Progressive and distributed regulation of selected network traffic destined for a network node

US 6,801,503 B1
Filed: 10/09/2000
Issued: 10/05/2004
Est. Priority Date: 10/09/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A network comprising:

a network node;

a plurality of routing devices of one or more degrees of separation from said network node to route network traffics, including routing network traffics destined for said network node; and

a director coupled to said routing devices that, in response to a denial of service attack on said network node, progressively regulates network traffic routing by said routing devices based at least in part on their degrees of separation from said network node.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus is equipped to receive network traffic data for network traffic routed through a number of routing devices with one or more degrees of separation from a network node. The network traffic data include at least network traffic data for network traffic destined for the network node which meet a traffic type selection criteria and are routed by the routing devices to the network node. The apparatus is further equipped to progressively regulate and de-regulate network traffic routing by the routing devices based at least in part on the received network traffic data and the degrees of separation of the routing devices from the network node. Regulation extends from routing devices with the lowest degree of separation from the network node to routing devices with the highest degree of separation, following in the reverse direction of the routing paths traversed by the packets to reach the network node. In one embodiment, the extension or push back is made one degree of separation at a time. In one embodiment, deregulation follows the reverse path, whereas in another embodiment, deregulation is determined and implemented locally, whenever regulation or the extent of regulation is no longer needed. In one embodiment, regulation is made in accordance with a not-to-exceed profile, and the not-to-exceed limit or limits are divided up as regulation extends away from the network node.

28 Citations

View as Search Results

60 Claims

1. A network comprising:
- a network node;
  
  a plurality of routing devices of one or more degrees of separation from said network node to route network traffics, including routing network traffics destined for said network node; and
  
  a director coupled to said routing devices that, in response to a denial of service attack on said network node, progressively regulates network traffic routing by said routing devices based at least in part on their degrees of separation from said network node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13)
- - 2. The network of claim 1, wherein the director is equipped to determine if routing of network traffic by said routing devices:
    - needs to be regulated;
      
      or, if regulation is already in progress, needs a change in the regulation.
  - 3. The network of claim 1, wherein the director is equipped to progressively regulate said routing devices, starting with a nearest subset of said routing devices, with the lowest degree of separation from said network node, and extending to a farthest subset of said routing devices, with the highest degree of separation from said network node, following in a reverse manner routing paths traversed by the network traffic to reach the network node.
  - 4. The network of claim 3, wherein the director is equipped to regulate said routing devices through at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing.
  - 5. The network of claim 3, wherein the director is equipped to regulate a subset of routing devices with n degrees of separation from said network node by apportioning a network traffic bandwidth of a routing device with n−
    - 1 degree of separation from said network node, and allocating the apportioned bandwidth to routing devices of said subset with n degrees of separation from said network node, which are to in turn route network traffic destined for said network node in accordance with the allocated bandwidth.
  - 6. The network of claim 3, wherein the director is also to progressively de-regulate network traffic routing by said routing devices based at least in part on their degrees of separation from said network node, following a reverse path of said progressive regulation.
  - 7. The network of claim 6, wherein the director is equipped to determine if regulation imposed on routing of network traffic by said routing devices needs to be de-regulated.
  - 8. The network of claim 6, wherein the director is equipped to progressively de-regulate regulation imposed on said routing devices, starting with a current outermost subset of said routing devices, with the highest degree of separation from said network node among the routing devices being regulated, and retreating to the nearest subset of said routing devices, with the lowest degree of separation from said network node.
  - 9. The network of claim 8, wherein the director is equipped to de-regulate at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing regulation imposed.
  - 11. The network of claim 1, wherein the director further bases said progressive regulation of network traffic routing by said routing device on network traffic type of the network traffic destined for said network node.
  - 12. The network of claim 11, wherein the director further bases said progressive regulation of network traffic routing by said routing devices on a desired not-to-exceed profile of network traffic by network traffic type to be routed to said network node.
  - 13. The network of claim 1, wherein the network further comprises a plurality of sensors selectively coupled to said routing devices or integrated with said routing devices to provide network traffic routing data of said routing devices to said director to facilitate said progressive regulation of said routing devices, the coupled sensors being also coupled to said director.

