US20160021137A1 - Proactive network attack demand management - Google Patents

Proactive network attack demand management Download PDF

Info

Publication number
US20160021137A1
US20160021137A1 US14/803,987 US201514803987A US2016021137A1 US 20160021137 A1 US20160021137 A1 US 20160021137A1 US 201514803987 A US201514803987 A US 201514803987A US 2016021137 A1 US2016021137 A1 US 2016021137A1
Authority
US
United States
Prior art keywords
attack
network
requests
request
suspected
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US14/803,987
Inventor
Robert Carpenter
Hong Li
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Intel Corp
Original Assignee
Intel Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intel Corp filed Critical Intel Corp
Priority to US14/803,987 priority Critical patent/US20160021137A1/en
Publication of US20160021137A1 publication Critical patent/US20160021137A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/12Avoiding congestion; Recovering from congestion
    • H04L47/125Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141Denial of service attacks against endpoints in a network

Definitions

  • a distributed denial of service attack occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually a web server.
  • DDoS distributed denial of service attack
  • a web server For example, one type of DDoS mechanism is triggered on a specific date and time. At that specific date and time, thousands of compromised machines on the internet will access a target web server at the same time, which brings the web server down due to resource exhaustion.
  • FIG. 1 is a logical block diagram of a system according to an example embodiment.
  • FIG. 2 is a time-demand graph depicting a grace period for detection of a network attack.
  • FIG. 3 is a flow diagram of a method according to an example embodiment.
  • FIG. 4 is a block flow diagram of method according to an example embodiment.
  • Various embodiments described and illustrated herein provide one or more of systems, methods, software, and firmware to handle attack generated demand proactively using distributed virtualization.
  • One goal of some such embodiments is to provide a time window of stable operational response within which an intrusion detection system may detect an attack and/or cause a countermeasure against the attacks to be activated.
  • Demand excursions which are not caused by an attack are supported during the variability of demand providing transparent response to legitimate users of the system.
  • the functions or algorithms described herein are implemented in hardware, software or a combination of software and hardware in one embodiment.
  • the software comprises computer executable instructions stored on computer readable media such as memory or other type of storage devices. Further, described functions may correspond to modules, which may be software, hardware, firmware, or any combination thereof. Multiple functions are performed in one or more modules as desired, and the embodiments described are merely examples.
  • the software is executed on a digital signal processor, ASIC, microprocessor, or other type of processor operating on a system, such as a personal computer, server, a router, or other device capable of processing data including network interconnection devices.
  • Some embodiments implement the functions in two or more specific interconnected hardware modules or devices with related control and data signals communicated between and through the modules, or as portions of an application-specific integrated circuit.
  • the exemplary process flow is applicable to software, firmware, and hardware implementations.
  • FIG. 1 is a logical block diagram of a system 100 according to an example embodiment.
  • the system 100 is an environment within which an acceptable level of service may be sustained in the face of a potential attack, such as a DDoS, and the potential attack may be contained with minimum impact to legitimate service.
  • a managed window of time within which a potential, or suspected, attack may be evaluated to determine if an attack is actually taking place. This window of time enables detection algorithms to examine a larger and more optimal set of data, such as from increased demand, which decreases the likelihood of false positives and consequent over reaction.
  • the system 100 includes a requests 102 being received over a network 104 , such as the Internet.
  • the requests 102 are funneled over the network 104 to a first network device or appliance of an organization, such as a load balancer 106 .
  • This device forwards received requests to a firewall 110 .
  • the firewall 110 in some embodiments, is a standalone network appliance-type device.
  • the firewall 110 may be part of load balancer 106 , instantiated within a virtual machine or virtual machine monitor operating on a server 108 , or a process on another computing device.
  • the firewall 110 as included in the example system 100 is instantiated as a virtual machine monitor on a server 108 which may also include one or more web servers 112 instantiated within virtual machines.
  • the firewall 110 includes a traffic classification engine.
