Coordinated thwarting of denial of service attacks

US 7,278,159 B2
Filed: 08/16/2001
Issued: 10/02/2007
Est. Priority Date: 09/07/2000
Status: Expired due to Term

First Claim

Patent Images

1. A control system, comprising:

a computer system to coordinate thwarting attacks on a data center that is coupled to a network the computer system comprising;

a communication device, coupled to a physically separate network from the network that the data center is coupled to, to receive statistical data collected from network traffic flows collected by a plurality of monitors dispersed through the network that the data center is coupled to, with the monitors sending the statistical data collected from the network that the data center is coupled to over the physically separate network from the network that the plurality of monitors collect the statistical data from;

with the computer system executing;

a process to analyze the statistical data from the plurality of monitors to determine network traffic statistics that can identify malicious network traffic;

a process to identify gateways on the monitoring network that are sources of malicious traffic destined for the data center; and

a filtering process to eliminate the malicious traffic from entering the data center.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.

94 Citations

View as Search Results

23 Claims

1. A control system, comprising:
- a computer system to coordinate thwarting attacks on a data center that is coupled to a network the computer system comprising;
  
  a communication device, coupled to a physically separate network from the network that the data center is coupled to, to receive statistical data collected from network traffic flows collected by a plurality of monitors dispersed through the network that the data center is coupled to, with the monitors sending the statistical data collected from the network that the data center is coupled to over the physically separate network from the network that the plurality of monitors collect the statistical data from;
  
  with the computer system executing;
  
  a process to analyze the statistical data from the plurality of monitors to determine network traffic statistics that can identify malicious network traffic;
  
  a process to identify gateways on the monitoring network that are sources of malicious traffic destined for the data center; and
  
  a filtering process to eliminate the malicious traffic from entering the data center.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1 wherein the statistical data analyzed by the control center is sampled packet traffic and/or accumulated and collected statistical information about network flows.
  - 3. The system of claim 1 wherein the control center aggregates traffic information and coordinates measures to locate and block the sources of an attack.
  - 4. The system of claim 1 wherein the physically separate network is a telephone network.
  - 5. The system of claim 1 wherein monitors include gateways that are disposed at the victim data center and data collectors that are disposed in the network, and the analysis process executed or the control center analyzes the statistical data from gateways and data collectors dispersed throughout the network to determine gateways that are the sources for the malicious traffic.
  - 6. The system of claim 1 wherein the analysis process classifies attacks and determines a response based on the class of attack.
  - 7. The system of claim 6 wherein the classes of attack are denoted as low-grade with spoofing, low-grade without spoofing and high-grade whether spoofing or non-spoofing.

8. A method, executed on a computer system, the method comprises:
- receiving by the computer system statistical data from a plurality of monitors, dispersed through a network, with the monitors sending the statistical data collected from the network over a second, different network, that is a physically separate network from the network that the plurality of monitors collect data from;
  
  analyzing in the computer system the statistical data from the plurality of monitors to determine network traffic statistics that can identify sources of malicious network traffic; and
  
  determining in the computer system a filtering process to install on devices in the network that the monitors collect data from to inhibit the malicious network traffic from entering a victim data center; and
  
  installing the filtering process on the devices to inhibit the malicious network traffic from entering the victim data center.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8 further comprising:
    - aggregating in the computer system statistical data pertaining to network traffic information from the plurality of monitors and coordinating measures to locate and block the sources of an attack.
  - 10. The method of claim 8 wherein receiving and analyzing are performed by the computer system that is a control center coupled to the monitors via the second network.
  - 11. The method of claim 8 wherein the plurality of monitoring devices are data collectors dispersed throughout the network and at least one gateway device that is disposed adjacent the victim site to protect the victim and wherein analyzing comprises:
    - analyzing in the computer system data from the at least one gateway and the data collectors dispersed throughout the network.
  - 12. The method of claim 8 wherein analyzing comprises:
    - classifying attacks and determining a response based on the class of attack.
  - 13. The method of claim 12 wherein the classes of attack are denoted as low-grade with spoofing, low-grade without spoofing and high-grade whether spoofing or non-spoofing.
  - 14. The method of claim 12 further comprising:
    - sending requests to gateways and/or data collectors to send statistical data pertaining to network traffic flows to the control center.
  - 15. The method of claim 12 further comprising:
    - sending requests from the control center to gateways and/or data collectors for requests to install filters out malicious traffic.

16. A computer program product stored in a computer storage to coordinate an attack on a data center that is coupled to a network, the computer program product comprises instructions to cause a computer to:
- receive data from a plurality of monitors, dispersed through a first network that is coupled to the data center, with the monitors sending statistical data collected by the monitors from the first network over a second, different network, that is a physically separate network from the first network that the plurality of monitors collect data from;
  
  analyze the data from the plurality of monitors to determine network traffic statistics that can identify malicious network traffic;
  
  determine a filtering process to install on at least one device in the network that the monitors collect data from to inhibit the malicious traffic from entering the data center; and
  
  coordinate measures to locate and block a sources of the attack.
- View Dependent Claims (17)
- - 17. The computer program product of claim 16 wherein instructions to coordinate, comprises instructions to:
    - send messages to either automatically shutdown traffic having the victim'"'"'s destination address at appropriate gateways or identify appropriate network administrators to contact.

18. A control center system, comprising:
- a computer system, configured as the control center to coordinate thwarting of attacks on a data center that is coupled to a first network, the control center executing;
  
  a communication process that executes on the computer system to receive statistical data from and send messages to a plurality of monitors dispersed through the network, with the communication process sending the messages and receiving the statistical data from the monitors over a second, different network, that is a physically separate network from the first network that the plurality of monitors collect data from; and
  
  an analysis process that executes on the computer system to analyze the statistical data from the plurality of monitors to determine network traffic statistics that can identify malicious network traffic and to send the messages to the monitors to control monitors in the network to coordinate thwarting an attack on the data center; and
  
  a process to aggregate traffic statistics from the plurality of monitors to use in coordinating measures to locate and block a sources of the attack.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The system of claim 18 further comprising:
    - a process that executed on the computer system to select a filtering process to eliminate the malicious traffic from entering the data center.
  - 20. The system of claim 18 further comprising:
    - a process that executes on the computer system to classify attacks and determine a response based on the class of attack.
  - 21. The system of claim 18 wherein the classes of attack are denoted as a low-grade attack with spoofing, a low-grade attack without spoofing and a high-grade attack whether spoofing or non-spoofing.
  - 22. The system of claim 18, further comprising:
    - a process that sends requests to gateways and/or data collectors to send data back to the system pertaining to an attack.
  - 23. The system of claim 18 further comprising:
    - a process to send requests from the control center to gateways and/or data collectors to install filters to filter out attacking traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Mazu Networks, Inc. (Riverbed Technology Incorporated)
Inventors
Kohler, Edward W. Jr., Poletto, Massimiliano Antonio, Kaashoek, Marinus Frans, Morris, Robert T.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Shiferaw; Eleni A.

Application Number

US09/931,291
Publication Number

US 20020095492A1
Time in Patent Office

2,238 Days
Field of Search

713/200, 713/201, 713/160, 709223-229, 709/208, 709/220, 726 2- 4, 726 13- 14, 726 22- 25, 726/188
US Class Current

726/22
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 43/00   Arrangements for monitoring...

H04L 43/026   using flow identification

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Coordinated thwarting of denial of service attacks

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

94 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Coordinated thwarting of denial of service attacks

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links