10. A network comprising:
- a network node;
  
  a plurality of routing devices of one or more degrees of separation from said network node to route network traffics including routing network traffics destined for said network node; and
  
  a director coupled to said routing devices to progressively regulate network traffic routing by said routing devices based at least in part on their degrees of separation from said network node;
  
  wherein the director is equipped to progressively regulate said routing devices, starting with a nearest subset of said routing devices, with the lowest degree of separation from said network node, and extending to a farthest subset of said routing devices, with the highest degree of separation from said network node, following in a reverse manner routine paths traversed by the network traffic to reach the network node;
  
  wherein the director is also to progressively de-regulate network traffic routing by said routing devices based at least in part on their degrees of separation from said network node, following a reverse path of said progressive regulation;
  
  wherein the director is equipped to progressively de-regulate regulation imposed on said routing devices, starting with a current outermost subset of said routing devices, with the highest degree of separation from said network node among the routing devices being regulated, and retreating to the nearest subset of said routing devices, with the lowest degree of separation from said network node; and
  
  wherein the director is equipped to de-regulate regulation imposed on a routing device of said current outermost subset of routing devices with the highest degree of separation from said network node among routing devices being regulated, by lifting a network traffic bandwidth limit imposed on said routing device of the outermost subset for routing network traffic destined to said network node.

14. A method comprising:
- receiving network traffic data describing network traffic routed through a plurality of routing devices with one or more degrees of separation from a network node, including at least network traffic data for network traffic destined for said network node routed by said routing devices to said network node; and
  
  progressively regulating network traffic routing, in response to a denial of service attack on said network node, by said routing devices based at least in part on said received network traffic data and said degrees of separation of said routing devices from said network node.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 24, 25, 26)
- - 15. The method of claim 14, wherein said progressive regulation comprises determining if routing of network traffic by said routing devices:
    - needs to be regulated;
      
      or, if regulation is already in progress, needs a change in the regulation.
  - 16. The method of claim 14, wherein said progressive regulation comprises progressively regulating said routing devices, starting with a nearest subset of said routing devices, with the lowest degree of separation from said network node, and extending to a farthest subset of said routing devices, with the highest degree of separation from said network node, following in a reverse manner routing paths traversed by said network traffic to reach said network node.
  - 17. The method of claim 16, wherein said progressive regulation comprises regulating said routing devices through at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing.
  - 18. The method of claim 16, wherein said progressive regulation comprises regulating a subset of routing devices with n degrees of separation from said network node by apportioning a network traffic bandwidth of a routing device with n−
    - 1 degree of separation from said network node, and allocating the apportioned bandwidth to routing devices of said subset with n degrees of separation from said network node, which are to in turn route network traffic destined for said network node in accordance with the allocated bandwidth.
  - 19. The method of claim 14, wherein the method further comprises progressively de-regulating network traffic routing by said routing devices based at least in part on their degrees of separation from said network node, following a reverse part of said progressive regulation.
  - 20. The method of claim 19, wherein said progressive de-regulation comprises determining if regulation imposed on routing of network traffic by said routing devices needs to be de-regulated.
  - 21. The method of claim 19, wherein said progressive de-regulation comprises progressively de-regulating regulation imposed on said routing devices, starting with a current outermost subset of said routing devices, with the highest degree of separation from said network node among the routing devices being regulated, and retreating to the nearest subset of said routing devices, with the lowest degree of separation from said network node.
  - 22. The method of claim 21, wherein said progressive de-regulation comprises de-regulating at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization and re-routing regulation imposed.
  - 24. The method of claim 14, wherein said progressive regulation of network traffic routing by said routing devices is to be performed further based on network traffic types of the network traffic destined for said network node.
  - 25. The method of claim 24, wherein said progressive regulation of network traffic routing by said routing devices is to be performed further based on a desired not-to-exceed profile of network traffic by network traffic types to be routed to said network node.
  - 26. The method of claim 14, wherein said receiving comprises receiving network traffic routing data of said routing devices from a plurality of sensors selectively coupled to said routing devices or integrated with said routing devices.

