US20160080411A1 - Hardware-logic based flow collector for distributed denial of service (ddos) attack mitigation - Google Patents

Hardware-logic based flow collector for distributed denial of service (ddos) attack mitigation Download PDF

Info

Publication number
US20160080411A1
US20160080411A1 US14/665,523 US201514665523A US2016080411A1 US 20160080411 A1 US20160080411 A1 US 20160080411A1 US 201514665523 A US201514665523 A US 201514665523A US 2016080411 A1 US2016080411 A1 US 2016080411A1
Authority
US
United States
Prior art keywords
layer
granular
flow
traffic
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US14/665,523
Other versions
US9276955B1 (en
Inventor
Hemant Kumar Jain
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fortinet Inc
Original Assignee
Fortinet Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fortinet Inc filed Critical Fortinet Inc
Priority to US14/665,523 priority Critical patent/US9276955B1/en
Priority to US15/055,619 priority patent/US9935974B2/en
Application granted granted Critical
Publication of US9276955B1 publication Critical patent/US9276955B1/en
Publication of US20160080411A1 publication Critical patent/US20160080411A1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141Denial of service attacks against endpoints in a network

Definitions

  • Embodiments of the present invention relate generally to intrusion prevention and more particular to a system and method for the prevention of distributed denial of service (DDoS) attacks on Internet Service Provider (ISP) infrastructure.
  • DDoS distributed denial of service
  • ISP Internet Service Provider
  • DDoS attack mitigation appliances have been in use due to increasing distributed denial of service attacks.
  • ISP Internet Service Provider
  • IP Internet Protocol
  • the infrastructure consists of many routers and switches via which Internet Protocol (IP) protocol packets flow.
  • IP Internet Protocol
  • a surge in these packets overloads ISP equipment and causes them to slow down, which in turn slows down the service provided by the ISP.
  • ISPs need to protect their infrastructure from such attacks; and in particular need to protect their core routers from becoming overloaded.
  • ISPs need a way to address DDoS attacks in a such that these attacks are stopped closer to their sources, i.e., closer to the edge routers, thereby better protecting the ISPs' core routers.
  • a method of mitigating DDoS attacks is provided.
  • Information regarding at least one destination within a network for which a distributed denial of service (DDoS) attack status is to be monitored is received by a DDoS attack detection module coupled with a flow controller via a bus.
  • the DDoS attack status is determined for the at least one destination based on the information regarding the at least one destination.
  • the flow controller is notified of the DDoS attack status for the at least one destination by the DDoS attack detection module. Responsive thereto, the flow controller directs a route reflector to divert traffic destined for the at least one destination to a DDoS attack mitigation appliance within the network.
  • FIG. 1 illustrates an exemplary system employing a flow collector in accordance with an embodiment of the present invention.
  • FIG. 2 schematically shows architectural details of the flow collector of FIG. 1 in accordance with an embodiment of the present invention.
  • FIG. 3 illustrates further implementation details of packet processing logic and related components in accordance with an embodiment of the present invention.
  • FIG. 4 further illustrates the overall process for the traffic rate collection, breach detection and traffic diversion in accordance with an embodiment of the present invention.
  • FIG. 5 further illustrates an exemplary process for deriving granular traffic statistics from traffic flow statistics in accordance with an embodiment of the present invention.
  • a flow collector is capable of receiving a variety of flow statistics in industry standards from routers and switches. These flow statistics may be in the form of packets in protocols, including, but not limited to, NetFlow, JFlow, SFlow, CFlow and the like.
  • the hardware-based apparatus collects this data and converts them to granular rate statistics in a round robin database for varying periods such as past hour, past day, past week, past month, past year etc. Based on the past granular traffic statistics, the apparatus can determine corresponding rate-thresholds through continuous and adaptive learning.
  • the apparatus can determine the networks being attacked or protocols or transmission control protocol (TCP) or user diagram protocol (UDP) ports under attack once the corresponding adaptive thresholds are violated.
  • TCP transmission control protocol
  • UDP user diagram protocol
  • the router closer to the edge can then be requested to divert the affected traffic to a scrubbing center potentially including multiple scrubbing appliances.
  • the techniques for such diversion and scrubbing are described well in the literature and are thus not elaborated upon further herein.
  • a single hardware-logic based appliance collects traffic statistics data from multiple routers and switches in a service provider network. It then integrates multiple mechanisms to determine the current granular traffic rate to multiple destinations and determines if any of the protected destinations are having a rate anomaly based on behavioral threshold estimation. The collector then informs the route reflector to divert the traffic destined to the destination network via a scrubbing appliance. The scrubbing appliance then forwards the cleansed traffic on to the eventual destination in a way to avoid any routing loops.
  • a packet interface block interfaces with external network via a physical layer (PHY) and switch device that contains the Media Access Control (MAC) layer.
  • PHY physical layer
  • MAC Media Access Control
  • the packet interface block forwards packets to packet processing logic.
  • the packet processing logic gets the flow statistics packets from the packet interface.
  • a network flow can be defined in many ways, for example, Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share the following 7 values: 1. Ingress interface (SNMP ifIndex); 2. Source IP address; 3. Destination IP address; 4. IP protocol; 5. Source port for User Datagram Protocol (UDP) or Transmission Control Protocol (TCP), 0 for other protocols; 6. Destination port for UDP or TCP, type and code for Internet Control Message Protocol (ICMP), or 0 for other protocols; and 7. IP Type of Service.
  • a flow statistics record can contain a wide variety of information about the traffic in a given flow. An exemplary flow statistics record from NetFlow is described below in Table 1.
  • the purpose of the packet processing logic is to determine the instantaneous granular rates and enforce a policy based on the granular rate thresholds. It does this via storing the granular packet rates in an internal or external granular metering memory. Exemplary derived granular rate parameters are described below in Table 2. Rate anomaly meters inside the packet processing logic receive classifier output and maintain the instantaneous packet-rates and compare them against the thresholds set adaptively and continuously by the controlling host.
