Methods and apparatus for protecting against overload conditions on nodes of a distributed network

US 7,707,305 B2
Filed: 08/14/2001
Issued: 04/27/2010
Est. Priority Date: 10/17/2000
Status: Active Grant

First Claim

Patent Images

1. A method of responding to an overload condition at a network element (“

victim”

) in a set of one or more potential victims on a network, the method comprising the steps of;

A. responsively to an indication of an anomalous traffic condition, initiating diversion of traffic destined for the victim by a first set of one or more network elements external to the set of one or more potential victims to a second set of one or more network elements external to the set of one or more potential victims,B. the element(s) of the second set filtering traffic diverted in step A (“

diverted traffic”

) and selectively passing a portion thereof to the victim,wherein said filtering step includes detecting any of (i) a traffic pattern that differs from an expected pattern and (ii) traffic volume that differs from an expected volume, said expected pattern and said expected volume being determined during a period in which the victim is not at an overload condition, andwherein said detecting step includes determining whether any of the traffic pattern and volume varies statistically significantly from any of the expected pattern and volume, respectively.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for protecting against and/or responding to an overload condition at a node (“victim”) in a distributed network divert traffic otherwise destined for the victim to one or more other nodes, which can filter the diverted traffic, passing a portion of it to the victim, and/or effect processing of one or more of the diverted packets on behalf of the victim. Diversion can be performed by one or more nodes (collectively, a “first set” of nodes) external to the victim. Filtering and/or effecting traffic processing can be performed by one or more nodes (collectively, a “second set” of nodes) also external to the victim. Those first and second sets can have zero, one or more nodes in common—or, put another way, they may wholly, partially or not overlap. The methods and apparatus have application in protecting nodes in a distributed network, such as the Internet, against distributed denial of service (DDoS) attacks.

51 Citations

View as Search Results

39 Claims

1. A method of responding to an overload condition at a network element (“
- victim”
  
  ) in a set of one or more potential victims on a network, the method comprising the steps of;
  
  A. responsively to an indication of an anomalous traffic condition, initiating diversion of traffic destined for the victim by a first set of one or more network elements external to the set of one or more potential victims to a second set of one or more network elements external to the set of one or more potential victims,B. the element(s) of the second set filtering traffic diverted in step A (“
  
  diverted traffic”
  
  ) and selectively passing a portion thereof to the victim,wherein said filtering step includes detecting any of (i) a traffic pattern that differs from an expected pattern and (ii) traffic volume that differs from an expected volume, said expected pattern and said expected volume being determined during a period in which the victim is not at an overload condition, andwherein said detecting step includes determining whether any of the traffic pattern and volume varies statistically significantly from any of the expected pattern and volume, respectively.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 24, 25)
- - 2. A method according to claim 1, wherein the initiating step includes effecting a path of traffic that differs from a path that traffic would otherwise take to the victim.
  - 3. A method according to claim 1, wherein the filtering step includes detecting suspected malicious traffic.
  - 4. A method according to claim 3, wherein the detecting step includes detecting packets with spoofed source addresses.
  - 5. A method according to claim 4, wherein detecting the packets with spoofed source addresses comprises executing a verification protocol with sources of the diverted traffic, and wherein the passing step includes passing to the victim traffic from a source that correctly complies with the verification protocol.
  - 6. A method according to claim 1, wherein the filtering step includes detecting traffic requiring a selected service from the victim.
  - 7. A method according to claim 6, wherein the filtering step includes discarding traffic not requiring the selected service from the victim.
  - 8. A method according to claim 7, wherein the filtering step includes discarding any of UDP and ICMP packet traffic.
  - 9. A method according to claim 1, comprising operating one or more elements of the first set at points on the network around the set of one or more potential victims.
  - 10. A method according to claim 9, comprising operating one or more elements of the second set any of adjacent to or external to one or more elements of the first set.
  - 11. A method according to claim 9, wherein the anomalous traffic condition is indicative of a distributed denial of service (DDoS) attack.
  - 12. A method according to claim 9, comprising selectively activating the one or more elements of the first set by declaring a network address of the victim to be close in network distance to one or more elements of the second set.
  - 13. A method according to claim 9, comprising associating the victim with first and second addresses, and wherein the filtering step includesdiscarding traffic received external to an area defined by the points directed to the first address, andpassing to the victim traffic received external to an area directed to the second address.
  - 14. A method according to claim 9, wherein the diverting step includes redirecting traffic using Policy Based Routing.
  - 15. A method according to claim 1, wherein the filtering step includes statistically measuring any of a traffic pattern and volume so as to identify any of a source and a type of the overload condition.
  - 16. A method according to claim 15, comprising determining any of the traffic pattern and volume during a period when the victim is not in the overload condition, for comparison with any of the traffic pattern and volume in the filtering step upon detecting the anomalous traffic condition.
  - 24. A method according to claim 1, wherein diverting the traffic comprises diverting all of the traffic destined for the victim upon detecting the anomalous traffic condition.
  - 25. A method according to claim 1, and comprising learning an expected pattern of the traffic while the victim is not under attack, wherein detecting the anomalous traffic condition comprises determining that the traffic differs significantly from the expected pattern.

