Architecture to thwart denial of service attacks

US 7,213,264 B2
Filed: 01/31/2002
Issued: 05/01/2007
Est. Priority Date: 01/31/2002
Status: Expired due to Term

First Claim

Patent Images

1. A monitoring device disposed for thwarting denial of service attacks on a data center, the monitoring device comprising:

a plurality of probe devices that are coupled to links that couple the network to the data center and collect statistical information on packets that are sent over the links that couple the network to the data center;

a cluster head coupled to each of the plurality of probe devices, the cluster head receiving collected statistical information from the probe devices and determining from the collected information whether the data center is under a denial of service attack.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A monitoring device disposed for thwarting denial of service attacks on the data center is described. The monitoring device includes a plurality of probe devices that are disposed to collect statistical information on packets that are sent between the network and the data center and a cluster head coupled to each of the plurality of probe devices, the cluster head receiving collected statistical information from the probe devices and determining from the collected information whether the data center is under a denial of service attack.

82 Citations

View as Search Results

32 Claims

1. A monitoring device disposed for thwarting denial of service attacks on a data center, the monitoring device comprising:
- a plurality of probe devices that are coupled to links that couple the network to the data center and collect statistical information on packets that are sent over the links that couple the network to the data center;
  
  a cluster head coupled to each of the plurality of probe devices, the cluster head receiving collected statistical information from the probe devices and determining from the collected information whether the data center is under a denial of service attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The device of claim 1 wherein the cluster head is coupled to the plurality of probe devices through a dedicated, private network, that is a different network from the network being monitored.
  - 3. The device of claim 2 wherein the cluster head further comprises:
    - a communication process that sends statistics collected by the probe devices to a control center, and that receives queries or instructions from the control center.
  - 4. The device of claim 3 wherein the monitoring device is a gateway device and further comprises:
    - a process to install filters to thwart denial of service attacks by removing network traffic that is deemed part of an attack.
  - 5. The device of claim 1 wherein the probes are physically deployed in line in the links that couple the network to the data center with each of the probes deployed to monitor one or more links.
  - 6. The device of claim 1 wherein the probes execute a joining process that allows the probes to join the device.
  - 7. The device of claim 1 wherein the cluster head comprises a process to aggregate statistics collected from the probes and to produce logs and apply detection heuristics to the statistics collected from the probes.
  - 8. The device of claim 1 wherein the probes are coupled between the network and the data center to monitor traffic on links that couple the data center to the network.
  - 9. The device of claim 1 wherein the probes are scaleable and can dynamically join or leave the cluster.
  - 10. The device of claim 1 wherein the cluster head analyzes traffic on the links and treats the traffic on the monitored links as if the traffic originated on one virtual link.
  - 11. The device of claim 1 wherein at least one of the probes examines packets sent across the link that the at least one probe monitors and randomly chooses selected numbers of packets per second to pass to the cluster head.

12. A method of thwarting denial of service attacks on a victim data center coupled to a network comprises:
- monitoring network traffic through probes that are coupled to links between the victim data center and the network; and
  
  communicating data from the probes, over a dedicated network, to a cluster head device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12 further comprising:
    - communicating data from the cluster head device to a control center over a hardened network.
  - 14. The method of claim 12 further comprising:
    - analyzing network traffic statistics to identify malicious network traffic; and
      
      filtering network traffic, which is identified as malicious network traffic, during analyzing of the network traffic.
  - 15. The method of claim 12 further comprising providing the cluster head device and the probe devices as a clustered gateway.
  - 16. The method of claim 15 wherein when a new cluster probe seeks to join to the clustered gateway, the method further comprises:
    - dynamically discovering the new cluster probe that seeks to join the clustered gateway.
  - 17. The method of claim 12 further comprising:
    - performing intelligent traffic analysis and filtering to identify the malicious traffic and to eliminate the malicious traffic.
  - 18. The method of claim 17 wherein performing intelligent traffic analysis is controlled by the cluster head and filtering is performed by the probes.
  - 19. The method of claim 12 wherein monitoring comprises disposing the probes to monitor traffic on links that couple the data center to the network.

20. A gateway for thwarting denial of service attacks on a victim data center comprises:
- a cluster head; and
  
  a plurality of probes disposed to monitor links that couple a network and a victim data center, the probes collecting statistical data, for performance of intelligent traffic analysis and filtering by the probes, to identify malicious traffic for thwarting denial of service attacks.
- View Dependent Claims (21, 22)
- - 21. The gateway of claim 20 wherein the gateway includes a process to insert filters to discard packets that are deemed to be part of an attack.
  - 22. The device of claim 20 wherein the probes are coupled between the network and the data center to monitor traffic on links that couple the data center to the network.

23. A monitoring device disposed for thwarting denial of service attacks on a data center, the monitoring device comprising:
- a device that collects statistical information on packets that are sent between the network and the data center over a plurality of links and that produces statistical information from network traffic over the plurality of links to determine from the statistical information whether the data center is under a denial of service attack.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The monitoring device of claim 23 wherein the monitoring device is coupled to a control center through a hardened network.
  - 25. The device of claim 24 wherein the probes are coupled between the network and the data center to monitor traffic on links that couple the data center to the network.
  - 26. The monitoring device of claim 23 wherein the device further comprises:
    - a communication process that communicates statistics with a control center, and that receives queries or instructions from the control center.
  - 27. The monitoring device of claim 23 wherein the monitoring device is a gateway device and further comprises:
    - a process to install filters to thwart denial of service attacks by removing network traffic that is deemed part of an attack.
  - 28. The monitoring device of claim 27 wherein the gateway comprises:
    - a process to aggregate statistics collected from the various links and to produce logs and detection heuristics concerning the statistics collected from the probes.

29. A method of thwarting denial of service attacks on a victim data center coupled to a network comprises:
- monitoring network traffic over a plurality of links between the victim data center and the network; and
  
  communicating data to a control center, with communicating occurring over a redundant network that is a different network from the network being monitored.
- View Dependent Claims (30, 31, 32)
- - 30. The method of claim 29 wherein monitoring is performed by probe devices that sample network traffic at a constant rate.
  - 31. The method of claim 30 further comprising:
    - delivering the sampled network traffic by the probes to a clustered head for traffic analysis.
  - 32. The method of claim 31 wherein the probes send the sampled network traffic to the cluster head at a substantially constant rate irrespective of traffic on the monitored network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology Incorporated
Original Assignee
Mazu Networks, Inc. (Riverbed Technology Incorporated)
Inventors
Poletto, Massimiliano Antonio, Vlachos, Dimitri Stratton
Primary Examiner(s)
Smithers; Matthew

Application Number

US10/062,974
Publication Number

US 20030145231A1
Time in Patent Office

1,916 Days
Field of Search

713/201, 713/200, 713/154, 713/187, 726 22- 27
US Class Current

726/22
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Architecture to thwart denial of service attacks

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

82 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Architecture to thwart denial of service attacks

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links