  • packets of that type and belonging to a destination are diverted to a scrubbing appliance via a message to the route reflector.
  • An object of various embodiments of the present invention is to provide a high-rate hardware based integrated system and method of determining attacks to a destination, the destination having layers 3, 4, and 7 rate anomalies as detected by the system, which is continuously and adaptively adjusting rate thresholds.
  • Another object of various embodiments of the present invention is to provide a mechanism to communicate the affected destination to the route reflector so that it can divert the traffic via an inline attack mitigation device.
  • a still further object of various embodiments of the present invention is to provide a rate anomaly engine capable of continuously calculating the traffic rate on classified granular traffic parameters and estimating the traffic rate thresholds adaptively and thus determining the threshold violations on traffic parameters, such as SYN packets/second, protocol packets/second and/or concurrent connections/destination.
  • FIG. 1 depicts an exemplary flow collector apparatus 106 illustrating the functionality of an integrated system 100 for the mitigation of distributed denial of service attacks on a service provider network in accordance with an embodiment of the present invention.
  • a protected destination 101 is usually behind customer edge router (not shown).
  • the customer edge router is connected to a provider edge router 102 .
  • provider edge router 102 is connected to a core router 103 , which in turn is connected to a peering router 104 .
  • Peering router 104 is in turn connected to a public network, such as the Internet, via a network cloud 105 . Multiple of such peering routers may be connected in a typical network via core router 103 .
  • a flow collector or traffic statistics collector 106 is provided that can determine the attack and request a router reflector 107 to send the traffic destined to protected destination 101 via route reflector 107 such that DDoS attack mitigation appliance 108 cleanses the attack inline and then forwards the traffic via route reflector 107 to protected destination 101 .
  • the traffic returns to normal, the traffic diversion is removed and the traffic is routed to protected destination 101 through core router 103 . In this manner, core router 103 is protected from DDoS attacks.
  • FIG. 2 illustrates further details of flow collector 106 from FIG. 1 in accordance with an embodiment of the present invention.
  • flow packets 201 are processed via a hardware logic board, which may be implemented using one or more Field-Programmable Gate Arrays (FPGAs) and/or Application Specific Integrated Circuits (ASICs).
  • board 202 (which may more generally be referred to herein as a DDoS attack detection module or a hardware module) consists of a PHY and switch 206 that allows interfacing with external connectors, including, but not limited to, RJ-45 or fiber interfaces, and allows forwarding packets to other components on board 202 .
  • Packet interface block 207 receives packets, buffers them in a packet buffer 211 and serially releases them to the subsequent logic.
  • Packet processing logic 208 receives traffic flow statistics packets from packet interface 207 .
  • Packet processing logic 208 uses a granular metering memory 210 to calculate and derive granular packet rates and to determine if there are any threshold violations.
  • granular metering memory 210 may be partially inside FPGA/ASIC based board 202 and large blocks of memory may be external, for example, in a Double Data Rate (DDR) memory.
  • a host computer 203 can read the granular packet rate parameters via host interface 209 .
  • Host computer 203 is connected to board 202 via a Peripheral Component Interconnect Express (PCIe) interface 205 .
  • PCIe Peripheral Component Interconnect Express
  • Host computer 203 can similarly set the granular packet rate thresholds based on past behavior for that granular rate parameter.
  • host computer 203 stores the derived granular traffic statistics in multiple round-robin databases (RRDs) 204 .
  • RRDs 204 allow the statistics to be stored in a round robin way for the last 1 hour, 8 hours, 1 day, 1 week, 1 month and 1 year. Depending upon the particular implementation, the storage timeframes may differ.
  • host computer 203 can use RRDs 204 to forecast future traffic based on past traffic for granular parameters using techniques well known to those skilled in the art. Examples of these techniques include, but are not limited to, exponential smoothing and the Holt-Winters forecasting method. This ensures that the thresholds are continuously and adaptively adjusted if they go above the user configured minimum value. It also ensures that the average, trend and seasonality of the granular rates are used to predict the thresholds over time to match with the traffic.
  • Packet processing logic 208 continuously monitors the packet rates per second on multiple granular parameters based on the threshold set by host computer 203 . When the traffic exceeds the threshold for a particular granular parameter, the affected destination is identified. According to one embodiment, host interface 209 then interrupts host computer 203 . Host computer 203 then sends a message to route reflector 107 . Further, when the traffic returns to normal ranges, host interface 209 may also interrupt host computer 203 so that host computer 203 may inform route reflector 107 .
  • FIG. 3 further illustrates details for FPGA/ASIC board 202 in accordance with an embodiment of the present invention.
  • FIG. 3 also illustrates further details of packet processing logic 208 in accordance with an embodiment of the present invention.
  • a layer 2 classifier 301 receives frames from packet interface 201 and classifies packets based on their layer 2 characteristics and ensures that it is a supported layer 2 packet, such as an Ethernet 802.3 frame. Layer 2 classifier 301 also parses the layer 2 headers and passes that information to subsequent logic blocks over a classification bus 308 .
  • layer 2 classifier 301 block can parse Ethernet frames and IEEE 802.2/3 frames and can determine Address Resolution Protocol (ARP), Reverse ARP (RARP), broadcast, Internet Protocol (IP), multicast, non-IP, virtual local are network (VLAN) tagged frames, and double encapsulated VLAN tagged frames.
  • ARP Address Resolution Protocol
  • RARP Reverse ARP
  • IP Internet Protocol
  • IP Internet Protocol
  • VLAN virtual local are network
  • Layer 3 classifier 302 receives packet data as well as layer 2 classifier information from layer 2 classifier 301 .
  • Layer 3 classifier 302 extracts the layer 3 header information in IP version 4 (IPv4) and IP version 6 (IPv6) headers and passes it on to the subsequent logic over classification bus 308 .
