Monitoring network traffic denial of service attacks
First Claim
1. A data collector to sample packet traffic, accumulate, and collect statistical information about network flows comprises:
a computing device that executes a computer program product stored on a computer readable medium comprising instructions to cause the computing device to:
collect statistical information pertaining to network packets received by the data collector;
monitor a parameter of traffic flow at multiple levels of granularity to trace the source of an attack, with instructions to monitor further comprising instructions to:
divide the traffic flow into buckets that track counts of how many packets the data collector examines for a given parameter; and
adjust the number of buckets as the number of buckets approaches a bucket threshold, by combining several buckets into fewer buckets or dividing a bucket into more buckets;
maintain the statistical information in a log; and
wherein the data collector further comprises:
a port to link the data collector over a redundant network that does not carry the packet traffic to deliver collected statistical information about the network packets to a central control center upon demand by the central control center.
Assignments: 21
Petitions: 0
Abstract
A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.
Citations: 70
Claims (22)
1. Independent claim; reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method of collecting data from sampled network traffic, pertaining to network traffic flows comprises:
sampling the network traffic and generating statistical information pertaining to the sampled network packets;
monitoring a parameter of traffic flow at multiple levels of granularity to trace the source of an attack, with monitoring further comprising:
dividing the traffic flow into buckets that track counts of how many packets a data collector or gateway examines for a given parameter; and
adjusting the number of buckets as the number of buckets approaches a bucket threshold, by combining several buckets into fewer buckets or dividing a bucket into more buckets;
communicating the generated statistical information over a redundant network that does not carry the packet traffic to deliver the generated statistical information pertaining to the network packets to a central control center in response to a query for the generated statistical information from the central controller.
Dependent claims: 11, 12, 13, 14, 15, 16.
17. A computer program product residing on a computer readable medium for sampling network packet traffic to accumulate, and collect statistical information about network flows, comprises instructions for causing a device to:
collect network packets and produce statistical information pertaining to collected network packets;
monitor a parameter of traffic flow at multiple levels of granularity to trace the source of an attack, with instructions to monitor further comprising instructions to:
divide the traffic flow into buckets that track counts of how many packets a data collector or gateway examines for a given parameter;
adjust the number of buckets as the number of buckets approaches a bucket threshold, by combining several buckets into fewer buckets or dividing a bucket into more buckets;
parse information in the collected packets and maintain the information in a log; and
send the statistical information to a central control center over a redundant network that does not carry the packet traffic in response to a query from the central controller.
Dependent claims: 18, 19, 20, 21, 22.
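The bucket mechanism recited in claims 1, 10 and 17 (counting sampled packets into buckets keyed by one traffic parameter, observing at successively finer granularity to trace an attack source, and merging or splitting buckets as the bucket count approaches a threshold) can be worked through in code. The following is an added example written for this page; it is not the patent's or the assignee's implementation. The claims do not state a split or merge policy, so the policy used here is an assumption: a window of sampled packets is counted into buckets keyed by source-address prefix, a bucket holding at least `hot_fraction` of the window is split into its two child prefixes, and when the bucket count approaches `bucket_threshold` the coldest buckets are removed so their traffic falls back to the nearest remaining ancestor (ultimately the 0.0.0.0/0 catch-all). The choice of source address as the parameter, the window-based operation, the class and method names, and the traffic fed in are all constructed for the example. `report()` stands in for the on-demand delivery to the control center; the separate management network of the claims is not modelled.

```python
"""Adaptive-bucket flow statistics collector (added example, not the patent's code).

Sampled packets are counted, one window at a time, into buckets keyed by
source-address prefix (longest-prefix match; 0.0.0.0/0 is the catch-all).
At the end of a window a bucket holding a large share of the traffic is split
into its two child prefixes, so the next window is observed at finer
granularity along the path to the attack source. When the number of buckets
approaches the threshold, the coldest buckets are removed, which merges their
traffic into the nearest remaining ancestor. Every window's counts are kept
in a log, and report() returns the latest snapshot on demand.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
ROOT = Net("0.0.0.0/0")


class BucketCollector:
    def __init__(self, bucket_threshold: int = 8, hot_fraction: float = 0.5,
                 max_prefixlen: int = 24, sampling_interval: int = 1):
        self.bucket_threshold = bucket_threshold    # maximum number of buckets kept
        self.hot_fraction = hot_fraction            # share of a window that triggers a split
        self.max_prefixlen = max_prefixlen          # finest granularity traced
        self.sampling_interval = sampling_interval  # count one packet in N
        self.buckets: Dict[Net, int] = {ROOT: 0}    # bucket -> packets counted this window
        self.log: List[dict] = []                   # one snapshot per window
        self._seen = 0

    def _bucket_for(self, addr: ipaddress.IPv4Address) -> Net:
        # Longest-prefix match; ROOT contains every address, so this never fails.
        return max((n for n in self.buckets if addr in n), key=lambda n: n.prefixlen)

    def observe(self, packet: dict) -> None:
        """Parse the source address out of one packet and count it (1-in-N sampling)."""
        self._seen += 1
        if self._seen % self.sampling_interval:
            return
        self.buckets[self._bucket_for(ipaddress.IPv4Address(packet["src"]))] += 1

    def end_window(self) -> dict:
        """Log this window's counts, then split hot buckets and merge cold ones."""
        total = sum(self.buckets.values())
        snapshot = {"window": len(self.log) + 1, "total": total,
                    "buckets": {str(n): c for n, c in self.buckets.items() if c}}
        self.log.append(snapshot)

        hot = [n for n, c in self.buckets.items()
               if total and c / total >= self.hot_fraction
               and n.prefixlen < self.max_prefixlen]
        # Each split adds two children; make room by merging as the count nears the threshold.
        while 2 * len(hot) > self.bucket_threshold - len(self.buckets):
            victims = [n for n in self.buckets if n != ROOT and n not in hot]
            if not victims:
                hot.pop()            # nothing left to merge: forgo one split
                continue
            # Coldest first; on ties the least specific (a now-empty ancestor) goes first.
            del self.buckets[min(victims, key=lambda n: (self.buckets[n], n.prefixlen))]
        for n in hot:
            for child in n.subnets(prefixlen_diff=1):
                self.buckets.setdefault(child, 0)
        self.buckets = dict.fromkeys(self.buckets, 0)   # fresh counts for the next window
        return snapshot

    def report(self, top: int = 3) -> List[Tuple[str, int]]:
        """Statistics delivered on demand: the hottest buckets of the last window."""
        if not self.log:
            return []
        return sorted(self.log[-1]["buckets"].items(), key=lambda kv: -kv[1])[:top]


BACKGROUND = ["192.0.2", "198.51.100", "203.0.113"]   # RFC 5737 documentation ranges


def constructed_window() -> List[dict]:
    """Constructed traffic, not a capture: an 800-packet flood from 10.1.2.0/24
    plus 200 background packets spread over the documentation ranges."""
    pkts = [{"src": f"10.1.2.{i % 256}", "dst": "192.0.2.10", "proto": "udp"} for i in range(800)]
    pkts += [{"src": f"{BACKGROUND[i % 3]}.{i % 256}", "dst": "192.0.2.10", "proto": "tcp"}
             for i in range(200)]
    return pkts


def run_trace(windows: int = 30) -> BucketCollector:
    """Feed the same window repeatedly so the hot bucket narrows by one bit per window."""
    collector = BucketCollector(bucket_threshold=8, hot_fraction=0.5, max_prefixlen=24)
    traffic = constructed_window()
    for _ in range(windows):
        for pkt in traffic:
            collector.observe(pkt)
        collector.end_window()
    return collector


if __name__ == "__main__":
    c = run_trace()
    for entry in c.log[:6] + c.log[-1:]:
        print(entry["window"], entry["buckets"])
    print("on-demand report:", c.report())
```

Running it shows the trace narrowing from 0.0.0.0/0 in the first window through 0.0.0.0/4, 8.0.0.0/5, 10.0.0.0/8 and so on until 10.1.2.0/24 holds the 800 flood packets, while the bucket count never exceeds the threshold of 8 because the emptied ancestors and cold siblings are merged away. A deployment would drive `observe()` from a packet tap or sampled flow export and serve `report()` to the control center over the out-of-band network the claims describe.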
Specification