Scalable inline behavioral DDOS attack mitigation
First Claim
1. An apparatus capable of enforcing behavioral policies and preventing Distributed Denial of Service (DDoS) attacks, the apparatus comprising:
a plurality of data interfaces configured to receive and forward or drop inbound/outbound packets;
a plurality of DDoS attack mitigation components configured to (i) continuously learn granular rates at a plurality of Open System Interconnection (OSI) model network layers, wherein the granular rates represent observed rates of parameters for one or more of OSI model layer 2, layer 3, layer 4 or layer 7 within the inbound/outbound packets during a period of time; (ii) send information regarding the granular rates back to a controlling host; (iii) receive granular rate thresholds from the controlling host, and (iv) perform adaptive DDoS attack mitigation based on the granular rate thresholds;
a switch, coupled to the plurality of DDoS attack mitigation components, configured to forward the inbound/outbound packets to the plurality of DDoS attack mitigation components and remember a port on which the inbound/outbound packets were received to facilitate forwarding of packets processed by the plurality of DDoS attack mitigation components over a corresponding pair port;
a controlling host configured to (i) receive granular rate data relating to the learned granular rates from the plurality of DDoS attack mitigation components, (ii) aggregate the received granular rate data in accordance with a scaling treatment scheme to generate the granular rate thresholds and (iii) send the granular rate thresholds to the plurality of DDoS attack mitigation components; and
a host interface connecting the plurality of DDoS attack mitigation components to the controlling host.
Abstract
Methods and systems for a scalable solution to behavioral Distributed Denial of Service (DDoS) attacks targeting a network are provided. According to one embodiment, a method to determine the scaling treatment is provided for various granular layer parameters of the Open System Interconnection (OSI) model for communication systems. A hardware-based apparatus helps identify packet rates and determine packet rate thresholds through continuous and adaptive learning with multiple DDoS attack mitigation components. The system can be scaled up by stacking multiple DDoS attack mitigation components to provide protection against large scale DDoS attacks by distributing load across these stacked components.
20 Claims
1. (Independent claim 1 is reproduced in full under First Claim above.) Claims 2 through 13 depend from claim 1.
14. A method comprising:
receiving, by at least one data interface of a switch, inbound/outbound packets;
distributing, by the switch, the inbound/outbound packets among a plurality of Distributed Denial of Service (DDoS) attack mitigation components;
remembering, by the switch, ports on which the inbound/outbound packets were received to facilitate forwarding of the inbound/outbound packets processed by the plurality of DDoS attack mitigation components on corresponding pair ports;
continuously learning, by the plurality of DDoS attack mitigation components, granular rates at a plurality of Open System Interconnection (OSI) model network layers, wherein the granular rates represent observed rates of parameters for one or more of OSI model layer 2, layer 3, layer 4 or layer 7 within the inbound/outbound packets during a period of time;
sending, by the plurality of DDoS attack mitigation components, the granular rates to a controlling host;
receiving, by the controlling host, the granular rates from the plurality of DDoS attack mitigation components;
aggregating, by the controlling host, the granular rates in accordance with a scaling treatment scheme to generate granular rate thresholds;
sending, by the controlling host, the granular rate thresholds to the plurality of DDoS attack mitigation components;
receiving, by the plurality of DDoS attack mitigation components, granular rate thresholds from the controlling host;
performing, by the plurality of DDoS attack mitigation components, adaptive DDoS attack mitigation by enforcing the granular rate thresholds; and
forwarding or dropping, by the plurality of DDoS attack mitigation components, the inbound/outbound packets based on results of the adaptive DDoS attack mitigation.
Claims 15 through 20 depend from claim 14.
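The learn / report / aggregate / enforce loop of claims 1 and 14, simulated end to end as an added example that is not code from the patent or its assignee: two stacked mitigation components learn per-layer rates from a constructed baseline, a controlling host aggregates them into thresholds and pushes them back, and a switch spreads later traffic round-robin across the components while remembering the ingress port so survivors leave on its pair port. The packet field layout, the granular keys tracked per OSI layer, and the concrete scaling treatment scheme (sum the learned rates across components, multiply by a headroom factor of 2, split the allowance evenly back across the components) are assumptions made for illustration; the patent text does not specify them.

```python
# Added example simulating the learn / aggregate / enforce loop of claims 1 and 14.
# Not the patent's code: the packet layout, the tracked keys and the scaling
# treatment scheme (sum, headroom factor, even split) are illustrative assumptions.
from collections import Counter, defaultdict


def granular_keys(pkt):
    """(layer, parameter, value) keys whose observed rates are tracked per packet."""
    return [(2, "src_mac", pkt["src_mac"]), (3, "src_ip", pkt["src_ip"]),
            (3, "proto", pkt["proto"]), (4, "dst_port", pkt["dst_port"]),
            (4, "tcp_flags", pkt["tcp_flags"]), (7, "http_method", pkt["http_method"])]


class MitigationComponent:
    """One stacked mitigation component: learns per-key rates, then enforces thresholds."""

    def __init__(self, name):
        self.name = name
        self.thresholds = {}            # key -> allowed packets/s, pushed by the host
        self.window_counts = Counter()  # counts in the current enforcement window

    def learn(self, packets, period_s):
        """Observed rate (packets/s) per granular key over one learning period."""
        counts = Counter(k for p in packets for k in granular_keys(p))
        return {k: c / period_s for k, c in counts.items()}

    def mitigate(self, pkt, window_s=1.0):
        """'drop' once any tracked key exceeds its threshold in this window.
        Keys never seen while learning carry no threshold here; a deployment
        would also need a floor for such never-seen values."""
        verdict = "forward"
        for k in granular_keys(pkt):
            self.window_counts[k] += 1
            limit = self.thresholds.get(k)
            if limit is not None and self.window_counts[k] / window_s > limit:
                verdict = "drop"
        return verdict


class ControllingHost:
    """Aggregates learned rates from all components into thresholds (assumed scheme)."""

    def __init__(self, headroom=2.0):
        self.headroom = headroom        # assumed: allowed multiple of the learned rate
        self.reports = []               # one rate dict per reporting component

    def compute_thresholds(self, n_components):
        total = defaultdict(float)
        for rates in self.reports:
            for k, r in rates.items():
                total[k] += r           # aggregate across the stacked components
        # Even split so that stacking more components spreads the same allowance.
        return {k: self.headroom * r / n_components for k, r in total.items()}


class Switch:
    """Round-robins packets over components; survivors leave on the ingress port's pair."""

    def __init__(self, components, pair_ports=None):
        self.components = components
        self.pair_ports = pair_ports or {"in0": "out0", "out0": "in0"}
        self._next = 0

    def forward(self, pkt, ingress_port):
        comp = self.components[self._next % len(self.components)]
        self._next += 1
        verdict = comp.mitigate(pkt)
        return verdict, (self.pair_ports[ingress_port] if verdict == "forward" else None)


def make_packet(src_ip, flags="A", method="GET"):
    """Constructed sample packet: TCP to a web server on port 80 via one upstream MAC."""
    return {"src_mac": "02:00:00:00:00:01", "src_ip": src_ip, "proto": "tcp",
            "dst_port": 80, "tcp_flags": flags, "http_method": method}


def run_demo(n_components=2, learn_period_s=10.0):
    comps = [MitigationComponent(f"mc{i}") for i in range(n_components)]
    host, sw = ControllingHost(headroom=2.0), Switch(comps)
    # Learning: 100 legitimate packets from 5 clients over 10 s, split round-robin.
    legit = [make_packet(f"10.0.0.{1 + i % 5}") for i in range(100)]
    for i, comp in enumerate(comps):
        host.reports.append(comp.learn(legit[i::n_components], learn_period_s))
    thresholds = host.compute_thresholds(n_components)
    for comp in comps:
        comp.thresholds = dict(thresholds)          # thresholds pushed to each component
    # Enforcement window 1: normal load of 10 packets/s.
    for comp in comps:
        comp.window_counts = Counter()
    normal = Counter(sw.forward(make_packet(f"10.0.0.{1 + i % 5}"), "in0")[0] for i in range(10))
    # Enforcement window 2: SYN flood of 200 packets/s from spoofed sources.
    for comp in comps:
        comp.window_counts = Counter()
    flood = Counter(sw.forward(make_packet(f"198.51.100.{i}", flags="S", method=""), "in0")[0]
                    for i in range(200))
    return {"thresholds": thresholds, "normal": dict(normal), "flood": dict(flood)}
```

With two components each learning 5 packets/s on the port-80 key, the host derives a per-component threshold of 10 packets/s; the normal window passes all 10 packets, while in the flood window each component forwards its first 10 packets and drops the remaining 90. Note which keys fire: the per-source-IP thresholds never trip because every spoofed source is new, but the coarser layer-2/3/4 keys (upstream MAC, protocol, destination port) do, which is the practical reason for learning rates at several OSI layers at once. The fixed one-second window with a hard reset is a simplification; a production component would use sliding windows or token buckets so the allowance is not burstable at window edges.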