Protecting networks from cyber attacks and overloading
First Claim
1. A method comprising:
at each packet-filtering device of a plurality of packet-filtering devices interfacing a plurality of different autonomous system networks;
receiving, via a communication interface of the packet-filtering device, a plurality of packets;
responsive to a determination, by at least one processor of the packet-filtering device, that a network-overload condition impacting effective transmission capacity at a peering point interfacing two of the plurality of different autonomous system networks has occurred, applying, by the packet-filtering device and to at least some of the plurality of packets, a first group of packet-filtering rules stored in a memory of the packet-filtering device, the first group of packet-filtering rules comprising at least one five-tuple indicating a first set of packets that should be allowed to continue via the peering point toward their respective destinations, wherein applying the first group of packet-filtering rules comprises allowing at least a first portion of the plurality of packets, comprising packets that fall within the first set of packets, to continue via the peering point toward their respective destinations;
responsive to a determination, by the at least one processor, that the network-overload condition has been mitigated to a first degree, applying, by the packet-filtering device and to at least some of the plurality of packets, a second group of packet-filtering rules stored in the memory, the second group of packet-filtering rules comprising at least one five-tuple indicating a second set of packets that should be allowed to continue via the peering point toward their respective destinations, wherein applying the second group of packet-filtering rules comprises allowing at least a second portion of the plurality of packets, comprising packets that fall within the second set of packets, to continue via the peering point toward their respective destinations; and
responsive to a determination, by the at least one processor, that the network-overload condition has been mitigated to a second degree, applying, by the packet-filtering device and to at least some of the plurality of packets, a third group of packet-filtering rules stored in the memory, the third group of packet-filtering rules comprising at least one five-tuple indicating a third set of packets that should be allowed to continue via the peering point toward their respective destinations, wherein applying the third group of packet-filtering rules comprises allowing at least a third portion of the plurality of packets, comprising packets that fall within the third set of packets, to continue via the peering point toward their respective destinations, the second group of packet-filtering rules being less restrictive than the first group of packet-filtering rules, the third group of packet-filtering rules being less restrictive than the second group of packet-filtering rules, the second portion of the plurality of packets comprising more packets than the first portion of the plurality of packets, the third portion of the plurality of packets comprising more packets than the second portion of the plurality of packets, and the second degree comprising a greater degree of mitigation of the network-overload condition than the first degree.
Abstract
Packets may be received by a packet security gateway. Responsive to a determination that an overload condition has occurred in one or more networks associated with the packet security gateway, a first group of packet filtering rules may be applied to at least some of the packets. Applying the first group of packet filtering rules may include allowing at least a first portion of the packets to continue toward their respective destinations. Responsive to a determination that the overload condition has been mitigated, a second group of packet filtering rules may be applied to at least some of the packets. Applying the second group of packet filtering rules may include allowing at least a second portion of the packets to continue toward their respective destinations.
20 Claims
1. A method comprising: (independent claim; text as given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system comprising:
a plurality of packet-filtering devices configured to interface a plurality of different autonomous system networks, wherein each packet-filtering device of the plurality of packet-filtering devices comprises:
at least one processor;
a communication interface; and
a memory comprising instructions that when executed by the at least one processor cause the packet-filtering device to:
receive, via the communication interface, a plurality of packets;
responsive to a determination, by the at least one processor, that a network-overload condition impacting effective transmission capacity at a peering point interfacing two of the plurality of different autonomous systems networks has occurred: apply, to at least some of the plurality of packets, a first group of packet-filtering rules stored in the memory, the first group of packet-filtering rules comprising at least one five-tuple indicating a first set of packets that should be allowed to continue via the peering point toward their respective destinations; and allow at least a first portion of the plurality of packets, comprising packets that fall within the first set of packets, to continue via the peering point toward their respective destinations;
responsive to a determination, by the at least one processor, that the network-overload condition has been mitigated to a first degree: apply, to at least some of the plurality of packets, a second group of packet-filtering rules stored in the memory, the second group of packet-filtering rules comprising at least one five-tuple indicating a second set of packets that should be allowed to continue via the peering point toward their respective destinations; and allow at least a second portion of the plurality of packets, comprising packets that fall within the second set of packets, to continue via the peering point toward their respective destinations; and
responsive to a determination, by the at least one processor, that the network-overload condition has been mitigated to a second degree: apply, to at least some of the plurality of packets, a third group of packet-filtering rules stored in the memory, the third group of packet-filtering rules comprising at least one five-tuple indicating a third set of packets that should be allowed to continue via the peering point toward their respective destinations; and allow at least a third portion of the plurality of packets, comprising packets that fall within the third set of packets, to continue via the peering point toward their respective destinations, the second group of packet-filtering rules being less restrictive than the first group of packet-filtering rules, the third group of packet-filtering rules being less restrictive than the second group of packet-filtering rules, the second portion of the plurality of packets comprising more packets than the first portion of the plurality of packets, the third portion of the plurality of packets comprising more packets than the second portion of the plurality of packets, and the second degree comprising a greater degree of mitigation of the network-overload condition than the first degree.
Dependent claims: 9, 10, 11, 12, 13, 14
15. One or more non-transitory computer-readable media comprising instructions that when executed by each packet-filtering device of a plurality of packet-filtering devices interfacing a plurality of different autonomous system networks cause the packet-filtering device to:
receive a plurality of packets;
responsive to a determination that a network-overload condition impacting effective transmission capacity at a peering point interfacing two of the plurality of different autonomous systems networks has occurred: apply, to at least some of the plurality of packets, a first group of packet-filtering rules, the first group of packet-filtering rules comprising at least one five-tuple indicating a first set of packets that should be allowed to continue via the peering point toward their respective destinations; and allow at least a first portion of the plurality of packets, comprising packets that fall within the first set of packets, to continue via the peering point toward their respective destinations;
responsive to a determination that the network-overload condition has been mitigated to a first degree: apply, to at least some of the plurality of packets, a second group of packet-filtering rules, the second group of packet-filtering rules comprising at least one five-tuple indicating a second set of packets that should be allowed to continue via the peering point toward their respective destinations; and allow at least a second portion of the plurality of packets, comprising packets that fall within the second set of packets, to continue via the peering point toward their respective destinations; and
responsive to a determination that the network-overload condition has been mitigated to a second degree: apply, to at least some of the plurality of packets, a third group of packet-filtering rules, the third group of packet-filtering rules comprising at least one five-tuple indicating a third set of packets that should be allowed to continue via the peering point toward their respective destinations; and allow at least a third portion of the plurality of packets, comprising packets that fall within the third set of packets, to continue via the peering point toward their respective destinations, the second group of packet-filtering rules being less restrictive than the first group of packet-filtering rules, the third group of packet-filtering rules being less restrictive than the second group of packet-filtering rules, the second portion of the plurality of packets comprising more packets than the first portion of the plurality of packets, the third portion of the plurality of packets comprising more packets than the second portion of the plurality of packets, and the second degree comprising a greater degree of mitigation of the network-overload condition than the first degree.
Dependent claims: 16, 17, 18, 19, 20
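A constructed model of the staged filtering the claims describe, added here as an illustration and not code from the patent or any product: a packet-filtering device holds three five-tuple allow-lists ordered from most to least restrictive, selects one by the degree to which the peering-point overload has been mitigated, and checks that each group passes at least every packet the stricter group before it passed. The utilisation thresholds, rule syntax, addresses and sample packets are all assumptions made for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src dst proto sport dport")

@dataclass(frozen=True)
class Rule:
    """Five-tuple allow rule: '*' wildcards a field, IP fields accept CIDR prefixes (assumed syntax)."""
    src: str = "*"
    dst: str = "*"
    proto: str = "*"
    sport: str = "*"
    dport: str = "*"

    def matches(self, p):
        ip_ok = lambda pat, a: pat == "*" or ip_address(a) in ip_network(pat, strict=False)
        port_ok = lambda pat, n: pat == "*" or int(pat) == n
        return (ip_ok(self.src, p.src) and ip_ok(self.dst, p.dst) and self.proto in ("*", p.proto)
                and port_ok(self.sport, p.sport) and port_ok(self.dport, p.dport))

class PacketFilteringDevice:
    """rule_groups[d] is the allow-list applied once the overload is mitigated to degree d."""
    def __init__(self, rule_groups):
        self.rule_groups = rule_groups

    @staticmethod
    def mitigation_degree(load_pct):
        # Constructed utilisation thresholds; the claims fix only the ordering of the degrees.
        return 0 if load_pct >= 90 else 1 if load_pct >= 70 else 2

    def passing(self, packets, group):
        return {p for p in packets if any(r.matches(p) for r in group)}

    def allowed(self, packets, load_pct):
        return self.passing(packets, self.rule_groups[self.mitigation_degree(load_pct)])

    def groups_are_nested(self, packets):
        """Each group must pass every packet the previous, stricter group passed."""
        sets = [self.passing(packets, g) for g in self.rule_groups]
        return all(a <= b for a, b in zip(sets, sets[1:]))

# Constructed sample: three nested groups and a small batch of packets crossing the peering point.
GROUPS = [[Rule(dst="198.51.100.0/24", proto="udp", dport="53")],
          [Rule(dst="198.51.100.0/24", proto="udp", dport="53"), Rule(proto="tcp", dport="443")],
          [Rule()]]
PACKETS = [Packet("203.0.113.5", "198.51.100.10", "udp", 40000, 53),
           Packet("203.0.113.6", "192.0.2.20", "tcp", 50000, 443),
           Packet("203.0.113.7", "192.0.2.30", "tcp", 50001, 25),
           Packet("203.0.113.8", "192.0.2.40", "udp", 50002, 123)]
DEVICE = PacketFilteringDevice(GROUPS)

def allowed_counts():
    # Packets forwarded at loads that map to degrees 0, 1 and 2; strictly increasing as required.
    return [len(DEVICE.allowed(PACKETS, load)) for load in (95.0, 75.0, 40.0)]
```

Run `groups_are_nested` against representative traffic before deploying a rule set: a second group that drops something the first group allowed would violate the ordering the claims require and would cut traffic off as the overload eases.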
Specification