Detecting network denial of service attacks
First Claim
1. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- incrementing a packet counter associated with a destination address of the flow if a specified first time has elapsed;
- determining if the packet counter associated with the destination address is greater than a specified threshold value; and
- generating a notification message when the packet counter has exceeded the threshold value.
Abstract
A method for detecting a suspicious packet flow in a packet-switched network comprises the computer-implemented step of receiving a first packet in which the SYN bit but not the ACK or RST bit of the packet's TCP header is set. If a specified first time has elapsed, a packet counter associated with the destination address of the flow is incremented. A determination is made as to whether the packet counter is greater than a specified threshold value. If the packet counter is greater than the threshold value, a notification message is generated. In one embodiment, information identifying a packet flow is aggregated into an aggregation cache based on the destination address of the flow.
160 Citations
38 Claims
1. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- incrementing a packet counter associated with a destination address of the flow if a specified first time has elapsed;
- determining if the packet counter associated with the destination address is greater than a specified threshold value; and
- generating a notification message when the packet counter has exceeded the threshold value.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12.

13. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- receiving a second packet of the flow in which a RST bit of the TCP header is set;
- determining a time difference between when the first packet was received and when the second packet was received;
- incrementing a flow counter associated with the destination address of the flow if the time difference is less than a specified global connection uptime value;
- determining if the flow counter associated with the destination address is greater than a specified threshold value; and
- generating a notification message when the flow counter has exceeded the threshold value.

Dependent claims: 14, 15, 16, 17, 18, 19.

20. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving, at a router, a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- incrementing a packet counter stored at the router and associated with a destination address of the flow if a specified first time has elapsed;
- determining if the packet counter associated with the destination address is greater than a specified threshold value; and
- generating a notification message when the packet counter has exceeded the threshold value.

Dependent claims: 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 34, 37.

33. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving, at a router, a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
- receiving, at the router, a second packet of the flow in which a RST bit of the TCP header is set;
- determining a time difference between when the first packet was received and when the second packet was received;
- incrementing a flow counter stored at the router and associated with the destination address of the flow if the time difference is less than a specified global connection uptime value;
- determining if the flow counter associated with the destination address is greater than a specified threshold value; and
- generating a notification message when the flow counter has exceeded the threshold value.

Dependent claims: 35, 36, 38.
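As an added illustration (not code from the patent or its assignee), the two independent detection methods claimed above implemented in Python over a constructed packet trace: claim 1's per-destination counter of SYN-only packets once the "specified first time" has elapsed (assumed here to mean a SYN that is still unanswered after that long), and claim 13's counter of flows whose SYN is followed by an RST sooner than the global connection uptime value. Addresses, timings and the threshold are made up; the detector only tracks the client-to-server direction of each flow.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    ts: float            # receive time in seconds
    src: str
    dst: str
    syn: bool = False
    ack: bool = False
    rst: bool = False

@dataclass
class SynFloodDetector:
    half_open_secs: float   # claim 1 "specified first time": how long a SYN may stay unanswered (assumed meaning)
    uptime_secs: float      # claim 13 "global connection uptime value"
    threshold: int          # per-destination count above which a notification is generated
    pending: dict = field(default_factory=dict)         # (src, dst) -> timestamp of the SYN-only packet
    packet_counter: dict = field(default_factory=dict)  # dst -> half-open SYNs (claim 1)
    flow_counter: dict = field(default_factory=dict)    # dst -> short-lived SYN/RST flows (claim 13)
    notifications: list = field(default_factory=list)

    def observe(self, pkt: Packet) -> None:
        key = (pkt.src, pkt.dst)
        if pkt.syn and not (pkt.ack or pkt.rst):   # first packet of a flow: SYN only
            self.pending[key] = pkt.ts
        elif pkt.rst and key in self.pending:      # second packet of the flow: RST
            if pkt.ts - self.pending.pop(key) < self.uptime_secs:
                self._bump(self.flow_counter, pkt.dst, "short-lived SYN/RST flows")
        elif pkt.ack and key in self.pending:      # handshake progressed: no longer a suspect
            self.pending.pop(key)
    def expire(self, now: float) -> None:          # claim 1: count SYNs unanswered for too long
        for key, ts in list(self.pending.items()):
            if now - ts >= self.half_open_secs:
                self.pending.pop(key)
                self._bump(self.packet_counter, key[1], "half-open SYNs")
    def _bump(self, counter: dict, dst: str, what: str) -> None:
        counter[dst] = counter.get(dst, 0) + 1
        if counter[dst] > self.threshold:
            self.notifications.append(f"{dst}: {counter[dst]} {what} exceed threshold {self.threshold}")

def simulate() -> SynFloodDetector:               # replay a constructed trace (not a real capture)
    det = SynFloodDetector(half_open_secs=2.0, uptime_secs=1.0, threshold=3)
    trace = [Packet(0.1 * i, f"10.0.0.{i}", "192.0.2.10", syn=True) for i in range(5)]  # never answered
    trace += [Packet(0.5, "10.0.0.9", "192.0.2.10", syn=True), Packet(0.6, "10.0.0.9", "192.0.2.10", ack=True)]
    for i in range(4):                             # SYN answered by RST 0.2 s later: short-lived flows
        trace += [Packet(1.0, f"10.0.1.{i}", "192.0.2.20", syn=True), Packet(1.2, f"10.0.1.{i}", "192.0.2.20", rst=True)]
    trace += [Packet(1.0, "10.0.1.9", "192.0.2.20", syn=True), Packet(3.0, "10.0.1.9", "192.0.2.20", rst=True)]
    for pkt in trace: det.observe(pkt)
    det.expire(now=5.0)
    return det
```

Running `simulate()` yields five half-open SYNs counted against 192.0.2.10 and four short-lived flows against 192.0.2.20, producing three notifications in total; the completed handshake and the slow RST are not counted.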
Specification