Detection of grid participation in a DDoS attack
First Claim
1. A method of managing a denial of service attack in a multiprocessor environment comprising the steps of:
- establishing baseline values for normal network traffic usage in the multiprocessor environment;
- monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline values;
- in response to detecting a high proportion of packets being sent to said specific destination address, and a high number of outbound packets compared to said baseline values, monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port;
- in response to detecting a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port, monitoring outgoing traffic to detect a high proportion of timeouts compared to said baseline values coming from a portion of a subnet address space of said network; and
- in response to detecting a high proportion of timeouts compared to said baseline values coming from said portion of a subnet address space of said network, starting blocking measures to mitigate an apparent denial of service attack.
Abstract
A method of, system for, and product for managing a denial of service attack in a multiprocessor environment. The first step is establishing normal traffic usage baselines in the multiprocessor environment. Once the baseline is established, the next step is monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline. Next is monitoring ports and protocols to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port. If there is such consistent use of a protocol for all packets for that port as to evidence a denial of service attack, blocking measures are started to mitigate the apparent denial of service attack.
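The staged check described in the claim and abstract, written out as an added example (this is not the patent's own code). It runs over constructed outbound flow records from a grid's nodes: stage 1 tests volume against the baseline and concentration on one destination, stage 2 tests port concentration and protocol consistency for that destination, and stage 3 tests the timeout rate and whether the timed-out packets come from one block of the local subnet. The baseline values, the `/26` block size and the flow schema are assumptions; the function returns evidence for a blocking measure rather than applying one.

```python
from collections import Counter, namedtuple
import ipaddress

# One outbound packet/flow record from a grid node (constructed schema).
Flow = namedtuple("Flow", "src dst dport proto timed_out")

# Constructed baseline for one monitoring window: normal outbound packet count and timeout rate.
BASELINE = {"pkts": 200, "timeout_rate": 0.02}

def detect_outbound_ddos(flows, baseline=BASELINE, ratio=3.0, share=0.6, block_prefix=26):
    """Staged check from the claim; each stage runs only if the previous one fired.
    Returns None, or a dict of evidence for the blocking measure."""
    # Stage 1: outbound volume far above baseline and concentrated on one destination.
    if len(flows) < baseline["pkts"] * ratio:
        return None
    dst, n_dst = Counter(f.dst for f in flows).most_common(1)[0]
    if n_dst / len(flows) < share:
        return None
    # Stage 2: among packets to that destination, one port dominates with a single protocol.
    to_dst = [f for f in flows if f.dst == dst]
    port, n_port = Counter(f.dport for f in to_dst).most_common(1)[0]
    to_port = [f for f in to_dst if f.dport == port]
    protos = {f.proto for f in to_port}
    if n_port / len(to_dst) < share or len(protos) != 1:
        return None
    # Stage 3: timeouts well above baseline, coming from one block of the local subnet.
    timeouts = [f for f in to_port if f.timed_out]
    if len(timeouts) / len(to_port) < baseline["timeout_rate"] * ratio:
        return None
    blocks = Counter(str(ipaddress.ip_network(f"{f.src}/{block_prefix}", strict=False)) for f in timeouts)
    block, n_block = blocks.most_common(1)[0]
    if n_block / len(timeouts) < share:
        return None
    proto = protos.pop()
    return {"dst": dst, "port": port, "proto": proto, "source_block": block,
            "action": f"drop outbound {proto}/{port} to {dst} from {block}"}

def normal_flows():
    """Constructed quiet window: 150 packets spread over several destinations and ports."""
    return [Flow(f"10.0.5.{1 + i % 120}", f"198.51.100.{i % 8}", 443 if i % 2 else 22, "tcp", i % 50 == 0)
            for i in range(150)]

def attack_flows():
    """Constructed attack window: nodes 10.0.5.1-60 flood 203.0.113.9:80/tcp; 3 of 4 packets time out."""
    flood = [Flow(f"10.0.5.{1 + i % 60}", "203.0.113.9", 80, "tcp", i % 4 != 0) for i in range(700)]
    return flood + normal_flows()

if __name__ == "__main__":
    print(detect_outbound_ddos(normal_flows()))   # None
    print(detect_outbound_ddos(attack_flows()))   # evidence dict naming 203.0.113.9, port 80, 10.0.5.0/26
```

The thresholds (`ratio`, `share`) stand in for the claim's "high proportion" and "high number" and should be tuned against the baseline of the grid being protected.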
12 Claims
1. A method of managing a denial of service attack in a multiprocessor environment comprising the steps of:
- establishing baseline values for normal network traffic usage in the multiprocessor environment;
- monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline values;
- in response to detecting a high proportion of packets being sent to said specific destination address, and a high number of outbound packets compared to said baseline values, monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port;
- in response to detecting a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port, monitoring outgoing traffic to detect a high proportion of timeouts compared to said baseline values coming from a portion of a subnet address space of said network; and
- in response to detecting a high proportion of timeouts compared to said baseline values coming from said portion of a subnet address space of said network, starting blocking measures to mitigate an apparent denial of service attack.
Dependent claims: 2, 3, 4.

5. A multiprocessor system comprising a plurality of computers in at least one network, said plurality of computers adapted to simultaneously process a single problem, and further adapted for managing a denial of service attack by a method comprising the steps of:
- establishing baseline values for normal network traffic usage in the multiprocessor environment;
- monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline values;
- in response to detecting a high proportion of packets being sent to said specific destination address, and a high number of outbound packets compared to said baseline values, monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port;
- in response to detecting a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port, monitoring outgoing traffic to detect a high proportion of timeouts compared to said baseline values coming from a portion of a subnet address space of said network; and
- in response to detecting a high proportion of timeouts compared to said baseline values coming from said portion of a subnet address space of said network, starting blocking measures to mitigate an apparent denial of service attack.
Dependent claims: 6, 7, 8.

9. A non-transitory data storage medium containing computer readable code, said computer readable code adapted to configure and control a multiprocessor environment having a plurality of computers in at least one network, said plurality of computers adapted to simultaneously process a single problem, and further adapted for managing a denial of service attack, said computer readable code directing the steps of:
- establishing baseline values for normal network traffic usage in the multiprocessor environment;
- monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline values;
- in response to detecting a high proportion of packets being sent to said specific destination address, and a high number of outbound packets compared to said baseline values, monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port;
- in response to detecting a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port, monitoring outgoing traffic to detect a high proportion of timeouts compared to said baseline values coming from a portion of a subnet address space of said network; and
- in response to detecting a high proportion of timeouts compared to said baseline values coming from said portion of a subnet address space of said network, starting blocking measures to mitigate an apparent denial of service attack.
Dependent claims: 10, 11, 12.