Mitigating denial of service attacks

US 9,141,789 B1
Filed: 07/16/2013
Issued: 09/22/2015
Est. Priority Date: 07/16/2013
Status: Active Grant

First Claim

Patent Images

1. A method, comprising the steps of:

a) polling a traffic rate for each Distributed Denial-of-Service (DDoS) Device in a first plurality of DDoS Devices, wherein the first plurality of DDoS Devices is receiving a network traffic entering a network;

b) determining a throughput capability for each DDoS Device in the first plurality of DDoS Devices;

c) determining whether each DDoS Device in the first plurality of DDoS Devices can handle its polled traffic rate without intervention by comparing its polled traffic rate with its throughput capability;

d) for each DDoS Device in the first plurality of DDoS Devices that can handle its polled traffic rate without intervention, removing a past DDoS mitigation;

e) determining a malicious traffic rate for each DDoS Device in the first plurality of DDoS Devices;

f) determining an operational limit capability for each DDoS Device in the first plurality of DDoS Devices;

g) for each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate approach its operational limit capability within a predetermined amount, sending a notification to a monitor web page; and

h) for each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate greater than its operational limit capability, sending a notification to the monitor web page and routing traffic from the DDoS Device to a second DDoS Device that has an operational limit capability greater than the malicious traffic rate.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Several methods are disclosed for detecting and mitigating Distributed Denial-of-Service (DDoS) attacks that are intended to exhaust network resources. The methods use DDoS mitigation devices to detect DDoS attacks using operationally based thresholds. The methods also keep track of ongoing attacks, have an understanding of “protected IP space,” and activate appropriate mitigation tactics based on the severity of the attack and the capabilities of the DDoS mitigation devices.

105 Citations

View as Search Results

20 Claims

1. A method, comprising the steps of:
- a) polling a traffic rate for each Distributed Denial-of-Service (DDoS) Device in a first plurality of DDoS Devices, wherein the first plurality of DDoS Devices is receiving a network traffic entering a network;
  
  b) determining a throughput capability for each DDoS Device in the first plurality of DDoS Devices;
  
  c) determining whether each DDoS Device in the first plurality of DDoS Devices can handle its polled traffic rate without intervention by comparing its polled traffic rate with its throughput capability;
  
  d) for each DDoS Device in the first plurality of DDoS Devices that can handle its polled traffic rate without intervention, removing a past DDoS mitigation;
  
  e) determining a malicious traffic rate for each DDoS Device in the first plurality of DDoS Devices;
  
  f) determining an operational limit capability for each DDoS Device in the first plurality of DDoS Devices;
  
  g) for each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate approach its operational limit capability within a predetermined amount, sending a notification to a monitor web page; and
  
  h) for each DDoS Device in the first plurality of DDoS Devices that has its malicious traffic rate greater than its operational limit capability, sending a notification to the monitor web page and routing traffic from the DDoS Device to a second DDoS Device that has an operational limit capability greater than the malicious traffic rate.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising the steps of:
    - i) determining a malicious traffic rate for the first plurality of DDoS Devices;
      
      j) determining an operational limit capability for the first plurality of DDoS Devices; and
      
      k) if the malicious traffic rate for the first plurality of DDoS Devices approaches the operational limit capability for the first plurality of DDoS Devices within a predetermined amount, sending a notification to the monitor web page.
  - 3. The method of claim 2, further comprising the step of:
    - i) if the malicious traffic rate for the first plurality of DDoS Devices is greater than the operational limit capability for the first plurality of DDoS Devices, sending a notification to the monitor web page and swinging the network traffic from the first plurality of DDoS Devices to a second plurality of DDoS Devices.

4. A method, comprising the step of:
- identifying DDoS traffic based upon a traffic flow and a plurality of individual packet payloads utilizing an intrusion detection and prevention engine, the identifying step comprising the steps of;
  
  i) determining a validity of a combination of flag values in a Transmission Control Protocol (TCP) header;
  
  ii) if the combination of flag values in the TCP header are not valid, activating a first Distributed Denial of Service (DDoS) mitigation;
  
  iii) determining a number of TCP flags received over a first period of time;
  
  iv) if the number of TCP flags received over the first period of time exceeds a first predetermined threshold, activating a second DDoS mitigation;
  
  v) determining a number of packets received over a second period of time;
  
  vi) if the number of packets received over the second period of time exceeds a second predetermined threshold, activating a third DDoS mitigation;
  
  vii) determining a number of HTTP or DNS activities over a third period of time; and
  
  viii) if the number of HTTP or DNS activities over the third period of time exceeds a third predetermined threshold, activating a fourth DDoS mitigation.

