IP prioritization and scoring system for DDoS detection and mitigation

US 8,935,785 B2
Filed: 09/23/2011
Issued: 01/13/2015
Est. Priority Date: 09/24/2010
Status: Active Grant

First Claim

Patent Images

1. A method for controlling network traffic, comprising:

receiving, at a network server, client machine data for a plurality of client machines, the client machine data relating to a confidence score for each of the plurality of client machines, the client machine data comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information;

determining a plurality of threshold values;

relating each of the plurality of threshold values to an action to be taken for request network traffic;

receiving a request associated with a client machine, wherein the association is determined using identification data found in the request;

determining a confidence score associated with the client machine based on the client machine data; and

acting on the request based on comparing the confidence score to the threshold values and related actions to be taken.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system to mitigate an attack over the Internet includes collecting information related to a plurality of client IP addresses from a plurality of sources and analyzing the collected information to determine confidence scores for the plurality of client IP addresses. The method and system also include receiving network traffic from the Internet and limiting network traffic from a first subset of the plurality of client IP addresses characterized by a confidence score less than a first threshold. The method, and system further include determining a level of the network traffic and limiting network traffic from a second subset of the plurality of client IP addresses characterized by a confidence score less than a second threshold greater than the first threshold.

102 Citations

View as Search Results

24 Claims

1. A method for controlling network traffic, comprising:
- receiving, at a network server, client machine data for a plurality of client machines, the client machine data relating to a confidence score for each of the plurality of client machines, the client machine data comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information;
  
  determining a plurality of threshold values;
  
  relating each of the plurality of threshold values to an action to be taken for request network traffic;
  
  receiving a request associated with a client machine, wherein the association is determined using identification data found in the request;
  
  determining a confidence score associated with the client machine based on the client machine data; and
  
  acting on the request based on comparing the confidence score to the threshold values and related actions to be taken.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the threshold values are adjusted based on current network traffic information.
  - 3. The method of claim 2 wherein the current network traffic information is evidence of an attack, and the adjusting increases the threshold values.
  - 4. The method of claim 1 wherein an action related to one or more of the threshold values comprises at least one of:
    - applying a rate limit to the requests by the client machine or performing an additional check on the request by a client IP network address associated with the request.
  - 5. The method of claim 1 wherein the data relating to a confidence score received from the central server includes the confidence score.
  - 6. The method of claim 1 wherein the confidence score is calculated at the network server based in part on the data received from the central server.
  - 7. The method of claim 1 wherein the identification data comprises client IP addresses and wherein the identification data found in the request comprises a client IP address associated with the request.

8. A method for computing a confidence score for an IP address, the method comprising:
- storing information about a plurality of client IP addresses, the information comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information;
  
  analyzing the stored information about the client IP addresses,computing a confidence score for each of the plurality of client IP addresses based on the analysis of the stored information, wherein the confidence score is granular.
- View Dependent Claims (9)
- - 9. The method of claim 8 wherein the stored information includes IP addresses that are identified as malicious.

10. A method of mitigating an attack over the Internet, the method comprising:
- collecting information related to a plurality of client IP addresses from a plurality of sources, the information comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information;
  
  analyzing the collected information to determine confidence scores for the plurality of client IP addresses;
  
  receiving network traffic from the Internet;
  
  limiting network traffic from a first subset of the plurality of client IP addresses characterized by a confidence score less than a first threshold;
  
  determining a level of the network traffic; and
  
  in response to determining the level of network traffic, limiting network traffic from a second subset of the plurality of client IP addresses characterized by a confidence score less than a second threshold greater than the first threshold.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10 wherein limiting the network traffic comprises applying at least a four-level threshold to block a portion of the network traffic.
  - 12. The method of claim 10 further comprising assigning a weighting to each of the plurality of sources prior to analyzing the collected information to determine confidence scores for the plurality of client IP addresses.
  - 13. The method of claim 10 further comprising receiving data from a second source, wherein determining the confidence scores for the plurality of client IP addresses comprises aggregating the information and the data.

14. A system for controlling network traffic, comprising:
- a central server containing data for a plurality of client machines, the data comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information, the data relating to a confidence score of each of the plurality of client machine;
  
  a network server including a processor and non-transitory computer-readable memory containing instructions which, when executed on the processor, perform a method comprising;
  
  receiving, at the network server, client machine data for a plurality of client machines;
  
  determining a plurality of threshold values;
  
  relating each of the plurality of threshold values to an action to be taken for request network traffic;
  
  receiving a request associated with a client machine, wherein the association is determined using identification data found in the request;
  
  determining, based on the data, a confidence score associated with the client machine; and
  
  acting on the request based on the confidence score in relation to the threshold values and related actions to be taken.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14 wherein the threshold values are adjusted based on current network traffic information.
  - 16. The system of claim 15 wherein the current network traffic information is evidence of an attack, and the adjusting increases the threshold values.
  - 17. The system of claim 14 wherein an action related to one or more of the threshold values comprises at least one of:
    - applying a rate limit to the requests by the client machine or performing an additional check on the request by a client IP network address associated with the request.
  - 18. The system of claim 14 wherein the data relating to a confidence score received from the central server includes the confidence score.
  - 19. The system of claim 14 wherein the confidence score is calculated at the network server based in part on the data received from the central server.
  - 20. The system of claim 14 wherein the identification data comprises client IP addresses and wherein the identification data found in the request comprises a client IP address associated with the request.

21. A system of mitigating an attack over the Internet, comprising:
- a processor; and
  
  memory storing instructions, which when executed on a processor, perform a method comprising;
  
  collecting information related to a plurality of client IP addresses from a plurality of sources, the information comprising network traffic information, blacklist information, IP address to location mapping information, a number of connections information, and a time of connections information;
  
  analyzing the collected information to determine confidence scores for the plurality of client IP addresses;
  
  receiving network traffic from the Internet;
  
  limiting network traffic from a first subset of the plurality of client IP addresses characterized by a confidence score less than a first threshold;
  
  determining a level of the network traffic; and
  
  in response to determining the level of network traffic, limiting network traffic from a second subset of the plurality of client IP addresses characterized by a confidence score less than a second threshold greater than the first threshold.
- View Dependent Claims (22, 23, 24)
- - 22. The system of claim 21 wherein limiting the network traffic comprises applying at least a four-level threshold to block a portion of the network traffic.
  - 23. The system of claim 21 wherein the method further comprises:
    - assigning a weighting to each of the plurality of sources prior to analyzing the collected information to determine confidence scores for the plurality of client IP addresses.
  - 24. The system of claim 21 wherein the method further comprises:
    - receiving data from a second source, wherein determining the confidence scores for the plurality of client IP addresses comprises aggregating the information and the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Pandrangi, Ramakant
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/243,714
Publication Number

US 20120079592A1
Time in Patent Office

1,208 Days
Field of Search

None
US Class Current

726/23
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

IP prioritization and scoring system for DDoS detection and mitigation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

102 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

IP prioritization and scoring system for DDoS detection and mitigation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links