23. A method comprising:
- receiving network traffic data describing network traffic routed through a plurality of routing devices with one or more degrees of separation from a network node, including at least network traffic data for network traffic destined for said network node routed by said routine devices to said network node; and
  
  progressively regulating network traffic routing by said routing devices based at least in part on said received network traffic data and said degrees of separation of said routing devices from said network node;
  
  wherein the method further comprises progressively de-regulating network traffic routing by said routing devices based at least in part on their degrees of separation from said network node, following a reverse part of said progressive regulation;
  
  wherein said progressive de-regulation comprises progressively de-regulating regulation imposed on said routing devices, starting with a current outermost subset of said routing devices with the highest degree of separation from said network node among the routing devices being regulated, and retreating to the nearest subset of said routing devices, with the lowest degree of separation from said network node; and
  
  wherein said progressive de-regulation comprises de-regulating regulation imposed on a routing device of said current outermost subset of routing devices with the highest degree of separation from said network node among routing devices being regulated, by lifting a network traffic bandwidth limit imposed on said routing device of the outermost subset for routing network traffic destined to said network node.

27. A method comprising:
- receiving network traffic reports, including network traffic type information, for network traffic routed through a plurality of routing devices and destined for a network node; and
  
  progressively regulating network traffic routing, based at least in part on degrees of separation from said network node, in response to a denial of service attack on said network node, by network traffic type by said routing devices based at least in part on said received network traffic reports and said network traffic type information.
- View Dependent Claims (28, 29, 30, 31, 32, 33)
- - 28. The method of claim 27, wherein said regulating comprises determining if routing of network traffic of a network traffic type by said routing devices needs:
    - needs to be regulated;
      
      or, if regulation is already in progress, needs a change in the regulation.
  - 29. The method of claim 27, wherein said regulating comprises regulating said routing devices through at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing.
  - 30. The method of claim 27, wherein the method further comprises de-regulating network traffic routing by network traffic types by said routing devices based at least in part on said received network traffic data by network traffic types.
  - 31. The method of claim 30, wherein said de-regulating comprises determining if regulation imposed on routing of network traffic of a network traffic type by said routing devices needs to be de-regulated.
  - 32. The method of claim 30, wherein said de-regulation comprises de-regulating at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing regulation imposed.
  - 33. The method of claim 27, wherein said regulating of network traffic routing by network traffic type by said routing devices is to be performed further based on a desired not-to-exceed profile of network traffic by network traffic type to be routed to said network node.

34. An apparatus comprising:
- (a) storage medium having stored therein a plurality of programming instructions designed to enable the apparatus to receive network traffic data describing network traffic routed through a plurality of routing devices with one or more degrees of separation from a network node, including at least network traffic data for network traffic destined for said network node routed by said routing devices to said network node, and to progressively regulate network traffic routing by said routing devices, in response to a denial of service attack on said network node, based at least in part on said received network traffic data and said degrees of separation of said routing devices from said network node; and
  
