Methods and apparatus for detecting and/or dealing with denial of service attacks

US 9,888,033 B1
Filed: 07/21/2014
Issued: 02/06/2018
Est. Priority Date: 06/19/2014
Status: Active Grant

First Claim

Patent Images

1. A communications method, comprising:

receiving a plurality of packets at a first device;

generating, at said first device, for each received packet of the plurality of received packets, a packet value from packet header information included in the received packet to which the generated value corresponds, said generated packet value being a hash value or CRC value generated from at least four of the following;

an IP source address number, a source port number, an IP destination address number, a destination port number, a VLAN identification number, and a protocol identification number;

generating, at said first device, for each received packet of the plurality of received packets, a time value corresponding to the time the packet was received at the first device;

storing in memory, for each received packet of the plurality of received packets, the generated packet value corresponding to the packet and the generated time value corresponding to the time the packet was received at the first device;

monitoring congestion to detect a level of packet processing congestion;

operating said first device in i) a normal mode of operation during at least a first period of time, said operating in said normal mode of operation including passing received packets to a packet classifier or a packet policer without regard to said packet value generated from the packets being passed and operating said first device in ii) a congestion mode of operation during a second period of time, operating in said congestion mode of operation being performed when said monitoring indicates a level of packet processing congestion over a first threshold, said operating in said congestion mode of operation including dropping received packets based on the packet value generated from the packets to be dropped matching at least one previously generated packet value stored in said memory and the packets to be dropped generated received time value.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for detecting and minimizing the effects of Denial Of Service (DOS) attacks in high-speed networks in which packet processing is carried out by multiple processing cores. In one embodiment of the invention a communications method and apparatus detects and deletes denial of service attack packets in a multi-core distributed packet processing system using a lightweight DOS attack packet detection and deletion process.

Citations

20 Claims

1. A communications method, comprising:
- receiving a plurality of packets at a first device;
  
  generating, at said first device, for each received packet of the plurality of received packets, a packet value from packet header information included in the received packet to which the generated value corresponds, said generated packet value being a hash value or CRC value generated from at least four of the following;
  
  an IP source address number, a source port number, an IP destination address number, a destination port number, a VLAN identification number, and a protocol identification number;
  
  generating, at said first device, for each received packet of the plurality of received packets, a time value corresponding to the time the packet was received at the first device;
  
  storing in memory, for each received packet of the plurality of received packets, the generated packet value corresponding to the packet and the generated time value corresponding to the time the packet was received at the first device;
  
  monitoring congestion to detect a level of packet processing congestion;
  
  operating said first device in i) a normal mode of operation during at least a first period of time, said operating in said normal mode of operation including passing received packets to a packet classifier or a packet policer without regard to said packet value generated from the packets being passed and operating said first device in ii) a congestion mode of operation during a second period of time, operating in said congestion mode of operation being performed when said monitoring indicates a level of packet processing congestion over a first threshold, said operating in said congestion mode of operation including dropping received packets based on the packet value generated from the packets to be dropped matching at least one previously generated packet value stored in said memory and the packets to be dropped generated received time value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - switching from said normal mode of operation to said congestion mode of operation in response to said monitoring detecting the first level of congestion over the first threshold.
  - 3. The method of claim 1, wherein operating in the congestion mode of operation includes:
    - receiving a first additional packet;
      
      generating a packet value corresponding to the first additional received packet;
      
      determining if the packet value corresponding to the first additional received packet is stored more than a threshold number of times in said memory during a pre-determined time interval; and
      
      dropping the first additional received packet when it is determined that the packet value corresponding to the first additional received packet is stored more than said threshold number of times in said memory during a pre-determined time interval.
  - 4. The method of claim 3, further comprising:
    - adding the packet value corresponding to the first additional received packet to a packet drop list when it is determined that said packet value corresponding to the first additional received packet is included more than said threshold number of times in said memory within said pre-determined time interval.
  - 5. The method of claim 3, further comprising:
    - deleting packet values from said memory which are more than a predetermined amount of time from a current time.
  - 6. The method of claim 4, further comprising:
    - while operating in said congestion mode of operation,receiving a second additional packet;
      
      generating a second packet value corresponding to the second additional packet;
      
      dropping said second additional packet if said second packet value is on said drop list;
      
      checking, if said second packet value is not on said drop list, if said second packet value appears more than said threshold number of times in said memory during said pre-determined time interval;
      
      dropping said second additional packet if said second packet value appears more than said threshold number of times in said memory during said pre-determined time interval; and
      
      otherwise passing said packet.
  - 7. The method of claim 4, further comprising:
    - maintaining packet values added to said drop list on said drop list until a switch from the congestion mode of operation to said normal mode of operation.
  - 8. The method of claim 5, further comprising:
    - making a congestion determination at said first device or at a packet policer downstream of said first device; and
      
      controlling the mode of operation of said first device based on said determination.
  - 9. The method of claim 6, wherein passing said packet includes passing said packet to a packet policer with a packet flow classification based on the Internet Protocol header information and UDP header information or Internet Protocol header information and TCP header information of said second additional packet.
  - 10. The method of claim 9, wherein said packet policer applies a bandwidth constraint to a flow to which said second additional packet corresponds but which does not block the flow entirely.
  - 11. The method of claim 1:
    - wherein said step of generating for each received packet of the plurality of received packets, a packet value from packet header information included in the received packet to which the generated value corresponds, said generated packet value being a hash value or CRC value, includes operating a circuit dedicated to performing said packet value generation;
      
      wherein said step of storing in memory, for each of plurality of received packets, the generated packet value corresponding to the packet and the generated time value corresponding to the time the packet was received at the first device includes operating a circuit dedicated to performing said step of storing in memory;
      
