Progressive and distributed regulation of selected network traffic destined for a network node
Abstract
An apparatus is equipped to receive network traffic data for network traffic routed through a number of routing devices with one or more degrees of separation from a network node. The network traffic data include at least network traffic data for network traffic destined for the network node which meet a traffic type selection criteria and are routed by the routing devices to the network node. The apparatus is further equipped to progressively regulate and de-regulate network traffic routing by the routing devices based at least in part on the received network traffic data and the degrees of separation of the routing devices from the network node. Regulation extends from routing devices with the lowest degree of separation from the network node to routing devices with the highest degree of separation, following in the reverse direction of the routing paths traversed by the packets to reach the network node. In one embodiment, the extension or push back is made one degree of separation at a time. In one embodiment, deregulation follows the reverse path, whereas in another embodiment, deregulation is determined and implemented locally, whenever regulation or the extent of regulation is no longer needed. In one embodiment, regulation is made in accordance with a not-to-exceed profile, and the not-to-exceed limit or limits are divided up as regulation extends away from the network node.
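The push-back and retreat order described in the abstract, as an added sketch that is not taken from the patent. The topology, traffic figures, `Director` class and method names are constructed for illustration, reports are assumed to measure offered load before limiting, and dividing each limit in proportion to reported traffic is an assumed policy (the abstract only says the limit is divided up).

```python
# Constructed topology: router -> (degree of separation, upstream routers one degree out)
TOPOLOGY = {
    "r1": (1, ["r2a", "r2b"]), "r2a": (2, ["r3a"]), "r2b": (2, ["r3b", "r3c"]),
    "r3a": (3, []), "r3b": (3, []), "r3c": (3, []),
}
# Constructed reports: Mbit/s of selected-type traffic destined for the node (offered load)
ATTACK = {"r1": 900, "r2a": 100, "r2b": 800, "r3a": 100, "r3b": 750, "r3c": 50}
CALM = {"r1": 60, "r2a": 30, "r2b": 30, "r3a": 30, "r3b": 20, "r3c": 10}

class Director:
    def __init__(self, topology, not_to_exceed):
        self.topology = topology
        self.not_to_exceed = not_to_exceed  # profile limit at the node
        self.limits = {}                    # router -> imposed bandwidth limit
        self.frontier = 0                   # highest degree currently regulated

    def _at(self, degree):
        return [r for r, (d, _) in self.topology.items() if d == degree]

    def push_back(self, reports):
        """Extend regulation one degree of separation away from the node."""
        if self.frontier == 0:
            groups = [(self.not_to_exceed, self._at(1))]
        else:  # reverse routing paths: upstreams of each router at the frontier
            groups = [(self.limits[r], self.topology[r][1]) for r in self._at(self.frontier)]
        groups = [(budget, routers) for budget, routers in groups if routers]
        if not groups:
            return False  # farthest subset is already regulated
        for budget, routers in groups:
            total = sum(reports[r] for r in routers)
            for r in routers:  # assumed policy: divide the limit by reported share
                share = reports[r] / total if total else 1 / len(routers)
                self.limits[r] = budget * share
        self.frontier += 1
        return True

    def retreat(self):
        """Lift the limits on the current outermost regulated subset."""
        for r in self._at(self.frontier):
            self.limits.pop(r, None)
        self.frontier = max(0, self.frontier - 1)

    def step(self, reports):
        """One control interval: push back while the profile is exceeded, else retreat."""
        if sum(reports[r] for r in self._at(1)) > self.not_to_exceed:
            self.push_back(reports)
        else:
            self.retreat()
        return dict(self.limits)
```

Calling `step` three times with `ATTACK` regulates degrees 1, 2 and 3 in turn with the limits at each degree summing to the node's profile; calling it with `CALM` then lifts limits from degree 3 back toward degree 1.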
60 Claims
1. A network comprising:
a network node;
a plurality of routing devices of one or more degrees of separation from said network node to route network traffics, including routing network traffics destined for said network node; and
a director coupled to said routing devices that, in response to a denial of service attack on said network node, progressively regulates network traffic routing by said routing devices based at least in part on their degrees of separation from said network node.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13
10. A network comprising:
a network node;
a plurality of routing devices of one or more degrees of separation from said network node to route network traffics including routing network traffics destined for said network node; and
a director coupled to said routing devices to progressively regulate network traffic routing by said routing devices based at least in part on their degrees of separation from said network node;
wherein the director is equipped to progressively regulate said routing devices, starting with a nearest subset of said routing devices, with the lowest degree of separation from said network node, and extending to a farthest subset of said routing devices, with the highest degree of separation from said network node, following in a reverse manner routing paths traversed by the network traffic to reach the network node;
wherein the director is also to progressively de-regulate network traffic routing by said routing devices based at least in part on their degrees of separation from said network node, following a reverse path of said progressive regulation;
wherein the director is equipped to progressively de-regulate regulation imposed on said routing devices, starting with a current outermost subset of said routing devices, with the highest degree of separation from said network node among the routing devices being regulated, and retreating to the nearest subset of said routing devices, with the lowest degree of separation from said network node; and
wherein the director is equipped to de-regulate regulation imposed on a routing device of said current outermost subset of routing devices with the highest degree of separation from said network node among routing devices being regulated, by lifting a network traffic bandwidth limit imposed on said routing device of the outermost subset for routing network traffic destined to said network node.
14. A method comprising:
receiving network traffic data describing network traffic routed through a plurality of routing devices with one or more degrees of separation from a network node, including at least network traffic data for network traffic destined for said network node routed by said routing devices to said network node; and
progressively regulating network traffic routing, in response to a denial of service attack on said network node, by said routing devices based at least in part on said received network traffic data and said degrees of separation of said routing devices from said network node.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26
23. A method comprising:
receiving network traffic data describing network traffic routed through a plurality of routing devices with one or more degrees of separation from a network node, including at least network traffic data for network traffic destined for said network node routed by said routing devices to said network node; and
progressively regulating network traffic routing by said routing devices based at least in part on said received network traffic data and said degrees of separation of said routing devices from said network node;
wherein the method further comprises progressively de-regulating network traffic routing by said routing devices based at least in part on their degrees of separation from said network node, following a reverse path of said progressive regulation;
wherein said progressive de-regulation comprises progressively de-regulating regulation imposed on said routing devices, starting with a current outermost subset of said routing devices with the highest degree of separation from said network node among the routing devices being regulated, and retreating to the nearest subset of said routing devices, with the lowest degree of separation from said network node; and
wherein said progressive de-regulation comprises de-regulating regulation imposed on a routing device of said current outermost subset of routing devices with the highest degree of separation from said network node among routing devices being regulated, by lifting a network traffic bandwidth limit imposed on said routing device of the outermost subset for routing network traffic destined to said network node.
27. A method comprising:
receiving network traffic reports, including network traffic type information, for network traffic routed through a plurality of routing devices and destined for a network node; and
progressively regulating network traffic routing, based at least in part on degrees of separation from said network node, in response to a denial of service attack on said network node, by network traffic type by said routing devices based at least in part on said received network traffic reports and said network traffic type information.
Dependent claims: 28, 29, 30, 31, 32, 33
34. An apparatus comprising:
(a) storage medium having stored therein a plurality of programming instructions designed to enable the apparatus to receive network traffic data describing network traffic routed through a plurality of routing devices with one or more degrees of separation from a network node, including at least network traffic data for network traffic destined for said network node routed by said routing devices to said network node, and to progressively regulate network traffic routing by said routing devices, in response to a denial of service attack on said network node, based at least in part on said received network traffic data and said degrees of separation of said routing devices from said network node; and
(b) at least one processor coupled to the storage medium to execute the programming instructions.
Dependent claims: 35, 36, 37, 38, 39, 40, 41, 42, 44, 45, 46
43. An apparatus comprising:
(a) storage medium having stored therein a plurality of programming instructions designed to enable the apparatus to receive network traffic data describing network traffic routed through a plurality of routing devices with one or more degrees of separation from a network node, including at least network traffic data for network traffic destined for said network node routed by said routing devices to said network node, and to progressively regulate network traffic routing by said routing devices based at least in part on said received network traffic data and said degrees of separation of said routing devices from said network node; and
(b) at least one processor coupled to the storage medium to execute the programming instructions;
wherein said programming instructions further enable the apparatus to progressively de-regulate network traffic routing by said routing devices based at least in part on their degrees of separation from said network node, following a reverse path of said progressive regulation;
wherein said programming instructions enable the apparatus to progressively de-regulate regulation imposed on said routing devices, starting with a current outermost subset of said routing devices, with the highest degree of separation from said network node among the routing devices being regulated, and retreating to the nearest subset of said routing devices, with the lowest degree of separation from said network node; and
wherein said programming instructions enable the apparatus to de-regulate regulation imposed on a routing device of said current outermost subset of routing devices with the highest degree of separation from said network node among routing devices being regulated, by lifting a network traffic bandwidth limit imposed on said routing device of the outermost subset for routing network traffic destined to said network node.
47. An apparatus comprising:
(a) storage medium having stored therein a plurality of programming instructions designed to enable the apparatus to receive network traffic data by network traffic types for network traffic routed through a plurality of routing devices, including at least network traffic data by network traffic types for network traffic destined for a network node routed by said routing devices to said network node; and
to progressively regulate network traffic routing by network traffic types by said routing devices, in response to a denial of service attack on said network node, based at least in part on said received network traffic data by network traffic types and degrees of separation from said network node; and
(b) at least one processor coupled to the storage medium to execute the programming instructions.
Dependent claims: 48, 49, 50, 51, 52, 53
54. A network comprising:
a network node having a network traffic profile governing a maximum amount of network traffics to be received by the network node;
a plurality of routing devices of one or more degrees of separation from said network node to route network traffics, for routing network traffics destined for said network node; and
a director coupled to said routing devices for reducing network traffics routed to said network node in response to said network traffics exceeding the network traffic profile, the director reducing the network traffics by first regulating network traffic routing by said routing devices at lower degrees of separation from said network node and then, if the network traffic profile is still being exceeded, reducing the network traffics by regulating network traffic routing by said routing devices at increasing degrees of separation from said network node.
Dependent claims: 55, 56, 57, 58, 59, 60