System and method for software defined behavioral DDoS attack mitigation
First Claim
1. A method for mitigating distributed denial of service (DDoS) attacks, comprising:
- decoupling control plane functionality, responsible for storage of behavioral data and creation of DDoS attack mitigation policies, and data plane functionality, responsible for collection of the behavioral data and performing DDoS attack mitigation based on the DDoS attack mitigation policies, wherein the control plane functionality is implemented within a DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based on past traffic and management of the DDoS attack mitigation policies and wherein the data plane functionality is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of granular traffic rate information regarding traffic observed by each of the plurality of DDoS mitigation appliances;
receiving, by a DDoS attack mitigation appliance of the plurality of DDoS attack mitigation appliances, the DDoS attack mitigation policies through a network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliance; and
mitigating a DDoS attack based on the received DDoS attack mitigation policies, wherein the DDoS attack mitigation policies are generated by the DDoS attack mitigation central controller based on granular behavioral packet rate thresholds estimated based on the granular traffic rate information collected at least from the DDoS attack mitigation appliance.
0 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for mitigating DDoS attacks. A DDoS attack mitigation appliance of multiple mitigation appliances controlled by a DDoS attack mitigation central controller receives DDoS attack mitigation policies through a network connecting the controller and the mitigation appliance. A DDoS attack is mitigated by the mitigation appliance based on the received mitigation policies. The mitigation policies are generated by the controller based on granular behavioral packet rate thresholds estimated based on granular traffic rate information collected from one or more of the multiple mitigation appliances controlled by the controller.
19 Citations
18 Claims
-
1. A method for mitigating distributed denial of service (DDoS) attacks, comprising:
-
decoupling control plane functionality, responsible for storage of behavioral data and creation of DDoS attack mitigation policies, and data plane functionality, responsible for collection of the behavioral data and performing DDoS attack mitigation based on the DDoS attack mitigation policies, wherein the control plane functionality is implemented within a DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based on past traffic and management of the DDoS attack mitigation policies and wherein the data plane functionality is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of granular traffic rate information regarding traffic observed by each of the plurality of DDoS mitigation appliances; receiving, by a DDoS attack mitigation appliance of the plurality of DDoS attack mitigation appliances, the DDoS attack mitigation policies through a network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliance; and mitigating a DDoS attack based on the received DDoS attack mitigation policies, wherein the DDoS attack mitigation policies are generated by the DDoS attack mitigation central controller based on granular behavioral packet rate thresholds estimated based on the granular traffic rate information collected at least from the DDoS attack mitigation appliance. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A distributed denial of service (DDoS) attack mitigation appliance comprising:
-
a non-transitory storage device having embodied therein instructions representing a security application; and one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising; receiving, by the DDoS attack mitigation appliance, DDoS attack mitigation policies through a network connecting a DDoS attack mitigation central controller and the DDoS attack mitigation appliance; and mitigating a DDoS attack based on the received DDoS attack mitigation policies, wherein the DDoS attack mitigation policies are generated by the DDoS attack mitigation central controller based on granular behavioral packet rate thresholds estimated based on granular traffic rate information collected from a plurality of DDoS attack mitigation appliances; wherein the DDoS attach mitigation appliance is one of the plurality of DDoS attack mitigation appliances and the DDoS mitigation central controller and the plurality of DDoS attack mitigation appliances facilitate decoupling of control plane functionality, responsible for storage of behavioral data and creation of the DDoS attack mitigation policies, and data plane functionality, responsible for collection of the behavioral data and performing DDoS attack mitigation based on the DDoS attack mitigation policies; wherein the control plane functionality is implemented within the DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based on past traffic and management of the DDoS attack mitigation policies; and wherein the data plane functionality is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of the granular traffic rate information. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
Specification