  • IPv4 IP version 4
  • IPv6 IP version 6
  • layer 3 classifier 302 parses IPv4 and IPv6 packets and determines properties, including, but not limited to, type of service (TOS), IP Options, fragmentation, and protocol.
  • TOS type of service
  • Layer 4 classifier 303 similarly, parses the layer 4 information from packets that are guaranteed to be in order with respect to fragmentation.
  • this classifier looks at Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Internet Protocol security (IPSec)-Encapsulating Security Payload (ESP), and IPSec-Authentication Header (AH). This information is passed to the subsequent blocks over classification bus 308 .
  • this classifier can parse layer 4 information, including, but not limited to, TCP Options, TCP ports, UDP Ports, ICMP types/codes, TCP flags, sequence numbers, ACK numbers and the like. Packets that are anomalous may be dropped.
  • Layer 7 classifier 304 similarly, parses the layer 7 information from packets.
  • this classifier looks at TCP, UDP packets and parses layer 7 traffic flow statistics from protocols, including, but not limited to, NetFlow, sFlow, jFlow and CFlow. This information is passed to the subsequent blocks over classification bus 308 .
  • Layer 3 rate anomaly meters 305 utilize the output of layer 3 classifier 302 and derive layer 3 granular rates for identified destinations and enforce layer 3 granular rate thresholds based thereon.
  • Layer 4 rate anomaly meters 306 utilize the output of layer 4 classifier 303 and derive layer 4 granular rates for identified destinations and enforce layer 4 granular rate thresholds based thereon.
  • Layer 7 rate anomaly meters 306 utilize the output of layer 7 classifier logic 304 and derive layer 7 granular rates for identified destinations and enforce layer 7 granular rate thresholds based thereon.
  • FIG. 4 further illustrates an overall process for traffic rate collection, breach detection and traffic diversion in accordance with an embodiment of the present invention.
  • information is received regarding destination IPs and subnets to be monitored.
  • an administrator of the system may input the destination IP addresses and subnets to be monitored.
  • host computer 203 continuously monitors these destination IPs and subnets via granular metering memory 210 , for example. After a representative period, a granular traffic baseline is generated and is used to set the thresholds.
  • host computer 203 continuously adjust the granular thresholds based on the past traffic stored in RRDs 204 .
  • the estimated threshold is used. If the estimated threshold is higher than the adaptive limit configured by the administrator, it is restricted to the adaptive limit.
  • the adaptive threshold set in the hardware logic is always between configured minimum threshold and adaptive limit.
  • FPGA/ASIC board 202 ensures that the granular traffic rate to a monitored destination doesn't exceed the adaptive threshold. In one embodiment, if the traffic exceeds the adaptive threshold, the destination IP or subnet is identified as being under attack.
  • host computer 203 is notified.
  • host interface 209 raises an interrupt that is serviced by host computer 203 .
  • Host computer 203 then causes route reflector 207 to be made aware of same, for example, by sending a message to route reflector 107 .
  • route reflector 107 diverts the traffic destined to the destination under attack via DDoS attack mitigation appliance 108 . Route reflector 107 also ensures that the diversion doesn't cause any routing loops.
  • FPGA/ASIC board 202 determines whether the granular traffic rate to a monitored destination has fallen below the adaptive threshold. If so, then the destination IP or subnet is identified as no longer being under attack/out of attack and host computer 203 is notified of same, for example, by host interface 209 raising an interrupt that is serviced by host computer 203 . The host computer then causes route reflector 107 to be made aware of same, for example, by sending a message to route reflector 107 .
  • route reflector 107 removes the diversion of the traffic destined to the destination. Thus the traffic now once again flows to the destination via core router 103 .
  • Table 2 describes exemplary granular parameters according to an embodiment of this invention.
  • FIG. 5 further illustrates an exemplary process for deriving granular traffic statistics from traffic flow statistics in accordance with an embodiment of the present invention.
  • layer 3 destination meter 506 is part of multiple logic components of layer 3 granular rate anomaly meter 305 .
  • layer 3 destination meter 506 receives the flow statistics classification from classifier bus 308 , it waits for destination IP to be seen, it increments the rate for that destination in a memory table in granular metering memory 210 . As more and more packets come for that destination, the count for the destination increases. If the count exceeds the threshold set by host computer 203 via host interface 209 , it interrupts host computer 203 via host interface 209 .
  • layer 3 destination ager 507 resets the count for the destination to zero. Layer 3 destination ager 507 then stores the packet rate for the destination being monitored. This packet rate can then be read by host computer 203 via host interface 209 and can be used for adaptive threshold estimation.
  • Embodiments of the present disclosure include various steps, which have been described above. A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware.
  • any digital computer systems can be configured or otherwise programmed to implement the methods and apparatuses disclosed herein, and to the extent that a particular digital computer system is configured to implement the methods and apparatuses of this invention, it is within the scope and spirit of the present invention.
  • a digital computer system is programmed to perform particular functions pursuant to computer-executable instructions from program software that implements the present invention, it in effect becomes a special purpose computer particular to the present invention.
  • the techniques necessary to achieve this are well known to those skilled in the art and thus are not further described herein.
  • Computer executable instructions implementing the methods and techniques of the present invention can be distributed to users on a computer-readable medium and are often copied onto a hard disk or other storage medium. When such a program of instructions is to be executed, it is usually loaded into the random access memory of the computer, thereby configuring the computer to act in accordance with the techniques disclosed herein. All these operations are well known to those skilled in the art and thus are not further described herein.
  • the term “computer-readable medium” encompasses distribution media, intermediate storage media, execution memory of a computer, and any other medium or device capable of storing for later reading by a computer a computer program implementing the present invention.

