Method and system for mitigation of distributed denial of service (DDOS) attacks

US 9,294,483 B2
Filed: 05/05/2014
Issued: 03/22/2016
Est. Priority Date: 05/03/2013
Status: Active Grant

First Claim

Patent Images

1. A system for mitigating malicious network traffic, comprising:

a protected server within a domain;

at least one Authoritative Domain Name System (DNS) server of the domain;

at least one DNS Traffic Analyzer and Firewall (DTAF), wherein network traffic must pass through the at least one DTAF Firewall before accessing the at least one Authoritative DNS server, and wherein the at least one DTAF Firewall analyzes the network traffic attempting to pass through the at least one DTAF Firewall; and

a Central Master DTAF, wherein the at least one DTAF Firewall send network traffic data to the Central Master DTAF, and wherein the Central Master DTAF sends at least one access control list to the at least one DTAF Firewall.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for mitigating the effects of malicious internet traffic, including DDOS attacks, by utilizing a DNS Traffic Analyzer and Firewall to analyze network traffic intended for a DNS server and preventing some network traffic from accessing the DNS server.

8 Citations

16 Claims

1. A system for mitigating malicious network traffic, comprising:
- a protected server within a domain;
  
  at least one Authoritative Domain Name System (DNS) server of the domain;
  
  at least one DNS Traffic Analyzer and Firewall (DTAF), wherein network traffic must pass through the at least one DTAF Firewall before accessing the at least one Authoritative DNS server, and wherein the at least one DTAF Firewall analyzes the network traffic attempting to pass through the at least one DTAF Firewall; and
  
  a Central Master DTAF, wherein the at least one DTAF Firewall send network traffic data to the Central Master DTAF, and wherein the Central Master DTAF sends at least one access control list to the at least one DTAF Firewall.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein network traffic must also pass through the at least one DTAF Firewall before accessing the protected server.
  - 3. The system of claim 1, wherein network traffic must also pass through the at least one DTAF Firewall before accessing public DNS servers.
  - 4. The system of claim 1, wherein the network traffic data includes both historical data and realtime data.
  - 5. The system of claim 1, wherein the protected server sends network traffic data to the Central Master DTAF.
  - 6. The system of claim 1, wherein the at least one Authoritative DNS Server send network traffic data to the Central Master DTAF.
  - 7. The system of claim 1, wherein the access control list(s) include information related to a specific DNS Server and wherein the at least one DTAF Firewall is capable of controlling or analyzing traffic originating from the specific DNS Server.
  - 8. The system of claim 1, further comprising a domain shifting subsystem, wherein the domain shifting subsystem creates at least one New Authoritative DNS server and reroutes at least some network traffic to the at least one New Authoritative DNS server.
  - 9. The system of claim 8, wherein the domain shifting subsystem rotates the at least one New Authoritative DNS Server on a regular basis.
  - 10. The system of claim 8, wherein the at least one New Authoritative DNS server process new network traffic.
  - 11. The system of claim 1, wherein the enhanced and dynamic access control list contains a list of denied IP addresses that are prohibited from passing through to the protected system and allowed IP addresses that are allowed to pass through to the protected system, wherein such allowed and denied IP addresses are based not only upon source address of the attack traffic, but also IP addresses belonging to public and private DNS servers and DNS resolvers identified as relied upon by the attacker(s) to find the target protected system, such identification done via an analysis of network traffic at the attack target as well and at distributed DTAF systems that are not under attack, such as public Internet Service Provider (ISP) DNS servers.
  - 12. The system of claim 11, wherein the access control list further defines wherein the identified IP addresses originating not from the attack source are selectively allowed or denied in accordance with the blocking or redirection strategy currently engaged in the overall DTAF system.

13. A method for mitigating malicious network traffic, comprising the following steps:
- analyzing network traffic intended for at least one Authoritative Domain Name System (DNS) server;
  
  generating network traffic data;
  
  sending the network traffic data to a Central Master DTAF;
  
  receiving an access control list from the Central Master DTAF; and
  
  updating firewall parameters based upon the received access control list.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, further comprising the following steps:
    - determining a particular DNS server utilized by suspicious network traffic;
      
      including DNS server data in the network traffic data; and
      
      including DNS server information in the access control list.
  - 15. The method of claim 13, further comprising the following steps:
    - creating at least one New Authoritative DNS server; and
      
      routing at least some of the network traffic to the at least one New Authoritative DNS serve.
  - 16. The method of claim 13, further comprising the following step:
    - rotating the Authoritative DNS servers on a regular basis.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
John Wong
Original Assignee
John Wong
Inventors
Wong, John
Primary Examiner(s)
Shehni, Ghazal

Application Number

US14/270,133
Publication Number

US 20140331304A1
Time in Patent Office

687 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/101   Access control lists [ACL]

H04L 63/1458   Denial of Service

Method and system for mitigation of distributed denial of service (DDOS) attacks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for mitigation of distributed denial of service (DDOS) attacks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links