  • the traffic classification engine performs preliminary filtering on all incoming traffic based on usage rules. Some usage rules may specify that request from a particular IP address or other source identifier are trusted requests. Other usage rules may specify a thermometer threshold for identical or similar requests over a period. If such as thermometer threshold is reached or exceeded, such requests may be classified by the traffic classification engine as suspect requests that may be part of an attack, such as a DDoS.
  • the traffic classification engine may distribute the abnormal requests to distributed virtual machines 124 that may be instantiated on one or more servers 122 across a trusted network 120 .
  • the trusted network 120 may be, in various embodiments, a virtual machine overlay, a local area network subnet, a virtual local area network, or other similar network type.
  • Other requests not classified as part of a suspected attack may be serviced normally, such as by web servers 112 of one or more virtual machines of the server 108 , another server 114 , or other web servers available over a network.
  • one or more web servers 124 may be instantiated on demand on one or more servers of the trusted network 120 . As demand for resources of a suspected attack increase, more web servers 124 may be instantiated on demand until the attack is verified as an attack by detection algorithms, such as attack analytic processes or other processes.
  • the traffic classification engine may take one or more actions. These actions may include one or more of silently disregarding suspect requests, deflecting abnormal, suspect traffic to a virtual local area network to help detection, or continue to distribute traffic load to virtual machines that may be instantiated in other locations if resources are available.
  • the traffic classification engine may just ignore subsequently received requests. If a suspect attack is determined not to be an attack, subsequent requests may be handled by normal load balancing techniques and the web servers instantiated to handle the suspect attacks may be destroyed to free up servers 122 to handle other or future suspect attacks.
  • the system 100 provides many advantages. Some such advantages include avoidance of “hard” problems such as ingress filtering at network firewalls and tracing back to attackers while allowing adaptive load distribution based on diagnostics in the traffic classification engine and other processes that may receive traffic data from the traffic classification to perform analytics on the traffic data to determine if suspect requests are in fact, or assumed to be, an actual attack, such as a DDoS. Such embodiments also provide increased abilities to sustain system 100 operability in the face of an attack to buy critical time for attack detection and countermeasure identification through distributed virtualization across a trusted network. This may allow dynamic utilization of unused or underused resources.
  • Some embodiments further are able to ensure quality of service, such as to meet service level agreements/objectives in the face of an attack, which typically may not be achieved with simple network traffic load balancing approaches. Additional, through use of virtual machines and virtual local area networks, suspect requests may be segregated to help ensure system 100 security and enable workload distribution.
  • FIG. 2 is a time-demand graph depicting a grace period for detection of a network attack.
  • various embodiments when faced with a potential attack, provide a grace period within which potential attacks may be evaluated while operability is maintained. For example as the traffic classification engine as described above, evaluates requests, suspect requests are processed separately, such as through the use of web servers on virtual machines over a trusted network. The trusted network and virtual machines are segregated from other system resources so as not to affect system performance in servicing non-suspect requests.
  • a threshold may be reached. For example, 500 requests for a seldom requested resource may be received within one minute. Such requests may be classified by the traffic classification engine as suspect requests of a potential attack. The traffic classification engine may then instantiate one or more web servers, depending on the level of demand of an available resource, on one or more virtual machines over a virtual local area network. This grey portion of FIG. 2 has now been entered. This may be thought of as a grace period where the suspect requests will be handled as best as possible in view of the available resources. If necessary, and resources are available, the traffic classification engine may cause more web servers to be instantiated on the virtual machines.
  • the traffic classification engine may continue to feed demand data to one or more analytical processes which operate on the data to identify whether or not the suspect requests are part of an attack.
  • the grace period allows demand to be met, at least as best as system resources allow, while the analytical processes execute.