Abstract

Methods and systems for an integrated solution to flow collection for determination of rate-based DoS attacks targeting ISP infrastructure are provided. According to one embodiment, a method of mitigating DDoS attacks is provided. Information regarding at least one destination within a network for which a distributed denial of service (DDoS) attack status is to be monitored is received by a DDoS attack detection module coupled with a flow controller via a bus. The DDoS attack status is determined for the at least one destination based on the information regarding the at least one destination. When a DDoS attack is detected the flow controller is notified of the DDoS attack status for the at least one destination by the DDoS attack detection module. Responsive thereto, the flow controller directs a route reflector to divert traffic destined for the at least one destination to a DDoS attack mitigation appliance within the network.

Description

    CROSS-REFERENCE TO RELATED PATENTS
  • This application is a continuation of U.S. patent application Ser. No. 14/488,697, filed on Sep. 17, 2014, which is hereby incorporated by reference in its entirety for all purposes.
  • This application may relate to the subject matter of U.S. Pat. No. 7,426,634 entitled, “Method and apparatus for rate based denial of service attack detection and prevention”, U.S. Pat. No. 7,602,731 entitled “System and method for integrated header, state, rate and content anomaly prevention with policy enforcement”, and U.S. Pat. No. 7,626,940 entitled “System and method for integrated header, state, rate and content anomaly prevention for domain name service” all of which are hereby incorporated by reference in their entirety for all purposes.
    • COPYRIGHT NOTICE
  • Contained herein is material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction of the patent disclosure by any person as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights to the copyright whatsoever. Copyright® 2014-2015, Fortinet, Inc.
    • FIELD
  • Embodiments of the present invention relate generally to intrusion prevention and more particular to a system and method for the prevention of distributed denial of service (DDoS) attacks on Internet Service Provider (ISP) infrastructure.
    • DESCRIPTION OF THE BACKGROUND ART
  • Distributed DoS (DDoS) attack mitigation appliances have been in use due to increasing distributed denial of service attacks. As more such attacks are launched, the Internet Service Provider (ISP) network infrastructure bears the brunt of such attacks. The infrastructure consists of many routers and switches via which Internet Protocol (IP) protocol packets flow. A surge in these packets overloads ISP equipment and causes them to slow down, which in turn slows down the service provided by the ISP. ISPs need to protect their infrastructure from such attacks; and in particular need to protect their core routers from becoming overloaded. As such, ISPs need a way to address DDoS attacks in a such that these attacks are stopped closer to their sources, i.e., closer to the edge routers, thereby better protecting the ISPs' core routers.
  • Many systems have been previously designed that collect flow data from routers using software. Such flow collectors can then determine if there is a surge of incoming packets and divert the traffic to scrubbing appliances. As one skilled in the art knows, software appliances have performance limits. Additionally, determining baseline traffic granularly and predicting future traffic adaptively are key missing components in existing solutions. Clearly, a new method and system is needed to collect flow data using hardware logic and determine the presence of such attacks behaviorally and adaptively in a short time and with better performance.
    • SUMMARY
  • Methods and systems are described for an integrated solution to flow collection for determination of rate-based DoS attacks targeting ISP infrastructure. According to one embodiment, a method of mitigating DDoS attacks is provided. Information regarding at least one destination within a network for which a distributed denial of service (DDoS) attack status is to be monitored is received by a DDoS attack detection module coupled with a flow controller via a bus. The DDoS attack status is determined for the at least one destination based on the information regarding the at least one destination. When a DDoS attack is detected the flow controller is notified of the DDoS attack status for the at least one destination by the DDoS attack detection module. Responsive thereto, the flow controller directs a route reflector to divert traffic destined for the at least one destination to a DDoS attack mitigation appliance within the network.
  • Other features of embodiments of the present disclosure will be apparent from accompanying drawings and from detailed description that follows.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates an exemplary system employing a flow collector in accordance with an embodiment of the present invention.
  • FIG. 2 schematically shows architectural details of the flow collector of FIG. 1 in accordance with an embodiment of the present invention.
  • FIG. 3 illustrates further implementation details of packet processing logic and related components in accordance with an embodiment of the present invention.
  • FIG. 4 further illustrates the overall process for the traffic rate collection, breach detection and traffic diversion in accordance with an embodiment of the present invention.
  • FIG. 5 further illustrates an exemplary process for deriving granular traffic statistics from traffic flow statistics in accordance with an embodiment of the present invention.
    •  DETAILED DESCRIPTION
  • Methods and systems are described for an integrated solution to rate-based DoS attacks targeting service provider networks. According to one embodiment, a flow collector is capable of receiving a variety of flow statistics in industry standards from routers and switches. These flow statistics may be in the form of packets in protocols, including, but not limited to, NetFlow, JFlow, SFlow, CFlow and the like. The hardware-based apparatus collects this data and converts them to granular rate statistics in a round robin database for varying periods such as past hour, past day, past week, past month, past year etc. Based on the past granular traffic statistics, the apparatus can determine corresponding rate-thresholds through continuous and adaptive learning. Once these granular rate thresholds are breached for any traffic parameter, the apparatus can determine the networks being attacked or protocols or transmission control protocol (TCP) or user diagram protocol (UDP) ports under attack once the corresponding adaptive thresholds are violated. In an exemplary embodiment of this invention, the router closer to the edge can then be requested to divert the affected traffic to a scrubbing center potentially including multiple scrubbing appliances. The techniques for such diversion and scrubbing are described well in the literature and are thus not elaborated upon further herein.
  • In one embodiment, a single hardware-logic based appliance collects traffic statistics data from multiple routers and switches in a service provider network. It then integrates multiple mechanisms to determine the current granular traffic rate to multiple destinations and determines if any of the protected destinations are having a rate anomaly based on behavioral threshold estimation. The collector then informs the route reflector to divert the traffic destined to the destination network via a scrubbing appliance. The scrubbing appliance then forwards the cleansed traffic on to the eventual destination in a way to avoid any routing loops.
  • The new appliance described herein provides copper and optical connectivity. A packet interface block interfaces with external network via a physical layer (PHY) and switch device that contains the Media Access Control (MAC) layer. The packet interface block forwards packets to packet processing logic.
  • The packet processing logic gets the flow statistics packets from the packet interface. A network flow can be defined in many ways, for example, Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share the following 7 values: 1. Ingress interface (SNMP ifIndex); 2. Source IP address; 3. Destination IP address; 4. IP protocol; 5. Source port for User Datagram Protocol (UDP) or Transmission Control Protocol (TCP), 0 for other protocols; 6. Destination port for UDP or TCP, type and code for Internet Control Message Protocol (ICMP), or 0 for other protocols; and 7. IP Type of Service. A flow statistics record can contain a wide variety of information about the traffic in a given flow. An exemplary flow statistics record from NetFlow is described below in Table 1.
  • According to one embodiment, the purpose of the packet processing logic is to determine the instantaneous granular rates and enforce a policy based on the granular rate thresholds. It does this via storing the granular packet rates in an internal or external granular metering memory. Exemplary derived granular rate parameters are described below in Table 2. Rate anomaly meters inside the packet processing logic receive classifier output and maintain the instantaneous packet-rates and compare them against the thresholds set adaptively and continuously by the controlling host.
