Apparatus and method for secure, automated response to distributed denial of service attacks
Abstract
An apparatus and method for secure, automated response to distributed denial of service (DDoS) attacks are described. The method includes receipt, by an Internet host, of notification of a DDoS attack. The Internet host then establishes security authentication with an upstream router from which the attack traffic, transmitted by one or more attack host computers, is received. The Internet host then transmits filter(s), generated based upon characteristics of the attack traffic, to the upstream router. Once the upstream router installs the filter(s), the attack traffic is dropped to terminate the DDoS attack. In addition, the router may determine upstream router(s) coupled to ports from which attack traffic is received, and securely forward the filter(s) to those upstream routers as a routing protocol update in order to drop the attack traffic at a point closer to a source of the DDoS attack.
351 Citations
35 Claims
1. A method comprising:
- receiving, by an Internet host, notification of a distributed denial of service (DDoS) attack;
- establishing security authentication with an upstream router from which attack traffic, transmitted by one or more attack host computers, is received; and
- once security authentication is established, transmitting one or more filters to the upstream router such that attack traffic is dropped by the upstream router to terminate the DDoS attack, wherein the upstream router includes an upstream router administrator programmed DDoS squelch time to live value to define an expiration time for the one or more filters.

Dependent claims: 2, 3, 4.

5. A method comprising:
- establishing security authentication of an Internet host under a distributed denial of service (DDoS) attack;
- receiving one or more filters from the Internet host;
- when security authentication is established, verifying that the one or more filters select only network traffic directed to the Internet host; and
- once verified, generating a filter expiration time for each filter based on an upstream router administrator programmed DDoS squelch time to live value, such that the filters are uninstalled once the expiration time expires;
- installing the one or more filters such that network traffic matching the one or more filters is prevented from reaching the Internet host.

Dependent claims: 6, 7, 8, 9, 10.

11. A method comprising:
- receiving a routing protocol update from a downstream router;
- selecting one or more filters from the routing protocol update received from the downstream router;
- establishing security authentication of the downstream router;
- once authentication is established, verifying that the one or more filters select only network traffic directed to the downstream router;
- once verified, generating a filter expiration time for each filter based on an upstream router administrator programmed DDoS squelch time to live value, such that the filters are uninstalled once the expiration time expires; and
- installing the one or more filters such that attack traffic matching the one or more filters is prevented from reaching the downstream router.

Dependent claims: 12, 13, 14.

15. An article of manufacture, comprising a machine readable storage medium having associated data wherein the data, when accessed, results in a machine to perform operations, comprising:
- receiving, by an Internet host, notification of a distributed denial of service (DDoS) attack;
- establishing security authentication with an upstream router from which attack traffic, transmitted by one or more attack host computers, is received; and
- once security authentication is established, transmitting one or more filters to the upstream router such that attack traffic is dropped by the upstream router to terminate the DDoS attack, wherein the upstream router includes an upstream router administrator programmed DDoS squelch time to live value to define an expiration time for the one or more filters.

Dependent claims: 16, 17, 18.

19. An article of manufacture, comprising a machine readable storage medium having associated data, wherein the data, when accessed, results in a machine to perform operations, comprising:
- establishing a security authentication of a downstream device;
- once security authentication is established, verifying that one or more filters from the downstream device select only network traffic directed to the downstream device; and
- once verified, generating a filter expiration time for each filter based on an upstream router administrator programmed DDoS squelch time to live value, such that the filters are uninstalled once the expiration time expires; and
- installing the one or more filters such that network traffic matching the one or more filters is prevented from reaching the downstream device.

Dependent claims: 20, 21, 22, 23, 24, 25.

26. An apparatus, comprising:
- a processor having circuitry to execute instructions;
- a control plane interface coupled to the processor, the control plane interface to receive packet processing filters, and to authenticate a source of the packet processing filters; and
- a storage device coupled to the processor, having sequences of instructions stored therein, which when executed by the processor cause the processor to: establish a security authentication of a downstream device; once security authentication is established, verify that one or more filters from the downstream device select only network traffic directed to the downstream device; once verified, generate a filter expiration time for each filter based on an upstream router administrator programmed DDoS squelch time to live value, such that the filters are uninstalled once the expiration time expires; and install the one or more filters such that network traffic matching the one or more filters is prevented from reaching the downstream device.

Dependent claims: 27, 28, 29, 30, 31, 32.

33. A system comprising:
- an Internet host;
- a wide area network; and
- a router coupled between the Internet host and the wide area network, the router having:
  - a processor having circuitry to execute instructions;
  - a control plane interface coupled to the processor, the control plane interface to receive packet processing filters, and to authenticate a source of the packet processing filters; and
  - a storage device coupled to the processor, having sequences of instructions stored therein, which when executed by the processor cause the processor to: establish security authentication of an Internet host under a distributed denial of service (DDoS) attack; receive one or more filters from the Internet host; when security authentication is established, verify that the one or more filters select only network traffic directed to the Internet host; and once verified, generate a filter expiration time for each filter based on a router administrator programmed DDoS squelch time to live value, such that the filters are uninstalled once the expiration time expires; and install the one or more filters such that network traffic matching the one or more filters is prevented from reaching the Internet host.

Dependent claims: 34, 35.

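The router-side procedure shared by claims 5, 11, 19, 26 and 33 (authenticate the downstream, verify that each filter selects only traffic destined to that downstream, stamp an expiration from the administrator-programmed squelch TTL, install, and uninstall once the TTL elapses), as an added Python model that is not the patent's own code. The HMAC-SHA256 shared-secret authentication, the per-downstream prefix table used for the "selects only traffic directed to the downstream" check, and all addresses and secrets are assumptions.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class Filter:
    dst: str                 # destination prefix under attack
    src: str = "0.0.0.0/0"   # attacking source prefix (any, by default)
    expires_at: float = 0.0  # stamped by the upstream router from its squelch TTL

def sign_filters(secret, filters):
    # Host side: HMAC-SHA256 over the canonical filter list (an assumed authentication scheme).
    msg = ";".join(f"{f.dst}|{f.src}" for f in filters).encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()

class UpstreamRouter:
    def __init__(self, squelch_ttl, secrets, downstream_prefixes):
        self.squelch_ttl = squelch_ttl        # administrator-programmed DDoS squelch TTL (seconds)
        self.secrets = secrets                # downstream id -> shared secret (assumed)
        self.prefixes = downstream_prefixes   # downstream id -> prefixes it legitimately owns
        self.installed = []

    def targets_only_downstream(self, peer, f):
        dst = ipaddress.ip_network(f.dst)
        return any(dst.subnet_of(ipaddress.ip_network(p)) for p in self.prefixes[peer])

    def receive_filters(self, peer, filters, tag, now):
        # Authenticate, verify, stamp expiration, install; returns the accepted filters.
        secret = self.secrets.get(peer)
        if secret is None or not hmac.compare_digest(sign_filters(secret, filters), tag):
            return []                         # authentication failed: install nothing
        accepted = []
        for f in filters:
            if not self.targets_only_downstream(peer, f):
                continue                      # would black-hole someone else's traffic
            f.expires_at = now + self.squelch_ttl
            self.installed.append(f)
            accepted.append(f)
        return accepted

    def expire(self, now):
        # Uninstall filters whose squelch TTL has elapsed; returns the count still installed.
        self.installed = [f for f in self.installed if f.expires_at > now]
        return len(self.installed)

    def forwards(self, src, dst, now):
        # Data-plane check: True if a packet src -> dst would be forwarded at time `now`.
        self.expire(now)
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return not any(d in ipaddress.ip_network(f.dst) and s in ipaddress.ip_network(f.src) for f in self.installed)
```

A filter whose destination lies outside the requester's own prefixes is silently dropped rather than installed, which is the check that stops an authenticated but misbehaving downstream from squelching a neighbour's traffic.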
Specification