Systems and methods for detecting and preventing flooding attacks in a network environment
First Claim
Patent Images
1. A method for processing network traffic data comprising:
- receiving a packet to initiate a new session from an Internet Protocol (IP) address;
determining a concurrent session counter N for active concurrent sessions associated with the IP address;
comparing the concurrent session counter N for active concurrent sessions associated with the IP address with a prescribed concurrent session threshold T;
allowing the packet to pass when the concurrent session counter N for active concurrent sessions associated with the IP address is less than the prescribed concurrent session threshold T (N<
T); and
classifying the packet as possibly associated with a flooding attack when the concurrent session counter N for active concurrent sessions associated with the IP address is greater than or equal to the prescribed concurrent session threshold T (N>
=T).
0 Assignments
0 Petitions
Accused Products
Abstract
A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit.
39 Citations
20 Claims
-
1. A method for processing network traffic data comprising:
-
receiving a packet to initiate a new session from an Internet Protocol (IP) address; determining a concurrent session counter N for active concurrent sessions associated with the IP address; comparing the concurrent session counter N for active concurrent sessions associated with the IP address with a prescribed concurrent session threshold T; allowing the packet to pass when the concurrent session counter N for active concurrent sessions associated with the IP address is less than the prescribed concurrent session threshold T (N<
T); andclassifying the packet as possibly associated with a flooding attack when the concurrent session counter N for active concurrent sessions associated with the IP address is greater than or equal to the prescribed concurrent session threshold T (N>
=T). - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A non-transitory device-readable storage medium including a set of instructions stored thereon which when executed by a processor of a device cause the device to perform data processing activities comprising:
-
receiving a packet to initiate a new session from an Internet Protocol (IP) address; determining a concurrent session counter N for active concurrent sessions associated with the IP address; comparing the concurrent session counter N for active concurrent sessions associated with the IP address with a prescribed concurrent session threshold T; allowing the packet to pass when the concurrent session counter N for active concurrent sessions associated with the IP address is less than the prescribed concurrent session threshold T (N<
T); andclassifying the packet as possibly associated with a flooding attack when the concurrent session counter N for active concurrent sessions associated with the IP address is greater than or equal to the prescribed concurrent session threshold T (N>
=T). - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A device, comprising:
-
a processor; a communication interface for communicating over a network; a memory device including instructions stored thereon which when executed by the processor, cause the device to perform data processing activities comprising; receiving a packet to initiate a new session from an Internet Protocol (IP) address; determining a concurrent session counter N for active concurrent sessions associated with the IP address; comparing the concurrent session counter N for active concurrent sessions associated with the IP address with a prescribed concurrent session threshold T; allowing the packet to pass when the concurrent session counter N for active concurrent sessions associated with the IP address is less than the prescribed concurrent session threshold T (N<
T); andclassifying the packet as possibly associated with a flooding attack when the concurrent session counter N for active concurrent sessions associated with the IP address is greater than or equal to the prescribed concurrent session threshold T (N>
=T). - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification