Method and apparatus for limiting denial of service attack by limiting traffic for hosts
First Claim
1. A method for controlling a denial of service attack on a host comprising:
receiving a plurality of packets from a network;
identifying an attacking host based on a severity level of the denial of service (DOS) attack from the network;
automatically re-configuring, in response to the identifying, a classifier to forward each of the plurality of packets associated with the attacking host to a temporary data structure associated with the severity level of the DOS attack, wherein the classifier is located on a physical network interface card operatively connected to the host, wherein the temporary data structure is one of a plurality of temporary data structures on the host, wherein each of the plurality of temporary data structures is associated with one of a plurality of severity levels, and wherein the attacking host is identified using an identifying attack characteristic;
identifying, by the classifier, each of the plurality of packets associated with the identifying attack characteristic;
forwarding each of the identified plurality of packets associated with the identifying attack characteristic to the temporary data structure;
requesting, by the host, a number of packets from the temporary data structure to be placed in a virtual serialization queue, wherein the virtual serialization queue is associated with the temporary data structure;
forwarding the number of packets to the virtual serialization queue; and
creating a virtual network stack prior to receiving the plurality of packets from the network, wherein the virtual serialization queue is associated with a virtual network stack matching the severity level;
wherein creating the virtual network stack comprises:
creating the virtual serialization queue;
binding the virtual serialization queue to a central processing unit;
binding the virtual serialization queue to a packet destination;
creating a virtual network interface card (NIC);
binding the virtual serialization queue to the virtual NIC and a virtual protocol stack to obtain the virtual network stack; and
specifying the severity level associated with the virtual serialization queue.
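The claim describes a pull-based containment path: a classifier on the NIC steers packets bearing the identifying attack characteristic into a temporary data structure chosen by severity level, and the virtual serialization queue for that level requests only a bounded number of packets at a time, so a flood neither starves legitimate traffic nor monopolizes the host CPU. The Python model below is an added illustration of that mechanism and is not the patent's or any vendor's implementation; the severity thresholds, ring capacities, batch sizes, addresses and sample traffic are all constructed, and the hardware classifier is replaced by a dictionary lookup.

```python
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal packet header; only the source address is classified here (constructed)."""
    src: str
    dst_port: int
    length: int = 64


@dataclass
class TemporaryDataStructure:
    """Bounded ring for one severity level. Assumption: on overflow the packet is
    dropped at the ring instead of being handed to the host; that is what confines
    the flood to the ring."""
    severity: int
    capacity: int
    packets: Deque[Packet] = field(default_factory=deque)
    dropped: int = 0

    def push(self, pkt: Packet) -> bool:
        if len(self.packets) >= self.capacity:
            self.dropped += 1
            return False
        self.packets.append(pkt)
        return True

    def take(self, n: int) -> List[Packet]:
        batch: List[Packet] = []
        while self.packets and len(batch) < n:
            batch.append(self.packets.popleft())
        return batch


@dataclass
class VirtualSerializationQueue:
    """Created before any traffic arrives and bound to a CPU, a destination and a
    severity. It pulls packets from its ring; the ring never pushes into it."""
    severity: int
    cpu: int
    destination: str
    batch_size: int                      # packets per request; smaller at higher severity
    delivered: List[Packet] = field(default_factory=list)

    def request(self, ring: TemporaryDataStructure) -> int:
        batch = ring.take(self.batch_size)
        self.delivered.extend(batch)
        return len(batch)


class Classifier:
    """Software stand-in for the NIC classifier: source address -> severity (0 = normal)."""

    def __init__(self) -> None:
        self.rules: Dict[str, int] = {}

    def reconfigure(self, attacker_src: str, severity: int) -> None:
        self.rules[attacker_src] = severity

    def classify(self, pkt: Packet) -> int:
        return self.rules.get(pkt.src, 0)


def identify_attacker(window: List[Packet],
                      thresholds: List[Tuple[int, int]]) -> Optional[Tuple[str, int]]:
    """Constructed heuristic: the busiest source in the window is the attacker and its
    severity is the highest level whose packet-count threshold it crosses.
    thresholds is a list of (min_count, severity), highest severity first."""
    counts = Counter(p.src for p in window)
    if not counts:
        return None
    src, n = counts.most_common(1)[0]
    for min_count, severity in thresholds:
        if n >= min_count:
            return src, severity
    return None


class Host:
    def __init__(self, levels: Dict[int, Tuple[int, int]]) -> None:
        # levels: severity -> (ring capacity, VSQ batch size); every stack exists before traffic
        self.classifier = Classifier()
        self.rings = {s: TemporaryDataStructure(s, cap) for s, (cap, _) in levels.items()}
        self.vsqs = {s: VirtualSerializationQueue(s, cpu=s, destination=f"svc-sev{s}",
                                                  batch_size=batch)
                     for s, (_, batch) in levels.items()}

    def receive(self, packets: List[Packet]) -> None:
        for pkt in packets:
            self.rings[self.classifier.classify(pkt)].push(pkt)

    def poll_all(self) -> Dict[int, int]:
        """One request from every VSQ; returns packets delivered per severity level."""
        return {s: vsq.request(self.rings[s]) for s, vsq in self.vsqs.items()}


def run_demo() -> dict:
    host = Host({0: (1024, 64), 1: (256, 16), 2: (64, 4)})
    # constructed traffic: one legitimate client and one flooding source
    window = ([Packet("10.0.0.5", 443) for _ in range(20)]
              + [Packet("198.51.100.7", 443) for _ in range(200)])
    found = identify_attacker(window, [(150, 2), (50, 1)])
    if found:
        host.classifier.reconfigure(*found)   # the "automatically re-configuring" step
    host.receive(window)
    polled = host.poll_all()
    return {
        "attacker": found,
        "polled": polled,
        "dropped": {s: r.dropped for s, r in host.rings.items()},
        "queued": {s: len(r.packets) for s, r in host.rings.items()},
    }


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the flooding source confined to the severity-2 ring: only 64 of its 200 packets are admitted, the host drains 4 of them per request, and the legitimate client's 20 packets are delivered in full from the normal ring. A real deployment would key the classifier on whatever characteristic identified the attacker (address, port, protocol) and program it into the NIC rather than into a software table.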
Abstract
A method for controlling a denial of service attack involves receiving a plurality of packets from a network, identifying an attacking host based on a severity level of the denial of service attack from the network, wherein the attacking host is identified by an identifying attack characteristic associated with one of the plurality of packets associated with the attacking host, analyzing each of the plurality of packets by a classifier to determine to which of a plurality of temporary data structures each of the plurality of packets is forwarded, forwarding each of the plurality of packets associated with the identifying attack characteristic to one of the plurality of temporary data structures matching the severity level of the denial of service attack as determined by the classifier, requesting a number of packets from the one of the plurality of temporary data structures matching the severity level by the virtual serialization queue, and forwarding the number of packets to the virtual serialization queue.
22 Claims
1. (Independent claim; its text is reproduced above under First Claim.) Dependent claims: 2 to 11.
12. A computer readable storage medium comprising instructions, which when executed by a processor perform a method for controlling a denial of service attack on a host, the method comprising:
receiving a plurality of packets from a network;
identifying an attacking host based on a severity level of the denial of service (DOS) attack from the network;
automatically re-configuring, in response to the identifying, a classifier to forward each of the plurality of packets associated with the attacking host to a temporary data structure associated with the severity level of the DOS attack, wherein the classifier is located on a physical network interface card operatively connected to the host, wherein the temporary data structure is one of a plurality of temporary data structures on the host, wherein each of the plurality of temporary data structures is associated with one of a plurality of severity levels, and wherein the attacking host is identified using an identifying attack characteristic;
identifying, by the classifier, each of the plurality of packets associated with the identifying attack characteristic;
forwarding each of the identified plurality of packets associated with the identifying attack characteristic to the temporary data structure;
requesting, by the host, a number of packets from the temporary data structure to be placed in a virtual serialization queue, wherein the virtual serialization queue is associated with the temporary data structure;
forwarding the number of packets to the virtual serialization queue; and
creating a virtual network stack prior to receiving the plurality of packets from the network, wherein the virtual serialization queue is associated with a virtual network stack matching the severity level;
wherein creating the virtual network stack comprises:
creating the virtual serialization queue;
binding the virtual serialization queue to a central processing unit;
binding the virtual serialization queue to a packet destination;
creating a virtual network interface card (NIC);
binding the virtual serialization queue to the virtual NIC and a virtual protocol stack to obtain the virtual network stack; and
specifying the severity level associated with the virtual serialization queue.
Dependent claims: 13 to 22.