Detection of grid participation in a DDoS attack

US 8,423,645 B2
Filed: 09/14/2004
Issued: 04/16/2013
Est. Priority Date: 09/14/2004
Status: Active Grant

First Claim

Patent Images

1. A method of managing a denial of service attack in a multiprocessor environment comprising the steps of:

establishing baseline values for normal network traffic usage in the multiprocessor environment;

monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline values;

in response to detecting a high proportion of packets being sent to said specific destination address, and a high number of outbound packets compared to said baseline values, monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port;

in response to detecting a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port, monitoring outgoing traffic to detect a high proportion of timeouts compared to said baseline values coming from a portion of a subnet address space of said network; and

in response to detecting a high proportion of timeouts compared to said baseline values coming from said portion of a subnet address space of said network, starting blocking measures to mitigate an apparent denial of service attack.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of, system for, and product for managing a denial of service attack in a multiprocessor environment comprising. The first step is establishing normal traffic usage baselines in the multiprocessor environment. Once the baseline is established the next step is monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline. Next is monitoring ports and protocols to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port. If there is such consistent use of a protocol for all packets for that port as to evidence a denial of service attack, blocking measures are started to mitigate the apparent denial of service attack.

23 Citations

View as Search Results

12 Claims

1. A method of managing a denial of service attack in a multiprocessor environment comprising the steps of:
- establishing baseline values for normal network traffic usage in the multiprocessor environment;
  
  monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline values;
  
  in response to detecting a high proportion of packets being sent to said specific destination address, and a high number of outbound packets compared to said baseline values, monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port;
  
  in response to detecting a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port, monitoring outgoing traffic to detect a high proportion of timeouts compared to said baseline values coming from a portion of a subnet address space of said network; and
  
  in response to detecting a high proportion of timeouts compared to said baseline values coming from said portion of a subnet address space of said network, starting blocking measures to mitigate an apparent denial of service attack.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein the denial of service attack is an outbound denial of service attack.
  - 3. The method of claim 1 comprising the steps of:
    - a. monitoring outgoing traffic with respect to said specific destination address;
      
      b. if the ratio of (i) number of packets to said specific destination address to (ii) the total number of packets outbound is greater than a preset number and the total number of outbound packets is above a preset value, monitoring selected ports and protocols;
      
      c. if the ratio of (i) the number of packets to one of said selected ports to (ii) the total number of packets to all of said selected ports is above a preset value, and if the protocol used is consistent across a large fraction of said selected ports, commencing blocking measures.
  - 4. The method of claim 1 wherein the multiprocessor environment is a grid computer environment.

5. A multiprocessor system comprising a plurality of computers in at least one network, said plurality of computers adapted to simultaneous process a single problem, and further adapted for managing a denial of service attack by a method comprising the steps of:
- establishing baseline values for normal network traffic usage in the multiprocessor environment;
  
  monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline values;
  
  in response to detecting a high proportion of packets being sent to said specific destination address, and a high number of outbound packets compared to said baseline values, monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port;
  
  in response to detecting a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port, monitoring outgoing traffic to detect a high proportion of timeouts compared to said baseline values coming from a portion of a subnet address space of said network; and
  
  in response to detecting a high proportion of timeouts compared to said baseline values coming from said portion of a subnet address space of said network, starting blocking measures to mitigate an apparent denial of service attack.
- View Dependent Claims (6, 7, 8)
- - 6. The multiprocessor system of claim 5 wherein the denial of service attack is an outbound denial of service attack.
  - 7. The multiprocessor system of claim 5 comprising the steps of:
    - a. monitoring outgoing traffic with respect to said specific destination address;
      
      b. if the ratio of (i) number of packets to said specific destination address to (ii) the total number of packets outbound is greater than a preset number and the total number of outbound packets is above a preset value, monitoring selected ports and protocols;
      
      c. if the ratio of (i) the number of packets to one of said selected ports to (ii) the total number of packets to all of said selected ports is above a preset value, and if the protocol used is consistent across a large fraction of said selected ports, commencing blocking measures.
  - 8. The multiprocessor system of claim 5 wherein the multiprocessor environment is a grid computer environment.

9. A non-transitory data storage medium containing computer readable code, said computer readable code adapted to configure and control a multiprocessor environment having a plurality of computers in at least one network, said plurality of computers adapted to simultaneous process a single problem, and further adapted for managing a denial of service attack, said computer readable code directing the steps of:
- establishing baseline values for normal network traffic usage in the multiprocessor environment;
  
  monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline values;
  
  in response to detecting a high proportion of packets being sent to said specific destination address, and a high number of outbound packets compared to said baseline values, monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port;
  
  in response to detecting a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port, monitoring outgoing traffic to detect a high proportion of timeouts compared to said baseline values coming from a portion of a subnet address space of said network; and
  
  in response to detecting a high proportion of timeouts compared to said baseline values coming from said portion of a subnet address space of said network, starting blocking measures to mitigate an apparent denial of service attack.
- View Dependent Claims (10, 11, 12)
- - 10. The non-transitory data storage medium of claim 9 wherein the denial of service attack is an outbound denial of service attack.
  - 11. The non-transitory data storage medium of claim 9 comprising the steps of:
    - a. monitoring outgoing traffic with respect to said specific destination address;
      
      b. if the ratio of (i) number of packets to said specific destination address to (ii) the total number of packets outbound is greater than a preset number and the total number of outbound packets is above a preset value, monitoring selected ports and protocols;
      
      c. if the ratio of (i) the number of packets to one of said selected ports to (ii) the total number of packets to all of said selected ports is above a preset value, and if the protocol used is consistent across a large fraction of said selected ports, commencing blocking measures.
  - 12. The non-transitory data storage medium of claim 9 wherein the multiprocessor environment is a grid computer environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Jeffries, Clark Debs, Danford, Robert William, Himberger, Kevin David, Escamilla, Terry Dwain
Primary Examiner(s)
Bayard, Djenane
Assistant Examiner(s)
RICHARDSON, THOMAS W

Application Number

US10/940,558
Publication Number

US 20060107318A1
Time in Patent Office

3,136 Days
Field of Search

709224-226, 709/239, 726/22, 713/150, 713/151
US Class Current

709/226
CPC Class Codes

G06F 11/349   for interfaces, buses

G06F 11/3495   for systems

G06F 21/55   Detecting local intrusion o...

G06F 2201/81   Threshold

H04L 2463/141   Denial of service attacks a...

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Y02D 10/00   Energy efficient computing,...

Detection of grid participation in a DDoS attack

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of grid participation in a DDoS attack

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links