Network overload detection and mitigation system and method

US 7,478,429 B2
Filed: 10/01/2004
Issued: 01/13/2009
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A system for detecting and mitigating an attempted overload condition targeting one or more of a plurality of networked computer systems, comprising:

a network connection for receiving a volume of data, D_in, over a time period, P_in, from one or more first computers located on a network;

one or more attack mitigation modules for detecting data, directed to one or more of a plurality of second computers located on the network, that bears one or more characteristics determined to be associated with attempted overload conditions, the attack mitigation modules producing a volume of clean data from which all of the data detected to be bearing one or more of the characteristics determined to be associated with attempted overload conditions has been removed, D_out, over a time-period, P_out, wherein the time period, P_out, is equal to the time period, P_out; and

a meter for detecting the presence of a mitigated overload condition attempt when D_outdivided by P_outis substantially less than D_individed by P_in;

wherein the one or more attack mitigation modules function to remove the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions at least at a time before the meter has detected the presence of the mitigated overload condition attempt.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is disclosed for detecting and/or mitigating an overload condition from one or more first computers, such as a distributed denial of service (DDoS) attack, viral attack, or the like, targeting one or more of a plurality of second computers located on a network. While one or more DDoS attacks are mitigated, a meter, detection apparatus, software, or method, detects the condition being mitigated in a data cleaning center, and provides an alert or notification regarding the mitigated attack.

Another preferred embodiment relates, in general terms, to a system and method for detecting and/or mitigating an overload or attempted overload condition targeting a domain name server. A network connection is provided for receiving one or more DNS requests from one or more client computers located on a network. A preferred embodiment includes a processor for providing a response to the one or more DNS requests to the one or more client computers if more than a threshold number of duplicate DNS requests are received.

Another preferred embodiment relates, in general terms, to a system and method for detecting and/or mitigating an attempted overload condition targeting a networked computer system that uses a redirection module to divert data until it is deemed to be clean.

Citations

51 Claims

1. A system for detecting and mitigating an attempted overload condition targeting one or more of a plurality of networked computer systems, comprising:
- a network connection for receiving a volume of data, D_in, over a time period, P_in, from one or more first computers located on a network;
  
  one or more attack mitigation modules for detecting data, directed to one or more of a plurality of second computers located on the network, that bears one or more characteristics determined to be associated with attempted overload conditions, the attack mitigation modules producing a volume of clean data from which all of the data detected to be bearing one or more of the characteristics determined to be associated with attempted overload conditions has been removed, D_out, over a time-period, P_out, wherein the time period, P_out, is equal to the time period, P_out; and
  
  a meter for detecting the presence of a mitigated overload condition attempt when D_outdivided by P_outis substantially less than D_individed by P_in;
  
  wherein the one or more attack mitigation modules function to remove the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions at least at a time before the meter has detected the presence of the mitigated overload condition attempt.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 50)
- - 2. The system of claim 1, wherein the network connection sends the clean data, D_out, to the one or more second computers.
  - 3. The system of claim 2, wherein the network connection sends cached clean data, D_cache, to the one or more second computers in lieu of a portion of the received data, D_in.
  - 4. The system of claim 3, wherein D_outdivided by P_outis substantially less than D_individed by P_out, if ((D_outplus D_cache) divided by P_out) is less than (D_individed by P_in).
  - 5. The system of claim 1, wherein the time period, P_in, has a start time, and the time period, P_out, has a start time, wherein the start time of P_outoccurs after the start time of P_in, plus a latency time period, L, for processing of the received data, D_in, by the attack mitigation modules.
  - 6. The system of claim 1, wherein D_outdivided by P_outis substantially less than D_individed by P_inif (D_individed by P_in) minus (D_outdivided by P_out) is greater than a threshold value.
  - 7. The system of claim 1, wherein D_outdivided by P_inis substantially less than D_individed by P_inif (D_individed by P_out) minus (D_outdivided by P_out) is greater than 0.
  - 8. The system of claim 1, wherein the one or more first computers include one or more user computers.
  - 9. The system of claim 1, wherein the one or more second computers include one or more server computers.
  - 10. The system of claim 1, wherein the one or more first computers include one or more server computers.
  - 11. The system of claim 1, wherein the one or more second computers include one or more user computers.
  - 12. The system of claim 1, wherein the network comprises the Internet.
  - 13. The system of claim 1, wherein the meter measures the received data, D_in, and the clean data, D_out.
  - 14. The system of claim 1, further comprising one or more proxy servers to provide proxy services to the one or more second computers.
  - 15. The system of claim 14, further comprising a load balancing apparatus for load balancing the proxy servers.
  - 16. The system of claim 1, further comprising an alert apparatus to provide an alert if D_outdivided by P_outis substantially less than D_individed by P_in.
  - 17. The system of claim 16, wherein the alert apparatus provides an electronic mail alert.
  - 18. The system of claim 16, wherein the alert apparatus provides an audible alert.
  - 19. The system of claim 16, wherein the alert apparatus provides a visible alert.
  - 20. The system of claim 1, wherein the one or more attack mitigation modules includes a module that determines whether a number of duplicate HTTP GET commands that have been received exceeds a threshold value.
  - 21. The system of claim 1, wherein the one or more attack mitigation modules includes a module that determines whether a user agent header entry in an HTTP header of a data packet contains an alphabetical character, and if not, discards the data packet.
  - 22. The system of claim 1, wherein the one or more attack mitigation modules includes a module that determines whether a host value header entry exists in an HTTP header of a data packet, and if not, discards the data packet.
  - 50. The system of claim 1, wherein at least one attack mitigation module resides at the application layer.