  (b) at least one processor coupled the storage medium to execute the programming instructions.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 44, 45, 46)
- - 35. The apparatus of claim 34, wherein said programming instructions enable the apparatus to determine if routing of network traffic by said routing devices needs:
    - needs to be regulated;
      
      or, if regulation is already in progress, needs a change in the regulation.
  - 36. The apparatus of claim 34, wherein said programming instructions enable the apparatus to progressive regulating said routing devices, starting with a nearest subset of said routing devices, with the lowest degree of separation from said network node, and extending to a farthest subset of said routing devices, with the highest degree of separation from said network node, following in a reverse manner routing paths traversed by said network traffic to reach said network node.
  - 37. The apparatus of claim 36, wherein said programming instructions enable the apparatus to regulate said routing devices through at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing.
  - 38. The apparatus of claim 37, wherein said programming instructions enable the apparatus to regulate a subset of routing devices with n degrees of separation from said network node by apportioning a network traffic bandwidth of a routing device with n−
    - 1 degree of separation from said network node, and allocating the apportioned bandwidth to routing devices of said subset with n degrees of separation from said network node, which are to in turn route network, traffic destined for said network node in accordance with the allocated bandwidth.
  - 39. The apparatus of claim 34, wherein said programming instructions further enable the apparatus to progressively de-regulate network traffic routing by said routing devices based at least in part on their degrees of separation from said network node, following a reverse path of said progressive regulation.
  - 40. The apparatus of claim 39, wherein said programming instructions enable the apparatus to determine if regulation imposed on routing of network traffic by said routing devices needs to be de-regulated.
  - 41. The apparatus of claim 39, wherein said programming instructions enable the apparatus to progressively de-regulate regulation imposed on said routing devices, starting with a current outermost subset of said routing devices, with the highest degree of separation from said network node among the routing devices being regulated, and retreating to the nearest subset of said routing devices, with the lowest degree of separation from said network node.
  - 42. The apparatus of claim 41, wherein said programming instructions enable the apparatus to de-regulate at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing regulation imposed.
  - 44. The apparatus of claim 34, wherein said programming instructions enable the apparatus to further based said progressive regulation of network traffic routing by said routing devices on network traffic types of the network traffic destined for said network node.
  - 45. The apparatus of claim 44, wherein said programming instructions further enable the apparatus to further base said progressive regulation of network traffic routing by said routing devices on a desired not-to-exceed profile of network traffic by network traffic types to be routed to said network node.
  - 46. The apparatus of claim 34, wherein said programming instructions enable the apparatus to receive said network traffic routing data of said routing devices from a plurality of sensors selectively coupled to said routing devices or integrated with said routing devices.

43. An apparatus comprising:
- (a) storage medium having stored therein a plurality of programming instructions designed to enable the apparatus to receive network traffic data describing network traffic routed through a plurality of routing devices with one or more degrees of separation from a network node, including at least network traffic data for network traffic destined for said network node routed by said routing devices to said network node, and to progressively regulate network traffic routing by said routing devices based at least in part on said received network traffic data and said degrees of separation of said routing devices from said network node; and
  
  (b) at least one processor coupled the storage medium to execute the programming instructions;
  
  wherein said programming instructions further enable the apparatus to progressively de-regulate network traffic routing by said routing devices based at least in part on their degrees of separation from said network node, following a reverse path of said progressive regulation;
  
  wherein said programming instructions enable the apparatus to progressively de-regulate regulation imposed on said routing devices, starting with a current outermost subset of said routing devices, with the highest degree of separation from said network node among the routing devices being regulated, and retreating to the nearest subset of said routing devices, with the lowest degree of separation from said network node; and
  
  wherein said programming instructions enable the apparatus to de-regulate regulation imposed on a routing device of said current outermost subset of routing devices with the highest degree of separation from said network node among routing devices being regulated, by lifting a network traffic bandwidth limit imposed on said routing device of the outermost subset for routing network traffic destined to said network node.

