DETECTION AND MITIGATION SOLUTION USING HONEYPOTS

US 20200137112A1
Filed: 10/30/2018
Published: 04/30/2020
Est. Priority Date: 10/30/2018
Status: Active Grant

First Claim

Patent Images

1. A system for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system, the system comprising:

at least one DDoS honeypot in operative communication with a central controller in the networked computing system, wherein;

the at least one DDoS honeypot is configured to receive a data packet from a network, determine a source address of the data packet, and send the source address to the central controller; and

the central controller is configured to initiate a mitigation action based on the source address and one or more mitigation rules, wherein a determination of whether the received data packet is part of the DDoS attack is based on one or more detection rules.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system. At least one DDoS honeypot in operative communication with a central controller in the networked computing system is configured to receive a data packet from a network, determine a source address of the data packet, and send the source address to the central controller. The central controller is configured to initiate a mitigation action based on the source address and one or more mitigation rules, wherein a determination of whether the received data packet is part of the DDoS attack is based on one or more detection rules.

Citations

20 Claims

1. A system for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system, the system comprising:
- at least one DDoS honeypot in operative communication with a central controller in the networked computing system, wherein;
  
  the at least one DDoS honeypot is configured to receive a data packet from a network, determine a source address of the data packet, and send the source address to the central controller; and
  
  the central controller is configured to initiate a mitigation action based on the source address and one or more mitigation rules, wherein a determination of whether the received data packet is part of the DDoS attack is based on one or more detection rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the DDoS honeypot performs the determination of whether the received data packet is part of the DDoS attack.
  - 3. The system of claim 1, wherein the central controller performs the determination of whether the received data packet is part of the DDoS attack.
  - 4. The system of claim 1, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot is part of the DDoS attack.
  - 5. The system of claim 1, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that satisfies a specified data pattern is part of the DDoS attack.
  - 6. The system of claim 1, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that is a part of network traffic having a volume that exceeds a specified threshold rate is part of the DDoS attack.
  - 7. The system of claim 1, wherein one of the one or more mitigation rules indicates that network traffic from the flagged source address is to be rate limited.
  - 8. The system of claim 1, wherein one of the one or more mitigation rules indicates that network traffic from the flagged source address is to be blocked, discarded, or both.
  - 9. The system of claim 1, wherein one of the one or more mitigation rules indicates that network traffic from the flagged source address is to be diverted to a specified network address.
  - 10. The system of claim 1, wherein one of the one or more mitigation rules indicates that DPI is to be performed on the network traffic from the flagged source address.
  - 11. The system of claim 1, wherein the central controller is a component of the DDoS honeypot.
  - 12. The system of claim 1, wherein the central controller is further configured to send at least one of the mitigation rules to at least one network device.
  - 13. The system of claim 12, wherein the at least one network device is part of an internet service provider'"'"'s infrastructure, a hosting provider'"'"'s infrastructure, or an enterprise'"'"'s infrastructure.
  - 14. The system of claim 1, wherein the central controller is further configured to initiate a cancellation of the mitigation action in response to a cessation of the DDoS attack.
  - 15. The system of claim 1, wherein the at least one DDoS honeypot is configured to send to the central controller application layer information from a payload of the data packet indicating a type of query that is being requested.

16. A method comprising:
- receiving a data packet at a DDoS honeypot from a network;
  
  determining a source address of the data packet; and
  
  initiating a mitigation action based on the source address and one or more mitigation rules, wherein a determination of whether the received data packet is part of a DDoS attack is based on one or more detection rules.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that satisfies a specified data pattern is part of the DDoS attack.
  - 18. The method of claim 16, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that is a part of network traffic having a volume that exceeds a specified threshold rate is part of the DDoS attack.
  - 19. The method of claim 16, wherein one of the one or more mitigation rules indicates that network traffic from the flagged source address is to be blocked, discarded, or both.

20. A non-transitory computer readable medium comprising computer executable instructions which when executed by a processor cause the processor to perform a method of:
- receiving a data packet at a DDoS honeypot from a network;
  
  determining a source address of the data packet; and
  
  initiating a mitigation action based on the source address and one or more mitigation rules, wherein a determination of whether the received data packet is part of a DDoS attack is based on one or more detection rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Charter Communications Operating LLC (Charter Communications Incorporated)
Original Assignee
Charter Communications Operating LLC (Charter Communications Incorporated)
Inventors
COMPTON, Richard A.

Granted Patent

US 12,069,092 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/1458   Denial of Service

H04L 63/1491   using deception as counterm...

DETECTION AND MITIGATION SOLUTION USING HONEYPOTS

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTION AND MITIGATION SOLUTION USING HONEYPOTS

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links