Methods, systems, and computer program products for detecting and mitigating denial of service attacks in a telecommunications signaling network
First Claim
1. A method for detecting and mitigating a denial of service (DoS) attack in a telecommunications signaling network, the method comprising:
(a) collecting per link traffic rate information for a plurality of signaling links in a telecommunications signaling network;
(b) determining whether a traffic rate on a first signaling link of the plurality of signaling links exceeds a traffic rate on at least a second signaling link of the plurality of signaling links by a predetermined threshold, wherein the traffic rate on a signaling link includes a total number of signaling messages that traverse the signaling link during a time period, the first and second signaling links are members of the same signaling linkset that interconnects a pair of telecommunications network signaling nodes and determining whether the traffic rate on the first signaling link exceeds the traffic rate on at least the second signaling link includes comparing the traffic rate on the first signaling link to the traffic rate on the second signaling link; and
(c) in response to determining that the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link by a predetermined threshold, indicating a denial of service attack caused by an attacker gaining access to the first signaling link but not the second signaling link.
3 Assignments
0 Petitions
Abstract
Methods, systems, and computer program products for detecting and mitigating a denial of service attack in a telecommunications signaling network are provided. According to one method, traffic rate information is monitored on at least two of a plurality of signaling links. If the traffic rate on one of the signaling links exceeds the rate on at least another of the signaling links by a predetermined threshold, a denial of service attack is indicated. In response to indicating a denial of service attack, a user may take mitigating action, such as updating a firewall function to block packets associated with the offending source.
33 Claims
1. A method for detecting and mitigating a denial of service (DoS) attack in a telecommunications signaling network (independent claim; full text given above under First Claim). Dependent claims: 2 to 12.
13. A system for detecting and mitigating a denial of service attack in a telecommunications signaling network, the system comprising:
(a) a data gateway server for collecting per link traffic rate information for at least first and second signaling links in a network; and
(b) a denial of service detector/mitigator for receiving and analyzing the per link traffic rate information and determining whether the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link by a predetermined threshold, and, in response to determining that the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link by the predetermined threshold, for indicating a denial of service attack caused by an attacker gaining access to the first signaling link but not the second signaling link, wherein the traffic rate on a signaling link includes a total number of messages that traverse the signaling link during a time period, the first and second signaling links are members of the same signaling linkset that interconnects a pair of telecommunications network signaling nodes, and determining whether the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link includes comparing the traffic rate on the first signaling link to the traffic rate on the second signaling link.
Dependent claims: 14 to 20.
21. The system of claim 19 wherein the user terminal is adapted to receive input from the user regarding a false positive attack and for updating the DoS detector/mitigator to exclude the false positive from DoS attack detection.
22. A non-transitory computer-readable medium containing a program which, when executed by a processor of a computer, controls the computer to perform steps comprising:
(a) collecting per link traffic rate information for a plurality of signaling links in a signaling network;
(b) determining whether a traffic rate on at least a first signaling link of the plurality of signaling links exceeds a traffic rate on at least a second signaling link of the plurality of signaling links by a predetermined threshold; and
(c) in response to determining that the traffic rate on the first signaling link exceeds the traffic rate on the second signaling link by a predetermined threshold, indicating a denial of service attack caused by an attacker gaining access to the first signaling link but not the second signaling link, wherein the traffic rate on a signaling link includes a total number of messages that traverse the signaling link during a time period, the first and second signaling links are members of the same signaling linkset that interconnects a pair of telecommunications network signaling nodes, and determining whether the traffic rate on the first signaling link exceeds the traffic rate on at least the second signaling link includes comparing the traffic rate on the first signaling link to the traffic rate on the second signaling link.
Dependent claims: 23 to 33.
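The detection step shared by the abstract and by claims 1, 13 and 22 (group links by linkset, compare each link's message count against its siblings over one collection interval, flag a link that exceeds a sibling by the predetermined threshold) and the false-positive exclusion of claim 21 can be demonstrated together. The following is an added worked example written for this page; it is not code from the patent or its assignee. It assumes the threshold is an absolute difference in message counts per interval (the claims only say "a predetermined threshold"), and the linkset names, link names and counts are constructed sample data.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

# Constructed sample input (not data from the patent): total signaling messages
# seen on each link during one collection interval (say 30 s). Key = (linkset,
# link). Links in a linkset normally load-share, so sibling counts should be
# close; A-B-2 is the constructed anomaly, as if an attacker had gained access
# to that one link but not to its siblings.
SAMPLE_LINK_COUNTS: Dict[Tuple[str, str], int] = {
    ("A-B", "A-B-0"): 1180,
    ("A-B", "A-B-1"): 1210,
    ("A-B", "A-B-2"): 9850,
    ("A-B", "A-B-3"): 1195,
    ("A-C", "A-C-0"): 410,
    ("A-C", "A-C-1"): 395,
    ("A-D", "A-D-0"): 77,    # single-link linkset: no sibling to compare against
}


class DosAlert(NamedTuple):
    linkset: str
    suspect_link: str
    suspect_rate: int
    reference_link: str   # sibling link the suspect was compared against
    reference_rate: int


def detect_linkset_dos(
    link_counts: Dict[Tuple[str, str], int],
    threshold: int,
    excluded: FrozenSet[str] = frozenset(),
) -> List[DosAlert]:
    """Flag a link whose message count exceeds that of at least one sibling
    link in the same linkset by more than `threshold` messages per interval.

    `threshold` is assumed here to be an absolute count difference (the patent
    only says "a predetermined threshold"). `excluded` holds links an operator
    has marked as false positives (claim 21); they are never reported.
    """
    by_linkset: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (linkset, link), count in link_counts.items():
        by_linkset[linkset][link] = count

    alerts: List[DosAlert] = []
    for linkset, links in by_linkset.items():
        if len(links) < 2:
            continue  # the comparison is only defined between links of one linkset
        for link, rate in links.items():
            if link in excluded:
                continue
            # "Exceeds at least a second link" holds iff it exceeds the quietest
            # sibling, so compare against that one and report it as evidence.
            ref_link, ref_rate = min(
                ((l, r) for l, r in links.items() if l != link), key=lambda lr: lr[1]
            )
            if rate - ref_rate > threshold:
                alerts.append(DosAlert(linkset, link, rate, ref_link, ref_rate))
    return alerts


def mark_false_positive(excluded: FrozenSet[str], alert: DosAlert) -> FrozenSet[str]:
    """Operator feedback path (claim 21): exclude this link from future alerts."""
    return excluded | {alert.suspect_link}


if __name__ == "__main__":
    for a in detect_linkset_dos(SAMPLE_LINK_COUNTS, threshold=2000):
        print(f"DoS suspected on {a.linkset}/{a.suspect_link}: {a.suspect_rate} msgs "
              f"vs {a.reference_rate} on {a.reference_link}")
    # A threshold near the normal load-sharing jitter fires on almost every link.
    print(len(detect_linkset_dos(SAMPLE_LINK_COUNTS, threshold=10)), "alerts at threshold 10")
```

Two practical points follow from the claim language. The threshold must sit well above the normal load-sharing imbalance between sibling links, otherwise the comparison fires on ordinary jitter (the threshold-10 run above flags four links, three of them healthy); measuring that imbalance from clean intervals is how the value should be chosen. And because the method only detects asymmetry within a linkset, a flood injected evenly across every link of the linkset, or arriving on a single-link linkset, produces no difference to compare and is invisible to it, so it belongs alongside a per-link absolute-rate baseline rather than in place of one.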