Mitigating denial of service attacks
First Claim
1. A method, comprising the steps of:
a) polling a traffic rate for each Distributed Denial-of-Service (DDoS) Device in a first plurality of DDoS Devices, wherein the first plurality of DDoS Devices is receiving a network traffic entering a network;
b) determining a throughput capability for each DDoS Device in the first plurality of DDoS Devices;
c) determining whether each DDoS Device in the first plurality of DDoS Devices can handle its polled traffic rate without intervention by comparing its polled traffic rate with its throughput capability;
d) for each DDoS Device in the first plurality of DDoS Devices that can handle its polled traffic rate without intervention, removing a past DDoS mitigation;
e) determining a malicious traffic rate for each DDoS Device in the first plurality of DDoS Devices;
f) determining an operational limit capability for each DDoS Device in the first plurality of DDoS Devices;
g) for each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate approach its operational limit capability within a predetermined amount, sending a notification to a monitor web page; and
h) for each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate greater than its operational limit capability, sending a notification to the monitor web page and routing traffic from the DDoS Device to a second DDoS Device that has an operational limit capability greater than the malicious traffic rate.
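The steps of claim 1 amount to a capacity-driven control loop: compare each device's polled rate with its throughput, clear stale mitigations where the device copes on its own, and escalate (notify, then reroute) as the malicious rate closes in on or exceeds the device's operational limit. The following is an added example written for this page, not code from the patent or its assignee. It models the loop in Python over a constructed four-device fleet; the device fields, the notification-as-string convention (the patent posts to a monitor web page) and the reroute-target choice (largest spare scrubbing capacity) are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DDoSDevice:
    """One mitigation device as seen by the poller (constructed model; field
    names are this example's, not the patent's)."""
    name: str
    polled_rate_mbps: float        # a) total traffic currently entering the device
    throughput_mbps: float         # b) what it absorbs without intervention
    malicious_rate_mbps: float     # e) share of that traffic classified as attack
    operational_limit_mbps: float  # f) most malicious traffic it can scrub
    active_mitigation: bool = False


def select_reroute_target(source: DDoSDevice, fleet: List[DDoSDevice]) -> Optional[DDoSDevice]:
    """h) pick a second device whose operational limit exceeds the source's malicious
    rate; among those, prefer the one with the most spare scrubbing capacity (assumption)."""
    candidates = [d for d in fleet
                  if d is not source and d.operational_limit_mbps > source.malicious_rate_mbps]
    if not candidates:
        return None
    return max(candidates, key=lambda d: d.operational_limit_mbps - d.malicious_rate_mbps)


def evaluate_cycle(fleet: List[DDoSDevice], warn_margin_mbps: float) -> List[str]:
    """One polling cycle over steps c)-h). Notifications are returned as strings
    instead of being posted to a monitor web page; device state is updated in place."""
    actions = []
    for dev in fleet:
        # c)/d) the device copes on its own: clear a mitigation left over from an earlier attack
        if dev.polled_rate_mbps <= dev.throughput_mbps and dev.active_mitigation:
            dev.active_mitigation = False
            actions.append(f"{dev.name}: removed past mitigation")
        headroom = dev.operational_limit_mbps - dev.malicious_rate_mbps
        if headroom < 0:
            # h) malicious rate exceeds the limit: notify and move traffic to a larger device
            target = select_reroute_target(dev, fleet)
            where = f"reroute to {target.name}" if target else "no reroute target available"
            actions.append(f"{dev.name}: NOTIFY over limit, {where}")
        elif headroom <= warn_margin_mbps:
            # g) within the predetermined margin of the limit: notify only
            actions.append(f"{dev.name}: NOTIFY approaching limit")
    return actions


def run_example() -> List[str]:
    """Constructed four-device fleet that exercises every branch of the claim."""
    fleet = [
        DDoSDevice("edge-a", polled_rate_mbps=800, throughput_mbps=1000,
                   malicious_rate_mbps=100, operational_limit_mbps=500, active_mitigation=True),
        DDoSDevice("edge-b", polled_rate_mbps=1500, throughput_mbps=1000,
                   malicious_rate_mbps=460, operational_limit_mbps=500),
        DDoSDevice("edge-c", polled_rate_mbps=3000, throughput_mbps=1000,
                   malicious_rate_mbps=1200, operational_limit_mbps=500),
        DDoSDevice("scrub-center", polled_rate_mbps=400, throughput_mbps=8000,
                   malicious_rate_mbps=200, operational_limit_mbps=5000),
    ]
    return evaluate_cycle(fleet, warn_margin_mbps=50)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Running it yields one action per device that needs one: edge-a has its old mitigation cleared, edge-b triggers the approaching-limit notification, and edge-c is both reported and rerouted to the scrubbing centre, the only device whose operational limit exceeds edge-c's 1200 Mbps of malicious traffic. A production poller would also have to handle the case where no device is large enough (the function returns None and the notification says so) rather than silently leaving the traffic where it is.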
Abstract
Several methods are disclosed for detecting and mitigating Distributed Denial-of-Service (DDoS) attacks that are intended to exhaust network resources. The methods use DDoS mitigation devices to detect DDoS attacks using operationally based thresholds. The methods also keep track of ongoing attacks, have an understanding of “protected IP space,” and activate appropriate mitigation tactics based on the severity of the attack and the capabilities of the DDoS mitigation devices.
20 Claims
1. Independent claim; its text is reproduced in full under First Claim above. Dependent claims: 2, 3.
4. A method, comprising the step of:
identifying DDoS traffic based upon a traffic flow and a plurality of individual packet payloads utilizing an intrusion detection and prevention engine, the identifying step comprising the steps of:
i) determining a validity of a combination of flag values in a Transmission Control Protocol (TCP) header;
ii) if the combination of flag values in the TCP header are not valid, activating a first Distributed Denial of Service (DDoS) mitigation;
iii) determining a number of TCP flags received over a first period of time;
iv) if the number of TCP flags received over the first period of time exceeds a first predetermined threshold, activating a second DDoS mitigation;
v) determining a number of packets received over a second period of time;
vi) if the number of packets received over the second period of time exceeds a second predetermined threshold, activating a third DDoS mitigation;
vii) determining a number of HTTP or DNS activities over a third period of time; and
viii) if the number of HTTP or DNS activities over the third period of time exceeds a third predetermined threshold, activating a fourth DDoS mitigation.
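Claim 4 describes four independent triggers evaluated by the detection engine: a structural check (the TCP flag combination is one a conforming stack could never have sent) and three rate checks over separate time windows. The following is an added example for this page, not code from the patent, showing the four checks in Python over a constructed packet batch. The claim does not say which flag combinations count as invalid, how "number of TCP flags" is counted, or how HTTP/DNS activity is recognised; this example uses the usual null/xmas/SYN+FIN/SYN+RST/bare-FIN set, counts SYN segments, and classifies activity by well-known destination port, all of which are its own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# TCP flag bits as laid out in the header (RFC 793 / RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


@dataclass
class Packet:
    """Minimal packet record for the example (constructed, not a real capture format)."""
    t: float         # arrival time in seconds
    proto: str       # "tcp" or "udp"
    flags: int = 0   # TCP flag byte, 0 for UDP
    dport: int = 0   # destination port


def tcp_flags_valid(flags: int) -> bool:
    """Step i): reject combinations a conforming TCP stack never emits. Which
    combinations count as invalid is this example's assumption, not the claim's."""
    core = flags & 0x3F                                 # ECN bits do not affect validity here
    if core == 0:                                       # no flags at all ("null")
        return False
    if core & SYN and core & (FIN | RST):               # SYN together with FIN or RST
        return False
    if core & (FIN | PSH | URG) == (FIN | PSH | URG):   # "xmas"
        return False
    if core & FIN and not core & ACK:                   # FIN only makes sense on an established connection
        return False
    return True


def in_window(packets: List[Packet], now: float, window_s: float) -> List[Packet]:
    """Packets whose arrival time falls in the last `window_s` seconds."""
    return [p for p in packets if now - window_s <= p.t <= now]


def detect(packets: List[Packet], thresholds: Dict[str, int], windows: Dict[str, float]) -> List[str]:
    """Steps i)-viii) applied to one batch; returns the mitigations that would be activated."""
    now = max(p.t for p in packets)
    active = []
    tcp = [p for p in packets if p.proto == "tcp"]
    # i)/ii) any TCP segment with an impossible flag combination
    if any(not tcp_flags_valid(p.flags) for p in tcp):
        active.append("m1_invalid_flags")
    # iii)/iv) flagged TCP segments in the first window (this example counts SYN segments)
    syns = [p for p in in_window(tcp, now, windows["flags"]) if p.flags & SYN]
    if len(syns) > thresholds["flags"]:
        active.append("m2_flag_rate")
    # v)/vi) every packet in the second window
    if len(in_window(packets, now, windows["packets"])) > thresholds["packets"]:
        active.append("m3_packet_rate")
    # vii)/viii) HTTP or DNS activity in the third window, recognised by destination port
    app = [p for p in in_window(packets, now, windows["app"]) if p.dport in (53, 80, 443)]
    if len(app) > thresholds["app"]:
        active.append("m4_app_rate")
    return active


def sample_packets() -> List[Packet]:
    """Constructed traffic: a little normal HTTPS, one malformed segment, and a DNS burst."""
    pkts = []
    for i in range(20):                                   # 20 legitimate handshakes over ~1 s
        pkts.append(Packet(t=i * 0.05, proto="tcp", flags=SYN, dport=443))
        pkts.append(Packet(t=i * 0.05 + 0.01, proto="tcp", flags=ACK, dport=443))
    pkts.append(Packet(t=0.3, proto="tcp", flags=SYN | FIN, dport=443))   # impossible combination
    for i in range(160):                                  # 160 UDP/53 packets within 160 ms
        pkts.append(Packet(t=0.5 + i * 0.001, proto="udp", dport=53))
    return pkts


def run_example() -> List[str]:
    thresholds = {"flags": 100, "packets": 150, "app": 120}   # constructed limits
    windows = {"flags": 1.0, "packets": 1.0, "app": 1.0}     # seconds
    return detect(sample_packets(), thresholds, windows)


if __name__ == "__main__":
    print(run_example())
```

On the sample batch the SYN+FIN segment trips the first mitigation, the 21 SYN segments stay under the flag threshold, and the UDP burst pushes both the total packet count and the HTTP/DNS activity count over their thresholds, so the third and fourth mitigations activate while the second does not. The four checks are deliberately independent; a deployment would tune each window and threshold against its own baseline traffic, since the 1 s windows and the limits here are illustrative only.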
5. A method, comprising the steps of:
a) a plurality of Intrusion Detection Systems (IDS) capturing a plurality of packet data from a network traffic entering a network;
b) the plurality of IDS processing the plurality of packet data;
c) calculating a first one or more statistics from the plurality of packet data;
d) reading a second one or more statistics from a traffic stats database;
e) storing the first one or more statistics in the traffic stats database;
f) determining a change in the network traffic by comparing the first one or more statistics with the second one or more statistics; and
g) activating or modifying DDoS mitigation based on the change in the network traffic.
Dependent claims: 6, 7, 8, 9, 10, 11, 12, 13.
14. A method, comprising the steps of:
a) a plurality of Intrusion Detection Systems (IDS) capturing a data from a network traffic entering a network;
b) the plurality of IDS processing the data;
c) determining an application corresponding to the data;
d) determining an application rate for the application using the data;
e) generating a filter that is specific to the application; and
f) activating or modifying a DDoS mitigation using the generated filter.
Dependent claims: 15, 16, 17, 18, 19, 20.
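Claims 5 and 14 share one pipeline: statistics computed from the captured packets are compared with the previous statistics held in the traffic stats database, and when the comparison shows a change the mitigation is activated or modified, in claim 14 with a filter tied to the application whose rate moved. The following added example (written for this page, not the patent's own code) implements that pipeline once for both claims in Python, with a constructed two-window capture. The port-to-application table, the "rate grew past a ratio of the stored rate" change test, the absolute floor, the in-memory stats database and the shape of the generated filter are all this example's assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Port-based application classification (assumption: the claim does not say how the
# application corresponding to the data is determined)
APP_BY_PORT = {53: "dns", 80: "http", 443: "https", 123: "ntp"}
PROTO_BY_APP = {"dns": "udp", "http": "tcp", "https": "tcp", "ntp": "udp"}


@dataclass
class Packet:
    """Constructed packet record: arrival time, transport protocol, destination port."""
    t: float
    proto: str
    dport: int


def compute_stats(packets: List[Packet], window_s: float) -> Dict[str, float]:
    """Claim 5 step c) / claim 14 steps c)-d): per-application packet rate in pps."""
    counts = Counter(APP_BY_PORT.get(p.dport, "other") for p in packets)
    return {app: n / window_s for app, n in counts.items()}


def changed_apps(current: Dict[str, float], baseline: Dict[str, float],
                 ratio: float, floor_pps: float) -> Dict[str, float]:
    """Claim 5 step f): applications whose rate rose past `ratio` times the stored rate and
    past an absolute floor (so a previously idle application cannot trip on a handful of packets)."""
    return {app: rate for app, rate in current.items()
            if rate > max(baseline.get(app, 0.0) * ratio, floor_pps)}


def generate_filter(app: str, cap_pps: float) -> Dict:
    """Claim 14 step e): a filter specific to one application. The dict shape is this
    example's own; a real device would want its vendor's rule syntax."""
    port = next(p for p, a in APP_BY_PORT.items() if a == app)
    return {"match": {"proto": PROTO_BY_APP[app], "dport": port},
            "action": "rate-limit", "pps": cap_pps}


class StatsDB:
    """In-memory stand-in for the traffic stats database (assumption)."""
    def __init__(self) -> None:
        self.rows: Dict[str, float] = {}

    def read(self) -> Dict[str, float]:
        return dict(self.rows)

    def write(self, stats: Dict[str, float]) -> None:
        self.rows = dict(stats)


def cycle(db: StatsDB, mitigations: Dict[str, Dict], packets: List[Packet], window_s: float,
          ratio: float = 3.0, floor_pps: float = 250.0) -> Dict[str, float]:
    """Claim 5 steps c)-g) and claim 14 steps e)-f) for one window of captured packets.
    `mitigations` maps application -> active filter; entries are added (activated) or
    overwritten (modified) in place."""
    current = compute_stats(packets, window_s)    # c) first statistics
    previous = db.read()                          # d) second statistics from the database
    db.write(current)                             # e) store the first statistics
    for app in changed_apps(current, previous, ratio, floor_pps):       # f) change detected
        cap = max(previous.get(app, 0.0) * ratio, floor_pps)
        mitigations[app] = generate_filter(app, cap)                    # g) activate or modify
    return current


def run_example() -> Tuple[Dict[str, Dict], Dict[str, float]]:
    """Two constructed one-second windows: a quiet baseline, then a DNS rate jump."""
    db, mitigations = StatsDB(), {}
    quiet = ([Packet(i * 0.005, "tcp", 443) for i in range(200)]
             + [Packet(i * 0.02, "udp", 53) for i in range(50)])
    cycle(db, mitigations, quiet, window_s=1.0)
    flood = ([Packet(1 + i * 0.005, "tcp", 443) for i in range(200)]
             + [Packet(1 + i * 0.0025, "udp", 53) for i in range(400)])
    cycle(db, mitigations, flood, window_s=1.0)
    return mitigations, db.read()


if __name__ == "__main__":
    print(run_example())
```

The first window establishes 200 pps of HTTPS and 50 pps of DNS in the database; the second window keeps HTTPS flat and raises DNS to 400 pps, which exceeds three times the stored rate, so a UDP/53 rate-limit filter capped at the floor of 250 pps is activated and HTTPS is left alone. One caveat a deployment must address: step e) stores the attack window as the new "second statistics", so on the next cycle the elevated DNS rate reads as normal. Keeping a longer-lived baseline, or not updating it while a filter for that application is active, avoids the mitigation being silently reasoned away.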