  • the suspect requests are segregated from other portions of the system. Thus, non-suspect requests are serviced in a normal fashion. Processing of the segregated, suspect requests does not affect the processing of non-suspect requests.
  • the grace period ends when the one or more analytic processes resolve the demand data to identify the requests as part of an attack or normal increased demand.
  • FIG. 2 illustrates a scenario where the suspect requests are part of an attack.
  • the analytic processes may communicate the identification of an attack to the traffic classification engine at which time future requests determined to be part of the attack may simply be quietly ignored.
  • demand falls off drastically.
  • FIG. 3 is a flow diagram of a method 300 according to an example embodiment.
  • the method 300 is a method which may be performed by a traffic classification engine.
  • the first perception by the web server is a sudden increase in application requests, which is abnormal but at that moment the nature of the increase is unknown. It may be just legitimate traffic or it may be an attack.
  • the approach of the method 300 is to utilize an edge piece of a web servicing environment, such as a traffic classification engine in a firewall, contain bandwidth usage within a virtual machine or virtualized network, provide a control point for the analysis, and support business service quality of service during detection, analysis, and response.
  • the approach also defines and isolates the locus for remedial action if required. More detail of such an embodiment is illustrated in the method 300 .
  • the method 300 includes receiving incoming requests 302 and determining 304 if the requests are abnormal. If the requests are not abnormal, the method 300 includes applying normal load balancing rules 306 and the method ends 324 . However, if it is determined 304 that a request is abnormal, a further determination is made to determine 308 if a request threshold has been reached, such as a number of requests for a specific URL over a certain period.
  • a determination 314 is made if an attack has been previously detected or diagnosed that is applicable to the current request. If yes, corresponding actions as specified by an analytic process are taken 316 and the method 300 ends 324 .
  • a segregated network such as a virtual local area network
  • a segregated network is available to sustain processing of continued requests for the resource 318 . If not, future requests for the resource are disregarded 322 and the method 300 ends 324 . If a segregated network and resources thereon are available to service the current abnormal request, the request is redirected to the segregated network and resources and the method 300 ends 324 .
  • a determination 310 is made as to whether request saturation for the abnormal request has been reached. For example, if the number of requests exceed the processing capabilities available, that is the request has not reached saturation, such as on a local virtual machine, the request may be redirected 312 to a distributed virtual machine web server, such as within an underutilized server. That server may then determine 308 if a request threshold has been reached. The method 300 continues in an identical fashion from that point until the request is either serviced, disregarded, or otherwise times out.
  • FIG. 4 is a block flow diagram of method 400 according to an example embodiment.
  • the example method 400 includes receiving a request over a network for a network resource 402 and applying one or more attack detection rules to the received request 404 .
  • the method 400 further includes ignoring the request if the request is part of a detected attack 406 or segregating the request to a virtual local area network if the request is suspected to be part of an attack 408 .
  • the method 400 then services the request from the virtual local area network utilizing resources segregated to the virtual local area network 410 .
  • the resources segregated to the virtual local area network 408 include one or more virtual machines instantiated on demand as needed to service requests suspected to be a part of one or more identified potential attacks.
  • Each of the one or more virtual machines may include a server process operating within the virtual machine to service requests.
  • an attack detection rule may include a threshold level, which when reached, causes requests to be classified as part of a specific suspected attack and an action rule, the application of which specifies how to handle requests classified as part of the specific suspected attack.
  • a threshold level which when reached, causes requests to be classified as part of a specific suspected attack
  • an action rule the application of which specifies how to handle requests classified as part of the specific suspected attack.
  • a saturation point may be a number of requests the virtual local area network is able to service over a particular period.
  • inventions, and others may be implemented in virtually any networked environment including servers that serve content to requestors.
  • One such networked environment may include a web server farm environment.

