Detection of grid participation in a DDoS attack

US 20060107318A1
Filed: 09/14/2004
Published: 05/18/2006
Est. Priority Date: 09/14/2004
Status: Active Grant

First Claim

Patent Images

1. A method of managing a denial of service attack in a multiprocessor environment comprising the steps of:

establishing normal traffic usage baselines in the multiprocessor environment;

monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline;

thereupon monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port; and

thereupon starting blocking measures to mitigate an apparent denial of service attack.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of, system for, and product for managing a denial of service attack in a multiprocessor environment comprising. The first step is establishing normal traffic usage baselines in the multiprocessor environment. Once the baseline is established the next step is monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline. Next is monitoring ports and protocols to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port. If there is such consistent use of a protocol for all packets for that port as to evidence a denial of service attack, blocking measures are started to mitigate the apparent denial of service attack.

76 Citations

View as Search Results

12 Claims

1. A method of managing a denial of service attack in a multiprocessor environment comprising the steps of:
- establishing normal traffic usage baselines in the multiprocessor environment;
  
  monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline;
  
  thereupon monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port; and
  
  thereupon starting blocking measures to mitigate an apparent denial of service attack.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein the denial of service attack is an outbound denial of service attack.
  - 3. The method of claim 1 comprising the steps of:
    - a. monitoring outgoing traffic with respect to a destination address;
      
      b. if the ratio of (i) number of packets to a particular destination address to (ii) the total number of packets outbound is greater then a present number and the total number of outbound packets is above a preset value, monitoring selected ports and protocols;
      
      c. if the ratio of (i) the number of packets to a port to (ii) the total number of packets to all ports is above a preset value, and if the protocol used is consistent across a large fraction of ports, commencing blocking measures.
  - 4. The method of claim 1 wherein the multiprocessor environment is a grid computer environment.

5. A multiprocessor system comprising a plurality of computers in at least one network, said plurality of computers adapted to simultaneous process a single problem, and further adapted for managing a denial of service attack by a method comprising the steps of:
- establishing normal traffic usage baselines in the multiprocessor system;
  
  monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline;
  
  thereupon monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port; and
  
  thereupon starting blocking measures to mitigate an apparent denial of service attack.
- View Dependent Claims (6, 7, 8)
- - 6. The multiprocessor system of claim 5 wherein the denial of service attack is an outbound denial of service attack.
  - 7. The multiprocessor system of claim 5 comprising the steps of:
    - a. monitoring outgoing traffic with respect to a destination address;
      
      b. if the ratio of (i) number of packets to a particular destination address to (ii) the total number of packets outbound is greater then a present number and the total number of outbound packets is above a preset value, monitoring selected ports and protocols;
      
      c. if the ratio of (i) the number of packets to a port to (ii) the total number of packets to all ports is above a preset value, and if the protocol used is consistent across a large fraction of ports, commencing blocking measures.
  - 8. The multiprocessor system of claim 5wherein the multiprocessor environment is a grid computer environment.

9. A data storage medium containing computer readable code, said computer readable code adapted to configure and control a multiprocessor environment having a plurality of computers in at least one network, said plurality of computers adapted to simultaneous process a single problem, and further adapted for managing a denial of service attack, said computer readable code directing the steps of:
- establishing normal traffic usage baselines in the multiprocessor environment;
  
  monitoring outgoing traffic to detect a high proportion of packets being sent to a specific destination address, and a high number of outbound packets compared to said baseline;
  
  thereupon monitoring port and protocol to detect a high proportion of packets sent to a specific port, and a consistent use of a protocol for all packets for that port; and
  
  thereupon starting blocking measures to mitigate an apparent denial of service attack.
- View Dependent Claims (10, 11, 12)
- - 10. The data storage medium of claim 9 wherein the denial of service attack is an outbound denial of service attack.
  - 11. The data storage medium of claim 9 comprising the steps of:
    - a. monitoring outgoing traffic with respect to a destination address;
      
      b. if the ratio of (i) number of packets to a particular destination address to (ii) the total number of packets outbound is greater then a present number and the total number of outbound packets is above a preset value, monitoring selected ports and protocols;
      
      c. if the ratio of (i) the number of packets to a port to (ii) the total number of packets to all ports is above a preset value, and if the protocol used is consistent across a large fraction of ports, commencing blocking measures.
  - 12. The data storage medium of claim 9 wherein the multiprocessor environment is a grid computer environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Jeffries, Clark Debs, Himberger, Kevin David, Danford, Robert William, Escamilla, Terry Dwain

Granted Patent

US 8,423,645 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 11/349   for interfaces, buses

G06F 11/3495   for systems

G06F 21/55   Detecting local intrusion o...

G06F 2201/81   Threshold

H04L 2463/141   Denial of service attacks a...

H04L 2463/144   Detection or countermeasure...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Y02D 10/00   Energy efficient computing,...

Detection of grid participation in a DDoS attack

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of grid participation in a DDoS attack

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links