Systems and methods for detecting and preventing flooding attacks in a network environment
First Claim
Patent Images
1. A method for processing network traffic data comprising:
- receiving a packet to initiate a new session associated with an Internet Protocol (IP) address;
taking into account the received packet, determining a rate R at which a number of sessions initiation packets N associated with the IP address are received within a time period t, where R=N÷
t;
storing, on a data storage device, a representation of the rate R;
comparing the rate R with a prescribed session rate threshold T;
allowing the packet to pass when the session rate threshold R is less than the prescribed session rate threshold T (R<
T); and
classifying the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or equal to the prescribed session rate threshold T (R≧
T).
0 Assignments
0 Petitions
Accused Products
Abstract
A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit.
-
Citations
20 Claims
-
1. A method for processing network traffic data comprising:
-
receiving a packet to initiate a new session associated with an Internet Protocol (IP) address; taking into account the received packet, determining a rate R at which a number of sessions initiation packets N associated with the IP address are received within a time period t, where R=N÷
t;storing, on a data storage device, a representation of the rate R; comparing the rate R with a prescribed session rate threshold T; allowing the packet to pass when the session rate threshold R is less than the prescribed session rate threshold T (R<
T); andclassifying the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or equal to the prescribed session rate threshold T (R≧
T). - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A non-transitory device-readable storage medium including a set of instructions stored thereon which when executed by a processor of a device cause the device to:
-
receive a packet to initiate a new session associated with an Internet Protocol (IP) address; taking into account the received packet, determine a rate R at which a number of sessions initiation packets N associated with the IP address are received within a time period t, where R=N÷
t;store, on a data storage device, a representation of the rate R; compare the rate R with a prescribed session rate threshold T; allow the packet to pass when the session rate threshold R is less than the prescribed session rate threshold T (R<
T); andclassify the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or equal to the prescribed session rate threshold T (R≧
T). - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A device, comprising:
-
a processor; a communication interface for communicating over a network; a memory device including instructions stored thereon which when executed by the processor, cause the device to; receive a packet to initiate a new session associated with an Internet Protocol (IP) address; taking into account the received packet, determine a rate R at which a number of sessions initiation packets N associated with the IP address are received within a time period t, where R=N÷
t;store, on a data storage device, a representation of the rate R; compare the rate R with a prescribed session rate threshold T; allow the packet to pass when the session rate threshold R is less than the prescribed session rate threshold T (R<
T); andclassify the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or equal to the prescribed session rate threshold T (R≧
T). - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeFortinet Inc.
-
Original AssigneeFortinet Inc.
-
InventorsWei, Shaohong, Duan, Gang, Chen, Zhong Qiang, Xie, Bing
-
Primary Examiner(s)Jiang, Charles C
-
Assistant Examiner(s)KAMARA, MOHAMED A
-
Application NumberUS13/795,429Publication NumberTime in Patent Office910 DaysField of Search370252-253, 370/230, 370386-392, 370/401, 370/422, 370466-467, 370/469, 726 22- 25US Class Current1/1CPC Class CodesH04L 1/1835 Buffer managementH04L 2463/143 Denial of service attacks i...H04L 41/28 Restricting access to netwo...H04L 43/16 Threshold monitoringH04L 63/0236 Filtering by address, proto...H04L 63/14 for detecting or protecting...H04L 63/1408 by monitoring network traff...H04L 63/1416 Event detection, e.g. attac...H04L 63/1458 Denial of ServiceH04L 63/1466 Active attacks involving in...