  • In one embodiment, if a specific type of packets exceeds the rate threshold, packets of that type and belonging to a destination are diverted to a scrubbing appliance via a message to the route reflector.
  • An object of various embodiments of the present invention is to provide a high-rate hardware based integrated system and method of determining attacks to a destination, the destination having layers 3, 4, and 7 rate anomalies as detected by the system, which is continuously and adaptively adjusting rate thresholds.
  • Another object of various embodiments of the present invention is to provide a mechanism to communicate the affected destination to the route reflector so that it can divert the traffic via an inline attack mitigation device.
  • A still further object of various embodiments of the present invention is to provide a rate anomaly engine capable of continuously calculating the traffic rate on classified granular traffic parameters and estimating the traffic rate thresholds adaptively and thus determining the threshold violations on traffic parameters, such as SYN packets/second, protocol packets/second and/or concurrent connections/destination.
  • FIG. 1 depicts an exemplary flow collector apparatus 106 illustrating the functionality of an integrated system 100 for the mitigation of distributed denial of service attacks on a service provider network in accordance with an embodiment of the present invention. A protected destination 101 is usually behind customer edge router (not shown). The customer edge router is connected to a provider edge router 102. In an exemplary embodiment of this invention, provider edge router 102 is connected to a core router 103, which in turn is connected to a peering router 104. Peering router 104 is in turn connected to a public network, such as the Internet, via a network cloud 105. Multiple of such peering routers may be connected in a typical network via core router 103.
  • When there is a distributed denial of service attack on protected destination 101, the packets overload not just protected destination 101, but the intervening routers, including provider edge router 102, core router 103 and peering router 104. In the context of the present example, a flow collector or traffic statistics collector 106 is provided that can determine the attack and request a router reflector 107 to send the traffic destined to protected destination 101 via route reflector 107 such that DDoS attack mitigation appliance 108 cleanses the attack inline and then forwards the traffic via route reflector 107 to protected destination 101. When the traffic returns to normal, the traffic diversion is removed and the traffic is routed to protected destination 101 through core router 103. In this manner, core router 103 is protected from DDoS attacks. Various techniques for traffic diversion, and forwarding via tunnels to avoid routing are known to those skilled in the art and therefore not elaborated upon further herein. Those desiring additional background on such techniques are directed to one or more of: (i) the chapter entitled “Configuring Traffic Diversion” of the Cisco Guard Configuration Guide, Software Release 6.0 dated February 2007 (currently available via the Web at http://www.cisco.com/en/US/docs/security/anomaly_detection_mit igation/appliances/guard/v6.0/configuration/guide/advsn.html); (ii) U.S. Pat. No. 7,225,270; (iii) U.S. Pat. No. 7,665,135; and (iv) U.S. Pat. No. 8,510,826 each of which is hereby incorporated by reference in its entirety for all purposes.
  • FIG. 2 illustrates further details of flow collector 106 from FIG. 1 in accordance with an embodiment of the present invention. In the context of the present example, flow packets 201 are processed via a hardware logic board, which may be implemented using one or more Field-Programmable Gate Arrays (FPGAs) and/or Application Specific Integrated Circuits (ASICs). In one embodiment, board 202 (which may more generally be referred to herein as a DDoS attack detection module or a hardware module) consists of a PHY and switch 206 that allows interfacing with external connectors, including, but not limited to, RJ-45 or fiber interfaces, and allows forwarding packets to other components on board 202. Packet interface block 207 receives packets, buffers them in a packet buffer 211 and serially releases them to the subsequent logic.
  • Packet processing logic 208 receives traffic flow statistics packets from packet interface 207. Packet processing logic 208 uses a granular metering memory 210 to calculate and derive granular packet rates and to determine if there are any threshold violations. In one embodiment, granular metering memory 210 may be partially inside FPGA/ASIC based board 202 and large blocks of memory may be external, for example, in a Double Data Rate (DDR) memory. According to an embodiment of this invention, a host computer 203 can read the granular packet rate parameters via host interface 209. In the present example, Host computer 203 is connected to board 202 via a Peripheral Component Interconnect Express (PCIe) interface 205. Those skilled in the art will appreciate a variety of alternative interfaces may be used. Host computer 203 can similarly set the granular packet rate thresholds based on past behavior for that granular rate parameter.
  • In one embodiment of this invention, host computer 203 stores the derived granular traffic statistics in multiple round-robin databases (RRDs) 204. According to an embodiment of this invention, RRDs 204 allow the statistics to be stored in a round robin way for the last 1 hour, 8 hours, 1 day, 1 week, 1 month and 1 year. Depending upon the particular implementation, the storage timeframes may differ.
  • In one embodiment of this invention, host computer 203 can use RRDs 204 to forecast future traffic based on past traffic for granular parameters using techniques well known to those skilled in the art. Examples of these techniques include, but are not limited to, exponential smoothing and the Holt-Winters forecasting method. This ensures that the thresholds are continuously and adaptively adjusted if they go above the user configured minimum value. It also ensures that the average, trend and seasonality of the granular rates are used to predict the thresholds over time to match with the traffic.
  • Packet processing logic 208 continuously monitors the packet rates per second on multiple granular parameters based on the threshold set by host computer 203. When the traffic exceeds the threshold for a particular granular parameter, the affected destination is identified. According to one embodiment, host interface 209 then interrupts host computer 203. Host computer 203 then sends a message to route reflector 107. Further, when the traffic returns to normal ranges, host interface 209 may also interrupt host computer 203 so that host computer 203 may inform route reflector 107.
  • FIG. 3 further illustrates details for FPGA/ASIC board 202 in accordance with an embodiment of the present invention. FIG. 3 also illustrates further details of packet processing logic 208 in accordance with an embodiment of the present invention.
  • When a flow statistics packet arrives from packet interface 207, a layer 2 classifier 301 receives frames from packet interface 201 and classifies packets based on their layer 2 characteristics and ensures that it is a supported layer 2 packet, such as an Ethernet 802.3 frame. Layer 2 classifier 301 also parses the layer 2 headers and passes that information to subsequent logic blocks over a classification bus 308. In an exemplary embodiment of this invention, layer 2 classifier 301 block can parse Ethernet frames and IEEE 802.2/3 frames and can determine Address Resolution Protocol (ARP), Reverse ARP (RARP), broadcast, Internet Protocol (IP), multicast, non-IP, virtual local are network (VLAN) tagged frames, and double encapsulated VLAN tagged frames.
  • Layer 3 classifier 302 receives packet data as well as layer 2 classifier information from layer 2 classifier 301. Layer 3 classifier 302 extracts the layer 3 header information in IP version 4 (IPv4) and IP version 6 (IPv6) headers and passes it on to the subsequent logic over classification bus 308. In some embodiments of this invention, layer 3 classifier 302 parses IPv4 and IPv6 packets and determines properties, including, but not limited to, type of service (TOS), IP Options, fragmentation, and protocol.
  • Layer 4 classifier 303, similarly, parses the layer 4 information from packets that are guaranteed to be in order with respect to fragmentation. In an exemplary embodiment, this classifier looks at Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Internet Protocol security (IPSec)-Encapsulating Security Payload (ESP), and IPSec-Authentication Header (AH). This information is passed to the subsequent blocks over classification bus 308. In an exemplary embodiment of this invention, this classifier can parse layer 4 information, including, but not limited to, TCP Options, TCP ports, UDP Ports, ICMP types/codes, TCP flags, sequence numbers, ACK numbers and the like. Packets that are anomalous may be dropped.
