Thwarting source address spoofing-based denial of service attacks
First Claim
1. A method of protecting a data center against a denial of service attack, the method comprising:
sending queries to data collectors, deployed at different points in a network that carries network traffic to the data center, the data collectors collect statistical information on network packets sent over the network, the queries to request the statistical information from at least some of the data collectors;
sending the statistical information from the data collectors in response to the queries; and
processing the statistical information to determine the source of suspicious network traffic sent to the data center by aggregating statistical information of traffic flows from a source address and source port to a destination address and destination port, measured over different periods of time.
21 Assignments
0 Petitions
Abstract
A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.
45 Citations
33 Claims
1. A method of protecting a data center against a denial of service attack, the method comprising:
sending queries to data collectors, deployed at different points in a network that carries network traffic to the data center, the data collectors collect statistical information on network packets sent over the network, the queries to request the statistical information from at least some of the data collectors; sending the statistical information from the data collectors in response to the queries; and processing the statistical information to determine the source of suspicious network traffic sent to the data center by aggregating statistical information of traffic flows from a source address and source port to a destination address and destination port, measured over different periods of time. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
16. A method of protecting a victim data center against a denial of service attack, the method comprising:
receiving packets with faked, random source addresses; receiving, from a gateway disposed near the victim data center, a notification that the victim data center is under an attack; sending queries to data collectors deployed at different points in a network that carries network traffic to the victim data center, the data collectors to sample network packets and collect statistical information on network packets sent over the network, the queries being requests for statistical information from data collectors that have examined network traffic with victim destination address; and determining a data center or centers involved in the attack on the victim data center by analyzing collected statistical information from the data collectors, wherein the analyzing comprises aggregating statistical information of traffic flows from a source address and source port to a destination address and destination port, measured over different periods of time. - View Dependent Claims (17, 18, 19, 20)
21. A system to thwart denial of service attacks on a victim data center, the system comprising:
a plurality of data collectors monitors dispersed throughout a network, the data collectors monitors collecting statistical data on network traffic;
a control center coupled to the plurality of data collectors, the control center, comprising a memory; a processor; and a computer readable medium storing a computer program product, the computer readable medium comprising instructions for causing the control center to: receive from the data center a notification that the victim data center is under an attack; and
in response to receiving the notification, send queries to data collectors to request statistical information collected by the data collectors based on network traffic, the statistical information used to determine a source of suspicious network traffic being sent to the data center, wherein determining a source of suspicious network traffic comprises aggregating statistical information of traffic flows from a source address and source port to a destination address and destination port, measured over different periods of time; a gateway device that passes network packets between the network and the data center, the gateway disposed to protect the victim data center, and being coupled to the control center. - View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
30. A computer program product residing on a computer readable storage media for protecting a victim data center against a denial of service attack, the computer program product, comprising instructions for causing a computing device to:
receive a notification that the victim data center is under an attack; send queries to data collectors deployed at different points in a network that carries network traffic to the victim data center, the data collectors to sample network traffic and collect statistical information on packets sent over the network, the queries to request statistical information from data collectors that have examined network traffic with the victim destination address; and determine a source of the attack on the victim data center by analyzing collected information from the data collectors, wherein the analyzing comprises aggregating statistical information of traffic flows from a source address and source port to a destination address and destination port, measured over different periods of time. - View Dependent Claims (31, 32, 33)
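The analysis step shared by the abstract and by claims 1, 16, 21 and 30 (query the collectors that saw traffic to the victim address, aggregate per source address/source port/destination address/destination port over different periods of time, and locate the source of the attack) is illustrated below as an added example. It is not code from the patent or from any product built on it; the collector names, the thresholds, the RFC 5737/RFC 1918 addresses and the sampled flow records are all constructed here. It also shows the caveat claim 16 raises: when the flood carries faked, random source addresses, no single flow key stands out, so the collectors themselves (the ingress vantage points) are ranked instead to find the network the attack enters from.

```python
from collections import defaultdict
from dataclasses import dataclass

VICTIM = "203.0.113.10"  # constructed victim data-center address


@dataclass(frozen=True)
class FlowSample:
    """One sampled record as a hypothetical data collector would report it.
    `packets` is the count the sample stands for after the collector's
    sampling rate has been applied."""
    collector: str
    t: float       # seconds on a clock shared by all collectors
    src: str
    sport: int
    dst: str
    dport: int
    packets: int


def query_collectors(samples, victim):
    """Model the queries to the collectors: only records whose destination
    is the victim address are returned."""
    return [s for s in samples if s.dst == victim]


def flow_rates(samples, start, end):
    """Aggregate packets per (src, sport, dst, dport) over [start, end)
    and return packets per second for each flow key."""
    totals = defaultdict(int)
    for s in samples:
        if start <= s.t < end:
            totals[(s.src, s.sport, s.dst, s.dport)] += s.packets
    span = end - start
    return {k: v / span for k, v in totals.items()}


def suspicious_flows(samples, now, short=10.0, long=60.0, ratio=5.0, min_pps=100.0):
    """Compare each flow's recent rate (last `short` seconds) with its own
    baseline over the earlier part of the `long` window.  A flow is flagged
    only when it is above an absolute floor and `ratio` times its baseline,
    so a steady high-volume legitimate flow is left alone."""
    recent = flow_rates(samples, now - short, now)
    baseline = flow_rates(samples, now - long, now - short)
    return {k: pps for k, pps in recent.items()
            if pps >= min_pps and pps >= ratio * max(baseline.get(k, 0.0), 1.0)}


def rank_ingress(samples, now, short=10.0):
    """With faked, random source addresses every flow key is tiny and
    per-flow aggregation finds nothing, so aggregate by collector instead:
    the vantage point carrying the most traffic toward the victim is the
    one nearest the attacking network."""
    per_collector = defaultdict(int)
    for s in samples:
        if now - short <= s.t < now:
            per_collector[s.collector] += s.packets
    return sorted(((c, p / short) for c, p in per_collector.items()),
                  key=lambda cp: cp[1], reverse=True)


def analyze(samples, victim, now):
    """Control-center logic run after the gateway's attack notification."""
    seen = query_collectors(samples, victim)
    return suspicious_flows(seen, now), rank_ingress(seen, now)


def build_samples():
    """Constructed 60-second trace from three hypothetical collectors."""
    out = []
    # c-east: a steady legitimate client flow to the victim, 200 pps all minute
    for t in range(60):
        out.append(FlowSample("c-east", t + 0.5, "198.51.100.7", 51000, VICTIM, 80, 200))
    # c-east: heavy traffic to another destination; the query must not return it
    for t in range(60):
        out.append(FlowSample("c-east", t + 0.5, "198.51.100.9", 52000, "203.0.113.20", 443, 5000))
    # c-north: an unspoofed flood from one host, 1500 pps in the last 10 s only
    for t in range(50, 60):
        out.append(FlowSample("c-north", t + 0.5, "192.0.2.55", 40000, VICTIM, 80, 1500))
    # c-west: a spoofed flood, 2000 distinct fake sources in the last 10 s, 10 packets each
    for i in range(2000):
        fake_src = f"10.{(i >> 8) & 255}.{i & 255}.{i % 251 + 1}"
        out.append(FlowSample("c-west", 50 + (i % 10) + 0.5, fake_src, 1024 + i, VICTIM, 80, 10))
    return out


if __name__ == "__main__":
    flagged, ranking = analyze(build_samples(), VICTIM, now=60.0)
    for key, pps in flagged.items():
        print("suspicious flow", key, f"{pps:.0f} pps")
    for collector, pps in ranking:
        print("ingress", collector, f"{pps:.0f} pps toward victim")
```

Running it flags the single-host flood seen by c-north but none of the 2000 spoofed flows, while the ingress ranking still puts c-west, which carries the spoofed flood, first; in a deployment the short and long windows would be the collectors' own sampling intervals and the ranking would be read alongside the collectors' placement in the network.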
Specification