Thwarting source address spoofing-based denial of service attacks

US 7,743,134 B2
Filed: 08/16/2001
Issued: 06/22/2010
Est. Priority Date: 09/07/2000
Status: Active Grant

First Claim

Patent Images

1. A method of protecting a data center against a denial of service attack, the method comprising:

sending queries to data collectors, deployed at different points in a network that carries network traffic to the data center, the data collectors collect statistical information on network packets sent over the network, the queries to request the statistical information from at least some of the data collectors;

sending the statistical information from the data collectors in response to the queries; and

processing the statistical information to determine the source of suspicious network traffic sent to the data center by aggregating statistical information of traffic flows from a source address and source port to a destination address and destination port, measured over different periods of time.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.

45 Citations

View as Search Results

33 Claims

1. A method of protecting a data center against a denial of service attack, the method comprising:
- sending queries to data collectors, deployed at different points in a network that carries network traffic to the data center, the data collectors collect statistical information on network packets sent over the network, the queries to request the statistical information from at least some of the data collectors;
  
  sending the statistical information from the data collectors in response to the queries; and
  
  processing the statistical information to determine the source of suspicious network traffic sent to the data center by aggregating statistical information of traffic flows from a source address and source port to a destination address and destination port, measured over different periods of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 wherein the network packets from the attacker have faked, random source addresses that change with time, and sending queries further comprises:
    - sending queries to the data collectors for the statistical information based on destination address for the data center.
  - 3. The method of claim 1 wherein processing further comprises:
    - determining, from at least in part, the collected statistical information, what data centers are involved in the attack on the data center.
  - 4. The method of claim 3 wherein determining is performed by a control center that receives the statistical information from the data collectors, and determining further comprises:
    - sending data to/from a gateway device that is associated with the data center.
  - 5. The method of claim 4 wherein the gateway identifies the network address of the data center, via a message to the control center.
  - 6. The method of claim 5 wherein message indicates the type of attack.
  - 7. The method of claim 1 wherein the queries and the statistical information are sent over a redundant network that does not carry the packet traffic to deliver collected statistical information to a central control center in response to the queries sent from the central control center.
  - 8. The method of claim 1 wherein a source of the attack is behind a gateway.
  - 9. The method of claim 8 wherein if a source of the attack is behind a gateway, the control center issues a request to the gateway that the attacking system is behind to prevent the attacking traffic from attacking system from reaching the network.
  - 10. The method of claim 8 wherein if a source of the attack is behind a gateway, the gateway that the attacking system is behind selectively discards traffic that appears to be malicious traffic and that contains the destination address of the data center.
  - 11. The method of claim 1 wherein if a source of the attack is not behind a gateway, a control center queries the data collectors to provide information about possible locations of the attacking system.
  - 12. The method of claim 1 wherein if a source of the attack is not behind a gateway, the method further comprises:
    - contacting administrators at locations involved in the attack to have the administrators take action to filter out packets with a destination address.
  - 13. The method of claim 1 wherein the attack is a low-grade spoofing-type of attack that does not compromise network traffic flow between the data center and Internet.
  - 14. The method of claim 1 wherein the attack is a high-grade attack that compromises network traffic flow between the data center and Internet.
  - 15. The method of claim 1 further comprising:
    - receiving from the victim site a notification that the victim site is under an attack.

16. A method of protecting a victim data center against a denial of service attack, the method comprising:
- receiving packets with faked, random source addresses;
  
  receiving, from a gateway disposed near the victim data center, a notification that the victim data center is under an attack;
  
  sending queries to data collectors deployed at different points in a network that carries network traffic to the victim data center, the data collectors to sample network packets and collect statistical information on network packets sent over the network, the queries being requests for statistical information from data collectors that have examined network traffic with victim destination address; and
  
  determining a data center or centers involved in the attack on the victim data center by analyzing collected statistical information from the data collectors, wherein the analyzing comprises aggregating statistical information of traffic flows from a source address and source port to a destination address and destination port, measured over different periods of time.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16 further comprising:
    - communicating statistical information from a control center to/from a gateway device that is disposed with the data center.
  - 18. The method of claim 17 wherein if a source of the attack is behind a gateway, the control center issues a request to the gateway to block the attacking traffic.
  - 19. The method of claim 18 wherein if a source of the attack is behind a gateway, the gateway selectively discards traffic that appears to be malicious traffic and that contains the victim destination address.
  - 20. The method of claim 16 wherein if a source of the attack is not behind a gateway, the method comprises:
    - contacting administrators at locations involved in attack to filter out packets having a destination address.

