Carrier-independent on-demand distributed denial of service (DDoS) mitigation

US 8,510,826 B1
Filed: 12/06/2005
Issued: 08/13/2013
Est. Priority Date: 12/06/2005
Status: Active Grant

First Claim

Patent Images

1. A computer system having a processor and a memory, the computer system operable to execute a method for providing a service provider-independent on-demand distributed denial of service (DDoS) mitigation, the method comprising:

creating a baseline of normal internet protocol (IP) traffic for a customer wherein the baseline is an ideal or model traffic pattern of a normal traffic behavior of the customer generated from normal IP traffic that is sent to and from the customer;

building a customer profile from the baseline to load into a set of mitigation devices prior to a DDoS attack, wherein the customer profile includes information that identifies the model traffic pattern for normal IP traffic for the customer;

loading the customer profile into the set of mitigation devices;

activating the customer profile in one or more subsets of the set of mitigation devices when a DDoS attack occurs;

implementing one or more protocol configurations in one or more routers to route the IP traffic to the one or more subsets of the set of mitigation devices; and

filtering the IP traffic of a set of DDoS packets based on the customer profile, wherein filtering the IP traffic comprises comparing the IP traffic to the customer profile, determining if one or more members of the IP traffic exceed a limit for a normal traffic pattern for the customer, and if the limit is exceeded, removing the one or more members; and

routing the IP traffic that is filtered to the customer.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Service provider-independent on-demand distributed denial of service (DDoS) mitigation. A mitigation provider provides a service to customers to remove or reduce DDoS attacks regardless of the customer'"'"'s relationship with a service provider. Customer profiles about the customers'"'"' IP traffics are loaded into mitigation devices. When a DDoS attack occurs, customer profiles are activated in a set of the mitigation devices. Routes are also modified to steer customer traffic to the mitigation devices. DDoS packets are removed at the mitigation devices and the “cleaned” IP traffic is subsequently routed to the destination.

50 Citations

View as Search Results

13 Claims

1. A computer system having a processor and a memory, the computer system operable to execute a method for providing a service provider-independent on-demand distributed denial of service (DDoS) mitigation, the method comprising:
- creating a baseline of normal internet protocol (IP) traffic for a customer wherein the baseline is an ideal or model traffic pattern of a normal traffic behavior of the customer generated from normal IP traffic that is sent to and from the customer;
  
  building a customer profile from the baseline to load into a set of mitigation devices prior to a DDoS attack, wherein the customer profile includes information that identifies the model traffic pattern for normal IP traffic for the customer;
  
  loading the customer profile into the set of mitigation devices;
  
  activating the customer profile in one or more subsets of the set of mitigation devices when a DDoS attack occurs;
  
  implementing one or more protocol configurations in one or more routers to route the IP traffic to the one or more subsets of the set of mitigation devices; and
  
  filtering the IP traffic of a set of DDoS packets based on the customer profile, wherein filtering the IP traffic comprises comparing the IP traffic to the customer profile, determining if one or more members of the IP traffic exceed a limit for a normal traffic pattern for the customer, and if the limit is exceeded, removing the one or more members; and
  
  routing the IP traffic that is filtered to the customer.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the baseline includes a data from a statistical reporting of data packets in a network of the customer.
  - 3. The system of claim 1, wherein developing the customer profile comprises converting a set of information in the baseline to another set of information to operate in the set of mitigation devices.
  - 4. The system of claim 1, wherein activating the customer profiles occur at an operations center that monitors one or more networks.
  - 5. The system of claim 1, wherein implementing the one or more protocol configurations comprises at least one of applying route changes to the one or more routers or inputting route advertisements into the one or more routers.
  - 6. The system of claim 5, wherein the one or more protocol configurations include one or more border gateway protocol (BGP) configurations.

7. A computer system having a processor and a memory, the computer system operable to execute a method for implementing a distributed denial of service (DDoS) mitigation network by a mitigation provider, the method comprising:
- providing one or more network connections between the mitigation provider and one or more service providers to provide access from the mitigation provider to one or more customers associated with the one or more service providers;
  
  loading a customer profile for each of the one or more customers into a set of mitigation devices prior to a DDoS attack, wherein the customer profile includes information that identifies a model traffic pattern for normal IP traffic for the customer;
  
  with a DDoS detection method implemented to detect a DDoS attack to a customer, at least one of notifying the mitigation provider of the DDoS attack by the customer or detecting the DDoS attack by the mitigation provider at an equipment of the customer;
  