Abstract

Various embodiments described and illustrated herein provide one or more of systems, methods, software, and firmware to handle attack generated demand proactively using distributed virtualization. One goal of some such embodiments is to provide a time window of stable operational response within which an intrusion detection system may detect an attack and/or cause a countermeasure against the attacks to be activated. Demand excursions which are not caused by an attack are supported during the variability of demand providing transparent response to legitimate users of the system. These embodiments, and others, are described in greater detail below.

Description

    Priority Application
  • This application is a continuation of U.S. application Ser. No. 11/857,709, filed Sep. 19, 2007, which is incorporated herein by reference in its entirety.
    • BACKGROUND INFORMATION
  • A distributed denial of service attack (“DDoS”) occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually a web server. For example, one type of DDoS mechanism is triggered on a specific date and time. At that specific date and time, thousands of compromised machines on the internet will access a target web server at the same time, which brings the web server down due to resource exhaustion. There are several defense mechanisms being used or researched today. These mechanisms include ingress filtering to stop the attack at the target, trace back to catch and stop the attacker at the source, and resource management and congestion control. All these defense techniques face increasing challenges as attack detection and trace back become more and more difficult.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a logical block diagram of a system according to an example embodiment.
  • FIG. 2 is a time-demand graph depicting a grace period for detection of a network attack.
  • FIG. 3 is a flow diagram of a method according to an example embodiment.
  • FIG. 4 is a block flow diagram of method according to an example embodiment.
    •  DETAILED DESCRIPTION
  • Various embodiments described and illustrated herein provide one or more of systems, methods, software, and firmware to handle attack generated demand proactively using distributed virtualization. One goal of some such embodiments is to provide a time window of stable operational response within which an intrusion detection system may detect an attack and/or cause a countermeasure against the attacks to be activated. Demand excursions which are not caused by an attack are supported during the variability of demand providing transparent response to legitimate users of the system. These embodiments, and others, are described in greater detail below.
  • In the following detailed description, reference is made to the accompanying drawings that form a part hereof, and in which is shown by way of illustration specific embodiments in which the inventive subject matter may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice them, and it is to be understood that other embodiments may be utilized and that structural, logical, and electrical changes may be made without departing from the scope of the inventive subject matter. Such embodiments of the inventive subject matter may be referred to, individually and/or collectively, herein by the term “invention” merely for convenience and without intending to voluntarily limit the scope of this application to any single invention or inventive concept if more than one is in fact disclosed.
  • The following description is, therefore, not to be taken in a limited sense, and the scope of the inventive subject matter is defined by the appended claims.
  • The functions or algorithms described herein are implemented in hardware, software or a combination of software and hardware in one embodiment. The software comprises computer executable instructions stored on computer readable media such as memory or other type of storage devices. Further, described functions may correspond to modules, which may be software, hardware, firmware, or any combination thereof. Multiple functions are performed in one or more modules as desired, and the embodiments described are merely examples. The software is executed on a digital signal processor, ASIC, microprocessor, or other type of processor operating on a system, such as a personal computer, server, a router, or other device capable of processing data including network interconnection devices.
  • Some embodiments implement the functions in two or more specific interconnected hardware modules or devices with related control and data signals communicated between and through the modules, or as portions of an application-specific integrated circuit. Thus, the exemplary process flow is applicable to software, firmware, and hardware implementations.
  • FIG. 1 is a logical block diagram of a system 100 according to an example embodiment. The system 100 is an environment within which an acceptable level of service may be sustained in the face of a potential attack, such as a DDoS, and the potential attack may be contained with minimum impact to legitimate service. As a result, a managed window of time within which a potential, or suspected, attack may be evaluated to determine if an attack is actually taking place. This window of time enables detection algorithms to examine a larger and more optimal set of data, such as from increased demand, which decreases the likelihood of false positives and consequent over reaction.
  • The system 100 includes a requests 102 being received over a network 104, such as the Internet. The requests 102 are funneled over the network 104 to a first network device or appliance of an organization, such as a load balancer 106. This device forwards received requests to a firewall 110.
  • The firewall 110 in some embodiments, is a standalone network appliance-type device. The firewall 110 may be part of load balancer 106, instantiated within a virtual machine or virtual machine monitor operating on a server 108, or a process on another computing device. The firewall 110 as included in the example system 100 is instantiated as a virtual machine monitor on a server 108 which may also include one or more web servers 112 instantiated within virtual machines.
