System and method for preventing DOS attacks utilizing invalid transaction statistics

US 9,282,116 B1
Filed: 09/18/2013
Issued: 03/08/2016
Est. Priority Date: 09/27/2012
Status: Active Grant

First Claim

Patent Images

1. A method for protecting a network from network based attacks, the method comprising:

monitoring, by a network traffic management device, at least one of current transactions per second or current latency values for one or more established connections with one or more client devices and generating at least one of a current average transactions per second value or a current average latency value based on the monitoring;

comparing, by the network traffic management device, at least one of the current average transactions per second value or the current average latency value to an average transactions per second value or an average latency value over at least one of a short set period of time or a long set period of time; and

entering, by the network traffic management device, a prevention mode when at least one of the current average transactions per second value or the current average latency value exceeds the average transactions per second value or the average latency value for the short set period of time or the long set period of time;

monitoring, by the network traffic management device, response codes in a number of server responses for at least one of the client devices or at least one resource requested by one or more of the client devices;

comparing, by the network traffic management device, a ratio of invalid ones of the server responses to valid ones of the server responses for the client device or requested resource to a preestablished ratio threshold value, wherein the invalid ones of the server responses each comprise an invalid one of the response codes;

marking, by the network traffic management device, the client device or requested resource as suspicious when the ratio exceeds the ratio threshold value and without restricting any network traffic when not in the prevention mode; and

preventing, by the network traffic management device, the suspicious client device from transmitting at least one additional request to one or more of the servers, or the suspicious requested resource from being transmitted to one or more of the client devices, when in the prevention mode.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and network traffic management device to protect a network from network based attacks is disclosed. The method comprises receiving, at a network traffic management device, a plurality of requests from a plurality of client devices for one or more resources from one or more servers. The method comprises monitoring a number of server responses including an invalid transaction message for a particular client device or a particular requested resource. The method comprises comparing a ratio of invalid transactions to valid transactions for the particular client device or requested resource to a preestablished ratio threshold value. The method comprises marking the particular client device or requested resource as suspicious when the ratio exceeds the ratio threshold value. The method comprises preventing the suspicious particular client device or requested resource from being transmitted to the one or more servers when the network traffic management device detects a network attack.

Citations

6 Claims

1. A method for protecting a network from network based attacks, the method comprising:
- monitoring, by a network traffic management device, at least one of current transactions per second or current latency values for one or more established connections with one or more client devices and generating at least one of a current average transactions per second value or a current average latency value based on the monitoring;
  
  comparing, by the network traffic management device, at least one of the current average transactions per second value or the current average latency value to an average transactions per second value or an average latency value over at least one of a short set period of time or a long set period of time; and
  
  entering, by the network traffic management device, a prevention mode when at least one of the current average transactions per second value or the current average latency value exceeds the average transactions per second value or the average latency value for the short set period of time or the long set period of time;
  
  monitoring, by the network traffic management device, response codes in a number of server responses for at least one of the client devices or at least one resource requested by one or more of the client devices;
  
  comparing, by the network traffic management device, a ratio of invalid ones of the server responses to valid ones of the server responses for the client device or requested resource to a preestablished ratio threshold value, wherein the invalid ones of the server responses each comprise an invalid one of the response codes;
  
  marking, by the network traffic management device, the client device or requested resource as suspicious when the ratio exceeds the ratio threshold value and without restricting any network traffic when not in the prevention mode; and
  
  preventing, by the network traffic management device, the suspicious client device from transmitting at least one additional request to one or more of the servers, or the suspicious requested resource from being transmitted to one or more of the client devices, when in the prevention mode.
- View Dependent Claims (2)
- - 2. The method of claim 1, further comprising entering, by the network traffic management device, into the prevention mode upon detecting a network attack.

3. A non-transitory computer-readable medium having stored thereon executable instructions for protecting a network from network based attacks, which when executed by at least one processor, cause the processor to perform steps comprising:
- monitoring at least one of current transactions per second or current latency values for one or more established connections with one or more client devices and generating at least one of a current average transactions per second value or a current average latency value based on the monitoring;
  
  comparing at least one of the current average transactions per second value or the current average latency value to an average transactions per second value or an average latency value over at least one of a short set period of time or a long set period of time; and
  
  entering a prevention mode when at least one of the current average transactions per second value or the current average latency value exceeds the average transactions per second value or the average latency value for the short set period of time or the long set period of time;
  
  monitoring response codes in a number of server responses for at least one of the client devices or at least one resource requested by one or more of the client devices;
  
  comparing a ratio of invalid ones of the server responses to valid ones of the server responses for the client device or requested resource to a preestablished ratio threshold value, wherein the invalid ones of the server responses each comprise an invalid one of the response codes;
  
  marking the client device or requested resource as suspicious when the ratio exceeds the ratio threshold value and without restricting any network traffic when not in the prevention mode; and
  
  preventing the suspicious client device from transmitting at least one additional request to one or more of the servers, or the suspicious requested resource from being transmitted to one or more of the client devices, when in the prevention mode.
- View Dependent Claims (4)
- - 4. The non-transitory computer-readable medium of claim 3, further having stored thereon executable instructions which when executed by the processor further cause the processor to perform at least one additional step comprising entering into the prevention mode upon detecting a network attack.

5. A network traffic management device comprising at least one processor and a memory coupled to the processor which is configured to be capable of executing programmed instructions comprising and stored in the memory to:
- monitor at least one of current transactions per second or current latency values for one or more established connections with one or more client devices and generating at least one of a current average transactions per second value or a current average latency value based on the monitoring;
  
  compare at least one of the current average transactions per second value or the current average latency value to an average transactions per second value or an average latency value over at least one of a short set period of time or a long set period of time; and
  
  enter a prevention mode when at least one of the current average transactions per second value or the current average latency value exceeds the average transactions per second value or the average latency value for the short set period of time or the long set period of time;
  
  monitor response codes in a number of server responses for at least one of the client devices or at least one resource requested by one or more of the client devices;
  
  compare a ratio of invalid ones of the server responses to valid ones of the server responses for the client device or requested resource to a preestablished ratio threshold value, wherein the invalid ones of the server responses each comprise an invalid one of the response codes;
  
  mark the client device or requested resource as suspicious when the ratio exceeds the ratio threshold value and without restricting any network traffic when not in the prevention mode; and
  
  prevent the suspicious client device from transmitting at least one additional request to one or more of the servers, or the suspicious requested resource from being transmitted to one or more of the client devices, when in the prevention mode.
- View Dependent Claims (6)
- - 6. The network traffic management device of claim 5, wherein the processor coupled to the memory is further configured to be capable of executing at least one additional programmed instruction to enter into the prevention mode upon detecting a network attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Rovniaguin, Dmitry
Primary Examiner(s)
Pyzocha, Michael

Application Number

US14/030,685
Time in Patent Office

902 Days
Field of Search

726/25
US Class Current

1/1
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 2463/142   Denial of service attacks a...

H04L 43/0852   Delays

H04L 43/16   Threshold monitoring

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 67/01   Protocols

System and method for preventing DOS attacks utilizing invalid transaction statistics

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

6 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for preventing DOS attacks utilizing invalid transaction statistics

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

6 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links