System and method for preventing DOS attacks utilizing invalid transaction statistics
First Claim
1. A method for protecting a network from network based attacks, the method comprising:
monitoring, by a network traffic management device, at least one of current transactions per second or current latency values for one or more established connections with one or more client devices and generating at least one of a current average transactions per second value or a current average latency value based on the monitoring;
comparing, by the network traffic management device, at least one of the current average transactions per second value or the current average latency value to an average transactions per second value or an average latency value over at least one of a short set period of time or a long set period of time; and
entering, by the network traffic management device, a prevention mode when at least one of the current average transactions per second value or the current average latency value exceeds the average transactions per second value or the average latency value for the short set period of time or the long set period of time;
monitoring, by the network traffic management device, response codes in a number of server responses for at least one of the client devices or at least one resource requested by one or more of the client devices;
comparing, by the network traffic management device, a ratio of invalid ones of the server responses to valid ones of the server responses for the client device or requested resource to a preestablished ratio threshold value, wherein the invalid ones of the server responses each comprise an invalid one of the response codes;
marking, by the network traffic management device, the client device or requested resource as suspicious when the ratio exceeds the ratio threshold value and without restricting any network traffic when not in the prevention mode; and
preventing, by the network traffic management device, the suspicious client device from transmitting at least one additional request to one or more of the servers, or the suspicious requested resource from being transmitted to one or more of the client devices, when in the prevention mode.
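The two-stage scheme of claim 1, as an added Python sketch that is not the patent's or assignee's code: rate (or latency) baselines over a short and a long period gate a prevention mode, a per-client invalid:valid response-code ratio marks clients suspicious, and a client is blocked only when both conditions hold. Assumed here: 4xx/5xx responses are the "invalid response codes", a margin factor above the baseline averages stands in for the claim's bare "exceeds", and the client addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Guard:
    ratio_threshold: float = 2.0   # invalid:valid ratio above which a client is marked suspicious
    short_window: int = 5          # samples making up the short baseline period
    long_window: int = 60          # samples making up the long baseline period
    margin: float = 1.5            # assumption: current must exceed margin * baseline, not a bare average
    history: list = field(default_factory=list)   # recent per-interval TPS samples
    counts: dict = field(default_factory=dict)    # client -> [valid, invalid]
    suspicious: set = field(default_factory=set)
    prevention_mode: bool = False

    def observe_rate(self, current_tps: float) -> bool:
        """Stage 1: compare current TPS with short- and long-period averages (latency is handled the same way)."""
        if self.history:
            short, long = self.history[-self.short_window:], self.history[-self.long_window:]
            self.prevention_mode = (current_tps > self.margin * sum(short) / len(short)
                                    or current_tps > self.margin * sum(long) / len(long))
        self.history = (self.history + [current_tps])[-self.long_window:]
        return self.prevention_mode

    def observe_response(self, client: str, status: int) -> bool:
        """Stage 2: per-client invalid:valid ratio (assumption: 4xx/5xx are invalid); marking alone never blocks."""
        counts = self.counts.setdefault(client, [0, 0])
        counts[1 if 400 <= status <= 599 else 0] += 1
        valid, invalid = counts
        ratio = invalid / valid if valid else float(invalid)  # no valid replies yet: use the raw count
        if ratio > self.ratio_threshold:
            self.suspicious.add(client)
        return client in self.suspicious

    def allow_request(self, client: str) -> bool:
        """Restrict a client only when it is suspicious AND the device is in prevention mode."""
        return not (self.prevention_mode and client in self.suspicious)


def run_demo() -> dict:
    """Constructed scenario: steady 100 TPS, one client piling up 401s, then a TPS spike."""
    g = Guard(ratio_threshold=2.0, short_window=3, long_window=10)
    for _ in range(10):
        g.observe_rate(100.0)                   # establish the baseline
    for status in [401] * 9 + [200]:
        g.observe_response("10.0.0.9", status)  # constructed address: 9 invalid, 1 valid
    for _ in range(5):
        g.observe_response("10.0.0.5", 200)     # constructed address: ordinary user
    before = g.allow_request("10.0.0.9")        # suspicious, but not yet in prevention mode
    g.observe_rate(400.0)                       # spike exceeds both baselines
    return {"suspicious": sorted(g.suspicious), "allowed_before_spike": before,
            "prevention_mode": g.prevention_mode, "scanner_allowed": g.allow_request("10.0.0.9"),
            "user_allowed": g.allow_request("10.0.0.5")}
```

The scenario shows the claim's key property: the 401-heavy client is marked suspicious immediately but is still served until the TPS spike puts the device into prevention mode, after which only that client is refused.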
Abstract
A method and network traffic management device to protect a network from network based attacks is disclosed. The method comprises receiving, at a network traffic management device, a plurality of requests from a plurality of client devices for one or more resources from one or more servers. The method comprises monitoring a number of server responses including an invalid transaction message for a particular client device or a particular requested resource. The method comprises comparing a ratio of invalid transactions to valid transactions for the particular client device or requested resource to a preestablished ratio threshold value. The method comprises marking the particular client device or requested resource as suspicious when the ratio exceeds the ratio threshold value. The method comprises preventing the suspicious particular client device or requested resource from being transmitted to the one or more servers when the network traffic management device detects a network attack.
6 Claims
1. (Independent claim 1 is set out in full under First Claim above.)
3. A non-transitory computer-readable medium having stored thereon executable instructions for protecting a network from network based attacks, which when executed by at least one processor, cause the processor to perform steps comprising:
monitoring at least one of current transactions per second or current latency values for one or more established connections with one or more client devices and generating at least one of a current average transactions per second value or a current average latency value based on the monitoring;
comparing at least one of the current average transactions per second value or the current average latency value to an average transactions per second value or an average latency value over at least one of a short set period of time or a long set period of time; and
entering a prevention mode when at least one of the current average transactions per second value or the current average latency value exceeds the average transactions per second value or the average latency value for the short set period of time or the long set period of time;
monitoring response codes in a number of server responses for at least one of the client devices or at least one resource requested by one or more of the client devices;
comparing a ratio of invalid ones of the server responses to valid ones of the server responses for the client device or requested resource to a preestablished ratio threshold value, wherein the invalid ones of the server responses each comprise an invalid one of the response codes;
marking the client device or requested resource as suspicious when the ratio exceeds the ratio threshold value and without restricting any network traffic when not in the prevention mode; and
preventing the suspicious client device from transmitting at least one additional request to one or more of the servers, or the suspicious requested resource from being transmitted to one or more of the client devices, when in the prevention mode.
5. A network traffic management device comprising at least one processor and a memory coupled to the processor which is configured to be capable of executing programmed instructions comprising and stored in the memory to:
monitor at least one of current transactions per second or current latency values for one or more established connections with one or more client devices and generating at least one of a current average transactions per second value or a current average latency value based on the monitoring;
compare at least one of the current average transactions per second value or the current average latency value to an average transactions per second value or an average latency value over at least one of a short set period of time or a long set period of time; and
enter a prevention mode when at least one of the current average transactions per second value or the current average latency value exceeds the average transactions per second value or the average latency value for the short set period of time or the long set period of time;
monitor response codes in a number of server responses for at least one of the client devices or at least one resource requested by one or more of the client devices;
compare a ratio of invalid ones of the server responses to valid ones of the server responses for the client device or requested resource to a preestablished ratio threshold value, wherein the invalid ones of the server responses each comprise an invalid one of the response codes;
mark the client device or requested resource as suspicious when the ratio exceeds the ratio threshold value and without restricting any network traffic when not in the prevention mode; and
prevent the suspicious client device from transmitting at least one additional request to one or more of the servers, or the suspicious requested resource from being transmitted to one or more of the client devices, when in the prevention mode.