Detection of grid participation in a DDoS attack
Abstract
A method, system, and product for managing a denial of service attack in a multiprocessor environment. The first step is establishing normal traffic usage baselines in the multiprocessor environment. Once the baseline is established, the next step is monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline. Next is monitoring ports and protocols to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port. If the use of a protocol for all packets for that port is consistent enough to evidence a denial of service attack, blocking measures are started to mitigate the apparent denial of service attack.
12 Claims
1. A method of managing a denial of service attack in a multiprocessor environment comprising the steps of:
establishing normal traffic usage baselines in the multiprocessor environment;
monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline;
thereupon monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port; and
thereupon starting blocking measures to mitigate an apparent denial of service attack.
5. A multiprocessor system comprising a plurality of computers in at least one network, said plurality of computers adapted to simultaneously process a single problem, and further adapted for managing a denial of service attack by a method comprising the steps of:
establishing normal traffic usage baselines in the multiprocessor system;
monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline;
thereupon monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port; and
thereupon starting blocking measures to mitigate an apparent denial of service attack.
9. A data storage medium containing computer readable code, said computer readable code adapted to configure and control a multiprocessor environment having a plurality of computers in at least one network, said plurality of computers adapted to simultaneously process a single problem, and further adapted for managing a denial of service attack, said computer readable code directing the steps of:
establishing normal traffic usage baselines in the multiprocessor environment;
monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline;
thereupon monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port; and
thereupon starting blocking measures to mitigate an apparent denial of service attack.
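The staged check described in the abstract and claims (baseline, then destination concentration and outbound volume, then port concentration and protocol consistency, then a blocking decision), as an added Python example that is not part of the patent or of any product implementing it. The flow-record shape, the thresholds and the sample windows are assumptions made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    dst: str        # destination address
    port: int       # destination port
    proto: str      # transport protocol
    packets: int    # outbound packets in this flow during the window

def baseline_packets(windows):
    """Mean outbound packets per window over a known-normal period."""
    return sum(sum(f.packets for f in w) for w in windows) / len(windows)

def _top(flows, key):
    """Most common key value by packet count -> (value, its packets, total)."""
    counts = Counter()
    for f in flows:
        counts[key(f)] += f.packets
    value, pkts = counts.most_common(1)[0]
    return value, pkts, sum(counts.values())

def check_window(window, baseline, dst_share=0.6, volume_factor=3.0,
                 port_share=0.8, proto_share=0.95):
    """Staged check of one window -> ('normal'|'suspect'|'block', detail).
    Stage 1: one destination takes a high share of outbound packets AND the
    window total is well above baseline. Stage 2, only if stage 1 fires:
    packets to that destination concentrate on one port and use one protocol
    on it. Thresholds are assumed values, not taken from the patent."""
    if not window:
        return "normal", {}
    dst, dst_pkts, total = _top(window, lambda f: f.dst)
    if dst_pkts / total < dst_share or total < volume_factor * baseline:
        return "normal", {"dst": dst, "total": total}
    to_dst = [f for f in window if f.dst == dst]
    port, port_pkts, _ = _top(to_dst, lambda f: f.port)
    proto, proto_pkts, _ = _top([f for f in to_dst if f.port == port], lambda f: f.proto)
    detail = {"dst": dst, "port": port, "proto": proto, "total": total}
    if port_pkts / dst_pkts >= port_share and proto_pkts / port_pkts >= proto_share:
        return "block", detail        # both stages fired: start blocking measures
    return "suspect", detail          # volume spike, but not a single port/protocol

# Constructed sample windows (not captured traffic). Baseline = 50 packets/window.
NORMAL_WINDOWS = [[Flow("10.0.0.5", 443, "tcp", 40), Flow("10.0.0.9", 22, "tcp", 10)],
                  [Flow("10.0.0.5", 443, "tcp", 35), Flow("10.0.0.9", 53, "udp", 15)]]
ATTACK_WINDOW = [Flow("203.0.113.7", 80, "tcp", 900), Flow("203.0.113.7", 80, "tcp", 50),
                 Flow("10.0.0.5", 443, "tcp", 40)]          # floods one host:port
SPREAD_WINDOW = [Flow("10.0.0.5", 443, "tcp", 300), Flow("10.0.0.5", 8443, "tcp", 300),
                 Flow("10.0.0.5", 22, "tcp", 300)]          # spike spread over ports
```

The "suspect" outcome is the case the second stage exists for: a volume spike toward one destination that is not concentrated on one port and protocol is reported but not blocked, which keeps a legitimate bulk transfer from tripping the blocking step.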
Specification