Method and apparatus for limiting denial of service attack by limiting traffic for hosts

US 7,640,591 B1
Filed: 04/22/2005
Issued: 12/29/2009
Est. Priority Date: 04/22/2005
Status: Active Grant

First Claim

Patent Images

1. A method for controlling a denial of service attack on a host comprising:

receiving a plurality of packets from a network;

identifying an attacking host based on a severity level of the denial of service (DOS) attack from the network;

automatically re-configuring, in response to the identifying, a classifier to forward each of the plurality of packets associated with the attacking host to a temporary data structure associated with the severity level of the DOS attack, wherein the classifier is located on a physical network interface card operatively connected to the host, wherein the temporary data structure is one of a plurality of temporary data structures on the host, wherein each of the plurality of temporary data structures is associated with one of a plurality of severity levels, and wherein the attacking host is identified using an identifying attack characteristic;

identifying, by the classifier, each of the plurality of packets associated with the identifying attack characteristic;

forwarding each of the identified plurality of packets associated with the identifying attack characteristic to the temporary data structure;

requesting, by the host, a number of packets from the temporary data structure to be placed in a virtual serialization queue, wherein the virtual serialization queue is associated with the temporary data structure;

forwarding the number of packets to the virtual serialization queue; and

creating a virtual network stack prior to receiving the plurality of packets from the network, wherein the virtual serialization queue is associated with a virtual network stack matching the severity level;

wherein creating the virtual network stack comprises;

creating the virtual serialization queue;

binding the virtual serialization queue to a central processing unit;

binding the virtual serialization queue to a packet destination;

creating a virtual network interface card (NIC);

binding the virtual serialization queue to the virtual NIC and a virtual protocol stack to obtain the virtual network stack; and

specifying the severity level associated with the virtual serialization queue.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling a denial of service attack involves receiving a plurality of packets from a network, identifying an attacking host based on a severity level of the denial of service attack from the network, wherein the attacking host is identified by an identifying attack characteristic associated with one of the plurality of packets associated with the attacking host, analyzing each of the plurality of packets by a classifier to determine to which of a plurality of temporary data structures each of the plurality of packet is forwarded, forwarding each of the plurality of packets associated with the identifying attack characteristic to one of the plurality of temporary data structures matching the severity level of the denial of service attack as determined by the classifier, requesting a number of packets from the one of the plurality of temporary data structures matching the severity level by the virtual serialization queue, and forwarding the number of packets to the virtual serialization queue.

Citations

22 Claims

1. A method for controlling a denial of service attack on a host comprising:
- receiving a plurality of packets from a network;
  
  identifying an attacking host based on a severity level of the denial of service (DOS) attack from the network;
  
  automatically re-configuring, in response to the identifying, a classifier to forward each of the plurality of packets associated with the attacking host to a temporary data structure associated with the severity level of the DOS attack, wherein the classifier is located on a physical network interface card operatively connected to the host, wherein the temporary data structure is one of a plurality of temporary data structures on the host, wherein each of the plurality of temporary data structures is associated with one of a plurality of severity levels, and wherein the attacking host is identified using an identifying attack characteristic;
  
  identifying, by the classifier, each of the plurality of packets associated with the identifying attack characteristic;
  
  forwarding each of the identified plurality of packets associated with the identifying attack characteristic to the temporary data structure;
  
  requesting, by the host, a number of packets from the temporary data structure to be placed in a virtual serialization queue, wherein the virtual serialization queue is associated with the temporary data structure;
  
  forwarding the number of packets to the virtual serialization queue; and
  
  creating a virtual network stack prior to receiving the plurality of packets from the network, wherein the virtual serialization queue is associated with a virtual network stack matching the severity level;
  
  wherein creating the virtual network stack comprises;
  
  creating the virtual serialization queue;
  
  binding the virtual serialization queue to a central processing unit;
  
  binding the virtual serialization queue to a packet destination;
  
  creating a virtual network interface card (NIC);
  
  binding the virtual serialization queue to the virtual NIC and a virtual protocol stack to obtain the virtual network stack; and
  
  specifying the severity level associated with the virtual serialization queue.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the packet destination is at least one selected from the group consisting of a container and a service.
  - 3. The method of claim 1, further comprising:
    - processing the number of packets on the virtual serialization queue using a central processing unit bound to the virtual serialization queue.
  - 4. The method of claim 1, wherein the identifying attack characteristic comprises an internet protocol address.
  - 5. The method of claim 1, wherein identifying an attacking host comprises:
    - interacting with the virtual network stack to identify the attacking host using an intrusion detection system; and
      
