Methods, systems, and computer program products for detecting and mitigating denial of service attacks in a telecommunications signaling network

US 7,774,849 B2
Filed: 04/15/2005
Issued: 08/10/2010
Est. Priority Date: 04/15/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting and mitigating a denial of service (DoS) attack in a telecommunications signaling network, the method comprising:

(a) collecting per link traffic rate information for a plurality of signaling links in a telecommunications signaling network;

(b) determining whether a traffic rate on a first signaling link of the plurality of signaling links exceeds a traffic rate on at least a second signaling link of the plurality of signaling links by a predetermined threshold, wherein the traffic rate on a signaling link includes a total number of signaling messages that traverse the signaling link during a time period, the first and second signaling links are members of the same signaling linkset that interconnects a pair of telecommunications network signaling nodes and determining whether the traffic rate on the first signaling link exceeds the traffic rate on at least the second signaling link includes comparing the traffic rate on the first signaling link to the traffic rate on the second signaling link; and

(c) in response to determining that the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link by a predetermined threshold, indicating a denial of service attack caused by an attacker gaining access to the first signaling link but not the second signaling link.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products for detecting and mitigating a denial of service attack in a telecommunications signaling network are provided. According to one method, traffic rate information is monitored on at least two of a plurality of signaling links. If the traffic rate on one of the signaling links exceeds the rate on at least another of the signaling links by a predetermined threshold, a denial of service attack is indicated. In response to indicating a denial of service attack, a user may take mitigating action, such as updating a firewall function to block packets associated with the offending source.

Citations

33 Claims

1. A method for detecting and mitigating a denial of service (DoS) attack in a telecommunications signaling network, the method comprising:
- (a) collecting per link traffic rate information for a plurality of signaling links in a telecommunications signaling network;
  
  (b) determining whether a traffic rate on a first signaling link of the plurality of signaling links exceeds a traffic rate on at least a second signaling link of the plurality of signaling links by a predetermined threshold, wherein the traffic rate on a signaling link includes a total number of signaling messages that traverse the signaling link during a time period, the first and second signaling links are members of the same signaling linkset that interconnects a pair of telecommunications network signaling nodes and determining whether the traffic rate on the first signaling link exceeds the traffic rate on at least the second signaling link includes comparing the traffic rate on the first signaling link to the traffic rate on the second signaling link; and
  
  (c) in response to determining that the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link by a predetermined threshold, indicating a denial of service attack caused by an attacker gaining access to the first signaling link but not the second signaling link.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein collecting per link traffic rate information includes collecting signaling system 7 (SS7) traffic rate information for a plurality of SS7 signaling links.
  - 3. The method of claim 2 wherein the plurality of SS7 signaling links includes time division multiplexed (TDM)-based SS7 signaling links.
  - 4. The method of claim 2 wherein the SS7 signaling links includes SS7 over Internet protocol (IP) signaling links.
  - 5. The method of claim 1 wherein collecting per link traffic rate information includes collecting per link traffic rate information for a plurality of Internet protocol (IP) telephony signaling links.
  - 6. The method of claim 1 wherein determining whether the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link by a predetermined threshold includes comparing a measured traffic rate on the first signaling link to a measured traffic rate on the second signaling link.
  - 7. The method of claim 1 wherein indicating a denial of service attack includes sending a denial of service alarm to an operator.
  - 8. The method of claim 1 wherein indicating a denial of service attack includes generating a report including at least one packet in the denial of service attack.
  - 9. The method of claim 1 comprising in response to detecting a denial of service attack, performing a mitigating action.
  - 10. The method of claim 9 wherein performing a mitigating action includes configuring firewalls in network signaling nodes to block packets associated with the denial of service attack.
  - 11. The method of claim 1 comprising determining whether the denial of service attack is valid.
  - 12. The method of claim 11 comprising, in response to determining that the denial of service attack is not valid, indicating that the denial of service attack is a false positive.

13. A system for detecting and mitigating a denial of service attack in a telecommunications signaling network, the system comprising:
- (a) a data gateway server for collecting per link traffic rate information for at least first and second signaling links in a network; and
  