  • Layer 7 classifier 304, similarly, parses the layer 7 information from packets. In an exemplary embodiment, this classifier looks at TCP, UDP packets and parses layer 7 traffic flow statistics from protocols, including, but not limited to, NetFlow, sFlow, jFlow and CFlow. This information is passed to the subsequent blocks over classification bus 308.
  • Layer 3 rate anomaly meters 305 utilize the output of layer 3 classifier 302 and derive layer 3 granular rates for identified destinations and enforce layer 3 granular rate thresholds based thereon.
  • Layer 4 rate anomaly meters 306 utilize the output of layer 4 classifier 303 and derive layer 4 granular rates for identified destinations and enforce layer 4 granular rate thresholds based thereon.
  • Layer 7 rate anomaly meters 306 utilize the output of layer 7 classifier logic 304 and derive layer 7 granular rates for identified destinations and enforce layer 7 granular rate thresholds based thereon.
  • FIG. 4 further illustrates an overall process for traffic rate collection, breach detection and traffic diversion in accordance with an embodiment of the present invention.
  • At block 401, information is received regarding destination IPs and subnets to be monitored. For example, an administrator of the system may input the destination IP addresses and subnets to be monitored.
  • At block 402, host computer 203 continuously monitors these destination IPs and subnets via granular metering memory 210, for example. After a representative period, a granular traffic baseline is generated and is used to set the thresholds.
  • At block 403, host computer 203 continuously adjust the granular thresholds based on the past traffic stored in RRDs 204. According to one embodiment, if the estimated threshold is higher than the configured minimum threshold, the estimated threshold is used. If the estimated threshold is higher than the adaptive limit configured by the administrator, it is restricted to the adaptive limit. Thus, in one embodiment, the adaptive threshold set in the hardware logic is always between configured minimum threshold and adaptive limit.
  • At block 404, FPGA/ASIC board 202 ensures that the granular traffic rate to a monitored destination doesn't exceed the adaptive threshold. In one embodiment, if the traffic exceeds the adaptive threshold, the destination IP or subnet is identified as being under attack.
  • In block 405, assuming an attack has been identified, host computer 203 is notified. In one embodiment, host interface 209 raises an interrupt that is serviced by host computer 203. Host computer 203 then causes route reflector 207 to be made aware of same, for example, by sending a message to route reflector 107.
  • At block 406, route reflector 107 diverts the traffic destined to the destination under attack via DDoS attack mitigation appliance 108. Route reflector 107 also ensures that the diversion doesn't cause any routing loops.
  • At block 407, FPGA/ASIC board 202 determines whether the granular traffic rate to a monitored destination has fallen below the adaptive threshold. If so, then the destination IP or subnet is identified as no longer being under attack/out of attack and host computer 203 is notified of same, for example, by host interface 209 raising an interrupt that is serviced by host computer 203. The host computer then causes route reflector 107 to be made aware of same, for example, by sending a message to route reflector 107.
  • At block 408, route reflector 107 removes the diversion of the traffic destined to the destination. Thus the traffic now once again flows to the destination via core router 103.
  • TABLE 1
    Exemplary flow statistics format - NetFlow V5 - flow record
    Bytes Contents Description
    0-3 srcaddr Source IP address
    4-7 dstaddr Destination IP address
     8-11 nexthop IP address of next hop router
    12-13 input SNMP index of input interface
    14-15 output SNMP index of output
    interface
    16-19 dPkts Packets in the flow
    20-23 dOctets Total number of Layer 3 bytes
    in the packets of the flow
    24-27 First SysUptime at start of flow
    28-31 Last SysUptime at the time the
    last packet of the flow was
    received
    32-33 srcport TCP/UDP source port number or
    equivalent
    34-35 dstport TCP/UDP destination port
    number or equivalent
    36 pad1 Unused (zero) bytes
    37 tcp_flags Cumulative OR of TCP flags
    38 prot IP protocol type (for
    example, TCP = 6; UDP = 17)
    39 tos IP type of service (ToS)
    40-41 src_as Autonomous system number of
    the source, either origin or
    peer
    42-43 dst_as Autonomous system number of
    the destination, either
    origin or peer
    44 src_mask Source address prefix mask
    bits
    45 dst_mask Destination address prefix
    mask bits
    46-47 pad2 Unused (zero) bytes
  • Table 2 describes exemplary granular parameters according to an embodiment of this invention.
  • TABLE 2
    Exemplary granular behavioral parameters
    extracted from flow statistics
    Name Unit
    TCP SYN Packets per second
    TCP ACK Packets per second
    TCP RST Packets per second
    TCP FIN Packets per second
    Concurrent Connections Count
    New Connections Per second
    Established Connections Count
    Unique sources Count
  • FIG. 5 further illustrates an exemplary process for deriving granular traffic statistics from traffic flow statistics in accordance with an embodiment of the present invention. According to one embodiment, layer 3 destination meter 506 is part of multiple logic components of layer 3 granular rate anomaly meter 305. When layer 3 destination meter 506 receives the flow statistics classification from classifier bus 308, it waits for destination IP to be seen, it increments the rate for that destination in a memory table in granular metering memory 210. As more and more packets come for that destination, the count for the destination increases. If the count exceeds the threshold set by host computer 203 via host interface 209, it interrupts host computer 203 via host interface 209.
  • At a predefined interval, layer 3 destination ager 507 resets the count for the destination to zero. Layer 3 destination ager 507 then stores the packet rate for the destination being monitored. This packet rate can then be read by host computer 203 via host interface 209 and can be used for adaptive threshold estimation.
  • Embodiments of the present disclosure include various steps, which have been described above. A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware.
  • Although embodiments of the present invention and their various advantages have been described in detail, it should be understood that the present invention is not limited to or defined by what is shown or discussed herein.
  • Moreover, as one skilled in the art will appreciate, any digital computer systems can be configured or otherwise programmed to implement the methods and apparatuses disclosed herein, and to the extent that a particular digital computer system is configured to implement the methods and apparatuses of this invention, it is within the scope and spirit of the present invention. Once a digital computer system is programmed to perform particular functions pursuant to computer-executable instructions from program software that implements the present invention, it in effect becomes a special purpose computer particular to the present invention. The techniques necessary to achieve this are well known to those skilled in the art and thus are not further described herein.
  • Computer executable instructions implementing the methods and techniques of the present invention can be distributed to users on a computer-readable medium and are often copied onto a hard disk or other storage medium. When such a program of instructions is to be executed, it is usually loaded into the random access memory of the computer, thereby configuring the computer to act in accordance with the techniques disclosed herein. All these operations are well known to those skilled in the art and thus are not further described herein. The term “computer-readable medium” encompasses distribution media, intermediate storage media, execution memory of a computer, and any other medium or device capable of storing for later reading by a computer a computer program implementing the present invention.
  • Accordingly, drawings, tables, and description disclosed herein illustrate technologies related to the invention, show examples of the invention, and provide examples of using the invention and are not to be construed as limiting the present invention. Known methods, techniques, or systems may be discussed without giving details, so to avoid obscuring the principles of the invention. As it will be appreciated by one of ordinary skill in the art, the present invention can be implemented, modified, or otherwise altered without departing from the principles and spirit of the present invention. Therefore, the scope of the present invention should be determined by the following claims and their legal equivalents.