      informing the virtual network stack of the identifying attack characteristic and the severity level.
  - 6. The method of claim 1, wherein each of the plurality of temporary data structures comprises at least one selected from the group consisting of a virtual network interface card queue and a receive ring.
  - 7. The method of claim 1, wherein the number of packets is limited by an attack control parameter associated with the virtual serialization queue.
  - 8. The method of claim 7, wherein the attack control parameter specifies a maximum number of packets that may be retrieved from the one of the plurality of temporary data structures associated with the virtual serialization queue in a specified period of time based on the severity level of the denial of service attack.
  - 9. The method of claim 7, wherein the attack control parameter specifies a maximum number of bytes that may be retrieved from the one of the plurality of temporary data structures associated with the virtual serialization queue in a specified period of time based on the severity level of the denial of service attack.
  - 10. The method of claim 1, wherein the classifier is one selected from the group consisting of a hardware classifier and a software classifier.
  - 11. The method of claim 1, wherein forwarding the number of packets to the virtual serialization queue comprises:
    - forwarding the number of packets from the one of the plurality of temporary data structures to a virtual protocol stack associated with the virtual serialization queue and the severity level for processing of the number of packets to obtain processed packets; and
      
      forwarding the processed packets from the virtual protocol stack to the virtual serialization queue.

12. A computer readable storage medium comprising instructions, which when executed by a processor perform a method for controlling a denial of service attack on a host, the method comprising:
- receiving a plurality of packets from a network;
  
  identifying an attacking host based on a severity level of the denial of service (DOS) attack from the network;
  
  automatically re-configuring, in response to the identifying, a classifier to forward each of the plurality of packets associated with the attacking host to a temporary data structure associated with the severity level of the DOS attack, wherein the classifier is located on a physical network interface card operatively connected to the host, wherein the temporary data structure is one of a plurality of temporary data structures on the host, wherein each of the plurality of temporary data structures is associated with one of a plurality of severity levels, and wherein the attacking host is identified using an identifying attack characteristic;
  
  identifying, by the classifier, each of the plurality of packets associated with the identifying attack characteristic;
  
  forwarding each of the identified plurality of packets associated with the identifying attack characteristic to the temporary data structure;
  
  requesting, by the host, a number of packets from the temporary data structure to be placed in a virtual serialization queue, wherein the virtual serialization queue is associated with the temporary data structure;
  
  forwarding the number of packets to the virtual serialization queue; and
  
  creating a virtual network stack prior to receiving the plurality of packets from the network, wherein the virtual serialization queue is associated with a virtual network stack matching the severity level;
  
  wherein creating the virtual network stack comprises;
  
  creating the virtual serialization queue;
  
  binding the virtual serialization queue to a central processing unit;
  
  binding the virtual serialization queue to a packet destination;
  
  creating a virtual network interface card (NIC);
  
  binding the virtual serialization queue to the virtual NIC and a virtual protocol stack to obtain the virtual network stack; and
  
  specifying the severity level associated with the virtual serialization queue.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer readable storage medium of claim 12, wherein the packet destination is at least one selected from the group consisting of a container and a service.
  - 14. The computer readable storage medium of claim 12, the method further comprising:
    - processing the number of packets on the virtual serialization queue using a central processing unit bound to the virtual serialization queue.
  - 15. The computer readable storage medium of claim 12, wherein the identifying attack characteristic comprises an internet protocol address.
  - 16. The computer readable storage medium of claim 12, wherein identifying an attacking host comprises:
    - interacting with the virtual network stack to identify the attacking host using an intrusion detection system; and
      
      informing the virtual network stack of the identifying attack characteristic and the severity level.
  - 17. The computer readable storage medium of claim 12, wherein each of the plurality of temporary data structures comprises at least one selected from the group consisting of a virtual network interface card queue and a receive ring.
  - 18. The computer readable storage medium of claim 12, wherein the number of packets is limited by an attack control parameter associated with the virtual serialization queue.
  - 19. The computer readable storage medium of claim 18, wherein the attack control parameter specifies a maximum number of packets that may be retrieved from the one of the plurality of temporary data structures associated with the virtual serialization queue in a specified period of time based on the severity level of the denial of service attack.
  - 20. The computer readable storage medium of claim 18, wherein the attack control parameter specifies a maximum number of bytes that may be retrieved from the one of the plurality of temporary data structures associated with the virtual serialization queue in a specified period of time based on the severity level of the denial of service attack.
  - 21. The computer readable storage medium of claim 12, wherein the classifier is one selected from the group consisting of a hardware classifier and a software classifier.
  - 22. The computer readable storage medium of claim 12, wherein forwarding the number of packets to the virtual serialization queue comprises:
    - forwarding the number of packets from the one of the plurality of temporary data structures to a virtual protocol stack associated with the virtual serialization queue and the severity level for processing of the number of packets to obtain processed packets; and
      
      forwarding the processed packets from the virtual protocol stack to the virtual serialization queue.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Droux, Nicolas G., Tripathi, Sunay, Watanabe, Yuzo
Primary Examiner(s)
Dada; Beemnet W
Assistant Examiner(s)
Schwartz; Darren

Application Number

US11/112,328
Time in Patent Office

1,712 Days
Field of Search

713/187, 713/188, 713/193, 713/194, 726 22- 25
US Class Current

726/25
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1458 Denial of Service

Method and apparatus for limiting denial of service attack by limiting traffic for hosts

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for limiting denial of service attack by limiting traffic for hosts

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links