Monitoring network traffic denial of service attacks

US 7,124,440 B2
Filed: 08/16/2001
Issued: 10/17/2006
Est. Priority Date: 09/07/2000
Status: Active Grant

First Claim

Patent Images

1. A data collector to sample packet traffic, accumulate, and collect statistical information about network flows comprises:

a computing device that executes a computer program product stored on a computer readable medium comprising instructions to cause the computing device to;

collect statistical information pertaining to network packets received by the data collector;

monitor a parameter of traffic flow at multiple levels of granularity to trace the source of an attack, with instructions to monitor further comprising instructions to;

divide the traffic flow into buckets that track counts of how many packets the data collector examines for a given parameter; and

adjust the number of buckets as the number of buckets approaches a bucket threshold, by combining several buckets into fewer buckets or dividing a bucket into more buckets;

maintain the statistical information in a log; and

wherein the data collector further comprises;

a port to link the data collector over a redundant network that does not carry the packet traffic to deliver collected statistical information about the network packets to a central control center upon demand by the central control center.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.

70 Citations

View as Search Results

22 Claims

1. A data collector to sample packet traffic, accumulate, and collect statistical information about network flows comprises:
- a computing device that executes a computer program product stored on a computer readable medium comprising instructions to cause the computing device to;
  
  collect statistical information pertaining to network packets received by the data collector;
  
  monitor a parameter of traffic flow at multiple levels of granularity to trace the source of an attack, with instructions to monitor further comprising instructions to;
  
  divide the traffic flow into buckets that track counts of how many packets the data collector examines for a given parameter; and
  
  adjust the number of buckets as the number of buckets approaches a bucket threshold, by combining several buckets into fewer buckets or dividing a bucket into more buckets;
  
  maintain the statistical information in a log; and
  
  wherein the data collector further comprises;
  
  a port to link the data collector over a redundant network that does not carry the packet traffic to deliver collected statistical information about the network packets to a central control center upon demand by the central control center.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The data collector of claim 1 wherein the redundant network is a leased line.
  - 3. The data collector of claim 1 wherein the redundant network is a hardened redundant network.
  - 4. The data collector of claim 1 wherein the redundant network is a telephone network.
  - 5. The data collector of claim 1 wherein the statistical information collected by the data collector includes source information and destination information contained in packets received by the data collector.
  - 6. The data collector of claim 5 wherein the data collector collects the statistical information but does not log the sampled packets.
  - 7. The data collector of claim 1 wherein the computer program product in the data collector executes rules to analyze the collected statistical information and produces a message that raises an alarm to the control center.
  - 8. The data collector of claim 1 wherein the data collector further includes instructions to:
    - respond to queries from the control center, the queries querying the data collector for statistical information concerning characteristics of packet traffic on the network.
  - 9. The data collector of claim 8 wherein one of the queries is a query request to download via the redundant network, a portion of the contents of the log maintained by the data collector.

10. A method of collecting data from sampled network traffic, pertaining to network traffic flows comprises:
- sampling the network traffic and generating statistical information pertaining to the sampled network packets;
  
  monitoring a parameter of traffic flow at multiple levels of granularity to trace the source of an attack, with monitoring further comprising;
  
  dividing the traffic flow into buckets that track counts of how many packets a data collector or gateway examines for a given parameter; and
  
  adjusting the number of buckets as the number of buckets approaches a bucket threshold, by combining several buckets into fewer buckets or dividing a bucket into more buckets;
  
  communicating the generated statistical information over a redundant network that does not carry the packet traffic to deliver the generated statistical information pertaining to the network packets to a central control center in response to a query for the generated statistical information from the central controller.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10 wherein generating further comprises:
    - applying multi-level analysis to monitor TCP packet ratios, repressor traffic and statistics based on Layer 3–
      
      7 analysis.
  - 12. The method of claim 11 wherein layer 3–
    - 7 analysis comprises;
      
      monitoring network traffic for unusual levels of IP fragmentation, or fragmented IP packets with bad or overlapping fragment offsets.
  - 13. The method of claim 11 wherein layer 3–
    - 7 analysis comprises;
      
      monitoring network traffic for IP packets with bad source addresses or ICMP packets with broadcast destination addresses.
  - 14. The method of claim 11 wherein layer 3–
    - 7 analysis comprises;
      
      monitoring network traffic for transport control protocol (TCP) or user datagram protocol (UDP) packets addressed to unused ports.
  - 15. The method of claim 11 wherein layer 3–
    - 7 analysis comprises;
      
      monitoring network traffic for transmission control protocol (TCP) packets with unusually small window sizes, which indicate server loading due to an attack, or transmission control protocol (TCP) ACK packets that do not belong to a known connection.
  - 16. The method of claim 11 wherein layer 3–
    - 7 analysis comprises;
      
      monitoring network traffic for an indication of a frequency of reload requests that are sustained at a rate higher than plausible for a human user over a persistent HTTP connection.

17. A computer program product residing on a computer readable medium for sampling network packet traffic to accumulate, and collect statistical information about network flows, comprises instructions for causing a device to:
- collect network packets and produce statistical information pertaining to collected network packets;
  
  monitor a parameter of traffic flow at multiple levels of granularity to trace the source of an attack, with instructions to monitor further comprising instructions to;
  
  divide the traffic flow into buckets that track counts of how many packets a data collector or gateway examines for a given parameter;
  
  adjust the number of buckets as the number of buckets approaches a bucket threshold, by combining several buckets into fewer buckets or dividing a bucket into more buckets;
  
  parse information in the collected packets and maintain the information in a log; and
  
  send the statistical information to a central control center over a redundant network that does not carry the packet traffic in response to a query from the central controller.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The computer program product of claim 17 further comprising instructions to:
    - apply multi-level analysis to monitor TCP packet ratios, repressor traffic and statistical information based on Layer 3–
      
      7 analysis.
  - 19. The computer program product of claim 18 wherein layer 3–
    - 7 analysis further comprises instructions to;
      
      monitor network traffic for unusual levels of IP fragmentation, or fragmented IP packets with bad or overlapping fragment offsets.
  - 20. The computer program product of claim 18 wherein layer 3–
    - 7 analysis further comprises instructions to;
      
      monitor network traffic for IP packets with bad source addresses or ICMP packets with broadcast destination addresses.
  - 21. The computer program product of claim 18 wherein layer 3–
    - 7 analysis further comprises instructions to;
      
      monitor network traffic for transport control protocol (TCP) or user datagram protocol (UDP) packets addressed to unused ports.
  - 22. The computer program product of claim 17 wherein layer 3–
    - 7 analysis further comprises instructions to;
      
      monitor network traffic for transmission control protocol (TCP) packets with unusually small window sizes, which indicate server loading due to an attack, or transmission control protocol (TCP) ACK packets that do not belong to a known connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Mazu Networks, Inc. (Riverbed Technology Incorporated)
Inventors
Kohler, Edward W. Jr., Poletto, Massimiliano Antonio
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Dinh, Minh

Application Number

US09/931,558
Publication Number

US 20020032880A1
Time in Patent Office

1,888 Days
Field of Search

713150-153, 713/188, 713/201, 709/224
US Class Current

726/23
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 43/00   Arrangements for monitoring...

H04L 43/022   by sampling

H04L 43/026   using flow identification

H04L 43/106   using time related informat...

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Monitoring network traffic denial of service attacks

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

70 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring network traffic denial of service attacks

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links