47. An apparatus comprising:
- (a) storage medium having stored therein a plurality of programming instructions designed to enable the apparatus to receive network traffic data by network traffic types for network traffic routed through a plurality of routing devices, including at least network traffic data by network traffic types for network traffic destined for a network node routed by said routing devices to said network node; and
  
  to progressively regulate network traffic routing by network traffic types by said routing devices, in response to a denial of service attack on said network node, based at least in part on said received network traffic data by network traffic types and degrees of separation from said network node; and
  
  (b) at least one processor coupled the storage medium to execute the programming instructions.
- View Dependent Claims (48, 49, 50, 51, 52, 53)
- - 48. The apparatus of claim 47, wherein said programming instructions enable the apparatus to determine if routing of network traffic of a network traffic type by said routing devices needs:
    - needs to be regulated;
      
      or, if regulation is already in progress, needs a change in the regulation.
  - 49. The apparatus of claim 47, wherein said programming instructions enable the apparatus to regulate said routing devices through at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing.
  - 50. The apparatus of claim 47, wherein said programming instructions further enable the apparatus to de-regulate network traffic routing by network traffic types by said routing devices based at least in part on said received network traffic data by network traffic types.
  - 51. The apparatus of claim 50, wherein said programming instructions enable the apparatus to determine if regulation imposed on routing of network traffic of a network traffic type by said routing devices needs to be de-regulated.
  - 52. The apparatus of claim 50, wherein said programming instructions enable the apparatus to de-regulate at least a selected one of bandwidth allocation, rate limiting, traffic re-prioritization, and re-routing regulation imposed.
  - 53. The apparatus of claim 47, wherein said programming instructions enable the apparatus to further base said regulating of network traffic routing by network traffic type by said routing devices on a desired not-to-exceed profile of network traffic by network traffic type to be routed to said network node.

54. A network comprising:
- a network node having a network traffic profile governing a maximum amount of network traffics to be received by the network node;
  
  a plurality of routing devices of one or more degrees of separation from said network node to route network traffics, for routing network traffics destined for said network node; and
  
  a director coupled to said routing devices for reducing network traffics routed to said network node in response to said network traffics exceeding the network traffic profile, the director reducing the network traffics by first regulating network traffic routing by said routing devices at lower degrees of separation from said network node and then, if the network traffic profile is still being exceeded, reducing the network traffics by regulating network traffic routing by said routing devices at increasing degrees of separation from said network node.
- View Dependent Claims (55, 56, 57, 58, 59, 60)
- - 55. The network of claim 54, wherein the director is equipped to determine if routing of network traffic by said routing devices:
    - needs to be regulated;
      
      or, if regulation is already in progress, needs a change in the regulation.
  - 56. The network of claim 54, wherein the director regulates said routing devices, starting with a nearest subset of said routing devices, with the lowest degree of separation from said network node, and extending to a farthest subset of said routing devices, with the highest degree of separation from said network node, following in a reverse manner routing paths traversed by the network traffic to reach the network node.
  - 57. The network of claim 54, wherein the director regulates said routing devices through bandwidth allocation.
  - 58. The network of claim 54, wherein the director regulates said routing devices through rate limiting.
  - 59. The network of claim 54, wherein the director regulates said routing devices through traffic re-prioritization.
  - 60. The network of claim 54, wherein the director regulates said routing devices re-routing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Original Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Inventors
Anderson, Thomas E., Wetherall, David J., Savage, Stefan R.
Primary Examiner(s)
Kizou, Hassan
Assistant Examiner(s)
Levitan, Dmitry

Application Number

US09/685,518
Time in Patent Office

1,457 Days
Field of Search

370/229, 370/230, 370/230.1, 370/231, 370/232, 370/233, 370/234, 370/235, 370/236, 370/236.1, 370/236.2, 370/241, 370/241.1, 370/248, 370/250, 370/251, 370/252, 370/253, 709/223, 709/224, 709/226, 709/227, 709/228, 709/229, 709/238, 709/244
US Class Current

370/235
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/122   by diverting traffic away f...

H04L 47/19   at layers above the network...

H04L 47/20   Traffic policing

H04L 47/2433   Allocation of priorities to...

H04L 63/1458   Denial of Service

Progressive and distributed regulation of selected network traffic destined for a network node

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

60 Claims

Specification

Use Cases

Quick Links

Others

Progressive and distributed regulation of selected network traffic destined for a network node

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

60 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others