WO2002025402A2 - Systems and methods for protecting networks and devices against denial of service attacks - Google Patents


Info

Publication number
WO2002025402A2
Authority
WO
WIPO (PCT)
Prior art keywords
packets
dos
attack
dos attack
packet
Prior art date
Application number
PCT/US2001/029336
Other languages
English (en)
Other versions
WO2002025402A3 (fr)
Inventor
Robert J. Donaghey
Original Assignee
Bbnt Solutions Llc
Priority date
Filing date
Publication date
Application filed by Bbnt Solutions Llc
Priority to AU2002211242A
Publication of WO2002025402A2
Publication of WO2002025402A3


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Definitions

  • the present invention relates generally to networks and, more particularly, to systems and methods that protect communication networks and devices from denial of service attacks.
  • DoS attacks represent a major threat to the continuous operations of network devices.
  • DDoS: Distributed DoS
  • traffic emanates from a wide range of compromised systems, and packets from these systems are directed at one or more target hosts, e.g., web servers.
  • target hosts: e.g., web servers.
  • DoS attacks include smurf attacks, SYN flood attacks, and Ping of Death attacks. All of these may be effected as distributed DoS attacks, where many compromised network devices become the unwitting source of DoS traffic.
  • a smurf attack is an assault on a network that floods the network with excessive messages in order to impede normal traffic.
  • An attacking device sends ping requests to a broadcast address on the target network. The attacking device sets the return address to the victim's address. The broadcast address can generate hundreds of response messages from unwitting network devices that eventually overload the target network.
  • a SYN flood attack is an assault on a network that prevents a Transmission Control Protocol/Internet Protocol (TCP/IP) server from servicing other users.
  • An attacking device sends a counterfeit source address to the server so that a final acknowledgment to the server's SYNchronize-ACKnowledge (SYN-ACK) response in the handshaking sequence is not sent. As a result, the server continues to execute the handshaking sequence until the server either overloads or crashes.
  • a Ping of Death attack is an assault on a target computer.
  • An attacking device causes the target computer to crash by sending a packet having an invalid packet size value in the packet's header.
  • Ingress packet filtering by ISPs makes tracking attack sources easier, by limiting the range of spoofed source addresses available to DoS traffic generators, but it does not prevent such traffic from reaching targets. Since DoS traffic streams often originate from outside a target's ISP, and because it is currently infeasible to filter traffic at border gateway protocol (BGP) peering points, ingress filtering relies on all other ISPs to provide protection, a bad strategy in the global Internet environment.
  • BGP: border gateway protocol
  • With the proliferation of freely available DoS attack software, DoS attacks will become more sophisticated and more frequent and, therefore, produce more far-reaching consequences in the future. Simple filtering, based on examination of IP and TCP layer headers, will become less and less effective against more sophisticated attacks. Even traffic characterization technologies, such as Multi-Protocol Layer Switching (MPLS), that employ high speed header analysis facilities will become inappropriate for filtering DoS traffic, as the rapid reconfiguration required to respond to attacks would impose a serious burden on the backbone traffic engineering system, which is optimized for packet forwarding. Current attempts to prevent DoS attacks involve an ISP's network operations center (NOC) manually attempting to intervene in the attack.
  • NOC: network operations center
  • the NOC may not be able to "break into" the network connection to thwart the attack. As a result, the NOC may need to spend many hours trying to filter the attacker's data out of their network, while at the same time calming their customers.
  • Since a successful DoS attack causes the customer's local network, firewall, and possibly web server to become unstable and/or unusable, those customers who rely on electronic commerce are particularly affected by DoS attacks.
  • the most advanced intrusion detection systems look for specific signatures of attacks in a data flow and then send a message to an operator for manual intervention. By the time the operator attempts to intervene, however, damage from the DoS attack may have already occurred.
  • a system protects against DoS attacks.
  • the system includes a service provider and a triage device.
  • the service provider receives a signal indicating detection of a DoS attack, receives one or more packets intended for a victim device, and transmits the one or more packets to the triage device.
  • the triage device determines, for each received packet, whether the packet is part of a DoS attack and forwards any packets that are unrelated to the DoS attack to the victim device.
  • a method protects against DoS attacks.
  • the method includes detecting the occurrence of a DoS attack, determining a target of the DoS attack, intercepting packets destined for the target, and preventing packets that are related to the DoS attack from reaching the target.
  • a device for protecting against DoS attacks includes a memory and a processor that receives, once a DoS attack has been detected, packets from a service provider, determines, for each packet addressed to the intended target, whether a packet is part of the DoS attack, forwards a packet determined not to be part of the DoS attack to a target device, and discards and/or proxies a reply to a packet determined to be part of the DoS attack.
  • a method that protects against DoS attacks is provided.
  • the method includes passively recording, via an attack detection sensor, packets transmitted in a network, detecting an occurrence of a DoS attack, transferring, in response to the detecting, packets for a target of the DoS attack from a service provider to a triage device, retrieving recently recorded packets from the attack detection sensor, determining, for each transferred packet, whether the packet is part of the DoS attack, forwarding a packet determined not to be part of the DoS attack to the target, and discarding or proxying a reply to a packet determined to be part of the DoS attack.
  • a passive DoS attack sensor is provided.
  • the DoS attack sensor includes a memory that stores instructions and information relating to packets transferred in a network.
  • the DoS attack sensor also includes a processor that monitors the packets, stores the information in the memory, detects a DoS signature in one or more of the packets, sends a signal to a service provider in response to the detecting, and transfers the information in the memory for use in determining a history of the one or more packets.
  • FIG. 1 illustrates an exemplary network in which systems and methods, consistent with the present invention, that protect against denial of service attacks may be implemented;
  • FIG. 2 illustrates an exemplary triage device or attack detection sensor device configuration consistent with the present invention;
  • FIG. 3 illustrates an exemplary database that may be associated with the triage device or attack detection sensor device of FIG. 2;
  • FIG. 4 illustrates an exemplary denial of service attack scenario;
  • FIG. 5 illustrates exemplary processing of an attack detection sensor consistent with the present invention; and
  • FIGS. 6A and 6B illustrate an exemplary process for protecting communication networks and devices against denial of service attacks in an implementation consistent with the present invention.
  • Systems and methods consistent with the present invention protect communication networks and devices against denial of service attacks.
  • Upon detection of a DoS attack, a service provider redirects traffic away from a targeted host (or hosts) and toward a triage device that may use a combination of packet destruction, proxying for the target, other filtering mechanisms, and prioritized packet forwarding to protect intended targets from attack.
  • the triage device diverts the brunt of the attack from the targets, allowing them to continue to operate during a DoS attack. Even DoS attacks that might overwhelm the access link capacity of a target can be handled by the triage device, since a service provider can provision very high capacity access links for this service.
  • Network devices can be configured to automatically detect DoS attacks and trigger the invocation of the triage device, and attacked hosts can request the invocation of the triage device through any available communication channels.
  • FIG. 1 illustrates an exemplary network 100 in which systems and methods, consistent with the present invention, that protect against denial of service attacks may be implemented.
  • network 100 includes multiple tier one service providers (SPs) 112-116, tier two service providers 122-126, customers 131-136, a triage device 140, and an attack detection sensor (ADS) 145.
  • SPs: tier one service providers
  • ADS: attack detection sensor
  • the tier one SPs 112-116 may include, for example, large national ISPs.
  • the tier one SPs exchange traffic with each other directly. This is known as peering. Every tier one SP peers with every other tier one SP.
  • the tier two SPs 122-126 may include, for example, regional ISPs or smaller SPs that rely on a tier one SP to provide transit service.
  • the tier two SPs generally connect to one or more tier one SP.
  • the customers 131-136 may include one or more host devices (not shown) that connect to a corresponding tier one or tier two SP 112-126 via a wired, wireless, or optical connection.
  • the host devices may include, for example, a server, personal computer, or the like.
  • the host devices may be directly connected to a SP 112-126 or may be connected to a SP 112-126 through one or more local networks (not shown).
  • the triage device 140 may include, according to an exemplary implementation, a high-end computer, a server or collection of servers, or the like, capable of protecting one or more network devices in response to a DoS attack.
  • the triage device 140 may be connected to, or implemented within, a SP 112-126 or another network device. Connection of the triage device 140 to a SP 112-126 or network device should be of such a capacity so as not to be overwhelmed by the large amount of traffic commonly associated with DoS attacks. As illustrated in FIG. 1, the triage device 140 connects to a SP or network device in such a way as to be out of the regular flow of network traffic. Network traffic may, as will be described in more detail below, be routed through the triage device 140 in those situations where a DoS attack has been detected.
  • the attack detection sensor device 145 may include, according to an exemplary implementation, a personal computer or the like, capable of passively monitoring traffic and detecting the presence of a DoS attack.
  • the attack detection sensor device 145 may be connected to, or implemented within, a SP 112-126 or another network device.
  • the number of components illustrated in FIG. 1 is provided for simplicity.
  • a typical network 100 may include a larger or smaller number of SPs 112-126, customers 131-136, triage devices 140, and attack detection sensor devices 145.
  • FIG. 2 illustrates an exemplary triage device 140 or attack detection sensor device 145 configuration consistent with the present invention.
  • the exemplary triage/ADS device 140/145 includes a bus 202, a processor 204, a main memory 206, a read only memory (ROM) 208, a storage device 210, an optional input device 212, an optional output device 214, and a communication interface 216.
  • the bus 202 permits communication among the components of the triage/ ADS device 140/145.
  • the processor 204 may include any type of conventional processor or microprocessor that interprets and executes instructions.
  • the main memory 206 may include a random access memory (RAM) or another type of dynamic storage device that stores information and instructions for execution by the processor 204.
  • Main memory 206 may also be used to store temporary variables or other intermediate information during execution of instructions by processor 204.
  • ROM 208 may include a conventional ROM device and/or another type of static storage device that stores static information and instructions for processor 204.
  • the storage device 210 may include a magnetic disk or optical disk and its corresponding drive and/or some other type of magnetic or optical recording medium and its corresponding drive for storing information and/or instructions.
  • the input device 212 may include any conventional mechanism that permits an operator to input information to the triage/ADS device 140/145, such as a keyboard, a mouse, a microphone, a pen, voice recognition and/or biometric mechanisms, etc.
  • the output device 214 may include any conventional mechanism that outputs information to the operator, including a display, a printer, a pair of speakers, etc.
  • the communication interface 216 may include any transceiver-like mechanism that enables the triage/ADS device 140/145 to communicate with other devices and/or systems, such as SPs 112-126 or customers 131-136.
  • the communication interface 216 may include a modem or an Ethernet interface to a network.
  • communication interface 216 may include other mechanisms for communicating via a data network.
  • the triage/ADS device 140/145 protects against denial of service attacks in response to processor 204 executing sequences of instructions contained in a computer-readable medium, such as memory 206.
  • a computer-readable medium may include one or more memory devices and/or carrier waves.
  • the instructions may be read into memory 206 from another computer-readable medium, such as a storage device 210, or from a separate device via communication interface 216. Execution of the sequences of instructions contained in memory 206 causes processor 204 to perform the process steps that will be described hereafter.
  • hardwired circuitry may be used in place of or in combination with software instructions to implement the present invention. Thus, the present invention is not limited to any specific combination of hardware circuitry and software.
  • An ADS device 145 logs all recent traffic (e.g., using a circular buffer) on a continuous basis in order to provide limited audit trail data for later analysis and prosecution.
  • the attack detection sensor device 145 may log this information in an associated database.
  • the database may be stored at the attack detection sensor device 145 (e.g., in main memory 206) or externally from attack detection sensor device 145.
  • a triage device 140 consistent with the present invention, logs all traffic during an attack in order to provide extensive forensics data for later analysis and prosecution.
  • the triage device 140 may log this information in an associated database.
  • the database may be stored at the triage device 140 (e.g., in main memory 206) or externally from triage device 140.
  • FIG. 3 illustrates an exemplary database 300, consistent with the present invention, that may be associated with triage/ADS device 140/145. While only one database is described below, it will be appreciated that database 300 may consist of multiple databases stored locally at each triage device 140 and ADS device 145 or stored at different locations throughout the network 100.
  • database 300 includes a group of entries 305. Each entry 305 includes information stored in one or more of the following exemplary fields: a source address field 310, a target address field 320, a date field 330, a time field 340, and a log entry field 350. Database 300 may contain additional fields that would aid the triage/ADS device 140/145 in searching, sorting, and/or providing information for analyzing a DoS attack.
  • the source address field 310 stores an address from a packet of information determined to be part of a DoS attack that identifies the network device from where the packet was sent, although this information will typically not be reliable.
  • the target address field 320 stores an address of the target network device to which the packet of information was sent.
  • the date field 330 stores the date on which the packet was received.
  • the time field 340 stores the time at which the packet was received.
  • the log entry field 350 stores additional information relating to the DoS attack that may aid in determining the nature of a DoS attack. This information may be automatically entered by the triage device
  • FIG. 4 illustrates an exemplary scenario 400 in which a group of adversarial network devices 410 participate in a DDoS attack on a host device 420.
  • traffic emanates from a wide range of compromised systems, and packets from these systems are directed at one or more target hosts, e.g., web servers.
  • the number of adversarial devices 410 illustrated in FIG. 4 is provided for simplicity.
  • a typical attack scenario 400 would generally include a larger number of adversarial devices 410.
  • a passive attack detection sensor 145 detects a DDoS attack on host 420 and notifies the SP 412 which invokes the triage service 140.
  • the attack detection sensor 145 maintains a limited audit trail (e.g., circular buffer) on a continuous basis.
  • the attack detection sensor 145 may send its buffer contents to the triage device's database 300 to assist in characterizing the early or precursor phases of an attack.
  • the attack detection sensor 145 may be implemented as a purely passive system so that it does not impose any delays on traffic, nor would its failure affect normal operation of the target systems.
  • host 420 may detect the DoS attack and notify service provider 116 that an attack is underway.
  • the host 420 may notify the service provider 116 via any conventional technique, such as a telephone call, e-mail, facsimile, etc.
  • routing within the target's SP 116 may be altered to divert all traffic for the target host 420 to the triage device 140.
  • the triage device 140 takes at least one of three possible courses of action: discard the packet, proxy a reply on behalf of the host 420, or forward the packet to the host 420.
  • the triage device 140 logs detailed forensics information in the attached database 300 for later examination.
  • FIG. 5 illustrates exemplary processing of an attack detection sensor 145 consistent with the present invention.
  • the attack detection sensor 145 passively monitors the traffic passing through the service provider 116 to the customers 135 [step 505].
  • the attack detection sensor 145 may analyze each packet passing through the service provider 116 to determine whether a DoS signature is present [step 510].
  • the attack detection sensor 145 may use any conventional DoS signature detection technique.
  • In a smurf type of DoS attack, as described above, an attacking device causes a host device to crash by sending ping requests to a broadcast address on the host's network.
  • the attacking device sets the return address to the victim's address, causing hundreds of response messages to be generated that eventually overload the network.
  • the attack detection sensor 145 may detect the presence of the ping response messages.
  • the attack detection sensor 145 may also continuously record information regarding the packets passing through the service provider 116 in an associated buffer (or database).
  • If the attack detection sensor 145 determines that no such signature exists in the packets passing through the service provider 116 [step 510], the attack detection sensor 145 returns to step 505 and continues to monitor the traffic. If, on the other hand, a DoS signature exists [step 510], then the attack detection sensor 145 may notify the service provider 116 and, possibly, the triage device 140 of the presence of an attack [step 515]. The attack detection sensor 145 may also notify the service provider 116 and triage device 140 of the identity of the intended victim device (e.g., host device 420 in FIG. 4). In an alternative implementation, the service provider 116 may determine the identity of the intended victim device.
  • the intended victim device: e.g., host device 420 in FIG. 4
  • Upon notifying the service provider 116 and triage device 140 of the attack, the attack detection sensor 145 returns to step 505 and continues to monitor the traffic passing through the service provider 116. At any time during this processing, the attack detection sensor 145 may receive a request from the triage device 140 requesting a recent history of packets transmitted to the target device. In response to such a request, the attack detection sensor 145 may transmit the information recorded in its buffer to the database 300 associated with the triage device 140. This information may be later used to characterize the early or precursor phases of the attack.
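An added example (not the patent's code or any product of the assignee) modelling the FIG. 5 sensor in Python: a circular buffer of recent packets, a smurf-style signature check (many ICMP echo replies converging on one destination), one notification per victim, and the history hand-off requested by the triage device. The Packet record, the reply threshold and the traffic are constructed for this example.

```python
from collections import Counter, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet record for this example (constructed; not the patent's packet format)."""
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp"
    kind: str    # "data", "syn", "echo-reply", ...


class AttackDetectionSensor:
    """Passive sensor 145: records recent traffic and watches for a DoS signature (steps 505-515)."""

    def __init__(self, buffer_size=1000, reply_threshold=50):
        self.history = deque(maxlen=buffer_size)   # circular buffer: the limited audit trail
        self.reply_threshold = reply_threshold     # assumed signature threshold for this example
        self.notified = set()                      # victims already reported to the SP
        self.notifications = []                    # order in which victims were reported

    def observe(self, packet):
        """Step 505/510: record one packet, return the victim address if a new attack is detected."""
        self.history.append(packet)
        victim = self.detect_smurf_signature()
        if victim is not None and victim not in self.notified:
            self.notified.add(victim)
            self.notifications.append(victim)      # step 515: notify SP (and triage device)
            return victim
        return None

    def detect_smurf_signature(self):
        """Smurf signature: the buffer holds many ICMP echo replies aimed at one destination."""
        replies = Counter(p.dst for p in self.history
                          if p.proto == "icmp" and p.kind == "echo-reply")
        if not replies:
            return None
        victim, count = replies.most_common(1)[0]
        return victim if count >= self.reply_threshold else None

    def history_for(self, target):
        """Recent packets toward target, transferred to the triage device's database on request."""
        return [p for p in self.history if p.dst == target]


def run_sensor_demo():
    """Constructed traffic: normal web traffic to one host interleaved with reflected echo replies."""
    sensor = AttackDetectionSensor(buffer_size=500, reply_threshold=20)
    traffic = []
    for i in range(25):
        traffic.append(Packet(f"198.51.100.{i % 5}", "10.0.0.8", "tcp", "data"))        # benign
        traffic.append(Packet(f"192.0.2.{i + 1}", "10.0.0.5", "icmp", "echo-reply"))    # reflected
    alerts = [idx for idx, pkt in enumerate(traffic) if sensor.observe(pkt) is not None]
    return sensor, alerts


if __name__ == "__main__":
    sensor, alerts = run_sensor_demo()
    print("victims reported:", sensor.notifications, "at packet index", alerts)
    print("history handed to triage:", len(sensor.history_for("10.0.0.5")), "packets")
```

The alert fires once, on the 20th reflected reply; traffic to other hosts never counts toward the signature.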
  • FIGS. 6A and 6B illustrate an exemplary process, consistent with the present invention, that protects communication networks and devices against denial of service attacks. Processing begins when a service provider, such as service provider 116, receives notification that a DoS attack has been detected [step 605].
  • the service provider 116 may, for example, receive the attack detection notification from an attack detection sensor, such as attack detection sensor 145, from the target device, or from another network device.
  • In response to the attack notification, the service provider 116 begins to route any information received for the intended victim (i.e., host device 420) to the triage device 140 [step 610]. The service provider 116 determines whether a particular packet is intended for the host device 420 by, for example, examining target address information in the packet's header.
  • In response to receiving one or more packets, the triage device 140 examines each packet to determine whether the packet is part of the DoS attack [step 615]. In the example above, the triage device 140 may determine whether the packet is a ping response message.
  • If the packet is determined not to be part of the DoS attack, the triage device 140 may forward the packet to the host device 420 [step 625].
  • the triage device 140 may be configured to prioritize or filter packets to be forwarded based on a variety of characteristics, or can forward packets on a first come, first delivered basis.
  • the triage device 140 may, however, drop packets in excess of the host device's 420 rated capacity to prevent a deluge of "good" packets from bringing down the host device 420.
  • If the packet is determined to be part of the DoS attack, the triage device 140 may discard the packet and/or proxy a reply to the attacking device on behalf of the host device 420 [step 630]. By proxying a reply to the attacking device, the attacking device may be left with the impression that the DoS attack was successful. In addition, this may aid in tracking the source of the attack.
  • the triage device 140 may receive a profile from the host device 420 describing the types of packets that the host device normally receives. If such a profile has been received by the triage device 140, the triage device 140 may divert all packets not of the types normally received as likely attack material, even if of an unknown attack variety. Moreover, if the host device 420 is capable of notifying the triage device as to which IP addresses are "good," then the triage device 140 can filter good packets from attack packets, based on their IP address, even if they fall within the profile of an attack.
  • For each packet received during the DoS attack, the triage device 140 stores information regarding the packet in database 300 [step 635]. As described above, this information may include the source address, target address, date, time, and other information that may facilitate later analysis of the attack.
  • the triage device 140 may then determine whether the DoS attack has ended [step 640] (FIG. 6B).
  • the triage device 140 may, for example, automatically determine that the attack has ended after a predetermined period of time or after a predetermined number of "good" packets have been received without having received a "bad" packet.
  • the service provider 116 or some other network device may determine that the DoS attack has ended. If the attack has not ended, the service provider 116 continues to route packets intended for the host device to the triage device 140 [step 610] (FIG. 6A).
  • the triage device 140 continues to process packets until the service provider 116 discontinues redirecting packets from the target to the triage device 140.
  • the service provider 116 may then begin to route traffic directly to the host device 420 [step 645].
  • the triage device 140 may transfer information about the attack from its associated database 300 to a network administrator so that remedial measures may be commenced. This transfer of information may alternatively occur during the attack. The transfer may occur automatically or in response to a request from the network administrator.
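An added Python example, not the patent's code, that walks steps 615 to 640 for one protected host: classification against the host's profile and the reported attack signature with a host-supplied good-address override, rate capping at the host's rated capacity, discard or proxy of attack packets, a FIG. 3 style log record per packet, and the "N good packets without a bad one" end-of-attack heuristic. The Packet record, the choice to proxy only TCP SYNs, and every address and threshold are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


@dataclass(frozen=True)
class Packet:
    """Minimal packet record for this example (constructed; not the patent's packet format)."""
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp"
    kind: str    # "syn", "data", "echo-reply", ...


class Verdict(Enum):
    FORWARD = "forward"                          # step 625: pass the packet to the host
    DISCARD = "discard"                          # step 630: drop an attack packet
    PROXY = "proxy"                              # step 630: answer on the host's behalf
    DROP_OVER_CAPACITY = "drop-over-capacity"    # good packet beyond the host's rated capacity


class TriageDevice:
    """Models triage device 140 (FIGS. 6A/6B) for a single protected host."""

    def __init__(self, target, host_profile, attack_profile, rated_capacity,
                 good_addresses=(), end_after_good=100):
        self.target = target
        self.host_profile = set(host_profile)      # (proto, kind) the host normally receives
        self.attack_profile = set(attack_profile)  # (proto, kind) reported as the attack signature
        self.rated_capacity = rated_capacity       # good packets forwarded per interval
        self.good_addresses = set(good_addresses)  # addresses the host vouched for
        self.end_after_good = end_after_good       # step 640: good packets needed to declare the end
        self.forwarded_this_interval = 0
        self.good_streak = 0
        self.attack_ended = False
        self.database = []                         # exemplary database 300 (FIG. 3 fields)

    def is_attack_packet(self, packet):
        """Step 615: classify one packet addressed to the protected host."""
        if packet.src in self.good_addresses:
            return False   # a host-supplied good address wins even inside the attack profile
        if (packet.proto, packet.kind) in self.attack_profile:
            return True    # matches the detected signature (e.g. smurf echo replies)
        return (packet.proto, packet.kind) not in self.host_profile   # unknown attack variety

    def handle(self, packet, now):
        if packet.dst != self.target:
            return Verdict.FORWARD   # not redirected for this attack; pass through untouched
        if self.is_attack_packet(packet):
            self.good_streak = 0
            # Assumption: a TCP handshake request is answered by the triage device itself so
            # half-open state never reaches the host; every other attack packet is discarded.
            verdict = (Verdict.PROXY if (packet.proto, packet.kind) == ("tcp", "syn")
                       else Verdict.DISCARD)
        else:
            self.good_streak += 1
            if self.forwarded_this_interval < self.rated_capacity:
                self.forwarded_this_interval += 1
                verdict = Verdict.FORWARD
            else:
                verdict = Verdict.DROP_OVER_CAPACITY   # a deluge of good packets must not sink the host
        self._log(packet, now, verdict)                # step 635
        if self.good_streak >= self.end_after_good:    # step 640
            self.attack_ended = True
        return verdict

    def new_interval(self):
        """Reset the per-interval forwarding budget (called once per rate-limiting interval)."""
        self.forwarded_this_interval = 0

    def _log(self, packet, now, verdict):
        self.database.append({
            "source": packet.src, "target": packet.dst,          # fields 310 and 320
            "date": now.date().isoformat(),                      # field 330
            "time": now.time().isoformat(timespec="seconds"),    # field 340
            "log_entry": f"{packet.proto}/{packet.kind} -> {verdict.value}",   # field 350
        })


def run_triage_demo():
    """Constructed mixed smurf + SYN flood against 10.0.0.5 with one vouched-for client."""
    device = TriageDevice(target="10.0.0.5",
                          host_profile={("tcp", "syn"), ("tcp", "data")},
                          attack_profile={("icmp", "echo-reply"), ("tcp", "syn")},
                          rated_capacity=2, good_addresses={"198.51.100.7"}, end_after_good=3)
    now = datetime(2001, 9, 19, 12, 0, 0, tzinfo=timezone.utc)
    traffic = [
        Packet("198.51.100.7", "10.0.0.5", "tcp", "syn"),         # vouched-for client: forward
        Packet("203.0.113.9", "10.0.0.5", "icmp", "echo-reply"),  # smurf reflection: discard
        Packet("192.0.2.8", "10.0.0.5", "tcp", "syn"),            # flood SYN: proxy the handshake
        Packet("192.0.2.44", "10.0.0.5", "udp", "data"),          # outside host profile: discard
        Packet("192.0.2.9", "10.0.0.5", "tcp", "data"),           # good, within capacity: forward
        Packet("192.0.2.10", "10.0.0.5", "tcp", "data"),          # good, over capacity: dropped
        Packet("192.0.2.11", "10.0.0.5", "tcp", "data"),          # good; third in a row ends attack
    ]
    verdicts = [device.handle(p, now) for p in traffic]
    return device, verdicts


if __name__ == "__main__":
    device, verdicts = run_triage_demo()
    for entry, verdict in zip(device.database, verdicts):
        print(entry["source"], entry["log_entry"])
    print("attack ended:", device.attack_ended)
```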
  • a service provider can redirect traffic away from a targeted host (or hosts) and toward a triage device, that may use a combination of packet destruction, proxying for the target, other filtering mechanisms, and prioritized packet forwarding to protect intended targets from attack.
  • the triage device diverts the brunt of the attack from the targets, allowing them to continue to operate during a DoS attack. Due to its modular nature, the triage device provides a flexible base for deploying new DoS attack responses as DoS attack techniques evolve. Moreover, the triage device is capable of being scaled from a single system to a multi-module, multi-homed architecture, providing cost-effective deployment for a growing target base.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a system that protects communication networks and devices against denial of service attacks. A service provider (116) receives a signal indicating that a denial of service attack has been detected, as well as at least one packet destined for a victim device (420), and then transmits the packet(s) to a triage device (140). The triage device determines whether each packet is part of the attack and forwards to the victim device (420) only those packets assumed not to be part of it.
PCT/US2001/029336 2000-09-20 2001-09-19 Systems and methods for protecting networks and devices against denial of service attacks WO2002025402A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2002211242A AU2002211242A1 (en) 2000-09-20 2001-09-19 Systems and methods that protect networks and devices against denial of service attacks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US66611400A 2000-09-20 2000-09-20
US09/666,114 2000-09-20

Publications (2)

Publication Number Publication Date
WO2002025402A2 true WO2002025402A2 (fr) 2002-03-28
WO2002025402A3 WO2002025402A3 (fr) 2002-08-01

Family

ID=24672884

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/029336 WO2002025402A2 (fr) 2000-09-20 2001-09-19 Systems and methods for protecting networks and devices against denial of service attacks

Country Status (2)

Country Link
AU (1) AU2002211242A1 (fr)
WO (1) WO2002025402A2 (fr)

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20030009887A (ko) * 2001-07-24 2003-02-05 KT Corporation System and method for blocking denial of service attacks
EP1364297A2 (fr) * 2000-10-17 2003-11-26 Wanwall, Inc. Methods and apparatus for protecting against overload conditions on nodes of a distributed network
EP1566947A1 (fr) * 2004-02-18 2005-08-24 AT&T Corp. Method for mitigating denial of service attacks by selective traffic rerouting in an MPLS virtual private network
EP1616269A2 (fr) * 2003-04-09 2006-01-18 Riverhead Networks Inc. Selective diversion and injection of communication traffic
WO2006081507A1 (fr) * 2005-01-28 2006-08-03 Broadcom Corporation Method and system for mitigating denial of service in a communication network
EP1691529A1 (fr) * 2005-02-15 2006-08-16 AT&T Corp. Method for defending a network against DDoS attacks
EP1705863A1 (fr) * 2005-03-25 2006-09-27 AT&T Corp. Method and device for traffic control against denial of service attacks in a communication network
EP1744516A1 (fr) * 2005-07-15 2007-01-17 AT&T Corp. Method for mitigating denial of service attacks by selective traffic rerouting in an Internet network
WO2007019213A1 (fr) * 2005-08-05 2007-02-15 Lucent Technologies Inc. Method for defending against denial of service attacks in IP networks by self-identification and control performed by the target victim
WO2007035207A1 (fr) * 2005-08-05 2007-03-29 Lucent Technologies Inc. Method of defending against denial of service attacks in IP networks by self-identification and control provided by the target victim
EP1804446A1 (fr) * 2004-10-12 2007-07-04 Nippon Telegraph and Telephone Corporation Denial of service attack protection system, denial of service attack protection method, and denial of service attack protection program
US7308716B2 (en) 2003-05-20 2007-12-11 International Business Machines Corporation Applying blocking measures progressively to malicious network traffic
WO2008001247A2 (fr) * 2006-06-26 2008-01-03 Nokia Corporation SIP protocol "washing machine"
US7444417B2 (en) 2004-02-18 2008-10-28 Thusitha Jayawardena Distributed denial-of-service attack mitigation by selective black-holing in IP networks
US7464404B2 (en) 2003-05-20 2008-12-09 International Business Machines Corporation Method of responding to a truncated secure session attack
US7617526B2 (en) 2003-05-20 2009-11-10 International Business Machines Corporation Blocking of spam e-mail at a firewall
US7797419B2 (en) * 2003-06-23 2010-09-14 Protego Networks, Inc. Method of determining intra-session event correlation across network address translation devices
US8438241B2 (en) 2001-08-14 2013-05-07 Cisco Technology, Inc. Detecting and protecting against worm traffic on a network
US8478831B2 (en) 2004-08-26 2013-07-02 International Business Machines Corporation System, method and program to limit rate of transferring messages from suspected spammers
US20220030011A1 (en) * 2020-07-23 2022-01-27 Micro Focus Llc Demand management of sender of network traffic flow

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5958053A (en) * 1997-01-30 1999-09-28 At&T Corp. Communications protocol with improved security
US6298445B1 (en) * 1998-04-30 2001-10-02 Netect, Ltd. Computer security
US6301668B1 (en) * 1998-12-29 2001-10-09 Cisco Technology, Inc. Method and system for adaptive network security using network vulnerability assessment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
SMITH R., BHATTACHARYA S.: 'Operating firewalls outside the LAN perimeter' MOTOROLA INC. February 1999, ARIZONA, pages 493 - 498, XP000859730 *
VAZHKUDAI S., MAGINNIS T.: 'A high performance communication subsystem for PODOS' MISSISSIPPI UNIVERSITY December 1999, MISSISSIPPI, pages 81 - 91, XP010365647 *

Cited By (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1364297A2 (fr) * 2000-10-17 2003-11-26 Wanwall, Inc. Methods and apparatus for protecting against overload conditions on nodes of a distributed network
EP1364297A4 (fr) * 2000-10-17 2009-04-08 Wanwall Inc Methods and apparatus for protecting against overload conditions on nodes of a distributed network
US7707305B2 (en) 2000-10-17 2010-04-27 Cisco Technology, Inc. Methods and apparatus for protecting against overload conditions on nodes of a distributed network
KR20030009887A (ko) * 2001-07-24 2003-02-05 KT Corporation Denial of service attack blocking system and method
US8438241B2 (en) 2001-08-14 2013-05-07 Cisco Technology, Inc. Detecting and protecting against worm traffic on a network
EP1616269A2 (fr) * 2003-04-09 2006-01-18 Riverhead Networks Inc. Selective diversion and injection of communication traffic
EP1616269A4 (fr) * 2003-04-09 2011-01-12 Cisco Tech Inc Selective diversion and injection of communication traffic
EP2977910A1 (fr) * 2003-04-09 2016-01-27 Cisco Technology, Inc. Selective diversion and injection of communication traffic
US7308716B2 (en) 2003-05-20 2007-12-11 International Business Machines Corporation Applying blocking measures progressively to malicious network traffic
US7464404B2 (en) 2003-05-20 2008-12-09 International Business Machines Corporation Method of responding to a truncated secure session attack
US7617526B2 (en) 2003-05-20 2009-11-10 International Business Machines Corporation Blocking of spam e-mail at a firewall
US7797419B2 (en) * 2003-06-23 2010-09-14 Protego Networks, Inc. Method of determining intra-session event correlation across network address translation devices
US7444417B2 (en) 2004-02-18 2008-10-28 Thusitha Jayawardena Distributed denial-of-service attack mitigation by selective black-holing in IP networks
US7925766B2 (en) 2004-02-18 2011-04-12 At&T Intellectual Property Ii, L.P. Method for distributed denial-of-service attack mitigation by selective black-holing in MPLS VPNS
EP1566947A1 (fr) * 2004-02-18 2005-08-24 AT&T Corp. Method for mitigating denial of service attacks by means of selective traffic rerouting in an MPLS virtual private network
US8478831B2 (en) 2004-08-26 2013-07-02 International Business Machines Corporation System, method and program to limit rate of transferring messages from suspected spammers
EP1804446A4 (fr) * 2004-10-12 2007-11-28 Nippon Telegraph & Telephone Denial-of-service attack defense system, denial-of-service attack defense method, and denial-of-service attack defense program
EP1804446A1 (fr) * 2004-10-12 2007-07-04 Nippon Telegraph and Telephone Corporation Denial-of-service attack defense system, denial-of-service attack defense method, and denial-of-service attack defense program
US8479282B2 (en) 2004-10-12 2013-07-02 Nippon Telegraph And Telephone Corporation Denial-of-service attack defense system, denial-of-service attack defense method, and computer product
WO2006081507A1 (fr) * 2005-01-28 2006-08-03 Broadcom Corporation Method and system for mitigating denial of service in a communication network
US8719446B2 (en) 2005-02-15 2014-05-06 At&T Intellectual Property Ii, L.P. Systems, methods, and devices for defending a network
US9497211B2 (en) 2005-02-15 2016-11-15 At&T Intellectual Property Ii, L.P. Systems, methods, and devices for defending a network
US10367831B2 (en) 2005-02-15 2019-07-30 At&T Intellectual Property Ii, L.P. Systems, methods, and devices for defending a network
EP1691529A1 (fr) * 2005-02-15 2006-08-16 AT&T Corp. Method for defending a network against DDoS attacks
US8346960B2 (en) 2005-02-15 2013-01-01 At&T Intellectual Property Ii, L.P. Systems, methods, and devices for defending a network
US8089871B2 (en) 2005-03-25 2012-01-03 At&T Intellectual Property Ii, L.P. Method and apparatus for traffic control of dynamic denial of service attacks within a communications network
EP1705863A1 (fr) * 2005-03-25 2006-09-27 AT&T Corp. Method and apparatus for traffic control of denial of service attacks in a communications network
EP1744516A1 (fr) * 2005-07-15 2007-01-17 AT&T Corp. Method for mitigating denial of service attacks by means of selective traffic rerouting in an Internet network
JP2009504100A (ja) * 2005-08-05 2009-01-29 Lucent Technologies Inc. Method for defending against DoS attacks in IP networks by target victim self-identification and control
JP4768021B2 (ja) * 2005-08-05 2011-09-07 Alcatel-Lucent USA Inc. Method for defending against DoS attacks in IP networks by target victim self-identification and control
JP4768020B2 (ja) * 2005-08-05 2011-09-07 Alcatel-Lucent USA Inc. Method for defending against DoS attacks in IP networks by target victim self-identification and control
US7889735B2 (en) 2005-08-05 2011-02-15 Alcatel-Lucent Usa Inc. Method and apparatus for defending against denial of service attacks in IP networks based on specified source/destination IP address pairs
JP2009504099A (ja) * 2005-08-05 2009-01-29 Lucent Technologies Inc. Method for defending against DoS attacks in IP networks by target victim self-identification and control
WO2007035207A1 (fr) * 2005-08-05 2007-03-29 Lucent Technologies Inc. Method for defending against denial of service attacks in IP networks by target victim self-identification and control
WO2007019213A1 (fr) * 2005-08-05 2007-02-15 Lucent Technologies Inc. Method for defending against denial of service attacks in IP networks by target victim self-identification and control
WO2008001247A3 (fr) * 2006-06-26 2008-04-24 Nokia Corp SIP protocol "washing machine"
WO2008001247A2 (fr) * 2006-06-26 2008-01-03 Nokia Corporation SIP protocol "washing machine"
US20220030011A1 (en) * 2020-07-23 2022-01-27 Micro Focus Llc Demand management of sender of network traffic flow
US11683327B2 (en) * 2020-07-23 2023-06-20 Micro Focus Llc Demand management of sender of network traffic flow

Also Published As

Publication number Publication date
AU2002211242A1 (en) 2002-04-02
WO2002025402A3 (fr) 2002-08-01

Similar Documents

Publication Publication Date Title
US11818167B2 (en) Authoritative domain name system (DNS) server responding to DNS requests with IP addresses selected from a larger pool of IP addresses
WO2002025402A2 (fr) Systems and methods for protecting networks and devices against denial of service attacks
US7870611B2 (en) System method and apparatus for service attack detection on a network
US8438241B2 (en) Detecting and protecting against worm traffic on a network
US7058976B1 (en) Intelligent feedback loop process control system
US7307999B1 (en) Systems and methods that identify normal traffic during network attacks
US7478429B2 (en) Network overload detection and mitigation system and method
US7627677B2 (en) Process to thwart denial of service attacks on the internet
US20060212572A1 (en) Protecting against malicious traffic
US20050108415A1 (en) System and method for traffic analysis
WO2004070535A2 (fr) Mitigating denial of service attacks
KR20120060655A (ko) Routing apparatus and routing method capable of detecting server attacks, and network using the same
EP1595193B1 (fr) Detecting and protecting against worm traffic on a network
WO2003050644A2 (fr) Protecting against malicious traffic
EP1461704B1 (fr) Protecting against malicious traffic
JP2007259223A (ja) Defense system and method against unauthorized access in a network, and program therefor
JP2004248185A (ja) Network-based distributed denial of service attack defense system and communication apparatus
JP4084317B2 (ja) Worm detection method
JP4326423B2 (ja) Management apparatus and unauthorized access defense system
WO2023175682A1 (fr) Control system, router, control method and program
KR20110080971A (ko) Method and system for preventing denial of service attacks
JP2004166029A (ja) Distributed denial of service defense method and system, and program therefor
JP2008252221A (ja) DoS attack defense system, attack defense method in a DoS attack defense system, and DoS attack defense apparatus

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 EP: the EPO has been informed by WIPO that EP was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (PCT application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 EP: PCT application non-entry in European phase
NENP Non-entry into the national phase in:

Ref country code: JP