  • The firewall 110 includes a traffic classification engine. In some embodiments, the traffic classification engine performs preliminary filtering on all incoming traffic based on usage rules. Some usage rules may specify that request from a particular IP address or other source identifier are trusted requests. Other usage rules may specify a thermometer threshold for identical or similar requests over a period. If such as thermometer threshold is reached or exceeded, such requests may be classified by the traffic classification engine as suspect requests that may be part of an attack, such as a DDoS. In some such embodiments, if higher than normal requests are detected, for example, the same type of web access requests are arriving approximately at the same time, the traffic classification engine, as instructed by a usage rule may distribute the abnormal requests to distributed virtual machines 124 that may be instantiated on one or more servers 122 across a trusted network 120. The trusted network 120 may be, in various embodiments, a virtual machine overlay, a local area network subnet, a virtual local area network, or other similar network type. Other requests not classified as part of a suspected attack may be serviced normally, such as by web servers 112 of one or more virtual machines of the server 108, another server 114, or other web servers available over a network.
  • In some embodiments, to service suspected attack requests, one or more web servers 124 may be instantiated on demand on one or more servers of the trusted network 120. As demand for resources of a suspected attack increase, more web servers 124 may be instantiated on demand until the attack is verified as an attack by detection algorithms, such as attack analytic processes or other processes.
  • As demand of suspected attacks increases, a saturation point may be reached where the resources of the trusted network 120 may not keep up with the demand. In such instances, the traffic classification engine may take one or more actions. These actions may include one or more of silently disregarding suspect requests, deflecting abnormal, suspect traffic to a virtual local area network to help detection, or continue to distribute traffic load to virtual machines that may be instantiated in other locations if resources are available.
  • If an attack is verified as an attack, the traffic classification engine may just ignore subsequently received requests. If a suspect attack is determined not to be an attack, subsequent requests may be handled by normal load balancing techniques and the web servers instantiated to handle the suspect attacks may be destroyed to free up servers 122 to handle other or future suspect attacks.
  • The system 100 provides many advantages. Some such advantages include avoidance of “hard” problems such as ingress filtering at network firewalls and tracing back to attackers while allowing adaptive load distribution based on diagnostics in the traffic classification engine and other processes that may receive traffic data from the traffic classification to perform analytics on the traffic data to determine if suspect requests are in fact, or assumed to be, an actual attack, such as a DDoS. Such embodiments also provide increased abilities to sustain system 100 operability in the face of an attack to buy critical time for attack detection and countermeasure identification through distributed virtualization across a trusted network. This may allow dynamic utilization of unused or underused resources. Further, through maintaining system 100 operability in the face of an attack, more time is available to minimize false positives in traffic classification to maintain user experience throughout a window of a temporal attack. Some embodiments further are able to ensure quality of service, such as to meet service level agreements/objectives in the face of an attack, which typically may not be achieved with simple network traffic load balancing approaches. Additional, through use of virtual machines and virtual local area networks, suspect requests may be segregated to help ensure system 100 security and enable workload distribution.
  • FIG. 2 is a time-demand graph depicting a grace period for detection of a network attack. As mentioned above, various embodiments, when faced with a potential attack, provide a grace period within which potential attacks may be evaluated while operability is maintained. For example as the traffic classification engine as described above, evaluates requests, suspect requests are processed separately, such as through the use of web servers on virtual machines over a trusted network. The trusted network and virtual machines are segregated from other system resources so as not to affect system performance in servicing non-suspect requests.
  • As demand for a resource increases over time, a threshold may be reached. For example, 500 requests for a seldom requested resource may be received within one minute. Such requests may be classified by the traffic classification engine as suspect requests of a potential attack. The traffic classification engine may then instantiate one or more web servers, depending on the level of demand of an available resource, on one or more virtual machines over a virtual local area network. This grey portion of FIG. 2 has now been entered. This may be thought of as a grace period where the suspect requests will be handled as best as possible in view of the available resources. If necessary, and resources are available, the traffic classification engine may cause more web servers to be instantiated on the virtual machines.
  • During the grace period, the traffic classification engine may continue to feed demand data to one or more analytical processes which operate on the data to identify whether or not the suspect requests are part of an attack. The grace period allows demand to be met, at least as best as system resources allow, while the analytical processes execute. During this grace period, the suspect requests are segregated from other portions of the system. Thus, non-suspect requests are serviced in a normal fashion. Processing of the segregated, suspect requests does not affect the processing of non-suspect requests.
