Detecting network denial of service attacks

US 7,266,754 B2
Filed: 08/14/2003
Issued: 09/04/2007
Est. Priority Date: 08/14/2003
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:

receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;

incrementing a packet counter associated with a destination address of the flow if a specified first time has elapsed;

determining if the packet counter associated with the destination address is greater than a specified threshold value; and

generating a notification message when the packet counter has exceeded the threshold value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for detecting a suspicious packet flow in a packet-switched network comprises the computer-implemented step of receiving a first packet in which the SYN bit but not the ACK or RST bit of the packet'"'"'s TCP header is set. If a specified first time has elapsed, a packet counter associated with the destination address of the flow is incremented. A determination as to whether the packet counter is greater than a specified threshold values is made. If the packet counter is greater than the threshold value, a notification message is generated. In one embodiment, information identifying a packet flow is aggregated to an aggregation cache based on the destination address of the flow.

160 Citations

38 Claims

1. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
  
  incrementing a packet counter associated with a destination address of the flow if a specified first time has elapsed;
  
  determining if the packet counter associated with the destination address is greater than a specified threshold value; and
  
  generating a notification message when the packet counter has exceeded the threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as recited in claim 1, further comprising the step of:
    - caching information identifying the packet flow in an aggregation cache that aggregates packet flows based on destination address.
  - 3. A method as recited in claim 1, wherein:
    - the incrementing step is not performed if a second packet of the flow in which an ACK bit of the TCP header is set is received before the specified first time has elapsed.
  - 4. A method as recited in claim 1, further comprising the step of:
    - expiring the flow from a network flow data cache when the first time has elapsed.
  - 5. A method as recited in claim 1, further comprising the steps of:
    - receiving a second packet of the flow in which a RST bit of the TCP header is set;
      
      determining a time difference between when the first packet was received and when the second packet was received;
      
      incrementing a flow counter associated with the destination address of the flow if the time difference is less than a specified global connection uptime value;
      
      determining if the flow counter associated with the destination address is greater than a specified threshold value; and
      
      generating a notification message when the flow counter has exceeded the threshold value.
  - 6. A method as recited in claim 5, further comprising the steps of:
    - counting a number of packets received in the flow between the first packet and the second packet;
      
      determining whether the number of packets is less than a specified minimum threshold value;
      
      incrementing the flow counter if the number of packets is less than the threshold value.
  - 7. A method as recited in claim 6, further comprising the step of:
    - caching information identifying the packet flow in an aggregation cache that aggregates packet flows based on destination address if the number of packets is less than the specified minimum threshold value.
  - 8. A method as recited in claim 6, further comprising the step of:
    - expiring the flow from a network flow data cache if the time difference is less than the specified global connection uptime value or if the number of packets is less than the specified minimum threshold value.
  - 9. A method as recited in claim 5, wherein the message further comprises:
    - a source address, source port, protocol, destination port, and destination address of the flow;
      
      the flow counter; and
      
      the time difference.
  - 10. A method as recited in claim 5, further comprising the step of:
    - caching information identifying the packet flow in an aggregation cache that aggregates packet flows based on destination address if the time difference is less than the specified global connection uptime value.
  - 11. A method as recited in claim 5, further comprising the step of:
    - expiring the flow from a network flow data cache when a second time that is equal to the greater of the first time and the global connection uptime value has elapsed.
  - 12. A method as recited in claim 5, further comprising the step of:
    - expiring the flow from a network flow data cache if the time difference is less than the specified global connection uptime value.

13. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
  
  receiving a second packet of the flow in which a RST bit of the TCP header is set;
  
  determining a time difference between when the first packet was received and when the second packet was received;
  
  incrementing a flow counter associated with the destination address of the flow if the time difference is less than a specified global connection uptime value;
  
  determining if the flow counter associated with the destination address is greater than a specified threshold value; and
  
  generating a notification message when the flow counter has exceeded the threshold value.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. A method as recited in claim 13, further comprising the steps of:
    - counting a number of packets received in the flow between the first packet and the second packet;
      
      determining whether the number of packets is less than a specified minimum threshold value;
      
      incrementing the flow counter if the number of packets is less than the threshold value.
  - 15. A method as recited in claim 14, further comprising the step of:
    - caching information identifying the packet flow in an aggregation cache that aggregates packet flows based on destination address if the number of packets is less than the specified minimum threshold value.
  - 16. A method as recited in claim 14, further comprising the step of:
    - expiring the flow from a network flow data cache the time difference is less than the specified global connection uptime value or if the number of packets is less than the specified minimum threshold value.
  - 17. A method as recited in claim 13, wherein the message further comprises:
    - a source address, source port, protocol, destination port, and destination address of the flow;
      
      the flow counter; and
      
      the time difference.
  - 18. A method as recited in claim 13, further comprising the step of:
    - caching information identifying the packet flow in an aggregation cache that aggregates packet flows based on destination address if the time difference is less than the specified global connection uptime value.
  - 19. A method as recited in claim 13, further comprising the step of:
    - expiring the flow from a network flow data cache if the time difference is less than the specified global connection uptime value.

20. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving, at a router, a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
  
  incrementing a packet counter stored at the router and associated with a destination address of the flow if a specified first time has elapsed;
  
  determining if the packet counter associated with the destination address is greater than a specified threshold value; and
  
  generating a notification message when the packet counter has exceeded the threshold value.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 34, 37)
- - 21. A method as recited in claim 20, further comprising the step of:
    - caching information identifying the packet flow in a NetFlow aggregation cache stored at the router that aggregates packet flows based on destination address.
  - 22. A method as recited in claim 20, wherein:
    - the incrementing step is not performed if a second packet of the flow in which an ACK bit of the TCP header is set is received before the specified first time has elapsed.
  - 23. A method as recited in claim 20, further comprising the step of:
    - expiring the flow from a NetFlow cache stored at the router when the first time has elapsed.
  - 24. A method as recited in claim 20, further comprising the steps of:
    - receiving, at the router, a second packet of the flow in which a RST bit of the TCP header is set;
      
      determining a time difference between when the first packet was received and when the second packet was received;
      
      incrementing a flow counter stored at the router and associated with the destination address of the flow if the time difference is less than a specified global connection uptime value;
      
      determining if the flow counter associated with the destination address is greater than a specified threshold value; and
      
      generating a notification message when the flow counter has exceeded the threshold value.
  - 25. A method as recited in claim 24, further comprising the steps of:
    - counting a number of packets received at the router in the flow between the first packet and the second packet;
      
      determining whether the number of packets is less than a specified minimum threshold value;
      
      incrementing the flow counter if the number of packets is less than the threshold value.
  - 26. A method as recited in claim 25, further comprising the step of:
    - caching information identifying the packet flow in a NetFlow aggregation cache stored at the router that aggregates packet flows based on destination address if the number of packets is less than the specified minimum threshold value.
  - 27. A method as recited in claim 25, further comprising the step of:
    - expiring the flow from a NetFlow cache stored at the router if the time difference is less than the specified global connection uptime value or if the number of packets is less than the specified minimum threshold value.
  - 28. A method as recited in claim 27, further comprising the step of:
    - expiring the flow from a NetFlow cache stored at the router if the time difference is less than the specified global connection uptime value or if the number of packets is less than the specified minimum threshold value.
  - 29. A method as recited in claim 24, wherein the message further comprises:
    - a source address, source port, protocol, destination port, and destination address of the flow, wherein the source address and the destination address are Internet Protocol (IP) addresses;
      
      the flow counter; and
      
      the time difference.
  - 30. A method as recited in claim 24, further comprising the step of:
    - caching information identifying the packet flow in a NetFlow aggregation cache stored at the router that aggregates packet flows based on destination address if the time difference is less than the specified global connection uptime value.
  - 31. A method as recited in claim 24, further comprising the step of:
    - expiring the flow from a NetFlow cache stored at the router when a second time that is equal to the greater of the first time and the global connection uptime value has elapsed.
  - 32. A method as recited in claim 24, further comprising the step of:
    - expiring the flow from a NetFlow cache stored at the router if the time difference is less than the specified global connection uptime value.
  - 34. A method as recited in claim 32, further comprising the steps of:
    - counting a number of packets received at the router in the flow between the first packet and the second packet;
      
      determining whether the number of packets is less than a specified minimum threshold value;
      
      incrementing the flow counter if the number of packets is less than the threshold value.
  - 37. A method as recited in claim 34, further comprising the step of:
    - caching information identifying the packet flow in a NetFlow aggregation cache stored at the router that aggregates packet flows based on destination address if the number of packets is less than the specified minimum threshold value.

33. A method of detecting a suspicious packet flow in a packet-switched network, comprising the computer-implemented steps of:
- receiving, at a router, a first packet of a flow in which a SYN bit but not an ACK or RST bit of a TCP header is set;
  
  receiving, at the router, a second packet of the flow in which a RST bit of the TCP header is set;
  
  determining a time difference between when the first packet was received and when the second packet was received;
  
  incrementing a flow counter stored at the router and associated with the destination address of the flow if the time difference is less than a specified global connection uptime value;
  
  determining if the flow counter associated with the destination address is greater than a specified threshold value; and
  
  generating a notification message when the flow counter has exceeded the threshold value.
- View Dependent Claims (35, 36, 38)
- - 35. A method as recited in claim 33, wherein the message further comprises:
    - a source address, source port, protocol, destination port, and destination address of the flow, wherein the source address and the destination address are Internet Protocol (IP) addresses;
      
      the flow counter; and
      
      the time difference.
  - 36. A method as recited in claim 33, further comprising the step of:
    - caching information identifying the packet flow in a NetFlow aggregation cache stored at the router that aggregates packet flows based on destination address if the time difference is less than the specified global connection uptime value.
  - 38. A method as recited in claim 33, further comprising the step of:
    - expiring the flow from a NetFlow cache stored at the router if the time difference is less than the specified global connection uptime value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Valluri, Vamsidhar, Shah, Pritam, Ramesh, Chengelpet
Primary Examiner(s)
Lamarre; Guy J.

Application Number

US10/641,494
Publication Number

US 20050039104A1
Time in Patent Office

1,482 Days
Field of Search

714/776, 370/392, 370/401, 370/229, 726/13, 726/23, 709/229, 713/154
US Class Current

714/776
CPC Class Codes

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/163   In-band adaptation of TCP d...

H04L 69/22   Parsing or analysis of headers

Detecting network denial of service attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

160 Citations

38 Claims

Specification

Use Cases

Quick Links

Others

Detecting network denial of service attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

160 Citations

38 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others