Systems and methods for detecting and preventing flooding attacks in a network environment
First Claim
Patent Images
1. A method for processing network traffic content performed on a network switching device, comprising:
- receiving, via a network interface of the network switching device, a packet associated with a new network traffic session;
identifying, on the network switching device, one or more Internet Protocol (IP) addresses associated with the new network traffic session;
determining, on the network switching device, a number of concurrent sessions associated with at least one of the one or more IP address associated with the new network traffic session; and
when the determined number of concurrent sessions is greater than a concurrent IP address session threshold, performing flooding attack mitigation processing at least in part on the network switching device, wherein the concurrent IP address session threshold is learned based on processing of stored packet history log data that determines the concurrent IP address session threshold.
0 Assignments
0 Petitions
Accused Products
Abstract
A method for processing network traffic data includes receiving a packet, and determining whether the packet or a session of the packet is associated with a flooding attack. Some embodiments are implemented on network switching devices.
-
Citations
20 Claims
-
1. A method for processing network traffic content performed on a network switching device, comprising:
-
receiving, via a network interface of the network switching device, a packet associated with a new network traffic session; identifying, on the network switching device, one or more Internet Protocol (IP) addresses associated with the new network traffic session; determining, on the network switching device, a number of concurrent sessions associated with at least one of the one or more IP address associated with the new network traffic session; and when the determined number of concurrent sessions is greater than a concurrent IP address session threshold, performing flooding attack mitigation processing at least in part on the network switching device, wherein the concurrent IP address session threshold is learned based on processing of stored packet history log data that determines the concurrent IP address session threshold. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A network switching device, comprising:
-
a processor; a set of network interfaces for communicating over at least one network; a memory device including instructions stored thereon which when executed by the processor, cause the network switching device to; receive, via a network interface of the set of network interfaces, a packet associated with a new network traffic session; identify one or more Internet Protocol (IP) addresses associated with the new network traffic session; determine a number of concurrent sessions associated with at least one of the one or more IP address associated with the new network traffic session; and when the number of concurrent sessions associated with the at least one of the one or more IP addresses associated with the new network traffic session is greater than a concurrent IP address session threshold, perform flooding attack mitigation processing, wherein the concurrent IP address session threshold is learned based on processing of stored packet history log data that determines the concurrent IP address session threshold. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A computer-readable storage device including a set of instructions stored thereon which when executed by a processor of a network switching device cause the network switching device to:
-
receive, on the network switching device via a network interface of a plurality of network interfaces of the network switching device, a packet associated with a new network traffic session; identify, on the network switching device, one or more Internet Protocol (IP) addresses associated with the new network traffic session; determine, on the network switching device, a number of concurrent sessions associated with at least one of the one or more IP address associated with the new network traffic session; and when the number of concurrent sessions associated with the at least one of the one or more IP addresses associated with the new network traffic session is greater than a concurrent IP address session threshold, perform flooding attack mitigation processing on the network switching device, wherein the concurrent IP address session threshold is learned based on processing of stored packet history log data that determines the concurrent IP address session threshold. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification