System and method for implementing traffic management based on network resources

US 7,536,452 B1
Filed: 10/08/2003
Issued: 05/19/2009
Est. Priority Date: 10/08/2003
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus, comprising:

an intrusion detection system (IDS) module coupled to a main central processing unit (CPU), the main CPU being operable to communicate a copy of one or more incoming packets to the IDS module, the IDS module having an IDS CPU, the IDS module operable to;

determine that the IDS CPU has reached a particular threshold indicating that the IDS module is low on a resource;

identify a volume associated with the incoming packets in response to the determination; and

communicate feedback information to the main CPU, the feedback information signaling that the IDS module is low on the resource, the main CPU operable to respond to the feedback information by restricting a number of additional incoming packets that are received by the main CPU.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for implementing traffic management is provided that includes communicating a copy of one or more incoming packets and identifying a volume associated with the incoming packets in order to communicate feedback information to a main central processing unit (CPU), the feedback information signaling that an intrusion detection system (IDS) module is expending a designated amount of resources. The feedback information may be responded to by restricting a number of additional incoming packets that are received by the main CPU.

25 Citations

View as Search Results

28 Claims

1. An apparatus, comprising:
- an intrusion detection system (IDS) module coupled to a main central processing unit (CPU), the main CPU being operable to communicate a copy of one or more incoming packets to the IDS module, the IDS module having an IDS CPU, the IDS module operable to;
  
  determine that the IDS CPU has reached a particular threshold indicating that the IDS module is low on a resource;
  
  identify a volume associated with the incoming packets in response to the determination; and
  
  communicate feedback information to the main CPU, the feedback information signaling that the IDS module is low on the resource, the main CPU operable to respond to the feedback information by restricting a number of additional incoming packets that are received by the main CPU.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the IDS module is operable to identify a plurality of thresholds, one or more of which are operable to trigger the feedback information to be communicated to the main CPU by the IDS module, the one or more thresholds each representing volume levels reflecting an amount of incoming packets that are received by the IDS module, and wherein the main CPU is operable to increase the volume associated with the incoming packets in response to receiving additional feedback from the IDS module.
  - 3. The apparatus of claim 1, wherein the IDS module communicates with the main CPU based on a selected one of a router blade control protocol (RBCP) and a simple network management protocol (SNMP).
  - 4. The apparatus of claim 1, wherein the IDS module is operable to communicate an alarm to a network management element that signals that the IDS module has reached a certain volume level associated with an amount of incoming packets received.
  - 5. The apparatus of claim 1, wherein the IDS module is operable to execute a transmission control protocol (TCP) reset in order to indicate an attack is being seen from a source address such that a connection corresponding to the source address may be torn down.
  - 6. The apparatus of claim 1, wherein the IDS module is operable to block a source location by establishing an access control list (ACL) that includes the source location, wherein communications associated with the source location are restricted as a result of being included on the ACL.
  - 7. The apparatus of claim 1, wherein the IDS module and the main CPU are included in a network element, the network element being selected from a group of elements consisting of:
    - (a) a router;
      
      (b) a bridge;
      
      (c) a switch;
      
      (d) a loadbalancer;
      
      (e) a processor; and
      
      (f) a gateway.

8. A method for implementing traffic management, comprising:
- receiving, at an intrusion detection system (IDS) module, a copy of one or more incoming packets from a main central processing unit (CPU), the IDS module having an IDS CPU;
  
  determining that the IDS CPU has reached a particular threshold indicating that the IDS module is low on a resource;
  
  identifying a volume associated with the incoming packets in response to the determination;
  
  communicating feedback information to the main CPU, the feedback information signaling that the IDS module is low on the resource; and
  
  responding to the feedback information by restricting a number of additional incoming packets that are received by the main CPU.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising:
    - identifying a plurality of thresholds, one or more of which are operable to trigger the feedback information to be communicated to the main CPU by the IDS module, the one or more thresholds each representing volume levels of incoming packets that are received by the IDS module.
  - 10. The method of claim 8, wherein the IDS module communicates with the main CPU based on a selected one of a router blade control protocol (RBCP) and a simple network management protocol (SNMP).
  - 11. The method of claim 8, further comprising:
    - communicating an alarm to a network management element that signals that the IDS module has reached a certain volume level associated with an amount of incoming packets received.
  - 12. The method of claim 8, further comprising:
    - executing a transmission control protocol (TCP) reset in order to indicate an attack is being seen from a source address such that a connection corresponding to the source address may be torn down.
  - 13. The method of claim 8, further comprising:
    - blocking a source location by establishing an access control list (ACL) that includes the source location, wherein communications associated with the source location are restricted as a result of being included on the ACL.
  - 14. The method of claim 8, further comprising:
    - increasing the volume associated with the incoming packets based on additional feedback being received from the IDS module, the additional feedback reflecting a reduced volume associated with the incoming packets.

