TWO-STAGE HASH BASED LOGIC FOR APPLICATION LAYER DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK ATTRIBUTION
First Claim
1. A method comprising:
- receiving, by a distributed denial of service (DDoS) detection module within a network, information regarding a plurality of application layer attributes for which an attack status is to be monitored;
- determining the attack status for each of the plurality of monitored attributes by comparing, by the DDoS detection module, granular traffic rates directed to a first hash value of each of the plurality of monitored attributes to a plurality of corresponding adaptive thresholds, wherein the first hash value is calculated based on a first hash algorithm;
- when a granular traffic rate for a first hash value of a particular monitored attribute of the plurality of monitored attributes exceeds an adaptive threshold for the particular monitored attribute, the particular monitored attribute is determined to be an under-attack attribute;
- storing, by the DDoS monitor module, details regarding the under-attack attribute in a memory of the DDoS detection module; and
- notifying, by the DDoS detection module, a host computer coupled to the DDoS detection module of the attack status and the details of the under-attack attribute.
Abstract
Methods and systems for two-stage attribution of application layer DDoS attacks are provided. The first-stage table maintains only a hash index (a counter per hash value, with no string stored), whereas the second-stage table keeps the string parameter corresponding to the application layer attribute found to be under attack. A linked list maintains a plurality of rows for a first-table entry when distinct strings collide on the same hash value. The second table is aged out and reported periodically, with the details of the large strings it holds.
22 Claims
1. A method comprising: (independent method claim; its full text is given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.

12. A computer system comprising:
- a non-transitory storage device having tangibly embodied therein instructions representing a security application; and
- one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising:
  - receiving, by a distributed denial of service (DDoS) detection module within a network, information regarding a plurality of application layer attributes for which an attack status is to be monitored;
  - determining the attack status for each of the plurality of monitored attributes by comparing, by the DDoS detection module, granular traffic rates directed to a first hash value of each of the plurality of monitored attributes to a plurality of corresponding adaptive thresholds, wherein the first hash value is calculated based on a first hash algorithm;
  - when a granular traffic rate for a first hash value of a particular monitored attribute of the plurality of monitored attributes exceeds an adaptive threshold for the particular monitored attribute, the particular monitored attribute is determined to be an under-attack attribute;
  - storing, by the DDoS monitor module, details regarding the under-attack attribute in a memory of the DDoS detection module; and
  - notifying, by the DDoS detection module, a host computer coupled to the DDoS detection module of the attack status and the details of the under-attack attribute.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.
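The two-stage scheme described in the abstract and recited in claims 1 and 12 can be illustrated with a small detector. The code below is an added example, not code from the patent or its assignee. Its design choices are assumptions: the adaptive threshold is a multiple of an exponentially weighted moving average of the bucket's per-interval rate, learned only from intervals in which the bucket was not over threshold; the first-stage "hash index" is a fixed array of counters indexed by a stable hash of the attribute value (URL path here); the second stage stores the actual string only once its bucket crosses the threshold, chaining colliding strings in a list; and entries that are not refreshed for a few intervals are aged out. The class and function names (`TwoStageDetector`, `bucket_index`, `run_demo`, `collision_demo`) and the traffic in the demos are constructed for this example.

```python
"""Two-stage hash-based attribution of an application layer flood (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import hashlib


def bucket_index(value: str, table_size: int) -> int:
    """Stage-one hash; keyed hashlib digest is stable across processes (hash() is not)."""
    digest = hashlib.blake2b(value.encode("utf-8"), digest_size=4).digest()
    return int.from_bytes(digest, "big") % table_size


@dataclass
class Bucket:
    count: int = 0            # requests hashed here during the current interval
    ewma: float = 0.0         # smoothed per-interval rate, learned from quiet intervals only
    under_attack: bool = False


@dataclass
class AttackRecord:
    value: str                # the string parameter behind the hot bucket (stage two)
    over_hits: int            # requests seen after the threshold was crossed
    last_interval: int        # refreshed on every hit; used for aging out


class TwoStageDetector:
    def __init__(self, table_size=65536, alpha=0.2, factor=3.0,
                 min_threshold=50, age_intervals=3):
        self.table_size = table_size
        self.table = [Bucket() for _ in range(table_size)]   # stage one: counters only
        self.alpha, self.factor = alpha, factor
        self.min_threshold, self.age_intervals = min_threshold, age_intervals
        self.interval = 0
        self.stage2: Dict[int, List[AttackRecord]] = {}       # index -> chain of strings
        self.notifications: List[Tuple[int, int, str]] = []  # (interval, index, value)

    def threshold(self, bucket: Bucket) -> float:
        """Adaptive threshold: a multiple of the learned rate, never below a floor."""
        return max(self.min_threshold, self.factor * bucket.ewma)

    def observe(self, value: str) -> None:
        """Count one request; on threshold crossing, record the string in stage two."""
        idx = bucket_index(value, self.table_size)
        bucket = self.table[idx]
        bucket.count += 1
        if bucket.count > self.threshold(bucket):
            bucket.under_attack = True
            self._record(idx, value)

    def _record(self, idx: int, value: str) -> None:
        chain = self.stage2.setdefault(idx, [])     # list handles hash collisions
        for rec in chain:
            if rec.value == value:
                rec.over_hits += 1
                rec.last_interval = self.interval
                return
        chain.append(AttackRecord(value, 1, self.interval))
        self.notifications.append((self.interval, idx, value))   # notify the host once

    def end_interval(self) -> List[dict]:
        """Close the interval: update baselines, reset counters, age out stage two."""
        for bucket in self.table:
            if not bucket.under_attack:            # do not let attack traffic raise the baseline
                bucket.ewma = (1 - self.alpha) * bucket.ewma + self.alpha * bucket.count
            bucket.count = 0
            bucket.under_attack = False
        self.interval += 1
        for idx in list(self.stage2):
            live = [r for r in self.stage2[idx]
                    if self.interval - r.last_interval <= self.age_intervals]
            if live:
                self.stage2[idx] = live
            else:
                del self.stage2[idx]
        return self.report()

    def report(self) -> List[dict]:
        rows = [{"index": idx, "value": r.value, "over_hits": r.over_hits}
                for idx, chain in self.stage2.items() for r in chain]
        return sorted(rows, key=lambda r: r["over_hits"], reverse=True)


def run_demo() -> dict:
    """Constructed traffic: ten quiet intervals, one flood on /api/login, then aging."""
    det = TwoStageDetector()
    for _ in range(10):
        for path in ("/index.html", "/api/login"):
            for _ in range(20):
                det.observe(path)
        det.end_interval()
    for _ in range(500):
        det.observe("/api/login")
    for _ in range(20):
        det.observe("/index.html")
    flagged = {row["value"] for row in det.end_interval()}
    for _ in range(det.age_intervals):
        det.end_interval()
    return {"flagged": flagged, "remaining": det.report(),
            "notifications": det.notifications}


def collision_demo() -> List[dict]:
    """A one-bucket table forces collisions: stage one cannot separate /a from /b, stage two can."""
    det = TwoStageDetector(table_size=1, min_threshold=5)
    for _ in range(10):
        det.observe("/a")
    for _ in range(10):
        det.observe("/b")
    return det.report()


if __name__ == "__main__":
    print(run_demo())
    print(collision_demo())
```

The point of the split is memory: stage one is sized by the hash space and holds nothing but counters, so it can be large and fixed-size on a network device, while strings (which may be long URLs or headers) are only allocated for attributes that are actually over threshold and are released again once the flood stops. The collision chain is what keeps that compact first stage honest: two distinct strings that land in one hot bucket are still reported separately.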
Specification