Coordinated thwarting of denial of service attacks
First Claim

1. A control system, comprising:
   a computer system to coordinate thwarting attacks on a data center that is coupled to a network the computer system comprising;
   a communication device, coupled to a physically separate network from the network that the data center is coupled to, to receive statistical data collected from network traffic flows collected by a plurality of monitors dispersed through the network that the data center is coupled to, with the monitors sending the statistical data collected from the network that the data center is coupled to over the physically separate network from the network that the plurality of monitors collect the statistical data from;
   with the computer system executing;
   a process to analyze the statistical data from the plurality of monitors to determine network traffic statistics that can identify malicious network traffic;
   a process to identify gateways on the monitoring network that are sources of malicious traffic destined for the data center; and
   a filtering process to eliminate the malicious traffic from entering the data center.
   Dependent claims: 2, 3, 4, 5, 6, 7
Abstract
A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.
94 Citations
23 Claims
8. A method, executed on a computer system, the method comprises:
   receiving by the computer system statistical data from a plurality of monitors, dispersed through a network, with the monitors sending the statistical data collected from the network over a second, different network, that is a physically separate network from the network that the plurality of monitors collect data from;
   analyzing in the computer system the statistical data from the plurality of monitors to determine network traffic statistics that can identify sources of malicious network traffic; and
   determining in the computer system a filtering process to install on devices in the network that the monitors collect data from to inhibit the malicious network traffic from entering a victim data center; and
   installing the filtering process on the devices to inhibit the malicious network traffic from entering the victim data center.
   Dependent claims: 9, 10, 11, 12, 13, 14, 15
16. A computer program product stored in a computer storage to coordinate an attack on a data center that is coupled to a network, the computer program product comprises instructions to cause a computer to:
   receive data from a plurality of monitors, dispersed through a first network that is coupled to the data center, with the monitors sending statistical data collected by the monitors from the first network over a second, different network, that is a physically separate network from the first network that the plurality of monitors collect data from;
   analyze the data from the plurality of monitors to determine network traffic statistics that can identify malicious network traffic;
   determine a filtering process to install on at least one device in the network that the monitors collect data from to inhibit the malicious traffic from entering the data center; and
   coordinate measures to locate and block a sources of the attack.
   Dependent claims: 17
18. A control center system, comprising:
   a computer system, configured as the control center to coordinate thwarting of attacks on a data center that is coupled to a first network, the control center executing;
   a communication process that executes on the computer system to receive statistical data from and send messages to a plurality of monitors dispersed through the network, with the communication process sending the messages and receiving the statistical data from the monitors over a second, different network, that is a physically separate network from the first network that the plurality of monitors collect data from; and
   an analysis process that executes on the computer system to analyze the statistical data from the plurality of monitors to determine network traffic statistics that can identify malicious network traffic and to send the messages to the monitors to control monitors in the network to coordinate thwarting an attack on the data center; and
   a process to aggregate traffic statistics from the plurality of monitors to use in coordinating measures to locate and block a sources of the attack.
   Dependent claims: 19, 20, 21, 22, 23
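The abstract and the independent claims above describe one architecture: monitors dispersed in the production network summarise traffic per ingress gateway, ship those summaries to a control center over a physically separate management network, and the control center aggregates them, picks out the gateways that are sourcing attack traffic toward the protected data center, and pushes filtering back to those gateways. The following Python is an added illustration of that control loop written for this page; it is not code from the patent or its assignee. The out-of-band network is modelled as a plain method call, and the field names, thresholds (a 5x volume multiple over baseline, an 80% SYN share, a 1000-packet floor) and the sample summaries are all constructed for the example.

```python
"""Toy control center for coordinated DoS mitigation (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSummary:
    """One monitor's per-window summary of traffic that crossed a gateway."""
    monitor_id: str
    gateway_id: str
    dst_prefix: str   # where the traffic is headed
    packets: int
    syn_packets: int  # TCP SYNs without a completed handshake


class ControlCenter:
    def __init__(self, victim_prefix, baseline_pkts, volume_ratio=5.0,
                 syn_fraction=0.8, min_packets=1000):
        self.victim_prefix = victim_prefix
        self.baseline_pkts = dict(baseline_pkts)  # normal packets/window per gateway
        self.volume_ratio = volume_ratio          # assumed: 5x baseline is anomalous
        self.syn_fraction = syn_fraction          # assumed: >=80% SYNs is a SYN flood
        self.min_packets = min_packets            # ignore gateways with too little data
        self._summaries = []

    def receive(self, summaries):
        """Entry point for summaries arriving over the out-of-band network.
        Only traffic destined for the protected prefix is kept."""
        self._summaries.extend(s for s in summaries
                               if s.dst_prefix == self.victim_prefix)

    def aggregate(self):
        """Sum statistics per gateway across every monitor that reported on it."""
        agg = defaultdict(lambda: {"packets": 0, "syn_packets": 0, "monitors": set()})
        for s in self._summaries:
            g = agg[s.gateway_id]
            g["packets"] += s.packets
            g["syn_packets"] += s.syn_packets
            g["monitors"].add(s.monitor_id)
        return dict(agg)

    def classify(self):
        """Map each anomalous gateway to the reason it was flagged."""
        verdicts = {}
        for gw, g in self.aggregate().items():
            if g["packets"] < self.min_packets:
                continue  # too little traffic to judge; avoids noisy verdicts
            syn_share = g["syn_packets"] / g["packets"]
            baseline = self.baseline_pkts.get(gw, 0)
            if syn_share >= self.syn_fraction:
                verdicts[gw] = "syn_flood"
            elif baseline and g["packets"] >= self.volume_ratio * baseline:
                verdicts[gw] = "volumetric"
        return verdicts

    def filter_rules(self):
        """Messages the control center would send back to each flagged gateway."""
        rules = []
        for gw, reason in sorted(self.classify().items()):
            match = {"dst": self.victim_prefix}
            if reason == "syn_flood":
                match.update(proto="tcp", flags="SYN")  # narrow the rule to the symptom
            rules.append({"gateway": gw, "match": match, "action": "rate-limit",
                          "reason": reason})
        return rules


# Constructed sample data: three monitors, four gateways, one 10-second window.
VICTIM = "198.51.100.0/24"
BASELINE = {"gw-a": 2000, "gw-b": 2000, "gw-c": 2000}
SAMPLE_SUMMARIES = [
    FlowSummary("mon-1", "gw-a", VICTIM, 2100, 120),        # normal
    FlowSummary("mon-1", "gw-b", VICTIM, 6000, 5500),       # SYN flood, seen by two monitors
    FlowSummary("mon-2", "gw-b", VICTIM, 6500, 6000),
    FlowSummary("mon-2", "gw-c", VICTIM, 15000, 500),       # volumetric, seen by two monitors
    FlowSummary("mon-3", "gw-c", VICTIM, 9000, 300),
    FlowSummary("mon-3", "gw-a", "203.0.113.0/24", 50000, 100),  # not toward the victim
    FlowSummary("mon-1", "gw-d", VICTIM, 500, 490),         # below the packet floor
]


def build_center():
    """Assemble the control center with the sample window loaded."""
    cc = ControlCenter(VICTIM, BASELINE)
    cc.receive(SAMPLE_SUMMARIES)
    return cc


if __name__ == "__main__":
    for rule in build_center().filter_rules():
        print(rule)
```

The example keeps the two decisions the claims separate: which gateways are attack sources (classify) and what filtering to install on them (filter_rules). Per-gateway baselines are the piece a real deployment has to earn from historical data; here they are simply assumed.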