System and method for denial of service attack mitigation using cloud services

US 9,432,385 B2
Filed: 12/16/2011
Issued: 08/30/2016
Est. Priority Date: 08/29/2011
Status: Active Grant

First Claim

Patent Images

1. A method for mitigating an attack on a network utilizing a subscriber monitoring device and a service provider mitigation system, the method comprising:

the subscriber monitoring device monitoring network traffic between a subscriber network and a service provider network;

the subscriber monitoring device and service provider mitigation system sending and receiving asynchronous status messages to each other using a stateless protocol;

the subscriber monitoring device determining if the subscriber network is under attack and determining a fingerprint for the attack, wherein the attack fingerprint comprises at least one of one or more source IP addresses of the packets that make up the attack, one or more destination IP addresses of the packets that make up the attack, characteristics of packet payloads related to the packets that make up the attack and port numbers that are under attack;

the subscriber monitoring device requesting mitigation from the service provider mitigation system via a mitigation request when the subscriber network is under attack, wherein said mitigation request includes the attack fingerprint;

the service provider mitigation system providing mitigation, the mitigation including dropping packets generated by attackers based on, at least in part, the attack fingerprint while the subscriber network is under attack, the mitigation being provided in response to the requested mitigation; and

the subscriber monitoring device sending a request to terminate the mitigation in response to an amount of network traffic dropped by the service provider mitigation system as indicated by status messages from the service provider mitigation system and an amount of network traffic received from the service provider mitigation system following the mitigation, wherein the service provider mitigation system further comprises a plurality of sensors and communication devices providing data communication and transmission of packets across the service provider network, wherein each status message sent between the subscriber monitoring device and the service provider monitoring system includes an arrival time of a most recently received status message and a timestamp of when the respective status message was sent,wherein each status message sent between the subscriber monitoring device and the service provider monitoring system includes an arrival time of a most recently received status message and a timestamp of when the respective status message was sent.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method to mitigate attack by an upstream service provider using cloud mitigation services. An edge detection device, which located at the subscriber'"'"'s network edge, is able to communicate information via status messages about attacks to an upstream service provider. The service provider is then able to mitigate attacks based on the status messages. There is a feedback loop whereby the amount of dropped traffic by the service provider is added to the network traffic to keep the mitigation request open and prevent flapping. Likewise, the detection device includes time-to-engage and time-to-disengage timers to further prevent flapping.

Citations

30 Claims

1. A method for mitigating an attack on a network utilizing a subscriber monitoring device and a service provider mitigation system, the method comprising:
- the subscriber monitoring device monitoring network traffic between a subscriber network and a service provider network;
  
  the subscriber monitoring device and service provider mitigation system sending and receiving asynchronous status messages to each other using a stateless protocol;
  
  the subscriber monitoring device determining if the subscriber network is under attack and determining a fingerprint for the attack, wherein the attack fingerprint comprises at least one of one or more source IP addresses of the packets that make up the attack, one or more destination IP addresses of the packets that make up the attack, characteristics of packet payloads related to the packets that make up the attack and port numbers that are under attack;
  
  the subscriber monitoring device requesting mitigation from the service provider mitigation system via a mitigation request when the subscriber network is under attack, wherein said mitigation request includes the attack fingerprint;
  
  the service provider mitigation system providing mitigation, the mitigation including dropping packets generated by attackers based on, at least in part, the attack fingerprint while the subscriber network is under attack, the mitigation being provided in response to the requested mitigation; and
  