      wherein said step of monitoring congestion to detect a level of packet processing congestion includes operating a circuit dedicated to performing said monitoring step;
      
      wherein when operating in said normal mode of operation, said step of passing received packets to a packet classifier or a packet policer without regard to said packet value generated from the packets being passed includes operating a circuit dedicated to performing said step of passing received packets to a packet classifier or a packet policer; and
      
      wherein when operating in said congestion mode of operation said step of dropping received packets based on the packet value generated from the packets to be dropped matching at least one previously generated packet value stored in said memory and the packets to be dropped generated received time value includes operating a circuit dedicated to performing said step of dropping received packets based on the packet value generated from the packets.
  - 12. The method of claim 1 wherein said generating said packet value occurs prior to performing packet policing or classification on said received packet.
  - 13. The method of claim 1 wherein said packet value is a hash or CRC value generated from at least five of the following IPv4 or IPv6 packet header fields:
    - IP source address number, a source port number, an IP destination address number, a destination port number, a VLAN identification number, and a protocol identification number.

14. A communications apparatus, comprising:
- an input/output interface including a receiver that receives a plurality of packets;
  
  packet value generation circuitry that generates for each received packet of the plurality of received packets, a packet value from packet header information included in the received packet to which the generated value corresponds, said generated packet value being a hash value or CRC value generated from at least four of the following;
  
  an IP source address number, a source port number, an IP destination address number, a destination port number, a VLAN identification number, and a protocol identification number;
  
  time stamp generation circuitry that generates, at said communications apparatus, for each received packet of the plurality of received packets, a time value corresponding to the time the packet was received at the communications apparatus;
  
  a memory;
  
  storage control circuitry configured to store in said memory, for each received packet of the plurality of received packets, the generated packet value corresponding to the packet and the generated time value corresponding to the time the packet was received at the communications apparatus;
  
  congestion monitoring circuitry that determines a level of packet processing congestion; and
  
  a processor configured to control a denial of service protection device to switch between operating in a normal mode of operation or a congestion mode of operation based on the level of packet processing congestion determined by said congestion circuitry, wherein operating in said normal mode of operation includes passing received packets to a packet classifier or a packet policer without regard to said packet value generated from the packets being passed and wherein operating in said congestion mode of operation is performed when said monitoring indicates a level of packet processing congestion over a first threshold, said operating in said congestion mode of operation including dropping received packets based on the packet value generated from the packets to be dropped matching at least one previously generated packet value stored in said memory and the packets to be dropped generated received time value, said processor controlling said denial of service protection device to operate in said normal mode of operation when it is not operating in said congestion mode of operation.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The apparatus of claim 14, wherein said processor is configured to switch said denial of service protection device from said normal mode of operation to said congestion mode of operation in response to said monitoring detecting a level of congestion over a threshold.
  - 16. The apparatus of claim 14, wherein said processor is configured to control the denial of service protection device, while operating in the congestion mode of operation, to perform the steps of:
    - receiving a first additional packet;
      
      generating a packet value corresponding to the first additional received packet;
      
      determining if the packet value corresponding to the first additional received packet is stored more than a threshold number of times in said memory during a pre-determined time interval; and
      
      dropping the first additional received packet when it is determined that the packet value corresponding to the first additional received packet is stored more than said threshold number of times in said memory during a pre-determined time interval.
  - 17. The apparatus of claim 16, further comprising:
    - packet drop list maintenance circuitry that adds the packet value corresponding to the first additional received packet to a packet drop list when it is determined that said packet value corresponding to the first additional received packet is included more than said threshold number of times in said memory within said pre-determined time interval.
  - 18. The apparatus of claim 16, further comprising:
    - history buffer maintenance circuitry that deletes packet values from said memory which are more than a predetermined amount of time from a current time.
  - 19. The apparatus of claim 17, wherein said processor is further configured to control the denial of service protection device to, while operating in said congestion mode of operation,receive a second additional packet;
    - generate a second packet value corresponding to the second additional packet;
      
      drop said second additional packet if said second packet value is on said drop list;
      
      check, if said second packet value is not on said drop list, if said second packet value appears more than said threshold number of times in said memory during said pre-determined time interval;
      
      drop said second additional packet if said second packet value appears more than said threshold number of times in said memory during said pre-determined time interval; and
      
      otherwise pass said packet.
  - 20. The apparatus of claim 19, wherein passing said packet includes passing said packet to a packet policer with a packet flow classification based on Internet Protocol and UDP header information or Internet Protocol and TCP header information of said second additional packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ribbon Communications Operating Company, Inc. (Ribbon Communications, Inc.)
Original Assignee
Sonus Networks Incorporated (Ribbon Communications, Inc.)
Inventors
Li, Shiping, Yamanishi, Toru Mike, Pilotte, Kevin
Primary Examiner(s)
Louie, Oscar
Assistant Examiner(s)
Forman, James

Application Number

US14/336,622
Time in Patent Office

1,296 Days
Field of Search
US Class Current
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/11   Identifying congestion

H04L 47/20   Traffic policing

H04L 47/24   Traffic characterised by sp...

H04L 47/2441   relying on flow classificat...

H04L 47/25   with rate being modified by...

H04L 47/283   in response to processing d...

H04L 47/323   Discarding or blocking cont...

H04L 63/0236   Filtering by address, proto...

H04L 63/1458   Denial of Service

H04L 69/22   Parsing or analysis of headers

Methods and apparatus for detecting and/or dealing with denial of service attacks

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for detecting and/or dealing with denial of service attacks

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links