  • The grace period ends when the one or more analytic processes resolve the demand data to identify the requests as part of an attack or normal increased demand. FIG. 2 illustrates a scenario where the suspect requests are part of an attack. In such a scenario, the analytic processes may communicate the identification of an attack to the traffic classification engine at which time future requests determined to be part of the attack may simply be quietly ignored. Thus, at the end of the grace period, demand falls off drastically.
  • FIG. 3 is a flow diagram of a method 300 according to an example embodiment. The method 300 is a method which may be performed by a traffic classification engine.
  • Consider when a DDoS attack is launched to a certain universal resource locator (“URL”), the first perception by the web server is a sudden increase in application requests, which is abnormal but at that moment the nature of the increase is unknown. It may be just legitimate traffic or it may be an attack. The approach of the method 300 is to utilize an edge piece of a web servicing environment, such as a traffic classification engine in a firewall, contain bandwidth usage within a virtual machine or virtualized network, provide a control point for the analysis, and support business service quality of service during detection, analysis, and response. The approach also defines and isolates the locus for remedial action if required. More detail of such an embodiment is illustrated in the method 300.
  • The method 300 includes receiving incoming requests 302 and determining 304 if the requests are abnormal. If the requests are not abnormal, the method 300 includes applying normal load balancing rules 306 and the method ends 324. However, if it is determined 304 that a request is abnormal, a further determination is made to determine 308 if a request threshold has been reached, such as a number of requests for a specific URL over a certain period.
  • If the threshold has been reached, a determination 314 is made if an attack has been previously detected or diagnosed that is applicable to the current request. If yes, corresponding actions as specified by an analytic process are taken 316 and the method 300 ends 324.
  • If an attack has not been detected or diagnosed, another determination is made as to whether a segregated network, such as a virtual local area network, is available to sustain processing of continued requests for the resource 318. If not, future requests for the resource are disregarded 322 and the method 300 ends 324. If a segregated network and resources thereon are available to service the current abnormal request, the request is redirected to the segregated network and resources and the method 300 ends 324.
  • Returning back to the determination 308 if a request threshold has not been reached, a determination 310 is made as to whether request saturation for the abnormal request has been reached. For example, if the number of requests exceed the processing capabilities available, that is the request has not reached saturation, such as on a local virtual machine, the request may be redirected 312 to a distributed virtual machine web server, such as within an underutilized server. That server may then determine 308 if a request threshold has been reached. The method 300 continues in an identical fashion from that point until the request is either serviced, disregarded, or otherwise times out.
  • FIG. 4 is a block flow diagram of method 400 according to an example embodiment. The example method 400 includes receiving a request over a network for a network resource 402 and applying one or more attack detection rules to the received request 404. The method 400 further includes ignoring the request if the request is part of a detected attack 406 or segregating the request to a virtual local area network if the request is suspected to be part of an attack 408. The method 400 then services the request from the virtual local area network utilizing resources segregated to the virtual local area network 410.
  • In some embodiments of the method 400, the resources segregated to the virtual local area network 408 include one or more virtual machines instantiated on demand as needed to service requests suspected to be a part of one or more identified potential attacks. Each of the one or more virtual machines may include a server process operating within the virtual machine to service requests.
  • In some embodiments, an attack detection rule may include a threshold level, which when reached, causes requests to be classified as part of a specific suspected attack and an action rule, the application of which specifies how to handle requests classified as part of the specific suspected attack. In some embodiments, if a number of requests for a particular network resource reaches a saturation point, subsequent requests for the particular network resource are ignored. The saturation point may be a number of requests the virtual local area network is able to service over a particular period.
  • It is emphasized that the Abstract is provided to comply with 37 C.F.R. §1.72(b) requiring an Abstract that will allow the reader to quickly ascertain the nature and gist of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.
  • In the foregoing Detailed Description, various features are grouped together in a single embodiment to streamline the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the inventive subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment.
  • These embodiments, and others, may be implemented in virtually any networked environment including servers that serve content to requestors. One such networked environment may include a web server farm environment.
  • It will be readily understood to those skilled in the art that various other changes in the details, material, and arrangements of the parts and method stages which have been described and illustrated in order to explain the nature of the inventive subject matter may be made without departing from the principles and scope of the inventive subject matter as expressed in the subjoined claims.