  the subscriber monitoring device sending a request to terminate the mitigation in response to an amount of network traffic dropped by the service provider mitigation system as indicated by status messages from the service provider mitigation system and an amount of network traffic received from the service provider mitigation system following the mitigation, wherein the service provider mitigation system further comprises a plurality of sensors and communication devices providing data communication and transmission of packets across the service provider network, wherein each status message sent between the subscriber monitoring device and the service provider monitoring system includes an arrival time of a most recently received status message and a timestamp of when the respective status message was sent,wherein each status message sent between the subscriber monitoring device and the service provider monitoring system includes an arrival time of a most recently received status message and a timestamp of when the respective status message was sent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, further comprising determining if the subscriber network is under attack in response to the amount network traffic received by the subscriber network.
  - 3. The method according to claim 1, further comprising determining if the subscriber network is under attack in response to the amount of network traffic between the service provider network and subscriber network exceeding a predefined threshold.
  - 4. The method according to claim 1, wherein the service provider mitigation system comprises packet scrubbing systems, and the method further comprising sending packets destined for the subscriber network first to the packet scrubbing systems.
  - 5. The method according to claim 4, further comprising the packet scrubbing system dropping packets identified as attack traffic.
  - 6. The method according to claim 4, wherein sending the packets destined for the subscriber network to the packet scrubbing system comprises tunneling, route injection, Domain Name System modification, and/or Network Address Translation.
  - 7. The method according to claim 4, wherein sending the packets destined for the subscriber network to the packet scrubbing system comprises sending the packets using Generic Routing Encapsulation or Multiprotocol Label Switching.
  - 8. The method according to claim 1, wherein the status messages include internet protocol addresses of a cloud scrubbing device and the subscriber monitoring device.
  - 9. The method according to claim 1, wherein the status messages include a modified internet protocol address of a device under attack within the subscriber network.
  - 10. The method according to claim 1, wherein the attack is a denial of service attack.
  - 11. The method according to claim 1, wherein the subscriber monitoring device utilizes port mirroring to monitor all the network traffic entering and/or leaving the subscriber network via a router.

12. A system for mitigating an attack on a network, the system comprising:
- a subscriber monitoring device monitoring network traffic between a subscriber network and a service provider network, and determining if the subscriber network is under attack and determining a fingerprint for the attack, wherein the attack fingerprint comprises at least one of one or more source IP addresses of the packets that make up the attack, one or more destination IP addresses of the packets that make up the attack, characteristics of packet payloads related to the packets that make up the attack and port numbers that are under attack;
  
  a service provider mitigation system, in which the subscriber monitoring device and the service provider mitigation system send and receive asynchronous status messages to each other using a stateless protocol, the service provider mitigation system providing mitigation, the mitigation including dropping packets generated by attackers based on, at least in part, the attack fingerprint while the subscriber network is under attack, the mitigation being in response to a requested mitigation via a mitigation request from the subscriber monitoring system, wherein said mitigation request includes the attack fingerprint and wherein the subscriber monitoring device sends a request to terminate the mitigation in response to an amount of network traffic dropped by the service provider mitigation system as indicated by status messages from the service provider mitigation system and an amount of network traffic received from the service provider mitigation system following the mitigation, wherein the service provider mitigation system further comprises a plurality of sensors and communication devices providing data communication and transmission of packets across the service provider network,wherein each status message sent between the subscriber monitoring device and the service provider monitoring system includes an arrival time of a most recently received status message and a timestamp of when the respective status message was sent.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system according to claim 12, wherein the subscriber monitoring device determines if the subscriber network is under attack in response to the amount network traffic received by the subscriber network.
  - 14. The system according to claim 12, wherein the subscriber monitoring device determines if the subscriber network is under attack in response to the amount network traffic between the service provider network and subscriber network exceeding a predefined threshold.
  - 15. The system according to claim 12, further comprising a packet scrubbing system, wherein the packets destined for the subscriber network are first sent to the packet scrubbing systems.
  - 16. The system according to claim 15, wherein the packet scrubbing system drops packets identified as attack traffic.
  - 17. The system according to claim 15, wherein sending the packets destined for the subscriber network to the packet scrubbing system comprises tunneling, route injection, Domain Name System modification, and/or Network Address Translation.
  - 18. The system according to claim 15, further comprising sending packets to the packet scrubbing system using Generic Routing Encapsulation or Multiprotocol Label Switching.
  - 19. The system according to claim 12, wherein the status messages include internet protocol addresses of a cloud scrubbing system and the subscriber monitoring device.
  - 20. The system according to claim 12, wherein the status messages include a modified internet protocol address of a device under attack within the subscriber network.
  - 21. The system according to claim 12, wherein the attack is a denial of service attack.
  - 22. The system according to claim 12, wherein the subscriber monitoring device utilizes port mirroring to monitor all the network traffic entering and/or leaving the subscriber network via a router.

