Scalable inline behavioral DDOS attack mitigation

US 9,172,721 B2
Filed: 07/16/2013
Issued: 10/27/2015
Est. Priority Date: 07/16/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus capable of enforcing behavioral policies and preventing Distributed Denial of Service (DDoS) attacks, the apparatus comprising:

a plurality of data interfaces configured to receive and forward or drop inbound/outbound packets;

a plurality of DDoS attack mitigation components configured to (i) continuously learn granular rates at a plurality of Open System Interconnection (OSI) model network layers, wherein the granular rates represent observed rates of parameters for one or more of OSI model layer 2, layer 3, layer 4 or layer 7 within the inbound/outbound packets during a period of time;

(ii) send information regarding the granular rates back to a controlling host;

(iii) receive granular rate thresholds from the controlling host, and (iv) perform adaptive DDoS attack mitigation based on the granular rate thresholds;

a switch, coupled to the plurality of DDoS attack mitigation components, configured to forward the inbound/outbound packets to the plurality of DDoS attack mitigation components and remember a port on which the inbound/outbound packets were received to facilitate forwarding of packets processed by the plurality of DDoS attack mitigation components over a corresponding pair port;

a controlling host configured to (i) receive granular rate data relating to the learned granular rates from the plurality of DDoS attack mitigation components, (ii) aggregate the received granular rate data in accordance with a scaling treatment scheme to generate the granular rate thresholds and (iii) send the granular rate thresholds to the plurality of DDoS attack mitigation components; and

a host interface connecting the plurality of DDoS attack mitigation components to the controlling host.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for a scalable solution to behavioral Distributed Denial of Service (DDoS) attacks targeting a network are provided. According to one embodiment, a method to determine the scaling treatment is provided for various granular layer parameters of the Open System Interconnection (OSI) model for communication systems. A hardware-based apparatus helps identify packet rates and determine packet rate thresholds through continuous and adaptive learning with multiple DDoS attack mitigation components. The system can be scaled up by stacking multiple DDoS attack mitigation components to provide protection against large scale DDoS attacks by distributing load across these stacked components.

Citations

20 Claims

1. An apparatus capable of enforcing behavioral policies and preventing Distributed Denial of Service (DDoS) attacks, the apparatus comprising:
- a plurality of data interfaces configured to receive and forward or drop inbound/outbound packets;
  
  a plurality of DDoS attack mitigation components configured to (i) continuously learn granular rates at a plurality of Open System Interconnection (OSI) model network layers, wherein the granular rates represent observed rates of parameters for one or more of OSI model layer 2, layer 3, layer 4 or layer 7 within the inbound/outbound packets during a period of time;
  
  (ii) send information regarding the granular rates back to a controlling host;
  
  (iii) receive granular rate thresholds from the controlling host, and (iv) perform adaptive DDoS attack mitigation based on the granular rate thresholds;
  
  a switch, coupled to the plurality of DDoS attack mitigation components, configured to forward the inbound/outbound packets to the plurality of DDoS attack mitigation components and remember a port on which the inbound/outbound packets were received to facilitate forwarding of packets processed by the plurality of DDoS attack mitigation components over a corresponding pair port;
  
  a controlling host configured to (i) receive granular rate data relating to the learned granular rates from the plurality of DDoS attack mitigation components, (ii) aggregate the received granular rate data in accordance with a scaling treatment scheme to generate the granular rate thresholds and (iii) send the granular rate thresholds to the plurality of DDoS attack mitigation components; and
  
