Methods and apparatus for detecting and/or dealing with denial of service attacks
First Claim
1. A communications method, comprising:
- receiving a plurality of packets at a first device;
- generating, at said first device, for each received packet of the plurality of received packets, a packet value from packet header information included in the received packet to which the generated value corresponds, said generated packet value being a hash value or CRC value generated from at least four of the following: an IP source address number, a source port number, an IP destination address number, a destination port number, a VLAN identification number, and a protocol identification number;
- generating, at said first device, for each received packet of the plurality of received packets, a time value corresponding to the time the packet was received at the first device;
- storing in memory, for each received packet of the plurality of received packets, the generated packet value corresponding to the packet and the generated time value corresponding to the time the packet was received at the first device;
- monitoring congestion to detect a level of packet processing congestion;
- operating said first device in i) a normal mode of operation during at least a first period of time, said operating in said normal mode of operation including passing received packets to a packet classifier or a packet policer without regard to the packet value generated from the packets being passed, and ii) a congestion mode of operation during a second period of time, said operating in said congestion mode of operation being performed when said monitoring indicates a level of packet processing congestion over a first threshold and including dropping received packets based on the packet value generated from the packets to be dropped matching at least one previously generated packet value stored in said memory and on the received time value generated for the packets to be dropped.
Abstract
Methods and apparatus for detecting and minimizing the effects of Denial Of Service (DOS) attacks in high-speed networks in which packet processing is carried out by multiple processing cores. In one embodiment of the invention a communications method and apparatus detects and deletes denial of service attack packets in a multi-core distributed packet processing system using a lightweight DOS attack packet detection and deletion process.
20 Claims
1. (Independent method claim, reproduced in full under First Claim above; claims 2 to 13 depend from it.)
14. A communications apparatus, comprising:
- an input/output interface including a receiver that receives a plurality of packets;
- packet value generation circuitry that generates, for each received packet of the plurality of received packets, a packet value from packet header information included in the received packet to which the generated value corresponds, said generated packet value being a hash value or CRC value generated from at least four of the following: an IP source address number, a source port number, an IP destination address number, a destination port number, a VLAN identification number, and a protocol identification number;
- time stamp generation circuitry that generates, at said communications apparatus, for each received packet of the plurality of received packets, a time value corresponding to the time the packet was received at the communications apparatus;
- a memory;
- storage control circuitry configured to store in said memory, for each received packet of the plurality of received packets, the generated packet value corresponding to the packet and the generated time value corresponding to the time the packet was received at the communications apparatus;
- congestion monitoring circuitry that determines a level of packet processing congestion; and
- a processor configured to control a denial of service protection device to switch between operating in a normal mode of operation or a congestion mode of operation based on the level of packet processing congestion determined by said congestion monitoring circuitry, wherein operating in said normal mode of operation includes passing received packets to a packet classifier or a packet policer without regard to the packet value generated from the packets being passed, and wherein operating in said congestion mode of operation is performed when said congestion monitoring circuitry indicates a level of packet processing congestion over a first threshold, said operating in said congestion mode of operation including dropping received packets based on the packet value generated from the packets to be dropped matching at least one previously generated packet value stored in said memory and on the received time value generated for the packets to be dropped, said processor controlling said denial of service protection device to operate in said normal mode of operation when it is not operating in said congestion mode of operation.
Claims 15 to 20 depend from claim 14.
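The packet-value generator, the value/time memory, the congestion monitor and the normal/congestion mode switch of claims 1 and 14, as an added Python illustration; this is not code from the patent or its assignee. It assumes, beyond what the claims state, a CRC32 over all six named header fields in a fixed packing order (the claims require only four and allow any hash), a queue depth as the congestion measure, and that a stored packet value "matches" when the same value was received within a fixed time window, which is one reading of how the received time value enters the drop decision. The traffic is constructed: three legitimate flows while the classifier keeps up, then a ten-packet burst from one flow with no service in between.

```python
"""Added illustration of the claimed DoS filter; not the patentee's code.
Assumptions (not in the claims): CRC32 over all six header fields, fixed
packing order, queue depth as the congestion level, and a time window
within which a repeated packet value counts as a match."""
import socket
import struct
import zlib
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port vlan proto")


def packet_value(p):
    """The per-packet 'packet value': a CRC over header fields (here all six)."""
    key = (socket.inet_aton(p.src_ip) + socket.inet_aton(p.dst_ip)
           + struct.pack("!HHHB", p.src_port, p.dst_port, p.vlan, p.proto))
    return zlib.crc32(key) & 0xFFFFFFFF


class DosFilter:
    def __init__(self, congestion_threshold, match_window):
        self.threshold = congestion_threshold  # backlog depth that enters congestion mode
        self.window = match_window             # seconds; assumed use of the time value
        self.memory = {}                       # packet value -> last received time value
        self.backlog = 0                       # packets queued for the classifier/policer
        self.passed = []
        self.dropped = []

    @property
    def congested(self):
        """Congestion monitor: queue depth above the first threshold."""
        return self.backlog > self.threshold

    def receive(self, pkt, now):
        """Returns (mode, decision) for one packet received at time `now`."""
        val = packet_value(pkt)
        last = self.memory.get(val)
        repeat = last is not None and now - last <= self.window
        mode = "congestion" if self.congested else "normal"
        if mode == "congestion" and repeat:
            decision = "dropped"               # value seen recently: treated as attack traffic
            self.dropped.append((val, now))
        else:
            decision = "passed"                # normal mode ignores the value entirely
            self.passed.append((val, now))
            self.backlog += 1
        self.memory[val] = now                 # stored for every packet, in both modes
        return mode, decision                  # (a real device bounds this memory, e.g. a ring)

    def service(self, n):
        """The downstream classifier/policer drains n queued packets."""
        self.backlog = max(0, self.backlog - n)


def simulate():
    """Constructed traffic: quiet period, then a single-flow burst."""
    f = DosFilter(congestion_threshold=4, match_window=1.0)
    legit = [Packet("10.0.0.%d" % i, 40000 + i, "192.0.2.10", 443, 100, 6) for i in (1, 2, 3)]
    flood = Packet("203.0.113.7", 12345, "192.0.2.10", 80, 100, 6)
    newcomer = Packet("10.0.0.9", 40009, "192.0.2.10", 443, 100, 6)
    t, log = 0.0, []
    for p in legit:                    # classifier keeps up: stays in normal mode
        log.append(f.receive(p, t))
        f.service(1)
        t += 0.1
    for _ in range(10):                # burst with no service: backlog crosses the threshold
        log.append(f.receive(flood, t))
        t += 0.01
    log.append(f.receive(newcomer, t))   # unseen value still passes in congestion mode
    log.append(f.receive(legit[0], t))   # repeat of a legitimate flow is dropped: collateral
    return {
        "passed": len(f.passed), "dropped": len(f.dropped),
        "first_drop_index": log.index(("congestion", "dropped")),
        "newcomer": log[-2], "legit_repeat": log[-1],
    }


if __name__ == "__main__":
    print(simulate())
```

Two caveats the claims leave open show up in the run. In congestion mode any recently repeated value is dropped, so the second packet of a legitimate flow (a retransmission, the next segment of a download) is collateral, as the last constructed packet demonstrates. And CRC32 is not collision resistant: an attacker who controls source address and port can craft packets whose value equals a chosen legitimate flow's, so the filter belongs in front of the policer, not in place of it.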