23. A system for detecting an overload condition targeting one or more of a plurality of networked computer systems, comprising:
- a network connection for receiving a volume of data, D_in, over a time period, P_in, from attacking coputers located on a network; and
  
  a meter to detect the presence of an overload condition and data associated therewith, the overload condition being mitigated by one or more attack mitigation modules, the overload condition being directed to one or more of a plurality of target computers located on the network, the attack mitigation modules producing a volume of clean data from which all data detected to be bearing one or more characteristics determined to be associated with attempted overload conditions has been removed, D_out, over a time period, P_out, wherei the time period, P_out, is equal to the time period, P_in, the meter detecting the presence of the mitigated overload condition attempt when D_outdivided by P_outis substantially less than D_individed by P_in;
  
  wherein the one or more attack mitigation modules function to remove the data detected to be bearing the one or more characteristics determined to be assocated with attempted overload conditions at least at a time before the meter has detected the presence of the mitigated overload condition attempt.
- View Dependent Claims (24)
- - 24. The system of claim 23, wherein at least one attack mitigation module resides at the application layer.

25. A method for detecting and mitigating an attempted overload condition targeting one or more of a plurality of networked computer systems, comprising:
- receiving a volume of data, D_in, over a time period, P_in, from one or more first computers located on a network;
  
  detecting data, within the received data and directed to one or more of a plurality of second computers located on the network, that bears one or more characteristics determined to be associated with attempted overload conditions;
  
  producing a volume of clean data from which all data detected to be bearing one or more of the characteristics determined to be associated with attempted overload conditions has been removed, D_out, over a time period, P_out, wherein the time period, P_out, is equal to the time period, P_in; and
  
  detecting the presence of a mitigated overload condition attempt if D_outdivided by P_outis substantially less than D_individed by P_in;
  
  wherein removal of the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions occurs at least at a time before detecting the presence of the mitigated overload condition attempt.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 51)
- - 26. The method of claim 25, further comprising sending the clean data, D_out, to the one or more second computers.
  - 27. The method of claim 25, wherein the time period, P_in, has a start time, and the time period, P_out, has a start time, and wherein the staff time of P_outoccurs after the start time of P_in, plus a latency time period, L, for processing of the received data, D_in, by the attack mitigation modules.
  - 28. The method of claim 25, further comprising sending cached clean data, D_cache, to the one or more second computers in place of a portion of the received data, D_in.
  - 29. The method of claim 25, wherein D_outdivided by P_outis substantially less than D_individed by P_in, if ((D_outplus D_cache) divided by P_out) is less than (D_individed by P_in).
  - 30. The method of claim 25, wherein D_outdivided by P_outis substantially less than D_individed by P_in, if (D_individed by P_in) minus (D_outdivided by P_out) is greater than a threshold value.
  - 31. The method of claim 25, wherein D_outdivided by P_outis substantially less than D_individed by P_in, if (D_individed by P_in) minus (D_outdivided by P_out) is greater than 0.
  - 32. The method of claim 25, wherein the one or more first computers include one or more user computers.
  - 33. The method of claim 25, wherein the one or more second computers include one or more server computers.
  - 34. The method of claim 25, wherein the one or more first computers include one or more server computers.
  - 35. The method of claim 25, wherein the one or more second computers include one or more user computers.
  - 36. The method of claim 25, wherein the network comprises the Internet.
  - 37. The method of claim 25, further comprising providing proxy services to the one or more second computers.
  - 38. The method of claim 37, further comprising load balancing the proxy servers.
  - 39. The method of claim 25, wherein detecting data that bears one or more characteristics determined to be associated with attempted overload conditions comprises determining whether a number of duplicate HTTP GET commands that have been received exceeds a threshold value.
  - 40. The method of claim 25, wherein detecting data that bears one or more characteristics determined to be associated with attempted overload conditions comprises determining whether a user agent header entry in an HTTP header of a data packet contains an alphabetical character, and if not, discarding the data packet.
  - 41. The method of claim 25, wherein detecting data that bears one or more characteristics determined to be associated with attempted overload conditions comprises determining whether a host value header entry exists in an HTTP header of a data packet, and if not, discarding the data packet.
  - 51. The system of claim 25, wherein detecting data associated with the attempted overload condition comprises examining data at the application layer.

42. A system for detecting an attempted overload condition targeting one or more of a plurality of networked computer systems, comprising:
- a network connection for receiving a volume of data, D_in, over a time period, P_in, from one or more first computers located on a network; and
  
  a meter to detect the presence of an attempted overload condition and data associated therewith, the overload condition being mitigated by one or more attack mitigation modules, the attempted overload condition being directed to one or more of a plurality of second computers located on the network, the attack mitigation modules producing a volume of clean data from which all data detected to be bearing one or more characteristics determined to be associated with attempted overload conditions has been removed, D_out, over a time period, P_out, wherein the time period, P_out, is equal to the time period, P_in, the meter detecting the presence of the mitigated overload condition attempt when D_outdivided by P_outis substantially less than D_individed by P_in;
  
  wherein the one or more attack mitigation modules function to remove the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions at least at a time before the meter has detected the presence of the mitigated overload condition attempt.
- View Dependent Claims (43)
- - 43. The system of claim 42, wherein at least one attack mitigation module resides at the application layer.

44. A method for detecting an attempted overload condition targeting one or more of a plurality of networked computer systems, comprising:
- receiving a volume of data, D_in, over a time period, P_in, from one or more first computers located on a network; and
  
  detecting data, within the received data and directed to one or more of a plurality of second computers located on the network, that bears one or more characteristics determined to be associated with attempted overload conditions;
  
  wherein a volume of clean data from which all data detected to be associated with the attempted overload condition has been removed, D_out, is produced over a time period, P_out, wherein the time period, P_out, is equal to the time period, P_in;
  
  wherein detecting comprises determining the presence of the mitigated overload condition attempt if D_outdivided by P_outis substantially less than D_individed by P_in; and
  
  wherein removal of the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions occurs at least at a time before detecting the presence of the mitigated overload condition attempt.
- View Dependent Claims (45)
- - 45. The system of claim 44, wherein detecting data associated with the attempted overload condition comprises examining data at the application layer.

46. A system for mitigating an overload condition targeting one or more of a plurality of networked computer systems, comprising:
- a network connection for receiving a volume of data, D_in, over a time period, P_in, from one or more first computers located on a network; and
  
  a meter to detect the presence of an overload condition and data associated therewith, the overload condition being mitigated by one or more attack mitigation modules, the overload condition being directed to one or more of a plurality of second computers located on the network, the attack mitigation modules producing a volume of clean data from which all data detected to be bearing one or more characteristics determined to be associated with attempted overload conditions has been removed, D_out, over a time period, P_out, wherein the time period, P_out, is equal to the time period, P_in, the meter detecting the presence of the mitigated overload condition attempt when D_outdivided by P_outis substantially less than D_individed by P_in;
  
  wherein the one or more attack mitigation modules function to remove the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions at least at a time before the meter has detected the presence of the mitigated overload condition attempt.
- View Dependent Claims (47)
- - 47. The system of claim 46, wherein at least one attack mitigation module resides at the application layer.

48. A method for mitigating an overload condition targeting one or more of a plurality of networked computer systems, comprising:
- receiving a volume of data, D_in, over a time period, P_in, from one or more first computers located on a network;
  
  mitigating the overload condition using one or more of a plurality of mitigation modules, the overload condition being directed to one or more of a plurality of second computers located on the network, wherein a mitigation of the overload condition produces a volume of clean data from which all data that has been detected to be bearing one or more characteristics determined to be associated with attempted overload conditions has been removed, D_out, over a time period, P_out, wherein the time period, P_out, is equal to the time period, P_in; and
  
  determining the presence of the mitigated overload condition attempt if D_outdivided by P_outis substantially less than D_individed by P_in;
  
  wherein removal of the data detected to be bearing the one or more of the characteristics determined to be associated with attempted overload conditions occurs at least at a time before detecting the presence of the mitigated overload condition attempt.
- View Dependent Claims (49)
- - 49. The system of claim 48, wherein at least one attack mitigation module resides at the application layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies, Inc.
Original Assignee
Prolexic Technologies, Inc. (Akamai Technologies, Inc.)
Inventors
Lyon, Barrett
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Okoronkwo; Chinwendu C

Application Number

US10/956,721
Publication Number

US 20060075491A1
Time in Patent Office

1,565 Days
Field of Search

726/2, 726/22
US Class Current

726/23
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 65/103   in the network

H04L 65/104   in the network

H04L 65/1069   Session establishment or de...

H04L 65/1101   Session protocols

H04L 65/80   Responding to QoS

Network overload detection and mitigation system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Network overload detection and mitigation system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links