Method and apparatus for rate based denial of service attack detection and prevention

US 7,426,634 B2
Filed: 01/15/2004
Issued: 09/16/2008
Est. Priority Date: 04/22/2003
Status: Active Grant

First Claim

Patent Images

1. A digital computing apparatus capable of detecting and preventing a plurality of rate based and non rate based denial of service attacks, said apparatus comprising:

a media access controller (MAC) interface connected to an unprotected side of a network and to a protected side of the network;

a classification means operatively coupled to said MAC interface for classifying data packets received from the unprotected side of the network through said MAC interface according to Layer 2, Layer 3, and Layer 4 classifications, said classification means being capable of enforcing Layer 2, Layer 3, and Layer 4 accepted header syntax, wherein the classifying comprises isolating header values and performing hierarchical protocol classification;

a meter means operatively coupled to said classification means, said meter means having a plurality of meters and being capable of maintaining statistics of said attacks and determining whether a threshold has been reached;

a decision multiplexer means operatively coupled to said meter means, said decision multiplexer means being capable of accepting decisions from said plurality of meters and informing a single decision to said MAC interface;

an ager means capable of timing out flood states identified by said classification means or by said meter means, said ager means comprising a continuous learning mechanism for continuously learning and updating said statistics;

a source tracking mechanism multiplicatively incrementing count for sources that send identified flood data, thereby distinguishing said sources from others that send non-flood data;

a SYN flood detection and prevention mechanism having a support means for creating a plurality of legitimate IP addresses during normal operation when a TCP state of TCP connections through the MAC interface transitions to ESTABLISHED, wherein said SYN flood detection and prevention mechanism allows only said plurality of legitimate IP addresses to be stored during normal operation, wherein the TCP state of the TCP connections is maintained by a TCP state machine in the apparatus;

anda zombie flood detection and prevention mechanism havinga means for limiting connections from the MAC interface to said plurality of legitimate IP addresses stored during normal operation; and

a means for determining a threshold for said connections based on baseline traffic learned during normal operation;

wherein said support means for creating said plurality of legitimate IP addresses adds an IP address to said plurality of legitimate IP addresses when the TCP state of the TCP connections through the MAC interface transitions to “

established”

for the first time;

wherein said plurality of legitimate IP addresses comprises IP addresses which have established valid TCP connections through the MAC interface.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method and apparatus for detecting and preventing a plurality of denial of service (DOS) and distributed denial of service (DDOS) attacks. The apparatus includes classifiers for parsing packets; meters storing statistics for the classified packets and detecting flood thresholds; an Ager for maintaining timeouts; a decision multiplexer for multiplexing inputs from various meters and determines whether to allow or deny the packet; and a threshold estimation means for estimating thresholds based on past data from meters, baselines, trends and seasonality. The apparatus includes a PCI interface through which a host can interact, learn continuously and set thresholds in a continuous and adaptive manner so as to prevent rate based DOS and DDOS attacks. The apparatus includes a mechanism to track culprit sources at layer 2 and layer 3 through a multiplicative increment method.

64 Citations

View as Search Results

7 Claims

1. A digital computing apparatus capable of detecting and preventing a plurality of rate based and non rate based denial of service attacks, said apparatus comprising:
- a media access controller (MAC) interface connected to an unprotected side of a network and to a protected side of the network;
  
  a classification means operatively coupled to said MAC interface for classifying data packets received from the unprotected side of the network through said MAC interface according to Layer 2, Layer 3, and Layer 4 classifications, said classification means being capable of enforcing Layer 2, Layer 3, and Layer 4 accepted header syntax, wherein the classifying comprises isolating header values and performing hierarchical protocol classification;
  
  a meter means operatively coupled to said classification means, said meter means having a plurality of meters and being capable of maintaining statistics of said attacks and determining whether a threshold has been reached;
  
  a decision multiplexer means operatively coupled to said meter means, said decision multiplexer means being capable of accepting decisions from said plurality of meters and informing a single decision to said MAC interface;
  
  an ager means capable of timing out flood states identified by said classification means or by said meter means, said ager means comprising a continuous learning mechanism for continuously learning and updating said statistics;
  
