TWO-STAGE HASH BASED LOGIC FOR APPLICATION LAYER DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK ATTRIBUTION

US 20170180415A1
Filed: 12/21/2015
Published: 06/22/2017
Est. Priority Date: 12/21/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a distributed denial of service (DDoS) detection module within a network, information regarding a plurality of application layer attributes for which an attack status is to be monitored;

determining the attack status for each of the plurality of monitored attributes by comparing, by the DDoS detection module, granular traffic rates directed to a first hash value of each of the plurality of monitored attributes to a plurality of corresponding adaptive thresholds, wherein the first hash value is calculated based on a first hash algorithm;

when a granular traffic rate for a first hash value of a particular monitored attribute of the plurality of monitored attributes exceeds an adaptive threshold for the particular monitored attribute, the particular monitored attribute is determined to be an under-attack attribute;

storing, by the DDoS monitor module, details regarding the under-attack attribute in a memory of the DDoS detection module; and

notifying, by the DDoS detection module, a host computer coupled to the DDoS detection module of the attack status and the details of the under-attack attribute.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for a two-stage attribution of application layer DDoS attack are provided. In a first table just a hash index is maintained whereas the second stage table keeps the string parameter corresponding to the application layer attribute under attack. A linked list maintains a plurality of rows if there is hash collision in the first table. The second table is aged out and reported periodically with details of large strings.

Citations

22 Claims

1. A method comprising:
- receiving, by a distributed denial of service (DDoS) detection module within a network, information regarding a plurality of application layer attributes for which an attack status is to be monitored;
  
  determining the attack status for each of the plurality of monitored attributes by comparing, by the DDoS detection module, granular traffic rates directed to a first hash value of each of the plurality of monitored attributes to a plurality of corresponding adaptive thresholds, wherein the first hash value is calculated based on a first hash algorithm;
  
  when a granular traffic rate for a first hash value of a particular monitored attribute of the plurality of monitored attributes exceeds an adaptive threshold for the particular monitored attribute, the particular monitored attribute is determined to be an under-attack attribute;
  
  storing, by the DDoS monitor module, details regarding the under-attack attribute in a memory of the DDoS detection module; and
  
  notifying, by the DDoS detection module, a host computer coupled to the DDoS detection module of the attack status and the details of the under-attack attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - storing, by the DDoS monitor module, the first hash value of each of the plurality of monitored attributes in a first stage table in the memory;
      
      storing, by the DDoS monitor module, the details of the under-attack attribute in a second stage table in the memory after the under-attack attribute is determined.
  - 3. The method of claim 2, further comprising:
    - calculating, by the DDoS monitor module, a second hash value of the under-attack attribute based on a second hash algorithm;
      
      calculating, by the DDoS monitor module, a drop count for the second hash value of the under-attack attribute.
  - 4. The method of claim 3, further comprising when the drop count for the second hash value of the under-attack attribute does not exceed an adaptive threshold for the under-attack attribute, the under-attack attribute is determined to be a victim attribute.
  - 5. The method of claim 2, further comprising:
    - scanning, by an ager logic of the DDoS monitor module, the second stage table; and
      
      removing, by the ager logic, an entry from the second stage table if the entry is not in use within a pre-determined time period.
  - 6. The method of claim 5, further comprising reporting, by the ager logic, the entries of the second stage table with the details of under-attack attributes at an end of a pre-determined blocking period.
  - 7. The method of claim 6, wherein the pre-determined blocking period is from 0 to 15 seconds.
  - 8. The method of claim 2, further comprising:
    - when a collision between the first hash value occurs between multiple of the plurality of monitored attributes, generating, by the DDoS monitor module, multiple second hash values for the multiple monitored attributes;
      
      storing, by the DDoS monitor module, the multiple second hash values of the multiple monitored attributes within multiple entries of the second stage table; and
      
      linking, by the DDoS monitor module, the multiple entries of the second hash values with the collided first hash value in the second stage table.
  - 9. The method of claim 1, wherein the details of the under-attack attribute comprise a full-length string representing the under-attack attribute.
  - 10. The method of claim 1, wherein the first hash value of each of the plurality of monitored attributes is less than 20 bits.
  - 11. The method of claim 1, wherein the first hash algorithm is selected from any one of MD5, Secure Hash Algorithm (SHA), cyclic redundancy check (CRC).

