System and method for detection and mitigation of distributed denial of service attacks

  • US 7,930,740 B2
  • Filed: 07/07/2005
  • Issued: 04/19/2011
  • Est. Priority Date: 07/07/2005
  • Status: Expired due to Fees
First Claim

1. A method for detecting and mitigating denial of service attacks, comprising:

  • initiating a computer communication session on a communication network between a receiving computer and a sending computer on a network;

  • executing in a router a set of permit rules for permitting flow of communication packets for user-initiated sessions through said router to the receiving computer;

  • in response to the receiving computer being a victim of an attack by the sending computer, sending an attack notification to an administrator;

  • establishing a low bandwidth link between said receiving computer and a next hop router;

  • establishing a high bandwidth link between said next hop router and an edge router to an Internet service provider (ISP) network, wherein the low bandwidth link has a lower bandwidth than the high bandwidth link;

  • permitting said next hop router to handle both valid and invalid traffic between said next hop router and said ISP network via the high bandwidth link, wherein said invalid traffic is from the attack by the sending computer;

  • establishing said low bandwidth link as a one and only congestion point for traffic going from the ISP network to the receiving computer;

  • establishing timing out rules that time out permit rules, wherein the permit rules permitted communication with said receiving computer before termination of a transaction session;

  • establishing a sequence of exotic port numbers for identifying at least one trusted computer for communication with said receiving computer irrespective of said permit rules, wherein all of the exotic port numbers have values less than a predetermined number;

  • operating a plurality of small computers that each utilize an instantiation of said low bandwidth link to said next hop router;

  • recording origination of each session in said next hop router for preventing spoofing of a source of traffic directed to said small computers by other computers;

  • responsive to initiation of an outbound session by said small computers, operating said next hop router to extract session header information including source address and destination address provided by said small computers;

  • responsive to said session header information, said next hop router establishing at least one permit rule;

  • responsive to said outbound session terminating, deleting said permit rule;

  • maintaining a list of destination devices that have been predetermined to be critical to a selected user computer;

  • monitoring attack levels experienced at said next hop router with respect to said selected user computer;

  • responsive to detecting an increasing attack level directed to said selected user computer, utilizing said list of destination devices that have been predetermined to be critical to said selected user computer in order to drop all existing permit rules with respect to said selected user computer and to allow only other rules that have been pre-established for said selected user computer;

  • determining if a physical port on an incoming packet matches an allocated source address, and if not, blocking said incoming packet;

  • if said incoming packet is not blocked, determining if a permit rule exists for said incoming packet, and if not, executing a synchronization algorithm to establish said permit rule based on source address, destination address, and destination port of said small computers; and

  • if said permit rule exists for an incoming packet which is a finish packet, then in response to the receiving computer receiving said finish packet, executing a finish algorithm to remove said permit rule and to allow said finish packet through said next hop router, wherein the finish packet indicates that no more data will be forthcoming from an originator of said finish packet, and wherein the finish algorithm;

    • obtains a 5-tuple from a 5-tuple list for said selected user, wherein the 5-tuple list identifies trusted packets for said selected user, and wherein the 5-tuple includes and identifies a source Internet Protocol (IP) address of said incoming packet, a destination IP address for said incoming packet, a source port for said incoming packet, a destination port for said incoming packet, and a protocol for said incoming packet;

    • deletes said permit rules for said selected user; and

    • allows said finish packet through to finish said computer communication session.
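The claim reads as a state machine on the next-hop router: outbound sessions create 5-tuple permit rules, rules time out, a FIN removes its rule, inbound packets are checked against the physical port allocated to their source address, and a rising attack level collapses the rule set down to the pre-established critical peers. The following Python is an added illustration of that logic, not code from the patent or its assignee. The class and field names, the 300-second rule lifetime, the threshold of five blocked packets, the exotic-port limit of 1024 and the sample traffic are all constructed assumptions.

```python
# Added example, not code from the patent: a toy model of the claim's next-hop router.
# Names, the 300 s rule lifetime, the attack threshold and the traffic are assumptions.
from dataclasses import dataclass, field

EXOTIC_LIMIT = 1024  # assumed "predetermined number" bounding the exotic-port values


@dataclass(frozen=True)
class Packet:
    phys_port: str      # router interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False
    fin: bool = False

    def key(self):      # the 5-tuple that identifies trusted packets in the claim
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse_key(self):  # 5-tuple of the return traffic for an outbound session
        return (self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass
class NextHopRouter:
    addr_port: dict          # address -> physical port it is allocated to (anti-spoofing)
    services: dict           # protected host -> ports accepting unsolicited SYNs
    critical: dict           # protected host -> peers pre-established as critical
    exotic_ports: frozenset  # ports (< EXOTIC_LIMIT) that mark a trusted peer
    rule_ttl: int = 300      # timing-out rule: seconds an unused permit rule survives
    attack_threshold: int = 5
    permit: dict = field(default_factory=dict)   # 5-tuple -> expiry time
    blocked: dict = field(default_factory=dict)  # protected host -> blocked-packet count
    escalated: set = field(default_factory=set)  # hosts reduced to critical peers only

    def _expire(self, now):
        self.permit = {k: t for k, t in self.permit.items() if t > now}

    def _spoofed(self, pkt):
        # Physical-port check: an allocated source address must arrive on its own port.
        alloc = self.addr_port.get(pkt.src)
        return alloc is not None and alloc != pkt.phys_port

    def outbound(self, pkt, now):
        """Session initiated by a protected host; True if forwarded to the ISP side."""
        self._expire(now)
        if self._spoofed(pkt):
            return False
        if pkt.syn:     # record origination and permit the reply 5-tuple
            self.permit[pkt.reverse_key()] = now + self.rule_ttl
        if pkt.fin:     # outbound session terminating: delete its permit rule
            self.permit.pop(pkt.reverse_key(), None)
        return True

    def inbound(self, pkt, now):
        """Packet from the ISP side towards a protected host; True if forwarded."""
        self._expire(now)
        if self._spoofed(pkt) or pkt.dst not in self.services:
            return False
        if pkt.dst in self.escalated:   # only pre-established critical peers get through
            return pkt.src in self.critical.get(pkt.dst, ())
        if pkt.dport in self.exotic_ports and pkt.dport < EXOTIC_LIMIT:
            return True                 # trusted peer, irrespective of permit rules
        if pkt.key() in self.permit:
            if pkt.fin:                 # finish algorithm: drop the rule, let the FIN through
                del self.permit[pkt.key()]
            else:
                self.permit[pkt.key()] = now + self.rule_ttl
            return True
        if pkt.syn and pkt.dport in self.services[pkt.dst]:  # synchronization algorithm
            self.permit[pkt.key()] = now + self.rule_ttl
            return True
        return self._block(pkt.dst)

    def _block(self, host):
        self.blocked[host] = self.blocked.get(host, 0) + 1
        if self.blocked[host] >= self.attack_threshold and host not in self.escalated:
            self.escalated.add(host)    # rising attack level: drop all existing permit rules
            self.permit = {k: t for k, t in self.permit.items() if k[1] != host}
        return False


def scenario():
    """Constructed traffic run through the model; returns each forwarding decision."""
    r = NextHopRouter(addr_port={"10.0.0.5": "lan1"}, services={"10.0.0.5": {443}},
                      critical={"10.0.0.5": {"203.0.113.9"}}, exotic_ports=frozenset({777}))
    host, out = "10.0.0.5", {}
    out["out_syn"] = r.outbound(Packet("lan1", host, "198.51.100.7", 40000, 80, syn=True), 0)
    out["reply"] = r.inbound(Packet("wan", "198.51.100.7", host, 80, 40000), 1)
    out["late_reply"] = r.inbound(Packet("wan", "198.51.100.7", host, 80, 40000), 400)  # timed out
    out["spoof"] = r.inbound(Packet("wan", host, host, 1, 443, syn=True), 401)  # wrong physical port
    out["in_syn"] = r.inbound(Packet("wan", "198.51.100.8", host, 51000, 443, syn=True), 402)
    out["fin"] = r.inbound(Packet("wan", "198.51.100.8", host, 51000, 443, fin=True), 403)
    out["after_fin"] = r.inbound(Packet("wan", "198.51.100.8", host, 51000, 443), 404)
    out["trusted"] = r.inbound(Packet("wan", "192.0.2.1", host, 5000, 777), 405)
    r.outbound(Packet("lan1", host, "198.51.100.9", 40001, 80, syn=True), 405)  # leaves a live rule
    for i in range(3):  # unsolicited non-SYN packets push the blocked count to the threshold
        r.inbound(Packet("wan", f"198.51.100.{20 + i}", host, 6000, 25), 406)
    out["escalated"], out["rules_left"] = host in r.escalated, len(r.permit)
    out["critical_ok"] = r.inbound(Packet("wan", "203.0.113.9", host, 7000, 443), 407)
    out["noncritical"] = r.inbound(Packet("wan", "198.51.100.8", host, 51000, 443, syn=True), 407)
    return out
```

Running `scenario()` walks one protected host through the claim's cases in order: the reply to its own outbound SYN is permitted, the same reply after the rule's lifetime is dropped, a packet carrying the host's own address on the WAN port fails the physical-port check, an inbound FIN with a live rule is let through while its rule is deleted, an exotic-port packet passes without any rule, and once unsolicited packets cross the threshold every remaining permit rule for that host is discarded so only the pre-established critical peer still gets through.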