17. A network element for use in protecting against an overload condition on a network, the network element comprising:
- an input for receiving traffic diverted from the network, the traffic comprising flows of data packets having respective source addresses;
  
  a statistics module that is arranged to perform a statistical analysis of the diverted traffic so as to detect an anomalous pattern of a flow associated with at least one of the source addresses;
  
  a filter, which is operative, responsively to detection of the anomalous pattern, to block at least a portion of the data packets having the at least one of the source addresses; and
  
  an output coupled to the input for selectively passing on to further elements in the network traffic not blocked by the filter,wherein said statistical analysis comprises detecting any of (i) a traffic pattern that differs from an expected pattern and (ii) traffic volume that differs from an expected volume, said expected pattern and said expected volume being determined during a period in which the victim is not at an overload condition, and determining whether any of the traffic pattern and volume varies statistically significantly from any of the expected pattern and volume, respectively.
- View Dependent Claims (18, 19)
- - 18. A network element according to claim 17, comprising a termination detection module that at least participates in determining when the overload condition has ended.
  - 19. A network element according to claim 17, comprising an antispoofing element that performs at least one of authenticating and verifying a source of traffic.

20. A system for use in protecting against an overload condition on a network, the system comprising:
- one or more network elements (“
  
  guards”
  
  ) disposed on the network, each network element havingan input for receiving traffic from the network,a filter coupled to the input, the filter selectively blocking traffic originating from a source suspected as potentially causing the overload condition,a statistics module that is coupled to the filter and that identifies the traffic statistically indicative of having originated from the source suspected as potentially causing the overload condition, andan output coupled to the input for selectively passing on to further elements in the network traffic not blocked by the filter,one or more further network elements (“
  
  diverters”
  
  ) disposed on the network and in communication with the guards, the further network elements selectively initiating, responsively to detection of an anomalous traffic condition, diversion to at least one of the guards traffic otherwise destined for a still further network element (“
  
  victim”
  
  ) in a set of one or more potential victims on the network,wherein said statistics module performs statistical analysis comprising detecting any of (i) a traffic pattern that differs from an expected pattern and (ii) traffic volume that differs from an expected volume, said expected pattern and said expected volume being determined during a period in which the victim is not at an overload condition, and determining whether any of the traffic pattern and volume varies statistically significantly from any of the expected pattern and volume, respectively.
- View Dependent Claims (21, 22, 23)
- - 21. A system according to claim 20, wherein at least one of the guards comprises a termination detection module that at least participates in determining when the overload condition has ended.
  - 22. A system according to claim 20, wherein at least one of the guards comprises an ingress filter, coupled to the statistics module, that generates and transmits to a further network element on the network rules for blocking traffic on the network.
  - 23. A system according to claim 20, comprising an antispoofing element that any of authenticates and verifies a source of traffic.

26. A method of responding to an overload condition at a network element (“
- victim”
  
  ) in a set of one or more potential victims on a network, the method comprising the steps of;
  
  A. responsively to an indication of an anomalous traffic condition, initiating diversion of traffic destined for the victim by a first set of one or more network elements external to the set of one or more potential victims to a second set of one or more network elements external to the set of one or more potential victims,B. the element(s) of the second set filtering traffic diverted in step A (“
  
  diverted traffic”
  
  ) and selectively passing a portion thereof to the victim,wherein the initiating step includes effecting a path of traffic that differs from a path that traffic would otherwise take to the victim,wherein the first set of one or more network elements comprises network switches having respective ports, comprising at least one switch that is configured to route the traffic to the victim through a first port while the victim is not under attach, and wherein effecting the path comprises instructing the at least one switch to route the traffic destined for the victim through a second port, to which at least one of the network elements in the second set is coupled,wherein said filtering step includes detecting any of (i) a traffic pattern that differs from an expected pattern and (ii) traffic volume that differs from an expected volume, said expected pattern and said expected volume being determined during a period in which the victim is not at an overload condition, andwherein said detecting step includes determining whether any of the traffic pattern and volume varies statistically significantly from any of the expected pattern and volume, respectively.