Claims (13)

1. (canceled)
2. A system for mitigating rate-based distributed denial of service (DDoS) attacks, the system comprising:
a flow controller; and
a hardware module coupled to flow controller via a host interface, including:
a flow packet interface through which flow statistics packets are received from one or more routers within a network;
a packet interface, coupled to the flow packet interface, configured to receive and buffer the flow statistics packets;
a packet processing module, coupled to the packet interface, configured to (i) determine a DDoS attack status of at least one monitored destination coupled to or within the network based on information regarding the flow statistics packets, (ii) parse the flow statistics packets, (ii) derive a plurality of granular traffic rates and (iii) determine the DDoS attack status of the at least one monitored destination based on the derived granular traffic rates and associated thresholds;
wherein the packet processing module comprises:
a layer 2 classifier module that is configured to parse the flow statistics packets at layer 2 and validate Ethernet frames;
a layer 3 classifier module that is configured to parse the flow statistics packets at layer 3 and validate Internet Protocol (IP) version 4 (IPv4) and IP version 6 (IPv6) packets,
a layer 4 classifier module that is configured to parse the flow statistics packets at layer 3 and validate Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets;
a layer 7 classifier module that is configured to parse the flow statistics packets at layer 7 and validate protocol data units associated with one or more flow statistics protocols;
wherein a rate anomaly meter module within the layer 3 rate anomaly module, the layer 4 rate anomaly module and the layer 7 rate anomaly module further comprises a metering module configured to derive relevant fields from the layer 3 classifier module, the layer 4 classifier module and the layer 7 classifier module, respectively, and increment and calculate the layer 3 granular rates, the layer 4 granular rates and the layer 7 granular rates, respectively, and enforce the layer 3 granular rates, the layer 4 granular rates and the layer 7 granular rates, respectively, using a combination of a meter and an ager;
wherein the host interface is configured to interrupt the flow controller when it is determined by the packet processing module that the at least one monitored destination is under attack;
wherein, responsive to the interrupt, the flow controller informs a route reflector within the network of the DDoS attack status; and
wherein the route reflector is configured to divert traffic destined for the monitored destination to a DDoS attack mitigation appliance within the network.
3. (canceled)
4. The system of claim 1, wherein the flow controller is further configured to:
receive user policies including network and Internet Protocol (IP) addresses to be monitored;
configure the hardware module to monitor for DDoS attacks on the network and IP addresses;
read one or more granular traffic rates of the plurality of granular traffic rates from the hardware module;
calculate granular traffic rate thresholds for the one or more granular traffic rates; and
write the granular traffic rate thresholds to the hardware module.
5. The system of claim 1, wherein the packet interface is further configured to release the flow statistics packets to the packet processing module for inspection.
6. The system of claim 4, wherein the host interface is further configured to:
receive the granular traffic rate thresholds from the flow controller through host commands; and
raise an interrupt that is serviced by the flow controller when one or more of the granular traffic rate thresholds are exceeded or when traffic returns to normal.
7. The system of claim 1, wherein the flow packet interface comprises copper interfaces, fiber interfaces, or a combination of both, through which the flow packet interface receives the flow statistics packets.
8. The system of claim 1, wherein the hardware module is further configured to:
enforce the granular traffic thresholds received from the flow controller; and
interrupt the flow controller when one or more of the granular traffic rate thresholds are exceeded or when traffic returns to normal.
9. The system of claim 1, wherein the packet processing module is further configured to classify the flow statistics packets and retrieve one or more of layer 2, layer 3, layer 4, and layer 7 header information from the flow statistics packets.
10. (canceled)
11. (canceled)
12. The system of claim 1, wherein the hardware module comprises a board implemented using one or more of Field-Programmable Gate Arrays (FPGAs) and Application Specific Integrated Circuits (ASICs).
13. The system of claim 1, wherein the network comprises a service provider network and wherein the route reflector is further configured to stop diverting the traffic and allow the traffic destined for the monitored destination to flow via a core router of the service provider network.
US14/665,523 2014-09-17 2015-03-23 Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation Active US9276955B1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US14/665,523 US9276955B1 (en) 2014-09-17 2015-03-23 Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation
US15/055,619 US9935974B2 (en) 2014-09-17 2016-02-28 Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201414488697A 2014-09-17 2014-09-17
US14/665,523 US9276955B1 (en) 2014-09-17 2015-03-23 Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US201414488697A Continuation 2014-09-17 2014-09-17

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/055,619 Continuation US9935974B2 (en) 2014-09-17 2016-02-28 Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation

Publications (2)

Publication Number Publication Date
US9276955B1 US9276955B1 (en) 2016-03-01
US20160080411A1 true US20160080411A1 (en) 2016-03-17

Family

ID=55360119

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/665,523 Active US9276955B1 (en) 2014-09-17 2015-03-23 Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation
US15/055,619 Active 2035-05-13 US9935974B2 (en) 2014-09-17 2016-02-28 Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation

Family Applications After (1)

Application Number Title Priority Date Filing Date
US15/055,619 Active 2035-05-13 US9935974B2 (en) 2014-09-17 2016-02-28 Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation

Country Status (1)

Country Link
US (2) US9276955B1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106685962A (en) * 2016-12-29 2017-05-17 广东睿江云计算股份有限公司 System and method for defense of reflective DDOS attack flow
CN107241294A (en) * 2016-03-28 2017-10-10 阿里巴巴集团控股有限公司 The processing method and processing device of network traffics, cleaning equipment, the network equipment
WO2017223104A1 (en) * 2016-06-21 2017-12-28 Imperva, Inc. Infrastructure distributed denial of service protection
US9935974B2 (en) 2014-09-17 2018-04-03 Fortinet, Inc. Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation
JP2020503775A (en) * 2016-12-29 2020-01-30 華為技術有限公司Huawei Technologies Co.,Ltd. DDoS attack detection method and device
WO2021055449A1 (en) * 2019-09-17 2021-03-25 Equinix, Inc. Distributed denial-of-service mitigation

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AT517155B1 (en) * 2015-03-05 2018-08-15 Siemens Ag Oesterreich Method of protection against a denial of service attack on a one-chip system
US10341379B2 (en) * 2016-02-12 2019-07-02 Time Warner Cable Enterprises Llc Apparatus and methods for mitigation of network attacks via dynamic re-routing
US11165797B2 (en) 2016-04-22 2021-11-02 Sophos Limited Detecting endpoint compromise based on network usage history
US11277416B2 (en) 2016-04-22 2022-03-15 Sophos Limited Labeling network flows according to source applications
US11102238B2 (en) * 2016-04-22 2021-08-24 Sophos Limited Detecting triggering events for distributed denial of service attacks
US10986109B2 (en) 2016-04-22 2021-04-20 Sophos Limited Local proxy detection
US10938781B2 (en) 2016-04-22 2021-03-02 Sophos Limited Secure labeling of network flows
US10673891B2 (en) 2017-05-30 2020-06-02 Akamai Technologies, Inc. Systems and methods for automatically selecting an access control entity to mitigate attack traffic
EP3422659A1 (en) * 2017-06-30 2019-01-02 Thomson Licensing Method of blocking distributed denial of service attacks and corresponding apparatus
US11750622B1 (en) 2017-09-05 2023-09-05 Barefoot Networks, Inc. Forwarding element with a data plane DDoS attack detector
US10735459B2 (en) 2017-11-02 2020-08-04 International Business Machines Corporation Service overload attack protection based on selective packet transmission
US10554675B2 (en) * 2017-12-21 2020-02-04 International Business Machines Corporation Microservice integration fabrics network intrusion detection and prevention service capabilities
WO2019165468A1 (en) 2018-02-26 2019-08-29 Charter Communications Operating, Llc Apparatus and methods for packetized content routing and delivery
US11108812B1 (en) 2018-04-16 2021-08-31 Barefoot Networks, Inc. Data plane with connection validation circuits
DK3654606T3 (en) 2018-11-15 2022-02-14 Ovh METHOD AND DATA PACK CLEANING SYSTEM FOR SCREENING DATA PACKAGES RECEIVED BY A SERVICE INFRASTRUCTURE
KR102014044B1 (en) * 2019-02-18 2019-10-21 한국남동발전 주식회사 Intrusion prevention system and method capable of blocking l2 packet
US11405418B2 (en) 2020-06-16 2022-08-02 Bank Of America Corporation Automated distributed denial of service attack detection and prevention
CN115208594A (en) * 2021-03-29 2022-10-18 中国电信股份有限公司 Method, device and system for relieving denial of service attack

