Dynamic DoS flooding protection
First Claim
1. A method of protecting against a computer network denial of service flooding attack, comprising:
determining that data packets deemed responsible for a denial of service flooding condition have been received at a first network location;
establishing a filter that prevents the data packets deemed responsible for the denial of service flooding condition from being forwarded from the first network location;
monitoring a flow of data packets received at the first location to determine whether the flow of data packets exhibits legitimate behavior, such that the flow of data packets that exhibits legitimate behavior is deemed to originate from a legitimate source that is not responsible for the denial of service flooding condition; and
modifying the filter to filter increasingly specific portions of network address space of the data packet source wherein a corresponding greater portion of the data packets that originate from a legitimate source are not filtered and are forwarded from the first network location.
14 Assignments
0 Petitions
Abstract
Detecting and protecting against denial of service flooding attacks that are initiated against an end system on a computer network. In accordance with one aspect of the invention, a filter is established at a network location. The filter prevents data packets received at a first network location and deemed responsible for the denial of service flooding condition from being forwarded to a subsequent network location. Data packets received at the first network location are then monitored to determine whether the flow of data packets from any network source exhibits legitimate behavior, such as where the flow of data packets exhibits a backoff behavior. The filter is then modified to permit data packets that exhibit legitimate behavior to pass through the filter.
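The abstract and claim 1 describe the mechanism in prose only: install a coarse filter at the first network location, keep observing per-source flows at that location, treat a source that backs off as legitimate, and then narrow the filter to increasingly specific prefixes so that the legitimate source is forwarded again while the flooding sources stay blocked. The following is an added example (not code from the patent or its assignee) that simulates that loop in Python. The addresses, per-interval packet counts, the flood threshold, the backoff ratio and the number of intervals of sustained backoff are all constructed or assumed; "backoff behavior" is interpreted here as a source whose rate keeps falling after it is filtered, which is one reading of the abstract, and the narrowing step is implemented with the standard library's address_exclude, which is this example's choice rather than anything the patent specifies.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input (hypothetical addresses, not from the patent): packets seen
# from each source in successive monitoring intervals after the filter is installed.
# 10.1.2.7 halves its rate every interval (backoff -> legitimate); 10.1.2.9 and
# 10.1.3.4 keep flooding at a roughly constant rate.
SAMPLE_INTERVALS = [
    {"10.1.2.7": 800, "10.1.2.9": 5000, "10.1.3.4": 5000},
    {"10.1.2.7": 400, "10.1.2.9": 5100, "10.1.3.4": 4900},
    {"10.1.2.7": 200, "10.1.2.9": 5000, "10.1.3.4": 5000},
    {"10.1.2.7": 100, "10.1.2.9": 4950, "10.1.3.4": 5050},
]

FLOOD_THRESHOLD = 1000       # packets/interval that marks a source as flooding (assumed)
BACKOFF_RATIO = 0.75         # each interval must be <= 75% of the previous one (assumed)
MIN_BACKOFF_INTERVALS = 3    # intervals of sustained backoff before a source is trusted


def initial_filter(flooding_sources):
    """Coarse filter: the smallest single prefix covering every flooding source.
    Legitimate hosts inside that prefix are collateral damage until the filter is refined."""
    addrs = sorted(ipaddress.ip_address(s) for s in flooding_sources)
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()      # widen by one bit until all attackers fit
    return [net]


def exhibits_backoff(history):
    """Legitimate behaviour in the sense of the abstract: a source that keeps reducing
    its rate once filtered (TCP-style backoff), unlike a flooder sending at a constant rate."""
    if len(history) < MIN_BACKOFF_INTERVALS:
        return False
    recent = history[-MIN_BACKOFF_INTERVALS:]
    return all(cur <= prev * BACKOFF_RATIO for prev, cur in zip(recent, recent[1:]))


def is_blocked(filter_nets, src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in filter_nets)


def refine_filter(filter_nets, legit_src):
    """Narrow the filter: every prefix that covers legit_src is replaced by the more
    specific prefixes that cover everything in it except legit_src, so the attackers
    stay blocked while the legitimate host is forwarded again."""
    host = ipaddress.ip_network(f"{legit_src}/32")
    refined = []
    for net in filter_nets:
        if host.subnet_of(net):
            refined.extend(net.address_exclude(host))
        else:
            refined.append(net)
    return sorted(refined)


def run_protection(intervals):
    """Run the method over the sample intervals. Returns the final filter and, per
    interval, the sources whose packets were forwarded past the filter."""
    flooding = [s for s, n in intervals[0].items() if n > FLOOD_THRESHOLD]
    filter_nets = initial_filter(flooding)
    history = defaultdict(list)
    forwarded_log = []
    for counts in intervals:
        for src, n in counts.items():
            history[src].append(n)   # packets are still observed at the device while blocked
            if is_blocked(filter_nets, src) and exhibits_backoff(history[src]):
                filter_nets = refine_filter(filter_nets, src)
        forwarded_log.append(sorted(s for s in counts if not is_blocked(filter_nets, s)))
    return filter_nets, forwarded_log


if __name__ == "__main__":
    final, log = run_protection(SAMPLE_INTERVALS)
    for i, fwd in enumerate(log):
        print(f"interval {i}: forwarded {fwd or 'nothing'}")
    print("final filter:", [str(n) for n in final])
```

With the sample above the coarse filter is 10.1.2.0/23, which blocks the legitimate host along with both flooders; after three intervals of backoff the filter is split into nine more specific prefixes that cover every address of the /23 except 10.1.2.7, so only that host is forwarded again. Two practical caveats: the per-source counts have to be taken at the filtering device itself, since that is the only place where blocked flows are still visible, and a backoff test is a heuristic that an attacker who deliberately ramps down a subset of sources can game, so it belongs alongside other legitimacy checks rather than in place of them.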
133 Citations
15 Claims
1. A method of protecting against a computer network denial of service flooding attack, comprising:
determining that data packets deemed responsible for a denial of service flooding condition have been received at a first network location;
establishing a filter that prevents the data packets deemed responsible for the denial of service flooding condition from being forwarded from the first network location;
monitoring a flow of data packets received at the first location to determine whether the flow of data packets exhibits legitimate behavior, such that the flow of data packets that exhibits legitimate behavior is deemed to originate from a legitimate source that is not responsible for the denial of service flooding condition; and
modifying the filter to filter increasingly specific portions of network address space of the data packet source wherein a corresponding greater portion of the data packets that originate from a legitimate source are not filtered and are forwarded from the first network location.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A network device for responding to a denial of service flooding attack against an end-system, the network device comprising:
a network interface that permits the device to intercept data packets bound for the end-system;
a memory in which instructions and data are stored; and
a processor, coupled to the memory, such that the processor receives the instructions stored in the memory and executes the instructions to perform operations for responding to a denial of service flooding attack, the operations comprising:
determining that data packets deemed responsible for a denial of service flooding condition have been received at the network device;
establishing a filter that prevents data packets deemed responsible for the denial of service flooding condition from being forwarded from the first network device;
monitoring a flow of data packets received at the first network device to determine whether the flow of data packets exhibits legitimate behavior, such that the flow of data packets that exhibits legitimate behavior is determined to originate from a legitimate source that is not responsible for the denial of service flooding condition; and
modifying the filter to filter increasingly specific portions of network address space of the data packet source wherein a corresponding greater portion of the data packets that originate from a legitimate source are not filtered and are forwarded from the first network device.
Dependent claims: 11, 12, 13, 14
15. A program product for use in a computer network device that executes program steps recorded in a computer-readable media to perform a method of protecting against a computer network denial of service attack, the program product comprising:
a recordable media; and
computer-readable instructions recorded on the recordable media comprising instructions executable by the computer to perform operations comprising:
determining that data packets deemed responsible for a denial of service flooding condition have been received at a first network location;
establishing a filter that prevents data packets deemed responsible for the denial of service flooding condition from being forwarded from the first network location;
monitoring a flow of data packets received at the first location to determine whether the flow of data packets exhibits legitimate behavior, such that the flow of data packets that exhibits legitimate behavior is determined to originate from a legitimate source that is not responsible for the denial of service flooding condition; and
modifying the filter to filter increasingly specific portions of network address space of the data packet source wherein a corresponding greater portion of the data packets that originate from a legitimate source are not filtered and are forwarded from the first network location.
Specification