Method and apparatus for rate based denial of service attack detection and prevention
First Claim
1. A digital computing apparatus capable of detecting and preventing a plurality of rate based and non rate based denial of service attacks, said apparatus comprising:
- a media access controller (MAC) interface connected to an unprotected side of a network and to a protected side of the network;
a classification means operatively coupled to said MAC interface for classifying data packets received from the unprotected side of the network through said MAC interface according to Layer 2, Layer 3, and Layer 4 classifications, said classification means being capable of enforcing Layer 2, Layer 3, and Layer 4 accepted header syntax, wherein the classifying comprises isolating header values and performing hierarchical protocol classification;
a meter means operatively coupled to said classification means, said meter means having a plurality of meters and being capable of maintaining statistics of said attacks and determining whether a threshold has been reached;
a decision multiplexer means operatively coupled to said meter means, said decision multiplexer means being capable of accepting decisions from said plurality of meters and informing a single decision to said MAC interface;
an ager means capable of timing out flood states identified by said classification means or by said meter means, said ager means comprising a continuous learning mechanism for continuously learning and updating said statistics;
a source tracking mechanism multiplicatively incrementing count for sources that send identified flood data, thereby distinguishing said sources from others that send non-flood data;
a SYN flood detection and prevention mechanism having a support means for creating a plurality of legitimate IP addresses during normal operation when a TCP state of TCP connections through the MAC interface transitions to ESTABLISHED, wherein said SYN flood detection and prevention mechanism allows only said plurality of legitimate IP addresses to be stored during normal operation, wherein the TCP state of the TCP connections is maintained by a TCP state machine in the apparatus;
anda zombie flood detection and prevention mechanism havinga means for limiting connections from the MAC interface to said plurality of legitimate IP addresses stored during normal operation; and
a means for determining a threshold for said connections based on baseline traffic learned during normal operation;
wherein said support means for creating said plurality of legitimate IP addresses adds an IP address to said plurality of legitimate IP addresses when the TCP state of the TCP connections through the MAC interface transitions to “
established”
for the first time;
wherein said plurality of legitimate IP addresses comprises IP addresses which have established valid TCP connections through the MAC interface.
3 Assignments
0 Petitions
Accused Products
Abstract
The present invention provides a method and apparatus for detecting and preventing a plurality of denial of service (DOS) and distributed denial of service (DDOS) attacks. The apparatus includes classifiers for parsing packets; meters storing statistics for the classified packets and detecting flood thresholds; an Ager for maintaining timeouts; a decision multiplexer for multiplexing inputs from various meters and determines whether to allow or deny the packet; and a threshold estimation means for estimating thresholds based on past data from meters, baselines, trends and seasonality. The apparatus includes a PCI interface through which a host can interact, learn continuously and set thresholds in a continuous and adaptive manner so as to prevent rate based DOS and DDOS attacks. The apparatus includes a mechanism to track culprit sources at layer 2 and layer 3 through a multiplicative increment method.
64 Citations
7 Claims
-
1. A digital computing apparatus capable of detecting and preventing a plurality of rate based and non rate based denial of service attacks, said apparatus comprising:
-
a media access controller (MAC) interface connected to an unprotected side of a network and to a protected side of the network; a classification means operatively coupled to said MAC interface for classifying data packets received from the unprotected side of the network through said MAC interface according to Layer 2, Layer 3, and Layer 4 classifications, said classification means being capable of enforcing Layer 2, Layer 3, and Layer 4 accepted header syntax, wherein the classifying comprises isolating header values and performing hierarchical protocol classification; a meter means operatively coupled to said classification means, said meter means having a plurality of meters and being capable of maintaining statistics of said attacks and determining whether a threshold has been reached; a decision multiplexer means operatively coupled to said meter means, said decision multiplexer means being capable of accepting decisions from said plurality of meters and informing a single decision to said MAC interface; an ager means capable of timing out flood states identified by said classification means or by said meter means, said ager means comprising a continuous learning mechanism for continuously learning and updating said statistics; a source tracking mechanism multiplicatively incrementing count for sources that send identified flood data, thereby distinguishing said sources from others that send non-flood data; a SYN flood detection and prevention mechanism having a support means for creating a plurality of legitimate IP addresses during normal operation when a TCP state of TCP connections through the MAC interface transitions to ESTABLISHED, wherein said SYN flood detection and prevention mechanism allows only said plurality of legitimate IP addresses to be stored during normal operation, wherein the TCP state of the TCP connections is maintained by a TCP state machine in the apparatus; and a zombie flood detection and prevention mechanism having a means for limiting connections from the MAC interface to said plurality of legitimate IP addresses stored during normal operation; and a means for determining a threshold for said connections based on baseline traffic learned during normal operation; wherein said support means for creating said plurality of legitimate IP addresses adds an IP address to said plurality of legitimate IP addresses when the TCP state of the TCP connections through the MAC interface transitions to “
established”
for the first time;wherein said plurality of legitimate IP addresses comprises IP addresses which have established valid TCP connections through the MAC interface. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A computer-implemented method for rate-based denial of service attack detection implemented at an apparatus positioned between a protected side of a network and an unprotected side of the network, the method comprising:
-
receiving packets from the unprotected side of the network; classifying the received packets according to network layer 2, 3, 4 classification, wherein the classifying comprises isolating header values and performing hierarchical protocol classification; metering the classification to produce statistics related to multiple types of attacks; creating and storing a table of legitimate IP addresses during normal operation when a TCP state of TCP connections through the apparatus transitions to “
established”
;detecting a SYN flood state; dropping at the apparatus packets from IP addresses not in the table of legitimate IP addresses during the detected SYN flood state; detecting a zombie flood state when a number of packets received at the apparatus from legitimate IP addresses exceeds a threshold; and dropping at the apparatus packets from IP addresses in the table of legitimate IP addresses during the detected zombie flood state; wherein creating and storing the table of legitimate IP addresses comprises; adding an IP address to the table of legitimate IP addresses when the TCP state of TCP connections through the apparatus transitions to “
established”
for the first time; andmaintaining in the table of legitimate IP addresses a list of IP addresses which have established valid TCP connections through the apparatus.
-
Specification