Network overload detection and mitigation system and method
First Claim
1. A system for detecting and mitigating an attempted overload condition targeting one or more of a plurality of networked computer systems, comprising:
a network connection for receiving a volume of data, Din, over a time period, Pin, from one or more first computers located on a network;
one or more attack mitigation modules for detecting data, directed to one or more of a plurality of second computers located on the network, that bears one or more characteristics determined to be associated with attempted overload conditions, the attack mitigation modules producing a volume of clean data from which all of the data detected to be bearing one or more of the characteristics determined to be associated with attempted overload conditions has been removed, Dout, over a time-period, Pout, wherein the time period, Pout, is equal to the time period, Pout; and
a meter for detecting the presence of a mitigated overload condition attempt when Dout divided by Pout is substantially less than Din divided by Pin;
wherein the one or more attack mitigation modules function to remove the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions at least at a time before the meter has detected the presence of the mitigated overload condition attempt.
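The meter of claim 1 compares the clean egress rate (Dout/Pout) with the ingress rate (Din/Pin) over equal windows and flags a mitigated attack when the former is substantially below the latter. The following is an added illustration, not code from the patent or its assignee; it assumes byte counters sampled from a scrubbing center and quantifies "substantially less" as a configurable ratio (0.5 by default), which the patent itself does not fix.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WindowSample:
    """Counters observed by the data cleaning center over one measurement window."""
    d_in: int      # bytes received from the network (Din)
    p_in: float    # ingress window length in seconds (Pin)
    d_out: int     # bytes forwarded after the mitigation modules ran (Dout)
    p_out: float   # egress window length in seconds (Pout); the claim requires Pout == Pin


def mitigated_attack_detected(sample: WindowSample, threshold: float = 0.5) -> bool:
    """Meter check: clean rate 'substantially less' than ingress rate.

    'Substantially less' is an assumption here: Dout/Pout < threshold * Din/Pin.
    The mitigation has already removed the flagged traffic, so the meter only
    observes its effect after the fact, as the claim describes.
    """
    if sample.p_in <= 0 or sample.p_out <= 0:
        raise ValueError("window lengths must be positive")
    if abs(sample.p_in - sample.p_out) > 1e-9:
        raise ValueError("claim 1 requires the egress window Pout to equal Pin")
    if sample.d_in == 0:
        return False  # nothing arrived, so nothing could have been removed
    in_rate = sample.d_in / sample.p_in
    out_rate = sample.d_out / sample.p_out
    return out_rate < threshold * in_rate


def removed_fraction(sample: WindowSample) -> float:
    """Share of the ingress rate that the mitigation modules dropped in this window."""
    if sample.d_in == 0:
        return 0.0
    return 1.0 - (sample.d_out / sample.p_out) / (sample.d_in / sample.p_in)


def alerting_windows(samples, threshold: float = 0.5):
    """Run the meter over consecutive windows; return indices that should raise an alert."""
    return [i for i, s in enumerate(samples) if mitigated_attack_detected(s, threshold)]


# Constructed sample: five 10-second windows; windows 2 and 3 absorb a volumetric flood.
SAMPLES = [
    WindowSample(1_000_000, 10, 990_000, 10),      # baseline, ~1% removed
    WindowSample(1_200_000, 10, 1_150_000, 10),    # baseline
    WindowSample(50_000_000, 10, 1_100_000, 10),   # flood scrubbed: clean rate far below ingress
    WindowSample(48_000_000, 10, 1_050_000, 10),   # flood continues
    WindowSample(1_100_000, 10, 1_080_000, 10),    # attack over
]

if __name__ == "__main__":
    for i in alerting_windows(SAMPLES):
        print(f"window {i}: mitigated attack, {removed_fraction(SAMPLES[i]):.1%} of ingress removed")
```

Because the check only compares rates, benign drops by the same modules (for example a misconfigured filter) trigger the same alert, so the notification should carry the per-characteristic drop breakdown before anyone acts on it.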
Abstract
A system and method is disclosed for detecting and/or mitigating an overload condition from one or more first computers, such as a distributed denial of service (DDoS) attack, viral attack, or the like, targeting one or more of a plurality of second computers located on a network. While one or more DDoS attacks are mitigated, a meter, detection apparatus, software, or method, detects the condition being mitigated in a data cleaning center, and provides an alert or notification regarding the mitigated attack.
Another preferred embodiment relates, in general terms, to a system and method for detecting and/or mitigating an overload or attempted overload condition targeting a domain name server. A network connection is provided for receiving one or more DNS requests from one or more client computers located on a network. A preferred embodiment includes a processor for providing a response to the one or more DNS requests to the one or more client computers if more than a threshold number of duplicate DNS requests are received.
Another preferred embodiment relates, in general terms, to a system and method for detecting and/or mitigating an attempted overload condition targeting a networked computer system that uses a redirection module to divert data until it is deemed to be clean.
51 Claims

1. Independent claim; text as given under First Claim above. Dependent claims: 2 to 22 and 50.
23. A system for detecting an overload condition targeting one or more of a plurality of networked computer systems, comprising:
a network connection for receiving a volume of data, Din, over a time period, Pin, from attacking computers located on a network; and a meter to detect the presence of an overload condition and data associated therewith, the overload condition being mitigated by one or more attack mitigation modules, the overload condition being directed to one or more of a plurality of target computers located on the network, the attack mitigation modules producing a volume of clean data from which all data detected to be bearing one or more characteristics determined to be associated with attempted overload conditions has been removed, Dout, over a time period, Pout, wherein the time period, Pout, is equal to the time period, Pin, the meter detecting the presence of the mitigated overload condition attempt when Dout divided by Pout is substantially less than Din divided by Pin; wherein the one or more attack mitigation modules function to remove the data detected to be bearing the one or more characteristics determined to be associated with attempted overload conditions at least at a time before the meter has detected the presence of the mitigated overload condition attempt. Dependent claim: 24.
25. A method for detecting and mitigating an attempted overload condition targeting one or more of a plurality of networked computer systems, comprising:
receiving a volume of data, Din, over a time period, Pin, from one or more first computers located on a network; detecting data, within the received data and directed to one or more of a plurality of second computers located on the network, that bears one or more characteristics determined to be associated with attempted overload conditions; producing a volume of clean data from which all data detected to be bearing one or more of the characteristics determined to be associated with attempted overload conditions has been removed, Dout, over a time period, Pout, wherein the time period, Pout, is equal to the time period, Pin; and detecting the presence of a mitigated overload condition attempt if Dout divided by Pout is substantially less than Din divided by Pin; wherein removal of the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions occurs at least at a time before detecting the presence of the mitigated overload condition attempt. Dependent claims: 26 to 41 and 51.
42. A system for detecting an attempted overload condition targeting one or more of a plurality of networked computer systems, comprising:
a network connection for receiving a volume of data, Din, over a time period, Pin, from one or more first computers located on a network; and a meter to detect the presence of an attempted overload condition and data associated therewith, the overload condition being mitigated by one or more attack mitigation modules, the attempted overload condition being directed to one or more of a plurality of second computers located on the network, the attack mitigation modules producing a volume of clean data from which all data detected to be bearing one or more characteristics determined to be associated with attempted overload conditions has been removed, Dout, over a time period, Pout, wherein the time period, Pout, is equal to the time period, Pin, the meter detecting the presence of the mitigated overload condition attempt when Dout divided by Pout is substantially less than Din divided by Pin; wherein the one or more attack mitigation modules function to remove the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions at least at a time before the meter has detected the presence of the mitigated overload condition attempt. Dependent claim: 43.
44. A method for detecting an attempted overload condition targeting one or more of a plurality of networked computer systems, comprising:
receiving a volume of data, Din, over a time period, Pin, from one or more first computers located on a network; and detecting data, within the received data and directed to one or more of a plurality of second computers located on the network, that bears one or more characteristics determined to be associated with attempted overload conditions; wherein a volume of clean data from which all data detected to be associated with the attempted overload condition has been removed, Dout, is produced over a time period, Pout, wherein the time period, Pout, is equal to the time period, Pin; wherein detecting comprises determining the presence of the mitigated overload condition attempt if Dout divided by Pout is substantially less than Din divided by Pin; and wherein removal of the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions occurs at least at a time before detecting the presence of the mitigated overload condition attempt. Dependent claim: 45.
46. A system for mitigating an overload condition targeting one or more of a plurality of networked computer systems, comprising:
a network connection for receiving a volume of data, Din, over a time period, Pin, from one or more first computers located on a network; and a meter to detect the presence of an overload condition and data associated therewith, the overload condition being mitigated by one or more attack mitigation modules, the overload condition being directed to one or more of a plurality of second computers located on the network, the attack mitigation modules producing a volume of clean data from which all data detected to be bearing one or more characteristics determined to be associated with attempted overload conditions has been removed, Dout, over a time period, Pout, wherein the time period, Pout, is equal to the time period, Pin, the meter detecting the presence of the mitigated overload condition attempt when Dout divided by Pout is substantially less than Din divided by Pin; wherein the one or more attack mitigation modules function to remove the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions at least at a time before the meter has detected the presence of the mitigated overload condition attempt. Dependent claim: 47.
48. A method for mitigating an overload condition targeting one or more of a plurality of networked computer systems, comprising:
receiving a volume of data, Din, over a time period, Pin, from one or more first computers located on a network; mitigating the overload condition using one or more of a plurality of mitigation modules, the overload condition being directed to one or more of a plurality of second computers located on the network, wherein a mitigation of the overload condition produces a volume of clean data from which all data that has been detected to be bearing one or more characteristics determined to be associated with attempted overload conditions has been removed, Dout, over a time period, Pout, wherein the time period, Pout, is equal to the time period, Pin; and determining the presence of the mitigated overload condition attempt if Dout divided by Pout is substantially less than Din divided by Pin; wherein removal of the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions occurs at least at a time before detecting the presence of the mitigated overload condition attempt. Dependent claim: 49.