  a source tracking mechanism multiplicatively incrementing count for sources that send identified flood data, thereby distinguishing said sources from others that send non-flood data;
  
  a SYN flood detection and prevention mechanism having a support means for creating a plurality of legitimate IP addresses during normal operation when a TCP state of TCP connections through the MAC interface transitions to ESTABLISHED, wherein said SYN flood detection and prevention mechanism allows only said plurality of legitimate IP addresses to be stored during normal operation, wherein the TCP state of the TCP connections is maintained by a TCP state machine in the apparatus;
  
  anda zombie flood detection and prevention mechanism havinga means for limiting connections from the MAC interface to said plurality of legitimate IP addresses stored during normal operation; and
  
  a means for determining a threshold for said connections based on baseline traffic learned during normal operation;
  
  wherein said support means for creating said plurality of legitimate IP addresses adds an IP address to said plurality of legitimate IP addresses when the TCP state of the TCP connections through the MAC interface transitions to “
  
  established”
  
  for the first time;
  
  wherein said plurality of legitimate IP addresses comprises IP addresses which have established valid TCP connections through the MAC interface.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein said plurality of meters detect and prevent rate based denial of service attacks selected from the group consisting of synchronization (SYN) flood, Transmission Control Protocol (TCP) flood, Internet Control and Message Protocol (ICMP) flood, User Datagram Protocol (UDP) flood, port scan, source flood, destination flood, broadcast flood, Address Resolution Protocol (ARP) flood, Reverse ARP (RARP) flood, multicast flood, Virtual Local Area Network (VLAN) flood, double encapsulated VLAN flood, protocol flood, Internet Protocol (IP) option flood, fragment flood, port flood, Layer 2 floods, Layer 3 floods, and Layer 4 floods.
  - 3. The apparatus of claim 2, wherein said rate based denial of service attacks are to an end node or from said end node to other nodes on the internet.
  - 4. The apparatus of claim 1, wherein said ager means monitors said statistics maintained by said plurality of meters.
  - 5. The apparatus of claim 4, wherein said plurality of meters identify whether a threshold of counts has been reached for a flood state corresponding to a packet header value.
  - 6. The apparatus of claim 5, wherein said plurality of meters inform said decision multiplexer means to block traffic with said packet header value.

7. A computer-implemented method for rate-based denial of service attack detection implemented at an apparatus positioned between a protected side of a network and an unprotected side of the network, the method comprising:
- receiving packets from the unprotected side of the network;
  
  classifying the received packets according to network layer 2, 3, 4 classification, wherein the classifying comprises isolating header values and performing hierarchical protocol classification;
  
  metering the classification to produce statistics related to multiple types of attacks;
  
  creating and storing a table of legitimate IP addresses during normal operation when a TCP state of TCP connections through the apparatus transitions to “
  
  established”
  
  ;
  
  detecting a SYN flood state;
  
  dropping at the apparatus packets from IP addresses not in the table of legitimate IP addresses during the detected SYN flood state;
  
  detecting a zombie flood state when a number of packets received at the apparatus from legitimate IP addresses exceeds a threshold; and
  
  dropping at the apparatus packets from IP addresses in the table of legitimate IP addresses during the detected zombie flood state;
  
  wherein creating and storing the table of legitimate IP addresses comprises;
  
  adding an IP address to the table of legitimate IP addresses when the TCP state of TCP connections through the apparatus transitions to “
  
  established”
  
  for the first time; and
  
  maintaining in the table of legitimate IP addresses a list of IP addresses which have established valid TCP connections through the apparatus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
IntruGuard Devices, Inc. (Fortinet Inc.)
Inventors
Jain, Hemant Kumar
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Shaifer Harriman; Dant B

Application Number

US10/759,799
Publication Number

US 20040215976A1
Time in Patent Office

1,706 Days
Field of Search

713/151, 726/22, 726/23, 726/11, 726/12, 709/230, 709/231, 709/233, 709/235
US Class Current

713/151
CPC Class Codes

H04L 2463/141 Denial of service attacks a...

H04L 63/1458 Denial of Service

Method and apparatus for rate based denial of service attack detection and prevention

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for rate based denial of service attack detection and prevention

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links