Claims (25)

1-15. (canceled)
16. At least one machine readable medium including instructions that, when executed by a machine, cause the machine to perform operations comprising:
receiving a network request that is suspected to be part of an attack on a network, the network request directed to a first resource available on the network;
intercepting the network request in response to the network request being part of the attack and routing the request to a virtual local area network; and
servicing the network request from a second resource available on the virtual local area network.
17. The machine readable medium of claim 16, wherein servicing the network request from the second resource includes instantiating a virtual machine on the virtual local area network to service the network request.
18. The machine readable medium of claim 17, wherein the virtual machine is instantiated in response to a first network request corresponding to the suspected attack, the network request being one of a plurality of network requests that correspond to the suspected attack.
19. The machine readable medium of claim 16, wherein the network request is one of a plurality of requests that correspond to the suspected network attack, the plurality of requests related via application of an attack detection rule.
20. The machine readable medium of claim 19, wherein the suspected attack begins with the first request of the plurality of requests and persists through a predetermined time period.
21. The machine readable medium of claim 20, comprising performing additional attack analysis during the predetermined time period on requests in the plurality of requests received during the predetermined time period.
22. The machine readable medium of claim 21, comprising denying requests of the plurality of requests when the additional attack analysis indicates that the suspected attack is an actual attack and allowing requests to the first resource otherwise.
23. The machine readable medium of claim 16, wherein the second resource includes a saturation constraint, and wherein additional requests beyond the saturation constraint are ignored.
24. A system for serving suspect network requests, the system comprising:
a first network interface arranged to receive a network request that is suspected to be part of an attack on a network, the network request directed to a first resource available on the network;
a classifier to intercept the network request in response to the network request being part of the attack and routing the request to a virtual local area network; and
a second network interface to service the network request from a second resource available on the virtual local area network.
25. The system of claim 24, comprising partitionable hardware resources, wherein to service the network request from the second resource includes the classifier to instantiate a virtual machine on the virtual local area network by the partitionable hardware resources to service the network request.
26. The system of claim 25, wherein the virtual machine is instantiated in response to a first network request corresponding to the suspected attack, the network request being one of a plurality of network requests that correspond to the suspected attack.
27. The system of claim 24, wherein the network request is one of a plurality of requests that correspond to the suspected network attack, the plurality of requests related via application of an attack detection rule.
28. The system of claim 27, wherein the suspected attack begins with the first request of the plurality of requests and persists through a predetermined time period.
29. The system of claim 28, comprising an attack analytic processor to perform additional attack analysis during the predetermined time period on requests in the plurality of requests received during the predetermined time period.
30. The system of claim 29, wherein the classifier is to deny requests of the plurality of requests when the additional attack analysis indicates that the suspected attack is an actual attack and allowing requests to the first resource otherwise.
31. The system of claim 24, wherein the second resource includes a saturation constraint, and wherein additional requests beyond the saturation constraint are ignored.
32. A method for serving suspect network requests, the method comprising:
receiving a network request that is suspected to be part of an attack on a network, the network request directed to a first resource available on the network;
intercepting the network request in response to the network request being part of the attack and routing the request to a virtual local area network; and
servicing the network request from a second resource available on the virtual local area network.
33. The method of claim 32, wherein servicing the network request from the second resource includes instantiating a virtual machine on the virtual local area network to service the network request.
34. The method of claim 33, wherein the virtual machine is instantiated in response to a first network request corresponding to the suspected attack, the network request being one of a plurality of network requests that correspond to the suspected attack.
35. The method of claim 32, wherein the network request is one of a plurality of requests that correspond to the suspected network attack, the plurality of requests related via application of an attack detection rule.
36. The method of claim 35, wherein the suspected attack begins with the first request of the plurality of requests and persists through a predetermined time period.
37. The method of claim 36, comprising performing additional attack analysis during the predetermined time period on requests in the plurality of requests received during the predetermined time period.
38. The method of claim 37, comprising denying requests of the plurality of requests when the additional attack analysis indicates that the suspected attack is an actual attack and allowing requests to the first resource otherwise.
39. The method of claim 32, wherein the second resource includes a saturation constraint, and wherein additional requests beyond the saturation constraint are ignored.
US14/803,987 2007-09-19 2015-07-20 Proactive network attack demand management Abandoned US20160021137A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/803,987 US20160021137A1 (en) 2007-09-19 2015-07-20 Proactive network attack demand management

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/857,709 US9088605B2 (en) 2007-09-19 2007-09-19 Proactive network attack demand management
US14/803,987 US20160021137A1 (en) 2007-09-19 2015-07-20 Proactive network attack demand management

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/857,709 Continuation US9088605B2 (en) 2007-09-19 2007-09-19 Proactive network attack demand management

Publications (1)

Publication Number Publication Date
US20160021137A1 true US20160021137A1 (en) 2016-01-21

Family

ID=40455999

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/857,709 Expired - Fee Related US9088605B2 (en) 2007-09-19 2007-09-19 Proactive network attack demand management
US14/803,987 Abandoned US20160021137A1 (en) 2007-09-19 2015-07-20 Proactive network attack demand management

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US11/857,709 Expired - Fee Related US9088605B2 (en) 2007-09-19 2007-09-19 Proactive network attack demand management

Country Status (1)

Country Link
US (2) US9088605B2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10764323B1 (en) * 2015-12-21 2020-09-01 Amdocs Development Limited System, method, and computer program for isolating services of a communication network in response to a distributed denial of service (DDoS) attack