15. A computer hardware system for implementing traffic management, comprising:
- means for receiving, at an intrusion detection system (IDS) module, a copy of one or more incoming packets from a main central processing unit (CPU), the IDS module having an IDS CPU;
  
  means for determining that the IDS CPU has reached a particular threshold indicating that the IDS module is low on a resource;
  
  means for identifying a volume associated with the incoming packets in response to the determination;
  
  means for communicating feedback information to the main CPU, the feedback information signaling that the IDS module is low on the resource; and
  
  means for responding to the feedback information by restricting a number of additional incoming packets that are received by the main CPU.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer hardware system of claim 15, further comprising:
    - means for identifying a plurality of thresholds, one or more of which are operable to trigger the feedback information to be communicated to the main CPU by the IDS module, the one or more thresholds each representing volume levels of incoming packets that are received by the IDS module.
  - 17. The computer hardware system of claim 15, wherein the IDS module communicates with the main CPU based on a selected one of a router blade control protocol (RBCP) and a simple network management protocol (SNMP).
  - 18. The computer hardware system of claim 15, further comprising:
    - means for communicating an alarm to a network management element that signals that the IDS module has reached a certain volume level associated with an amount of incoming packets received.
  - 19. The computer hardware system of claim 15, further comprising:
    - means for executing a transmission control protocol (TCP) reset in order to indicate an attack is being seen from a source address such that a connection corresponding to the source address may be torn down.
  - 20. The computer hardware system of claim 15, further comprising:
    - means for blocking a source location by establishing an access control list (ACL) that includes the source location, wherein communications associated with the source location are restricted as a result of being included on the ACL.
  - 21. The computer hardware system of claim 15, further comprising:
    - means for increasing the volume associated with the incoming packets based on additional feedback being received from the IDS module, the additional feedback reflecting a reduced volume associated with the incoming packets.

22. A computer-readable storage medium having instructions stored thereon, the instructions when executed by one or more central processing units (CPUs) are operable to:
- receive, at an intrusion detection system (IDS) module, a copy of one or more incoming packets from a main central processing unit (CPU), the IDS module having an IDS CPU;
  
  determine that the IDS CPU has reached a particular threshold indicating that the IDS module is low on a resource;
  
  identify a volume associated with the incoming packets in response to the determination;
  
  communicate feedback information to the main CPU, the feedback information signaling that the IDS module is low on the resource; and
  
  respond to the feedback information by restricting a number of additional incoming packets that are received by the main CPU.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The medium of claim 22, the instructions further operable to:
    - identify a plurality of thresholds, one or more of which are operable to trigger the feedback information to be communicated to the main CPU by the IDS module, the one or more thresholds each representing volume levels of incoming packets that are received by the IDS module.
  - 24. The medium of claim 22, wherein the IDS module communicates with the main CPU based on a selected one of a router blade control protocol (RBCP) and a simple network management protocol (SNMP).
  - 25. The medium of claim 22, the instructions further operable to:
    - communicate an alarm to a network management element that signals that the IDS module has reached a certain volume level associated with an amount of incoming packets received.
  - 26. The medium of claim 22, the instructions further operable to:
    - execute a transmission control protocol (TCP) reset in order to indicate an attack is being seen from a source address such that a connection corresponding to the source address may be torn down.
  - 27. The medium of claim 22, the instructions further operable to:
    - block a source location by establishing an access control list (ACL) that includes the source location, wherein communications associated with the source location are restricted as a result of being included on the ACL.
  - 28. The medium of claim 22, the instructions further operable to:
    - increase the volume associated with the incoming packets based on additional feedback being received from the IDS module, the additional feedback reflecting a reduced volume associated with the incoming packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Cao, Jue, Marcais, Philippe J.
Primary Examiner(s)
JEAN GILLES, JUDE

Application Number

US10/680,945
Time in Patent Office

2,050 Days
Field of Search

709203-204, 709223-224, 709/229
US Class Current

709/223
CPC Class Codes

H04L 45/00   Routing or path finding of ...

H04L 63/0263   Rule management

H04L 63/1408   by monitoring network traff...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

System and method for implementing traffic management based on network resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for implementing traffic management based on network resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links