Automatic Adjusting of Reputation Thresholds in Order to Change the Processing of Certain Packets
1 Assignment
0 Petitions
Abstract
A firewall, intrusion prevention system or other device automatically and dynamically adjusts which packets are subjected to a certain rate limiting, based on the reputation level associated with their source. When measured traffic increases beyond a desired amount, the range of reputation scores whose associated packets are subjected to this rate limiting is widened in order to throttle the measured traffic back within the desired limits. In this manner, packet traffic with a worse reputation can be singled out for this rate limiting during a period of increased traffic. When the measured traffic subsides, the range of reputation scores is correspondingly narrowed to allow more measured traffic.
68 Citations
20 Claims
1. A method performed by a particular networked machine, the method comprising:
rate limiting, by the particular networked machine, of a first plurality of packets of a greater plurality of packets, wherein packets received by the particular networked machine are identified as being in the first plurality of packets when their source has a worse reputation score than a predetermined reputation score threshold; and
wherein packets received by the particular networked machine are not identified as being in the first plurality of packets when their source has a better reputation score than the predetermined reputation score threshold; and
in response to measured traffic of the greater plurality of packets equaling or exceeding one or more predetermined traffic measurement thresholds:
automatically adjusting, by the particular networked machine, the reputation score threshold to a better reputation score, thus expanding the first plurality of packets to now include packets associated with a higher reputation score on which the particular networked machine performs said rate limiting.
Dependent claims: 2-10.
11. An apparatus, comprising:
a rate limiter configured for rate limiting of a first plurality of packets of a greater plurality of packets, wherein packets received by the apparatus are identified as being in the first plurality of packets when their source has a worse reputation score than a predetermined reputation score threshold; and
wherein packets received by the apparatus are not identified as being in the first plurality of packets when their source has a better reputation score than the predetermined reputation score threshold;
a controller responsive to measured traffic of the greater plurality of packets equaling or exceeding a predetermined traffic measurement threshold, with said response including:
automatically adjusting the reputation score threshold to a better reputation score, thus expanding the first plurality of packets to now include packets associated with a higher reputation score on which the particular networked machine performs said rate limiting; and
one or more rate monitors configured for determining said measured traffic.
Dependent claims: 12-16.
17. A method performed by a particular networked machine, the method comprising:
repeatedly:
receiving a particular packet;
applying firewall functionality to said received particular packet, said firewall functionality including rate limiting of particular packets having a source with a reputation score worse than a current reputation score threshold; and
forwarding said received particular packet, if not dropped, from the particular networked machine; and
repeatedly:
measuring at least a portion of outbound traffic from the particular networked machine;
in response to determining that said measured outbound traffic exceeds a corresponding predetermined rate threshold value:
dynamically adjusting the current reputation score threshold to a reputation score level better than that of the current reputation score threshold, in order to cause said measured outbound traffic to no longer exceed the corresponding predetermined rate threshold value.
Dependent claims: 18-20.
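The closed loop described in the abstract and in claims 1 and 17 (reputation-gated rate limiting whose threshold moves in response to measured outbound traffic), as an added Python illustration that is not code from the patent or its assignee. Everything concrete in it is an assumption made for the example: reputation scores are integers from 0 to 100 with higher being better, each source in the limited class gets its own token bucket, time advances in discrete measurement intervals, and the reputation table, watermarks, step size and per-interval loads are constructed values.

```python
"""Reputation-gated rate limiting with a self-adjusting threshold.

Added illustration, not the patent's own code.  Assumed model:
  - reputation scores are integers 0..100, higher is better
  - a source scoring strictly below the threshold is in the rate-limited
    class and gets its own token bucket (per-source limiting is an assumption)
  - time advances in discrete measurement intervals; the controller looks
    at forwarded (outbound) traffic at the end of each interval
"""


class TokenBucket:
    """Per-source limiter: `rate` tokens per interval, at most `burst` stored."""

    def __init__(self, rate: int, burst: int):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def allow(self) -> bool:
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False

    def refill(self) -> None:
        self.tokens = min(self.burst, self.tokens + self.rate)


class AdaptiveReputationLimiter:
    def __init__(self, reputation, threshold, high_watermark, low_watermark,
                 step, limited_rate, score_min=0, score_max=100, default_score=50):
        self.reputation = reputation          # src -> score
        self.threshold = threshold            # sources scoring below this are limited
        self.high = high_watermark            # forwarded/interval that triggers tightening
        self.low = low_watermark              # forwarded/interval below which we relax
        self.step = step                      # how far the threshold moves per adjustment
        self.limited_rate = limited_rate      # tokens per interval for a limited source
        self.score_min, self.score_max = score_min, score_max
        self.default_score = default_score    # score for unknown sources (assumption)
        self.buckets = {}
        self.forwarded = 0                    # outbound packets in this interval
        self.dropped = 0

    def is_limited(self, src: str) -> bool:
        """Claim 1: a source with a worse score than the threshold is in the limited class."""
        return self.reputation.get(src, self.default_score) < self.threshold

    def handle(self, src: str) -> bool:
        """Firewall data path for one packet; True when the packet is forwarded."""
        if self.is_limited(src):
            bucket = self.buckets.setdefault(
                src, TokenBucket(self.limited_rate, self.limited_rate))
            if not bucket.allow():
                self.dropped += 1
                return False
        self.forwarded += 1
        return True

    def end_interval(self) -> int:
        """Controller (claim 17): measure outbound traffic, adjust threshold, reset."""
        measured = self.forwarded
        if measured >= self.high:
            # traffic too high: limit a wider band of (better-reputed) sources
            self.threshold = min(self.score_max, self.threshold + self.step)
        elif measured < self.low:
            # traffic subsided: release the best-reputed sources from the limited class
            self.threshold = max(self.score_min, self.threshold - self.step)
        self.forwarded = 0
        for bucket in self.buckets.values():
            bucket.refill()
        return measured


# Constructed reputation table and per-interval offered load (packets per source).
REPUTATION = {"10.0.0.1": 90, "10.0.0.2": 55, "10.0.0.3": 35, "10.0.0.4": 10}
NORMAL = {"10.0.0.1": 20, "10.0.0.2": 20, "10.0.0.3": 20, "10.0.0.4": 20}
SURGE = {"10.0.0.1": 20, "10.0.0.2": 40, "10.0.0.3": 60, "10.0.0.4": 80}


def new_limiter() -> AdaptiveReputationLimiter:
    return AdaptiveReputationLimiter(REPUTATION, threshold=20, high_watermark=100,
                                     low_watermark=55, step=20, limited_rate=5)


def simulate(intervals):
    """Returns (forwarded count, threshold after adjustment) for each interval."""
    lim = new_limiter()
    trace = []
    for load in intervals:
        for src, count in load.items():
            for _ in range(count):
                lim.handle(src)
        trace.append((lim.end_interval(), lim.threshold))
    return trace


if __name__ == "__main__":
    for i, (out, thr) in enumerate(simulate([NORMAL, SURGE, SURGE, NORMAL, NORMAL]), 1):
        print(f"interval {i}: forwarded={out:3d} threshold now {thr}")
```

Two design points worth noting. The controller measures forwarded (outbound) traffic rather than offered traffic, so it observes the effect of its own throttling and stops tightening once the surge is absorbed; in the run above the threshold climbs from 20 to 40 in the first surge interval, holds while the surge continues, and falls back once load subsides. The separate high and low watermarks give the loop hysteresis so it does not oscillate around a single trigger point, and the cap at score_max bounds how far it can go, but that cap also means a surge sourced from well-reputed (for instance compromised) hosts will drive the threshold all the way up and rate limit every source, which is the failure mode a deployment of this mechanism needs to account for.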
Specification