21. A system to thwart denial of service attacks on a victim data center, the system comprising:
- a plurality of data collectors monitors dispersed throughout a network, the data collectors monitors collecting statistical data on network traffic;
  
  a control center coupled to the plurality of data collectors, the control center, comprisinga memory;
  
  a processor; and
  
  a computer readable medium storing a computer program product, the computer readable medium comprising instructions for causing the control center to;
  
  receive from the data center a notification that the victim data center is under an attack; and
  
  in response to receiving the notification,send queries to data collectors to request statistical information collected by the data collectors based on network traffic, the statistical information used to determine a source of suspicious network traffic being sent to the data center, wherein determining a source of suspicious network traffic comprises aggregating statistical information of traffic flows from a source address and source port to a destination address and destination port, measured over different periods of time;
  
  a gateway device that passes network packets between the network and the data center, the gateway disposed to protect the victim data center, and being coupled to the control center.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The system of claim 21 wherein the data collectors collect statistical information on network packets that pass through points in the network that the data collectors monitor.
  - 23. The system of claim 21 wherein the control center further comprises instructions to:
    - determine a source of the attack on the data center by analyzing collected statistical information from the data collectors.
  - 24. The system of claim 21 wherein the control center and gateway device associated with the data center exchange data including statistical information to thwart the attack.
  - 25. The system of claim 21 wherein data exchanged between the control center and gateway device associated with the victim data center are sent over a redundant network that is a different network than the network that is being monitored by the data collectors.
  - 26. The system of claim 21 wherein if the control center determines that the source of the attack is behind a gateway, the control center issues a request to the gateway that the source of the attack is behind to block the attacking traffic.
  - 27. The system of claim 21 wherein if the control center determines that the source of the attack is behind a gateway, the control center issues a request to the gateway to selectively discard traffic that contains a destination address for the data center.
  - 28. The system of claim 21 wherein if the source of the attack is not behind a gateway, the control center queries the data collectors to provide information about possible locations of the source of the attack.
  - 29. The system of claim 28 wherein if the source of the attack is not behind a gateway, the system includes instructions to contact administrators at locations involved in attack to have the administrators cause filters to be installed in the data center to filter out packets with the victim destination address.

30. A computer program product residing on a computer readable storage media for protecting a victim data center against a denial of service attack, the computer program product, comprising instructions for causing a computing device to:
- receive a notification that the victim data center is under an attack;
  
  send queries to data collectors deployed at different points in a network that carries network traffic to the victim data center, the data collectors to sample network traffic and collect statistical information on packets sent over the network, the queries to request statistical information from data collectors that have examined network traffic with the victim destination address; and
  
  determine a source of the attack on the victim data center by analyzing collected information from the data collectors, wherein the analyzing comprises aggregating statistical information of traffic flows from a source address and source port to a destination address and destination port, measured over different periods of time.
- View Dependent Claims (31, 32, 33)
- - 31. The computer program product of claim 30 further comprising instructions to:
    - send data including statistical information between a gateway device that is disposed with the victim data center and a control center.
  - 32. The computer program product of claim 30 further comprising instructions to:
    - determine whether the source of the attack is behind a gateway and if the source of the attack is behind a gateway,issue a request to the gateway to block the attacking traffic.
  - 33. The computer program product of claim 30 further comprising instructions to:
    - determine whether the source of the attack is behind a gateway and if the source of the attack is not behind a gateway,send a message to contact administrators at locations involved in the attack to filter out packets having the destination address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Kohler, Edward W. Jr., Poletto, Massimiliano Antonio
Primary Examiner(s)
ISMAIL, SHAWKI SAIF

Application Number

US09/931,487
Publication Number

US 20020032774A1
Time in Patent Office

3,232 Days
Field of Search

709/217, 709223-225, 709227-229, 713200-202
US Class Current

709/224
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 43/00   Arrangements for monitoring...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Thwarting source address spoofing-based denial of service attacks

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Thwarting source address spoofing-based denial of service attacks

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links