27. A method of responding to an overload condition at a network element (“
- victim”
  
  ) in a set of one or more potential victims on a network, the method comprising;
  
  diverting to a guard machine traffic destined for the victim, the traffic comprising flows of data packets having respective source addresses;
  
  performing a statistical analysis of the diverted traffic at the guard machine so as to detect an anomalous pattern of a flow associated with at least one of the source addresses; and
  
  responsively to detecting the anomalous pattern, preventing at least a portion of the data packets having the at least one of the source addresses from reaching the victim while passing to the victim at least some of the data packets from other source addresses,wherein said performing step includes learning an expected traffic pattern of the flows while said victim is not under attack and is not in an overload condition, and detecting an attack by determining that the anomalous pattern differs statistically significantly from the expected traffic pattern.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35)
- - 28. A method according to claim 27, wherein performing the statistical analysis comprises detecting any of a traffic volume, port number distribution, periodicity of requests, packet properties, IP geography, and distribution of packet arrival/size.
  - 29. A method according to claim 27, and comprising processing the diverted traffic so as to detect and discard the data packets that have one or more spoofed source addresses before performing the statistical analysis.
  - 30. A method according to claim 29, wherein processing the diverted traffic comprises initiating a protocol handshake between the guard machine one or more of the source addresses in order to determine that the one or more of the source addresses are spoofed.
  - 31. A method according to claim 27, wherein preventing at least the portion of the data packets comprises filtering out the diverted packets that have the at least one of the source addresses.
  - 32. A method according to claim 31, wherein filtering out the diverted packets comprises discarding the diverted packets that have the at least one of the source addresses before performing the statistical analysis on the diverted traffic that remains after the discarding.
  - 33. A method according to claim 32, and comprising processing the diverted traffic after discarding the diverted packets that have the at least one of the source addresses so as to detect and discard the data packets that have one or more spoofed source addresses before performing the statistical analysis.
  - 34. A method according to claim 27, wherein performing the statistical analysis comprises at least one of analyzing one or more of netflow data, server logs, victim traffic, and traffic volume, and classifying the statistical analysis according to types of users that generated the traffic.
  - 35. A method according to claim 27, wherein performing the statistical analysis comprises classifying the traffic according to types of users that generated it.

36. A method of responding to an overload condition at a network element (“
- victim”
  
  ) in a set of one or more potential victims on a network, the method comprising;
  
  coupling the victim to receive traffic from the network via a first port of a network switch;
  
  actuating the network switch to divert the traffic destined for the victim to a second port to which a guard machine is coupled;
  
  filtering the diverted traffic using the guard machine; and
  
  selectively passing at least a portion of the filtered traffic from the guard machine to the victim,wherein said filtering comprises performing statistical analysis comprising detecting any of (i) a traffic pattern that differs from an expected pattern and (ii) traffic volume that differs from an expected volume, said expected pattern and said expected volume being determined during a period in which the victim is not at an overload condition, and determining whether any of the traffic pattern and volume varies statistically significantly from any of the expected pattern and volume, respectively.
- View Dependent Claims (37, 38, 39)
- - 37. A method according to claim 36, wherein the network switch comprises a router.
  - 38. A method according to claim 36, wherein selectively passing at least the portion of the filtered traffic comprises passing the filtered traffic from the guard machine to the network switch, for transmission to the victim via the first port.
  - 39. A method according to claim 36, wherein filtering the diverted traffic comprises performing a statistical analysis of the diverted traffic so as to detect an anomalous pattern of a flow associated with at least one source address of the traffic, and responsively to detecting the anomalous pattern, preventing at least a portion of the data packets having the at least one source address from reaching the victim.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Touitou, Dan, Bremler-Barr, Anat, Afek, Yehuda
Primary Examiner(s)
Jean; Frantz B

Application Number

US09/929,877
Publication Number

US 20020083175A1
Time in Patent Office

3,178 Days
Field of Search

709/225, 709/229, 709/239, 709/235, 709/238, 726/13, 726 22- 25, 713/153, 713/154, 370229-232, 370/235, 370/401, 370/469, 379/219, 379/220.01, 379/221.01, 379/221.02, 379/221.03
US Class Current

709/238
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

H04L 63/1458 Denial of Service

Methods and apparatus for protecting against overload conditions on nodes of a distributed network

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for protecting against overload conditions on nodes of a distributed network

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links