  activating a subset of the set of mitigation devices by the mitigation provider when the DDoS attack occurs, the subset is activated based on a locality of the mitigation devices in proximity to the DDoS attack, a volume of the DDoS attack, or the locality of the customer in proximity to the mitigation devices; and
  
  routing an internet protocol (IP) traffic destined for the customer to the set of mitigation devices to remove one or more DDoS packets, wherein routing the IP traffic comprises comparing the IP traffic to the customer profile loaded into the set of mitigation devices wherein the customer profile identifies a normal traffic behavior of the customer, determining if one or more members of the IP traffic exceed the normal traffic behavior, and if the normal traffic behavior is exceeded, removing the one or more members, and wherein an analyzed IP traffic is subsequently routed to the customer.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The system of claim 7, wherein the mitigation provider is distinct from the one or more service providers that provide at least one or an Internet access or an Internet service.
  - 9. The system of claim 7, wherein routing IP traffic comprises modifying a set of protocol configurations in a set of routers to route the IP traffic destined for the customer to the set of mitigation devices.
  - 10. The system of claim 9, wherein the set of protocol configurations include a border gateway protocol (BGP) configuration.
  - 11. The system of claim 7, wherein the one or more members include the one or more DDoS packets.

12. One or more non-transitory computer-readable media having computer-readable instructions executable by a computer for causing a computing device to perform a method for providing a service provider-independent on-demand distributed denial of service (DDoS) mitigation, the method comprising:
- creating a baseline of normal internet protocol (IP) traffic for a customer, wherein the baseline is an ideal or model traffic pattern of a normal traffic behavior of the customer generated from normal IP traffic that is sent to and from the customer;
  
  building a customer profile from the baseline to load into a set of mitigation devices prior to a DDoS attack, wherein the customer profile includes information that identifies the model traffic pattern for normal IP traffic for the customer;
  
  loading the customer profile into the set of mitigation devices;
  
  activating the customer profile in one or more subsets of the set of mitigation devices when a DDoS attack occurs;
  
  implementing one or more protocol configurations in one or more routers to route the IP traffic to the one or more subsets of the set of mitigation devices; and
  
  filtering the IP traffic of a set of DDoS packets based on the customer profile, wherein filtering the IP traffic comprises comparing the IP traffic to the customer profile, determining if one or more members of the IP traffic exceed a limit for a normal traffic pattern for the customer, and if the limit is exceeded, removing the one or more members; and
  
  routing the IP traffic that is filtered to the customer.

13. One or more non-transitory computer-readable media having computer-readable instructions executable by a computer for causing a computing device to perform a method for implementing a distributed denial of service (DDoS) mitigation network by a mitigation provider, the method comprising:
- providing one or more network connections between the mitigation provider and one or more service providers to provide access from the mitigation provider to one or more customers associated with the one or more service providers;
  
  loading a customer profile for each of the one or more customers into a set of mitigation devices prior to a DDoS attack, wherein the customer profile includes information that identifies a model traffic pattern for normal IP traffic for the customer;
  
  with a DDoS detection method implemented to detect a DDoS attack to a customer, at least one of notifying the mitigation provider of the DDoS attack by the customer or detecting the DDoS attack by the mitigation provider at an equipment of the customer;
  
  activating a subset of the set of mitigation devices by the mitigation provider when the DDoS attack occurs, the subset is activated based on a locality of the mitigation devices in proximity to the DDoS attack, a volume of the DDoS attack, or the locality of the customer in proximity to the mitigation devices; and
  
  routing an internet protocol (IP) traffic destined for the customer to the set of mitigation devices to remove one or more DDoS packets, wherein routing the IP traffic comprises comparing the IP traffic to the customer profile loaded into the set of mitigation devices wherein the customer profile identifies a normal traffic behavior of the customer, determining if one or more members of the IP traffic exceed the normal traffic behavior, and if the normal traffic behavior is exceeded, removing the one or more members, and wherein an analyzed IP traffic is subsequently routed to the customer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Reams, Orin Paul III, Constantine, Russell Alan
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US11/295,080
Time in Patent Office

2,807 Days
Field of Search

726/1, 726/22, 709/225, 709/235, 709/238, 709/239
US Class Current

726/22
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1458 Denial of Service

Carrier-independent on-demand distributed denial of service (DDoS) mitigation

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Carrier-independent on-demand distributed denial of service (DDoS) mitigation

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links