Systems and methods for detecting and preventing flooding attacks in a network environment

US 9,363,277 B2
Filed: 04/21/2015
Issued: 06/07/2016
Est. Priority Date: 07/06/2005
Status: Active Grant

First Claim

Patent Images

1. A method for processing network traffic data, comprising:

receiving a packet to initiate a new session associated with an Internet Protocol (IP) address;

when the packet is not a previously dropped packet being retransmitted, dropping the packet;

when the packet is a previously dropped packet being retransmitted and when a number N of concurrent sessions for active concurrent sessions associated with the IP address is less than a concurrent session threshold T₁, passing the packet toward an intended recipient;

when the packet is a previously dropped packet being retransmitted and when the number N of concurrent sessions for active concurrent sessions associated with the IP address is greater than a concurrent session threshold T₁;

determining a rate R at which the number of sessions N are received within a time period t including a session of the received packet, where R=N÷

t;

when the session rate threshold R is less than the prescribed session rate threshold T₂(R<

T₂), passing the packet toward the intended recipient; and

classifying the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or equal to the prescribed session rate threshold T₂(R>

T₂) and performing a preventative action with regard to the packet.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit.

Citations

20 Claims

1. A method for processing network traffic data, comprising:
- receiving a packet to initiate a new session associated with an Internet Protocol (IP) address;
  
  when the packet is not a previously dropped packet being retransmitted, dropping the packet;
  
  when the packet is a previously dropped packet being retransmitted and when a number N of concurrent sessions for active concurrent sessions associated with the IP address is less than a concurrent session threshold T₁, passing the packet toward an intended recipient;
  
  when the packet is a previously dropped packet being retransmitted and when the number N of concurrent sessions for active concurrent sessions associated with the IP address is greater than a concurrent session threshold T₁;
  
  determining a rate R at which the number of sessions N are received within a time period t including a session of the received packet, where R=N÷
  
  t;
  
  when the session rate threshold R is less than the prescribed session rate threshold T₂(R<
  
  T₂), passing the packet toward the intended recipient; and
  
  classifying the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or equal to the prescribed session rate threshold T₂(R>
  
  T₂) and performing a preventative action with regard to the packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein determining whether the packet is not a previously dropped packet being retransmitted comprises:
    - comparing the received packet against log records, each log record associating with a previously received packet;
      
      when the packet has been previously received;
      
      identifying a transmission time of the received packet;
      
      identifying a transmission time of the previously received packet;
      
      calculating a period between the transmission times of the received and previously received packets; and
      
      determining whether the period is within a prescribed threshold, the received packet determined to be a previously dropped packet when the calculated period is within a retransmission threshold.
  - 3. The method of claim 1, wherein the concurrent session threshold rate T₁is adaptive to a time of day to allow for a higher concurrent session threshold rate T₁during higher demand periods and a lower concurrent session threshold rate T₁during lower demand periods.
  - 4. The method of claim 3, further comprising:
    - maintaining a log of packet processing activity; and
      
      wherein the threshold rate T₁is determined based at least in part on the log of packet processing activity.
  - 5. The method of claim 4, wherein determining the concurrent session threshold rate T₁based at least in part on the log of packet processing activity determines a plurality of concurrent session threshold rates T₁, each of the plurality concurrent session threshold rates T₁associated with a source network address from which sessions were initiated, an applicable concurrent threshold rate T₁identified for a current session based on a source network address from which the packet was received.
  - 6. The method of claim 1, wherein the prescribed session rate threshold T₂is selected for comparison based on a type of the received packet.
  - 7. The method of claim 1, wherein the prescribed session rate threshold T₂is configured with regard to at least two parameters including two or more of packet type, session, packet source, and time of day.
  - 8. The method of claim 1, wherein performing a preventative action with regard to the packet includes at least one of forwarding the packet for additional flooding attack consideration processing and forwarding the packet to a content detection module.

9. A non-transitory device-readable storage medium including a set of instructions stored thereon which when executed by a processor of a network switching device cause the network switching device to perform data processing activities comprising:
- receiving a packet to initiate a new session associated with an Internet Protocol (IP) address;
  
  when the packet is not a previously dropped packet being retransmitted, dropping the packet;
  
  when the packet is a previously dropped packet being retransmitted and when a number N of concurrent sessions for active concurrent sessions associated with the IP address is less than a concurrent session threshold T₁, passing the packet toward an intended recipient;
  
  when the packet is a previously dropped packet being retransmitted and when the number N of concurrent sessions for active concurrent sessions associated with the IP address is greater than a concurrent session threshold T₁;
  
  determining a rate R at which the number of sessions N are received within a time period t including a session of the received packet, where R=N÷
  
  t;
  
  when the session rate threshold R is less than the prescribed session rate threshold T₂(R<
  
  T₂), passing the packet toward the intended recipient; and
  
  classifying the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or equal to the prescribed session rate threshold T₂(R>
  