  a host interface connecting the plurality of DDoS attack mitigation components to the controlling host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The apparatus of claim 1, wherein each of the plurality of DDoS attack mitigation components is further operable to maintain data structures in their respective memories responsive to host commands received from the controlling host.
  - 3. The apparatus of claim 1, wherein the plurality of data interfaces comprise one or more of a copper interface and a fiber interface.
  - 4. The apparatus of claim 1, wherein each of the plurality of DDoS attack mitigation components (i) comprises a pair of ports for receiving the inbound/outbound packets from the switch and (ii) are configured to perform behavioral DDoS attack mitigation.
  - 5. The apparatus of claim 1, wherein each of the plurality of DDoS attack mitigation components comprises packet interfaces configured to temporarily store, then forward or drop the inbound/outbound packets based on a decision by a continuous and adaptive granular rate anomaly engine.
  - 6. The apparatus of claim 1, wherein each of the plurality of DDoS attack mitigation components comprises a continuous and adaptive granular rate anomaly engine configured to determine the granular rates based on packet meta information received from the plurality of data interfaces.
  - 7. The apparatus of claim 1, wherein each of the plurality of DDoS attack mitigation components comprises a continuous and adaptive granular rate anomaly engine configured to send granular network layer drop statistics to the controlling host over the host interface.
  - 8. The apparatus of claim 1, wherein each of the plurality of DDoS attack mitigation components comprises a continuous and adaptive granular rate anomaly engine configured to set the granular rates thresholds based on commands received from the controlling host over the host interface.
  - 9. The apparatus of claim 1, wherein the controlling host further combines the granular rates received from the plurality of DDoS attack mitigation components and uses a plurality of scaling treatments to arrive at an effective rate to be used for adaptive threshold calculation.
  - 10. The method of claim 1, wherein a layer 2 granular rate of the granular rates for layer 2 of the OSI model comprises an observed packet rate for Address Resolution Protocol (ARP), Reverse ARP (RARP) or broadcast packets.
  - 11. The method of claim 1, wherein a layer 3 granular rate for layer 3 of the OSI model comprises an observed packet rate for a particular protocol, a particular Internet Protocol (IP) option, fragmented packets or an observed packet rate from a particular source.
  - 12. The method of claim 1, wherein a layer 4 granular rate for layer 4 of the OSI model comprises an observed packet rate for a particular Transmission Control Protocol (TCP) port or a particular User Datagram Protocol (UDP) port.
  - 13. The method of claim 1, wherein a layer 7 granular rate for layer 7 of the OSI model comprises an observed packet rate for a particular Hypertext Transfer Protocol (HTTP) method, a particular HTTP user-agent, a particular Uniform Resource Locator (URL) or an observed rate of Session Initiation Protocol (SIP) registration requests or Domain Name System (DNS) requests.

14. A method comprising:
- receiving, by at least one data interface of a switch, inbound/outbound packets;
  
  distributing, by the switch, the inbound/outbound packets among a plurality of Distributed Denial of Service (DDoS) attack mitigation components;
  
  remembering, by the switch, ports on which the inbound/outbound packets were received to facilitate forwarding of the inbound/outbound packets processed by the plurality of DDoS attack mitigation components on corresponding pair ports;
  
  continuously learning, by the plurality of DDoS attack mitigation components, granular rates at a plurality of Open System Interconnection (OSI) model network layers, wherein the granular rates represent observed rates of parameters for one or more of OSI model layer 2, layer 3, layer 4 or layer 7 within the inbound/outbound packets during a period of time;
  
  sending, by the plurality of DDoS attack mitigation components, the granular rates to a controlling host;
  
  receiving, by the controlling host, the granular rates from the plurality of DDoS attack mitigation components;
  
  aggregating, by the controlling host, the granular rates in accordance with a scaling treatment scheme to generate granular rate thresholds;
  
  sending, by the controlling host, the granular rate thresholds to the plurality of DDoS attack mitigation components;
  
  receiving, by the plurality of DDoS attack mitigation components, granular rate thresholds from the controlling host;
  
  performing, by the plurality of DDoS attack mitigation components, adaptive DDoS attack mitigation by enforcing the granular rate thresholds; and
  
  forwarding or dropping, by the plurality of DDoS attack mitigation components, the inbound/outbound packets based on results of the adaptive DDoS attack mitigation.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising maintaining by each of the DDoS attack mitigation components, data structures in memory responsive to host commands received from the controlling host.
  - 16. The method of claim 14, further comprising:
    - temporarily storing, by each of the plurality of DDoS attack mitigation components, the inbound/outbound packets; and
      
      forwarding or dropping, by each of the plurality of DDoS attack mitigation components, the inbound/outbound packets based on a decision by a continuous and adaptive granular rate anomaly engine.
  - 17. The method of claim 14, further comprising determining, by a continuous and adaptive granular rate anomaly engine of each of the plurality of DDoS attack mitigation components, the granular rates based on packet meta information received from the at least one data interface.
  - 18. The method of claim 14, further comprising sending, by a continuous and adaptive granular rate anomaly engine of each of the plurality of DDoS attack mitigation components, granular network layer drop statistics to the controlling host over a host interface.
  - 19. The method of claim 14, further comprising setting, by a continuous and adaptive granular rate anomaly engine of each of the plurality of DDoS attack mitigation components, the granular rate thresholds based on commands received from the controlling host over a host interface.
  - 20. The method of claim 14, further comprising combining, by the controlling host, the granular rates from a plurality of DDoS attack mitigation components by using a plurality of scaling treatments to arrive at an effective rate to be used for adaptive threshold calculation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Jain, Hemant Kumar
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Tran, Baotram

Application Number

US13/943,085
Publication Number

US 20150026800A1
Time in Patent Office

833 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/20   for managing network securi...

Scalable inline behavioral DDOS attack mitigation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Scalable inline behavioral DDOS attack mitigation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links