  (b) a denial of service detector/mitigator for receiving and analyzing the per link traffic rate information and determining whether the rate information the first signaling link exceeds the traffic rate the second signaling link by a predetermined threshold, and, in response to determining that the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link by the predetermined threshold, for indicating a denial of service attack caused by an attacker gaining access to the first signaling link but not the second signaling link, wherein the traffic rate on a signaling link includes a total number of messages that traverse the signaling link during a time period, the first and second signaling links are members of the same signaling linkset that interconnects a pair of telecommunications network signaling nodes and determining whether the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link includes comparing the traffic rate on the first signaling link to the traffic rate on the second signaling link.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The system of claim 13 wherein the data gateway server is adapted to collect traffic rate information for a plurality of signaling system 7 (SS7) signaling links.
  - 15. The system of claim 14 wherein the SS7 signaling links include time division multiplexed (TDM)-based SS7 signaling links.
  - 16. The system of claim 14 wherein the SS7 signaling links includes SS7 over Internet protocol (IP) signaling links.
  - 17. The system of claim 13 wherein the data gateway server is adapted to collect traffic rate information for a plurality of Internet protocol (IP) telephony signaling links.
  - 18. The system of claim 13 wherein the DoS detector/mitigator is adapted to generate an alarm to an operator in response to detecting a denial of service attack.
  - 19. The system of claim 18 comprising a user terminal for receiving the alarm and allowing the user to verify the denial of service attack.
  - 20. The system of claim 19 wherein the user terminal is operatively coupled to at least one firewall, wherein, in response to verifying the denial of service attack, the user terminal is adapted to update the firewall with data for mitigating the denial of service attack in response to input from the user.

21. The system of 19 wherein the user terminal is adapted to receive input from the user regarding a false positive attack and for updating the DoS detector/mitigator to exclude the false positive from DoS attack detection.

22. A non-transitory computer-readable medium containing a program which, when executed by a processor of a computer, controls the computer to perform steps comprising:
- (a) collecting per link traffic rate information for a plurality of signaling links in a signaling network;
  
  (b) determining whether a traffic rate on at least a first signaling link of the plurality of signaling links exceeds a traffic rate on at least a second signaling link of the plurality of signaling links by a predetermined threshold; and
  
  (c) in response to determining that the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link by a predetermined threshold, indicating a denial of service attack caused by an attacker gaining access to the first signaling link but not the second signaling link, wherein the traffic rate on a signaling link includes a total number of messages that traverse the signaling link during a time period, the first and second signaling links are members of the same signaling linkset that interconnects a pair of telecommunications network signaling nodes and determining whether the traffic rate on the first signaling link exceeds the traffic rate on at least the second signaling link includes comparing the traffic rate on the first signaling link to the traffic on the second signaling link.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 23. The non-transitory computer-readable medium of claim 22 wherein collecting per link traffic rate information includes collecting signaling system 7 (SS7) traffic rate information for a plurality of SS7 signaling links.
  - 24. The non-transitory computer-readable medium of claim 23 wherein the plurality of SS7 signaling links includes time division multiplexed (TDM)-based SS7 signaling links.
  - 25. The non-transitory computer-readable medium of claim 23 wherein the SS7 signaling links includes SS7 over Internet protocol (IP) signaling links.
  - 26. The non-transitory computer-readable medium of claim 22 wherein collecting per link traffic rate information includes collecting per link traffic rate information for a plurality of Internet protocol (IP) telephony signaling links.
  - 27. The non-transitory computer-readable medium of claim 22 wherein determining whether the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link by a predetermined threshold includes comparing a measured traffic rate on the first signaling link to a measured traffic rate on the second signaling link.
  - 28. The non-transitory computer-readable storage of claim 22 wherein indicating a denial of service attack includes sending a denial of service alarm to an operator.
  - 29. The non-transitory computer-readable storage of claim 22 wherein indicating a denial of service attack includes generating a report including information regarding at least one packet in the denial of service attack.
  - 30. The non-transitory computer-readable storage of claim 22 comprising, in response to detecting a denial of service attack, performing a mitigating action.
  - 31. The non-transitory computer-readable storage of claim 30 wherein performing a mitigating action includes configuring firewalls in network signaling nodes to block packets associated with the denial of service attack.
  - 32. The non-transitory computer-readable storage of claim 22 comprising determining whether the denial of service attack is valid.
  - 33. The non-transitory computer-readable storage of claim 32 comprising, in response to determining that the denial of service attack is not valid, indicating that the denial of service attack is a false positive.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tekelec Global, Inc. (Oracle Corporation)
Original Assignee
Tekelec
Inventors
Marsico, Peter J., Russell, Travis E.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
SCHWARTZ, DARREN B

Application Number

US11/107,413
Publication Number

US 20060236402A1
Time in Patent Office

1,943 Days
Field of Search

370229-236, 709224-225, 709/233, 709/235, 709/239, 709/241, 713152-154, 726 11- 15, 726 22- 23
US Class Current

726/25
CPC Class Codes

H04L 63/1458 Denial of Service

Methods, systems, and computer program products for detecting and mitigating denial of service attacks in a telecommunications signaling network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and computer program products for detecting and mitigating denial of service attacks in a telecommunications signaling network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links