  T₂) and performing a preventative action with regard to the packet.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory device-readable storage medium of claim 9, wherein determining whether the packet is not a previously dropped packet being retransmitted comprises:
    - comparing the received packet against log records, each log record associating with a previously received packet;
      
      when the packet has been previously received;
      
      identifying a transmission time of the received packet;
      
      identifying a transmission time of the previously received packet;
      
      calculating a period between the transmission times of the received and previously received packets; and
      
      determining whether the period is within a prescribed threshold, the received packet determined to be a previously dropped packet when the calculated period is within a retransmission threshold.
  - 11. The non-transitory device-readable storage medium of claim 9, wherein the concurrent session threshold rate T₁is adaptive to a time of day to allow for a higher concurrent session threshold rate T₁during higher demand periods and a lower concurrent session threshold rate T₁during lower demand periods.
  - 12. The non-transitory device-readable storage medium of claim 11, further comprising:
    - maintaining a log of packet processing activity; and
      
      wherein the threshold rate T₁is determined based at least in part on the log of packet processing activity.
  - 13. The non-transitory device-readable storage medium of claim 12, wherein determining the concurrent session threshold rate T₁based at least in part on the log of packet processing activity determines a plurality of concurrent session threshold rates T₁, each of the plurality concurrent session threshold rates T₁associated with a source network address from which sessions were initiated, an applicable concurrent threshold rate T₁identified for a current session based on a source network address from which the packet was received.
  - 14. The non-transitory device-readable storage medium of claim 9, wherein the prescribed session rate threshold T₂is selected for comparison based on a type of the received packet.
  - 15. The non-transitory device-readable storage medium of claim 9, wherein the prescribed session rate threshold T₂is configured with regard to at least two parameters including two or more of packet type, session, packet source, and time of day.
  - 16. The non-transitory device-readable storage medium of claim 9, wherein performing a preventative action with regard to the packet includes at least one of forwarding the packet for additional flooding attack consideration processing and forwarding the packet to a content detection module.

17. A network switching device, comprising:
- a processor;
  
  a communication interface for communicating over a network;
  
  a memory device including instructions stored thereon which when executed by the processor, cause the device to perform data processing activities comprising;
  
  receiving a packet to initiate a new session associated with an Internet Protocol (IP) address;
  
  when the packet is not a previously dropped packet being retransmitted, dropping the packet;
  
  when the packet is a previously dropped packet being retransmitted and when a number N of concurrent sessions for active concurrent sessions associated with the IP address is less than a concurrent session threshold T₁, passing the packet toward an intended recipient;
  
  when the packet is a previously dropped packet being retransmitted and when the number N of concurrent sessions for active concurrent sessions associated with the IP address is greater than a concurrent session threshold T₁;
  
  determining a rate R at which the number of sessions N are received within a time period t including a session of the received packet, where R=N÷
  
  t;
  
  when the session rate threshold R is less than the prescribed session rate threshold T₂(R<
  
  T₂), passing the packet toward the intended recipient; and
  
  classifying the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or equal to the prescribed session rate threshold T₂(R>
  
  T₂) and performing a preventative action with regard to the packet.
- View Dependent Claims (18, 19, 20)
- - 18. The network switching device of claim 17, wherein determining whether the packet is not a previously dropped packet being retransmitted comprises:
    - comparing the received packet against log records, each log record associating with a previously received packet;
      
      when the packet has been previously received;
      
      identifying a transmission time of the received packet;
      
      identifying a transmission time of the previously received packet;
      
      calculating a period between the transmission times of the received and previously received packets; and
      
      determining whether the period is within a prescribed threshold, the received packet determined to be a previously dropped packet when the calculated period is within a retransmission threshold.
  - 19. The network switching device of claim 17, further comprising:
    - maintaining a log of packet processing activity; and
      
      wherein;
      
      the concurrent session threshold rate T₁is adaptive to a time of day to allow for a higher concurrent session threshold rate T₁during higher demand periods and a lower concurrent session threshold rate T₁during lower demand periods;
      
      the threshold rate T₁is determined based at least in part on the log of packet processing activity.
  - 20. The network switching device of claim 17, wherein:
    - the prescribed session rate threshold T₂is selected for comparison based on a type of the received packet;
      
      the prescribed session rate threshold T₂is configured with regard to at least two parameters including two or more of packet type, session, packet source, and time of day; and
      
      performing a preventative action with regard to the packet includes at least one of forwarding the packet for additional flooding attack consideration processing and forwarding the packet to a content detection module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Wei, Shaohong, Duan, Gang, Chen, Zhong Qiang, Xie, Bing
Primary Examiner(s)
KAMARA, MOHAMED A

Application Number

US14/692,707
Publication Number

US 20150229670A1
Time in Patent Office

413 Days
Field of Search

370252-253, 370/230, 370386-392, 370/401, 370/422, 370466-467, 370/469, 726 22- 25
US Class Current

1/1
CPC Class Codes

H04L 1/1835   Buffer management

H04L 2463/143   Denial of service attacks i...

H04L 41/28   Restricting access to netwo...

H04L 43/16   Threshold monitoring

H04L 63/0236   Filtering by address, proto...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Systems and methods for detecting and preventing flooding attacks in a network environment

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting and preventing flooding attacks in a network environment

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links