data from a network node to the computing device;

determining one or more data transmission parameters based on the intercepted data;

assigning a danger rating to the network node;

changing the danger rating of the network node based on application of a filter and on the data transmission parameters; and

responsive to determining that the danger rating of the network node exceeds a threshold value, limiting a transmittal of data from the network node to the computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are a system, a method, and computer readable storage medium having instructions for filtering network traffic to protect a server from a distributed denial-of-service (DDoS) attack. The described technique includes intercepting data from a network node to the computing device responsive to detecting a computing device is subject to a DDoS attack. The technique further includes determining one or more data transmission parameters based on the intercepted data, assigning a danger rating to the network node, and changing the danger rating of the network node based on application of a filter and on the data transmission parameters. The described technique limits a transmittal of data from the network node to the computing device if the resultant danger rating of the network node exceeds a threshold value.

14 Citations

View as Search Results

21 Claims

1. A method for filtering network traffic to protect a server from a distributed denial-of-service (DDoS) attack, wherein the method comprises:
- responsive to detecting a computing device is subject to a DDoS attack, intercepting data from a network node to the computing device;
  
  determining one or more data transmission parameters based on the intercepted data;
  
  assigning a danger rating to the network node;
  
  changing the danger rating of the network node based on application of a filter and on the data transmission parameters; and
  
  responsive to determining that the danger rating of the network node exceeds a threshold value, limiting a transmittal of data from the network node to the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein assigning the initial danger rating to the network node further comprises:
    - assigning the danger rating to the network node according to a database storing danger ratings of known network nodes and on a network address of the network node.
  - 3. The method of claim 2, further comprising:
    - updating a stored danger dating in the database based on a period of time in which the transmittal of data from the network node to the computing device was limited.
  - 4. The method of claim 1, further comprising:
    - reverting changes to the danger rating of the network node responsive to an expiration of the filter; and
      
      responsive to determining that the danger rating of the network node no longer exceeds the threshold value, canceling the limiting of the transmittal of data from the network node to the computing device.
  - 5. The method of claim 1, further comprising:
    - extending a lifetime of the filter responsive to detecting a repeat triggering of the filter based on the data transmission parameters.
  - 6. The method of claim 1, wherein changing the danger rating of the network node based on application of the filter and on the data transmission parameters further comprises:
    - increasing the danger rating of the network node based on a determination that criteria associated with the filter is met by the data transmission parameters.
  - 7. The method of claim 1, wherein limiting the transmittal of data from the network node to the computing device further comprises:
    - limiting a channel capacity between the network node and the computing device based on a degree to which the danger rating of the network node exceeds the threshold value.

8. A system for filtering network traffic to protect a server from a distributed denial-of-service (DDoS) attack, wherein the system comprises:
- a memory device storing one or more filters; and
  
  a processor configured to;
  
  responsive to detecting a computing device is subject to a DDoS attack, intercept data from a network node to the computing device;
  
  determine one or more data transmission parameters based on the intercepted data;
  
  assign a danger rating to the network node;
  
  change the danger rating of the network node based on application of a filter and on the data transmission parameters; and
  
  responsive to determining that the danger rating of the network node exceeds a threshold value, limit a transmittal of data from the network node to the computing device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the processor configured to assign the initial danger rating to the network node is further configured to:
    - assign the danger rating to the network node according to a database storing danger ratings of known network nodes and on a network address of the network node.
  - 10. The system of claim 9, wherein the processor is further configured to:
    - update a stored danger dating in the database based on a period of time in which the transmittal of data from the network node to the computing device was limited.
  - 11. The system of claim 8, wherein the processor is further configured to:
    - revert changes to the danger rating of the network node responsive to an expiration of the filter; and
      
      responsive to determining that the danger rating of the network node no longer exceeds the threshold value, cancel the limiting of the transmittal of data from the network node to the computing device.
  - 12. The system of claim 8, wherein the processor is further configured to:
    - extend a lifetime of the filter responsive to detecting a repeat triggering of the filter based on the data transmission parameters.
  - 13. The system of claim 8, wherein the processor configured to change the danger rating of the network node based on application of the filter and on the data transmission parameters is further configured to:
    - Increase the danger rating of the network node based on a determination that criteria associated with the filter is met by the data transmission parameters.
  - 14. The system of claim 8, wherein the processor configured to limit the transmittal of data from the network node to the computing device is further configured to:
    - limit a channel capacity between the network node and the computing device based on a degree to which the danger rating of the network node exceeds the threshold value.

15. A non-transitory computer readable medium comprising computer executable instructions for filtering network traffic to protect a server from a distributed denial-of-service (DDoS) attack, including instructions for:
- responsive to detecting a computing device is subject to a DDoS attack, intercepting data from a network node to the computing device;
  
  determining one or more data transmission parameters based on the intercepted data;
  
  assigning a danger rating to the network node;
  
  changing the danger rating of the network node based on application of a filter and on the data transmission parameters; and
  
  responsive to determining that the danger rating of the network node exceeds a threshold value, limiting a transmittal of data from the network node to the computing device.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer readable medium of claim 15, wherein the instructions for assigning the initial danger rating to the network node further comprises instructions for:
    - assigning the danger rating to the network node according to a database storing danger ratings of known network nodes and on a network address of the network node.
  - 17. The non-transitory computer readable medium of claim 16, further comprising instructions for:
    - updating a stored danger dating in the database based on a period of time in which the transmittal of data from the network node to the computing device was limited.
  - 18. The non-transitory computer readable medium of claim 15, further comprising instructions for:
    - reverting changes to the danger rating of the network node responsive to an expiration of the filter; and
      
      responsive to determining that the danger rating of the network node no longer exceeds the threshold value, canceling the limiting of the transmittal of data from the network node to the computing device.
  - 19. The non-transitory computer readable medium of claim 15, further comprising instructions for:
    - extending a lifetime of the filter responsive to detecting a repeat triggering of the filter based on the data transmission parameters.
  - 20. The non-transitory computer readable medium of claim 15, wherein instructions for changing the danger rating of the network node based on application of the filter and on the data transmission parameters further comprises instructions for:
    - increasing the danger rating of the network node based on a determination that criteria associated with the filter is met by the data transmission parameters.
  - 21. The non-transitory computer readable medium of claim 15, wherein instructions for limiting the transmittal of data from the network node to the computing device further comprises instructions for:
    - limiting a channel capacity between the network node and the computing device based on a degree to which the danger rating of the network node exceeds the threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
Gudov, Nikolay V, Khalimonenko, Alexander A., Koreshkov, Denis E.

Granted Patent

US 10,693,907 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1458 Denial of Service

SYSTEM AND METHOD OF TRAFFIC FILTERING UPON DETECTION OF A DDOS ATTACK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

14 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD OF TRAFFIC FILTERING UPON DETECTION OF A DDOS ATTACK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others