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7418504B2 (en) * 1998-10-30 2008-08-26 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US7100195B1 (en) * 1999-07-30 2006-08-29 Accenture Llp Managing user information on an e-commerce system
US9444785B2 (en) 2000-06-23 2016-09-13 Cloudshield Technologies, Inc. Transparent provisioning of network access to an application
US9525696B2 (en) * 2000-09-25 2016-12-20 Blue Coat Systems, Inc. Systems and methods for processing data flows
US20110238855A1 (en) * 2000-09-25 2011-09-29 Yevgeny Korsunsky Processing data flows with a data flow processor
US7295516B1 (en) * 2001-11-13 2007-11-13 Verizon Services Corp. Early traffic regulation techniques to protect against network flooding
US8281400B1 (en) 2002-07-23 2012-10-02 Juniper Networks, Inc. Systems and methods for identifying sources of network attacks
US7512787B1 (en) * 2004-02-03 2009-03-31 Advanced Micro Devices, Inc. Receive IPSEC in-line processing of mutable fields for AH algorithm
US7626940B2 (en) * 2004-12-22 2009-12-01 Intruguard Devices, Inc. System and method for integrated header, state, rate and content anomaly prevention for domain name service
CA2531410A1 (en) * 2005-12-23 2007-06-23 Snipe Network Security Corporation Behavioural-based network anomaly detection based on user and group profiling
US8160056B2 (en) * 2006-09-08 2012-04-17 At&T Intellectual Property Ii, Lp Systems, devices, and methods for network routing
US8296838B2 (en) * 2009-12-07 2012-10-23 At&T Intellectual Property I, L.P. Methods, systems, and computer program products for protecting against IP prefix hijacking
US9716659B2 (en) * 2011-03-23 2017-07-25 Hughes Network Systems, Llc System and method for providing improved quality of service over broadband networks
US8955112B2 (en) 2011-08-18 2015-02-10 At&T Intellectual Property I, L.P. Dynamic traffic routing and service management controls for on-demand application services
US9392010B2 (en) 2011-11-07 2016-07-12 Netflow Logic Corporation Streaming method and system for processing network metadata
US20140075557A1 (en) 2012-09-11 2014-03-13 Netflow Logic Corporation Streaming Method and System for Processing Network Metadata
US8646064B1 (en) 2012-08-07 2014-02-04 Cloudflare, Inc. Determining the likelihood of traffic being legitimately received at a proxy server in a cloud-based proxy service
US9692775B2 (en) * 2013-04-29 2017-06-27 Telefonaktiebolaget Lm Ericsson (Publ) Method and system to dynamically detect traffic anomalies in a network
US9276955B1 (en) 2014-09-17 2016-03-01 Fortinet, Inc. Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9935974B2 (en) 2014-09-17 2018-04-03 Fortinet, Inc. Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation
CN107241294A (en) * 2016-03-28 2017-10-10 阿里巴巴集团控股有限公司 The processing method and processing device of network traffics, cleaning equipment, the network equipment
WO2017223104A1 (en) * 2016-06-21 2017-12-28 Imperva, Inc. Infrastructure distributed denial of service protection
US10574691B2 (en) 2016-06-21 2020-02-25 Imperva, Inc. Infrastructure distributed denial of service (DDoS) protection
US11277440B2 (en) 2016-06-21 2022-03-15 Imperva, Inc. Infrastructure distributed denial of service protection
US11277441B2 (en) 2016-06-21 2022-03-15 Imperva, Inc. Infrastructure distributed denial of service protection
US11533334B2 (en) 2016-06-21 2022-12-20 Imperva, Inc. Infrastructure distributed denial of service protection
CN106685962A (en) * 2016-12-29 2017-05-17 广东睿江云计算股份有限公司 System and method for defense of reflective DDOS attack flow
JP2020503775A (en) * 2016-12-29 2020-01-30 華為技術有限公司Huawei Technologies Co.,Ltd. DDoS attack detection method and device
US11095674B2 (en) 2016-12-29 2021-08-17 Huawei Technologies Co., Ltd. DDoS attack detection method and device
WO2021055449A1 (en) * 2019-09-17 2021-03-25 Equinix, Inc. Distributed denial-of-service mitigation
US11757928B2 (en) 2019-09-17 2023-09-12 Equinix, Inc. Distributed denial-of-service mitigation

Also Published As

Publication number Publication date
US20160308901A1 (en) 2016-10-20
US9276955B1 (en) 2016-03-01
US9935974B2 (en) 2018-04-03

Similar Documents

Publication Publication Date Title
US9935974B2 (en) Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation
US10009373B2 (en) System and method for software defined behavioral DDoS attack mitigation
US20040215976A1 (en) Method and apparatus for rate based denial of service attack detection and prevention
US9929965B1 (en) Traffic-aware sampling rate adjustment within a network device
CN108063765B (en) SDN system suitable for solving network security
US7389537B1 (en) Rate limiting data traffic in a network
US9167004B2 (en) Methods and systems for detecting and mitigating a high-rate distributed denial of service (DDoS) attack
US8819821B2 (en) Proactive test-based differentiation method and system to mitigate low rate DoS attacks
EP2293513B1 (en) Protecting Against Distributed Network Flood Attacks
US11736440B2 (en) Methods and systems for efficient adaptive logging of cyber threat incidents
JP6599819B2 (en) Packet relay device
Chou et al. Proactive surge protection: a defense mechanism for bandwidth-based attacks
Wang et al. Efficient and low‐cost defense against distributed denial‐of‐service attacks in SDN‐based networks
Arins Firewall as a service in SDN OpenFlow network
Kim et al. High-speed router filter for blocking TCP flooding under DDoS attack
Sun et al. RateGuard: A robust distributed denial of service (DDoS) defense system
An et al. Packet marking based cooperative attack response service for effectively handling suspicious traffic
Ahmed Detection and Avoidance Technique of Anomalous Congestion at the Network Gateways
Chen et al. A Two-Tier Coordination System against DDoS Attacks.
Xiao et al. Design of secure Diffserv ingress edge routers
Yoohwan Kim High-speed Router Filter for Blocking TCP Flooding under DDoS Attack

Legal Events

Date Code Title Description
STCF Information on status: patent grant

Free format text: PATENTED CASE

CC Certificate of correction
CC Certificate of correction
MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8