23. A networking system, comprising:
- a subscriber monitoring device monitoring network traffic between a subscriber network and a service provider network, and determining if the subscriber network is under attack and determining a fingerprint for the attack, wherein the attack fingerprint comprises at least one of one or more source IP addresses of the packets that make up the attack, one or more destination IP addresses of the packets that make up the attack, characteristics of packet payloads related to the packets that make up the attack and port numbers that are under attack; and
  
  a mitigation system, in which the subscriber monitoring device and the service provider mitigation system send and receive asynchronous status messages to each other using a stateless protocol, the mitigation system including a scrubbing system for providing mitigation by dropping packets that are part of a denial of service attack based on, at least in part, the attack fingerprint, wherein the mitigation system, in response to the subscriber monitoring system signaling an attack via a mitigation request that includes the attack fingerprint, directing traffic destined for the subscriber network first to the scrubbing center and then back to the subscriber network, wherein the mitigation system further comprises a plurality of sensors and communication devices providing data communication and transmission of packets across the service provider network, andwherein the subscriber monitoring device sends a request to terminate the mitigation in response to an amount of network traffic dropped by the scrubbing system as indicated by status messages from the mitigation system and an amount of network traffic directed from the scrubbing center back to the subscriber network,wherein each status message sent between the subscriber monitoring device and the service provider monitoring system includes an arrival time of a most recently received status message and a timestamp of when the respective status message was sent.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The system according to claim 23, wherein mitigation system directs traffic to the scrubbing center and back to the subscriber network using tunneling.
  - 25. The system according to claim 23, wherein mitigation system directs traffic to the scrubbing center and back to the subscriber network using route injection.
  - 26. The system according to claim 23, wherein mitigation system directs traffic to the scrubbing center and back to the subscriber network using Domain Name System modification.
  - 27. The system according to claim 23, wherein mitigation system directs traffic to the scrubbing center and back to the subscriber network using Network Address Translation.
  - 28. The system according to claim 23, wherein mitigation system directs traffic to the scrubbing center through an internet service provider network.
  - 29. The system according to claim 23, wherein the subscriber monitoring device utilizes port mirroring to monitor all the network traffic entering and/or leaving the subscriber network via a router.

30. A networking system, comprising:
- a subscriber monitoring device monitoring network traffic between a subscriber network and a service provider network and determining if the subscriber network is under attack and a fingerprint for the attack, wherein the attack fingerprint comprises at least one of one or more source IP addresses of the packets that make up the attack, one or more destination IP addresses of the packets that make up the attack, characteristics of packet payloads related to the packets that make up the attack and port numbers that are under attack; and
  
  a mitigation system, in which the subscriber monitoring device and the service provider mitigation system send and receive asynchronous status messages to each other using a stateless protocol, the mitigations system including a scrubbing system, for providing mitigation by dropping packets that are part of a denial of service attack based on the fingerprint, wherein the mitigation system further comprises a plurality of sensors and communication devices providing data communication and transmission of packets across the service provider network, andwherein the subscriber monitoring device terminates the mitigation in response to a total of an amount of network traffic dropped by the scrubbing system as indicated by status messages from the mitigation system and an amount of network traffic directed from the mitigation system to the subscriber network via the service provider network,wherein each status message sent between the subscriber monitoring device and the service provider monitoring system includes an arrival time of a most recently received status message and a timestamp of when the respective status message was sent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Original Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Inventors
Kustarz, Chester, Huston, Lawrence Bruce III, Simpson, James A., Winquist, James Edward, Barnes, Olan Patrick, Jackson, Eric
Primary Examiner(s)
GEORGANDELLIS, ANDREW C

Application Number

US13/328,206
Publication Number

US 20130055374A1
Time in Patent Office

1,719 Days
Field of Search

726/13
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

System and method for denial of service attack mitigation using cloud services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for denial of service attack mitigation using cloud services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links