5. A method, comprising the steps of:
- a) a plurality of Intrusion Detection Systems (IDS) capturing a plurality of packet data from a network traffic entering a network;
  
  b) the plurality of IDS processing the plurality of packet data;
  
  c) calculating a first one or more statistics from the plurality of packet data;
  
  d) reading a second one or more statistics from a traffic stats database;
  
  e) storing the first one or more statistics in the traffic stats database;
  
  f) determining a change in the network traffic by comparing the first one or more statistics with the second one or more statistics; and
  
  g) activating or modifying DDoS mitigation based on the change in the network traffic.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The method of claim 5, further comprising the step of:
    - h) determining a high delta based on the first one or more statistics and the second one or more statistics.
  - 7. The method of claim 5, wherein the processing the plurality of packet data is done in real time.
  - 8. The method of claim 5, wherein the calculating the first one or more statistics is performed by one or more of the IDS.
  - 9. The method of claim 5, wherein the calculating the first one or more statistics is performed by a server.
  - 10. The method of claim 5, wherein the determining the change in the network traffic comprises the steps of:
    - i) calculating a first mean for a running collection of samples;
      
      ii) collecting a new sample;
      
      iii) calculating a standard deviation of the new sample;
      
      iv) if the standard deviation of the new sample is above a set deviation derived from the running collection of samples and the new sample is higher than the first mean, then starting a mitigation on an end point; and
      
      v) if the standard deviation of the new sample is lower than the set deviation derived from the running collection of samples, then adding the new sample to the running collection of samples to produce a second mean.
  - 11. The method of claim 5, wherein the calculating the first one or more statistics from the plurality of packet data uses Open Systems Interconnection (OSI) Model layer 3.
  - 12. The method of claim 5, wherein the calculating the first one or more statistics from the plurality of packet data uses Open Systems Interconnection (OSI) Model layer 4.
  - 13. The method of claim 5, wherein the calculating the first one or more statistics from the plurality of packet data uses Open Systems Interconnection (OSI) Model layer 7.

14. A method, comprising the steps of:
- a) a plurality of Intrusion Detection Systems (IDS) capturing a data from a network traffic entering a network;
  
  b) the plurality of IDS processing the data;
  
  c) determining an application corresponding to the data;
  
  d) determining an application rate for the application using the data;
  
  e) generating a filter that is specific to the application; and
  
  f) activating or modifying a DDoS mitigation using the generated filter.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising the steps of:
    - g) calculating a first one or more statistics from the data;
      
      h) reading a second one or more statistics from a traffic stats database; and
      
      i) storing the first one or more statistics in the traffic stats database.
  - 16. The method of claim 14, further comprising the steps of:
    - g) calculating a plurality of long term statistics using at least the second one or more statistics; and
      
      h) determining a plurality of high application rates with low variation based on the plurality of long term statistics.
  - 17. The method of claim 14, wherein generating the filter that is specific to the application is done in real time.
  - 18. The method of claim 14, wherein the data from the network traffic is taken from an Open Systems Interconnection (OSI) Model layer 3.
  - 19. The method of claim 14, wherein the data from the network traffic is taken from an Open Systems Interconnection (OSI) Model layer 4.
  - 20. The method of claim 14, wherein the data from the network traffic is taken from an Open Systems Interconnection (OSI) Model layer 7.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Go Daddy Operating Company LLC (GoDaddy, Inc.)
Original Assignee
Go Daddy Operating Company LLC (GoDaddy, Inc.)
Inventors
LeBert, Don, Gerlach, Scott
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US13/943,429
Time in Patent Office

798 Days
Field of Search

726/23
US Class Current

1/1
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 2463/142   Denial of service attacks a...

H04L 63/0254   Stateful filtering

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Mitigating denial of service attacks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

105 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Mitigating denial of service attacks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

105 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others