SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT

US 20130198839A1
Filed: 11/07/2012
Published: 08/01/2013
Est. Priority Date: 07/06/2005
Status: Active Grant

First Claim

Patent Images

1. A method for processing network traffic content, comprising:

receiving, via a network communication interface, a packet associated with a new network traffic session;

identifying one or more Internet Protocol (IP) addresses the new network traffic session;

determining a number of concurrent sessions associated with at least one of the one or more IP address associated with the new concurrent network traffic session;

when the number of concurrent sessions associated with the at least one of the one or more IP addresses associated with the new concurrent network traffic session is greater than a concurrent IP address session threshold, performing flooding attack mitigation processing.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for processing network traffic data includes receiving a packet, and determining whether the packet is a previously dropped packet that is being retransmitted. A method for processing network traffic content includes receiving a plurality of headers, the plurality of headers having respective first field values, and determining whether the first field values of the respective headers form a first prescribed pattern. A method for processing network traffic content includes receiving a plurality of packets, and determining an existence of a flooding attack without tracking each of the plurality of packets with a SYN bit.

119 Citations

12 Claims

1. A method for processing network traffic content, comprising:
- receiving, via a network communication interface, a packet associated with a new network traffic session;
  
  identifying one or more Internet Protocol (IP) addresses the new network traffic session;
  
  determining a number of concurrent sessions associated with at least one of the one or more IP address associated with the new concurrent network traffic session;
  
  when the number of concurrent sessions associated with the at least one of the one or more IP addresses associated with the new concurrent network traffic session is greater than a concurrent IP address session threshold, performing flooding attack mitigation processing.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the flooding attack mitigation processing includes dropping all packets associated with the new network traffic session.
  - 3. The method of claim 1, wherein the flooding attack mitigation processing includes dropping all packets associated with the at least one IP address.
  - 4. The method of claim 1, wherein:
    - identifying the one or more IP addresses the new network traffic session further includes identifying a packet-type of the received packet;
      
      determining a number of concurrent sessions associated with at least one of the one or more IP address associated with the new concurrent network traffic session includes determining a number of concurrent sessions of a type of network traffic sessions identified by the identified packet type; and
      
      the concurrent IP address session threshold is network traffic session-type specific.

5. A system, comprising:
- a processor;
  
  a communication interface for communicating over a network;
  
  a memory device including instructions stored thereon which when executed by the processor, cause the system to;
  
  receive, via the communication interface, a packet associated with a new network traffic session;
  
  identify one or more Internet Protocol (IP) addresses the new network traffic session;
  
  determine a number of concurrent sessions associated with at least one of the one or more IP address associated with the new concurrent network traffic session;
  
  when the number of concurrent sessions associated with the at least one of the one or more IP addresses associated with the new concurrent network traffic session is greater than a concurrent IP address session threshold, perform flooding attack mitigation processing.
- View Dependent Claims (6, 7, 8)
- - 6. The system of claim 5, wherein the flooding attack mitigation processing includes dropping all packets associated with the new network traffic session.
  - 7. The system of claim 5, wherein the flooding attack mitigation processing includes dropping all packets associated with the at least one IP address.
  - 8. The system of claim 5, wherein:
    - identifying the one or more IP addresses the new network traffic session further includes identifying a packet-type of the received packet;
      
      determining a number of concurrent sessions associated with at least one of the one or more IP address associated with the new concurrent network traffic session includes determining a number of concurrent sessions of a type of network traffic sessions identified by the identified packet type; and
      
      the concurrent IP address session threshold is network traffic session-type specific.

9. A computer-readable storage device including a set of instructions stored thereon which when executed by a processor of a computer cause the computer to:
- receive, via a network communication interface, a packet associated with a new network traffic session;
  
  identify one or more Internet Protocol (IP) addresses the new network traffic session;
  
  determine a number of concurrent sessions associated with at least one of the one or more IP address associated with the new concurrent network traffic session;
  
  when the number of concurrent sessions associated with the at least one of the one or more IP addresses associated with the new concurrent network traffic session is greater than a concurrent IP address session threshold, perform flooding attack mitigation processing.
- View Dependent Claims (10, 11, 12)
- - 10. The computer-readable storage device of claim 9, wherein the flooding attack mitigation processing includes dropping all packets associated with the new network traffic session.
  - 11. The computer-readable storage device of claim 9, wherein the flooding attack mitigation processing includes dropping all packets associated with the at least one IP address.
  - 12. The computer-readable storage device of claim 9, wherein:
    - identifying the one or more IP addresses the new network traffic session further includes identifying a packet-type of the received packet;
      
      determining a number of concurrent sessions associated with at least one of the one or more IP address associated with the new concurrent network traffic session includes determining a number of concurrent sessions of a type of network traffic sessions identified by the identified packet type; and
      
      the concurrent IP address session threshold is network traffic session-type specific.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Wei, Shaohong, Duan, Gang

Granted Patent

US 8,917,725 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 1/1835   Buffer management

H04L 2463/143   Denial of service attacks i...

H04L 41/28   Restricting access to netwo...

H04L 43/16   Threshold monitoring

H04L 63/0236   Filtering by address, proto...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links