Carrier-independent on-demand distributed denial of service (DDoS) mitigation
First Claim
1. A computer system having a processor and a memory, the computer system operable to execute a method for providing a service provider-independent on-demand distributed denial of service (DDoS) mitigation, the method comprising:
- creating a baseline of normal internet protocol (IP) traffic for a customer wherein the baseline is an ideal or model traffic pattern of a normal traffic behavior of the customer generated from normal IP traffic that is sent to and from the customer;
- building a customer profile from the baseline to load into a set of mitigation devices prior to a DDoS attack, wherein the customer profile includes information that identifies the model traffic pattern for normal IP traffic for the customer;
- loading the customer profile into the set of mitigation devices;
- activating the customer profile in one or more subsets of the set of mitigation devices when a DDoS attack occurs;
- implementing one or more protocol configurations in one or more routers to route the IP traffic to the one or more subsets of the set of mitigation devices; and
- filtering the IP traffic of a set of DDoS packets based on the customer profile, wherein filtering the IP traffic comprises comparing the IP traffic to the customer profile, determining if one or more members of the IP traffic exceed a limit for a normal traffic pattern for the customer, and if the limit is exceeded, removing the one or more members; and
- routing the IP traffic that is filtered to the customer.

Abstract
Service provider-independent on-demand distributed denial of service (DDoS) mitigation. A mitigation provider provides a service to customers to remove or reduce DDoS attacks regardless of the customer's relationship with a service provider. Customer profiles about the customers' IP traffics are loaded into mitigation devices. When a DDoS attack occurs, customer profiles are activated in a set of the mitigation devices. Routes are also modified to steer customer traffic to the mitigation devices. DDoS packets are removed at the mitigation devices and the “cleaned” IP traffic is subsequently routed to the destination.
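
The profile-then-filter flow of the abstract and claim 1, as an added example that is not taken from the patent: a profile is built from baseline traffic, loaded into a device ahead of time, and only applied once the customer is activated. Assumptions made here: a "member" of the traffic is one source's packets per window for a (protocol, port) class, the limit is mean plus three standard deviations, classes absent from the baseline get a limit of zero, and route steering is not modeled; all names and sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (window, src_ip, protocol, dst_port, packets).
BASELINE = [
    (0, "198.51.100.10", "tcp", 443, 10), (0, "198.51.100.11", "tcp", 443, 12),
    (1, "198.51.100.10", "tcp", 443, 8), (1, "198.51.100.12", "tcp", 443, 10),
    (0, "198.51.100.10", "udp", 53, 2), (1, "198.51.100.11", "udp", 53, 2),
]
ATTACK_WINDOW = [
    (9, "198.51.100.10", "tcp", 443, 11),  # within the normal pattern
    (9, "203.0.113.7", "tcp", 443, 400),   # far above the per-source limit
    (9, "203.0.113.8", "udp", 53, 900),
    (9, "198.51.100.11", "udp", 53, 2),
    (9, "203.0.113.9", "udp", 123, 50),    # traffic class never seen in the baseline
]

def build_profile(baseline, k=3.0, floor=5):
    """Limit per (protocol, port): mean + k*stddev of per-source packets per window."""
    per_source = defaultdict(int)
    for window, src, proto, port, pkts in baseline:
        per_source[(window, src, proto, port)] += pkts
    per_class = defaultdict(list)
    for (_, _, proto, port), pkts in per_source.items():
        per_class[(proto, port)].append(pkts)
    return {c: max(floor, mean(v) + k * pstdev(v)) for c, v in per_class.items()}

def filter_window(profile, records, unknown_limit=0):
    """Compare one window to the profile; return (forwarded, removed) records."""
    totals = defaultdict(int)
    for _, src, proto, port, pkts in records:
        totals[(src, proto, port)] += pkts
    forwarded, removed = [], []
    for rec in records:
        _, src, proto, port, _ = rec
        limit = profile.get((proto, port), unknown_limit)
        (removed if totals[(src, proto, port)] > limit else forwarded).append(rec)
    return forwarded, removed

class MitigationDevice:
    """Holds profiles loaded ahead of time; filters only for activated customers."""
    def __init__(self):
        self.profiles, self.active = {}, set()
    def load(self, customer, profile):
        self.profiles[customer] = profile
    def activate(self, customer):
        self.active.add(customer)
    def process(self, customer, records):
        if customer not in self.active:   # no attack declared: pass traffic through
            return list(records), []
        return filter_window(self.profiles[customer], records)
```

The `floor` parameter keeps a very quiet baseline (here udp/53) from producing a limit so tight that ordinary variation is removed as attack traffic.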
13 Claims
7. A computer system having a processor and a memory, the computer system operable to execute a method for implementing a distributed denial of service (DDoS) mitigation network by a mitigation provider, the method comprising:
- providing one or more network connections between the mitigation provider and one or more service providers to provide access from the mitigation provider to one or more customers associated with the one or more service providers;
- loading a customer profile for each of the one or more customers into a set of mitigation devices prior to a DDoS attack, wherein the customer profile includes information that identifies a model traffic pattern for normal IP traffic for the customer;
- with a DDoS detection method implemented to detect a DDoS attack to a customer, at least one of notifying the mitigation provider of the DDoS attack by the customer or detecting the DDoS attack by the mitigation provider at an equipment of the customer;
- activating a subset of the set of mitigation devices by the mitigation provider when the DDoS attack occurs, the subset is activated based on a locality of the mitigation devices in proximity to the DDoS attack, a volume of the DDoS attack, or the locality of the customer in proximity to the mitigation devices; and
- routing an internet protocol (IP) traffic destined for the customer to the set of mitigation devices to remove one or more DDoS packets, wherein routing the IP traffic comprises comparing the IP traffic to the customer profile loaded into the set of mitigation devices wherein the customer profile identifies a normal traffic behavior of the customer, determining if one or more members of the IP traffic exceed the normal traffic behavior, and if the normal traffic behavior is exceeded, removing the one or more members, and wherein an analyzed IP traffic is subsequently routed to the customer.

12. One or more non-transitory computer-readable media having computer-readable instructions executable by a computer for causing a computing device to perform a method for providing a service provider-independent on-demand distributed denial of service (DDoS) mitigation, the method comprising:
- creating a baseline of normal internet protocol (IP) traffic for a customer, wherein the baseline is an ideal or model traffic pattern of a normal traffic behavior of the customer generated from normal IP traffic that is sent to and from the customer;
- building a customer profile from the baseline to load into a set of mitigation devices prior to a DDoS attack, wherein the customer profile includes information that identifies the model traffic pattern for normal IP traffic for the customer;
- loading the customer profile into the set of mitigation devices;
- activating the customer profile in one or more subsets of the set of mitigation devices when a DDoS attack occurs;
- implementing one or more protocol configurations in one or more routers to route the IP traffic to the one or more subsets of the set of mitigation devices; and
- filtering the IP traffic of a set of DDoS packets based on the customer profile, wherein filtering the IP traffic comprises comparing the IP traffic to the customer profile, determining if one or more members of the IP traffic exceed a limit for a normal traffic pattern for the customer, and if the limit is exceeded, removing the one or more members; and
- routing the IP traffic that is filtered to the customer.

13. One or more non-transitory computer-readable media having computer-readable instructions executable by a computer for causing a computing device to perform a method for implementing a distributed denial of service (DDoS) mitigation network by a mitigation provider, the method comprising:
- providing one or more network connections between the mitigation provider and one or more service providers to provide access from the mitigation provider to one or more customers associated with the one or more service providers;
- loading a customer profile for each of the one or more customers into a set of mitigation devices prior to a DDoS attack, wherein the customer profile includes information that identifies a model traffic pattern for normal IP traffic for the customer;
- with a DDoS detection method implemented to detect a DDoS attack to a customer, at least one of notifying the mitigation provider of the DDoS attack by the customer or detecting the DDoS attack by the mitigation provider at an equipment of the customer;
- activating a subset of the set of mitigation devices by the mitigation provider when the DDoS attack occurs, the subset is activated based on a locality of the mitigation devices in proximity to the DDoS attack, a volume of the DDoS attack, or the locality of the customer in proximity to the mitigation devices; and
- routing an internet protocol (IP) traffic destined for the customer to the set of mitigation devices to remove one or more DDoS packets, wherein routing the IP traffic comprises comparing the IP traffic to the customer profile loaded into the set of mitigation devices wherein the customer profile identifies a normal traffic behavior of the customer, determining if one or more members of the IP traffic exceed the normal traffic behavior, and if the normal traffic behavior is exceeded, removing the one or more members, and wherein an analyzed IP traffic is subsequently routed to the customer.

Specification