12. A computer system comprising:
- non-transitory storage device having tangibly embodied therein instructions representing a security application; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising;
  
  receiving, by a distributed denial of service (DDoS) detection module within a network, information regarding a plurality of application layer attributes for which an attack status is to be monitored;
  
  determining the attack status for each of the plurality of monitored attributes by comparing, by the DDoS detection module, granular traffic rates directed to a first hash value of each of the plurality of monitored attributes to a plurality of corresponding adaptive thresholds, wherein the first hash value is calculated based on a first hash algorithm;
  
  when a granular traffic rate for a first hash value of a particular monitored attribute of the plurality of monitored attributes exceeds an adaptive threshold for the particular monitored attribute, the particular monitored attribute is determined to be an under-attack attribute;
  
  storing, by the DDoS monitor module, details regarding the under-attack attribute in a memory of the DDoS detection module; and
  
  notifying, by the DDoS detection module, a host computer coupled to the DDoS detection module of the attack status and the details of the under-attack attribute.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer system of claim 12, wherein the method further comprises:
    - storing, by the DDoS monitor module, the first hash value of each of the plurality of monitored attributes in a first stage table in the memory;
      
      storing, by the DDoS monitor module, the details of the under-attack attribute in a second stage table in the memory after the under-attack attribute is determined.
  - 14. The computer system of claim 13, wherein the method further comprises:
    - calculating, by the DDoS monitor module, a second hash value of the under-attack attribute based on a second hash algorithm;
      
      calculating, by the DDoS monitor module, a drop count for the second hash value of the under-attack attribute.
  - 15. The computer system of claim 14, wherein the method further comprises when the drop count for the second hash value of the under-attack attribute does not exceed an adaptive threshold for the under-attack attribute, the under-attack attribute is determined to be a victim attribute.
  - 16. The computer system of claim 14, wherein the method further comprises:
    - scanning, by an ager logic of the DDoS monitor module, the second stage table; and
      
      removing, by the ager logic, an entry from the second stage table if the entry is not in use within a pre-determined time period.
  - 17. The computer system of claim 16, wherein the method further comprises reporting, by the ager logic, the entries of the second stage table with the details of under-attack attributes at an end of a pre-determined blocking period.
  - 18. The computer system of claim 17, wherein the pre-determined blocking period is from 0 to 15 seconds.
  - 19. The computer system of claim 13, wherein the method further comprises:
    - when a collision between the first hash value occurs between multiple of the plurality of monitored attributes, generating, by the DDoS monitor module, multiple second hash values for the multiple monitored attributes;
      
      storing, by the DDoS monitor module, the multiple second hash values of the multiple monitored attributes within multiple entries of the second stage table; and
      
      linking, by the DDoS monitor module, the multiple entries of the second hash values with the collided first hash value in the second stage table.
  - 20. The computer system of claim 12, wherein the details of the under-attack attribute comprise a full-length string representing the under-attack attribute.
  - 21. The computer system of claim 12, wherein the first hash value of each of the plurality of monitored attributes is less than 20 bits.
  - 22. The computer system of claim 12, wherein the first hash algorithm is selected from any one of MD5, Secure Hash Algorithm (SHA), cyclic redundancy check (CRC).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Jain, Hemant Kumar

Granted Patent

US 9,973,528 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

TWO-STAGE HASH BASED LOGIC FOR APPLICATION LAYER DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK ATTRIBUTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

TWO-STAGE HASH BASED LOGIC FOR APPLICATION LAYER DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK ATTRIBUTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links