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101061375B1 (en) * 2009-11-02 2011-09-02 한국인터넷진흥원 JR type based DDoS attack detection and response device
WO2013048111A2 (en) * 2011-09-26 2013-04-04 인텔렉추얼디스커버리 주식회사 Method and apparatus for detecting an intrusion on a cloud computing service
EP2592806A1 (en) * 2011-11-10 2013-05-15 Alcatel-Lucent Deutschland AG Method of identifying a distributed infrastructure attack in a highly distributed cloud
CN104247332B (en) * 2012-02-20 2017-10-17 维图斯瑞姆Ip控股公司 Handle the method and system of the flow on the communication between virtual machine and network
US20130291107A1 (en) * 2012-04-27 2013-10-31 The Irc Company, Inc. System and Method for Mitigating Application Layer Distributed Denial of Service Attacks Using Human Behavior Analysis
US9197653B2 (en) * 2012-06-05 2015-11-24 Empire Technology Development Llc Cross-user correlation for detecting server-side multi-target intrusion
US8925084B2 (en) * 2012-10-26 2014-12-30 Cisco Technology, Inc. Denial-of-service attack protection
US9680708B2 (en) 2014-03-14 2017-06-13 Veritas Technologies Method and apparatus for cloud resource delivery
US20150341377A1 (en) * 2014-03-14 2015-11-26 Avni Networks Inc. Method and apparatus to provide real-time cloud security
US9712546B2 (en) 2014-09-12 2017-07-18 Level 3 Communications, Llc Dynamic configuration of settings in response to DDOS attack
US9769203B2 (en) 2014-09-22 2017-09-19 Sap Se Methods, systems, and apparatus for mitigating network-based attacks
US9798567B2 (en) 2014-11-25 2017-10-24 The Research Foundation For The State University Of New York Multi-hypervisor virtual machines
US9485273B2 (en) * 2014-12-09 2016-11-01 At&T Intellectual Property I, L.P. System and method to diffuse denial-of-service attacks using virtual machines
CN106411828B (en) * 2015-08-03 2019-06-28 阿里巴巴集团控股有限公司 The method, apparatus and system of quantization defence result
US10432650B2 (en) 2016-03-31 2019-10-01 Stuart Staniford System and method to protect a webserver against application exploits and attacks
US11102238B2 (en) * 2016-04-22 2021-08-24 Sophos Limited Detecting triggering events for distributed denial of service attacks
US11016798B2 (en) 2018-06-01 2021-05-25 The Research Foundation for the State University Multi-hypervisor virtual machines that run on multiple co-located hypervisors
CN110098951A (en) * 2019-03-04 2019-08-06 西安电子科技大学 A kind of network-combination yarn virtual emulation based on virtualization technology and safety evaluation method and system
US20210306359A1 (en) * 2020-03-28 2021-09-30 Dell Products L.P. Intelligent detection and prevention of anomalies in interface protocols
US20220046036A1 (en) * 2020-08-04 2022-02-10 Oracle International Corporation Mirage Instance of a Database Server

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6430617B1 (en) * 1999-03-22 2002-08-06 Hewlett-Packard Co. Methods and systems for dynamic measurement of a system's ability to support data collection by network management system applications
US6912221B1 (en) * 1999-01-15 2005-06-28 Cisco Technology, Inc. Method of providing network services
US20050190788A1 (en) * 2004-02-27 2005-09-01 Wong Yu-Man M. System and method for VLAN multiplexing
US7043730B2 (en) * 2002-08-29 2006-05-09 Hewlett-Packard Development Company, L.P. System and method for demand oriented network resource management
US20070157306A1 (en) * 2005-12-30 2007-07-05 Elrod Craig T Network threat detection and mitigation
US20070168512A1 (en) * 2002-04-29 2007-07-19 Microsoft Corporation Peer-to-peer name resolution protocol (PNRP) security infrastructure and method
US20080127335A1 (en) * 2006-09-18 2008-05-29 Alcatel System and method of securely processing lawfully intercepted network traffic
US7693158B1 (en) * 2003-12-22 2010-04-06 Extreme Networks, Inc. Methods and systems for selectively processing virtual local area network (VLAN) traffic from different networks while allowing flexible VLAN identifier assignment
US20100223669A1 (en) * 2004-05-12 2010-09-02 Vincent Vermeulen Automated Containment Of Network Intruder
US20120089663A1 (en) * 2006-12-29 2012-04-12 Jeff Sedayao Apparatus for end-user transparent utilization of computational, storage, and network capacity of mobile devices, and associated methods
US20120204263A1 (en) * 2005-06-14 2012-08-09 Premkumar Jonnala Method and apparatus for preventing dos attacks on trunk interfaces
US20150052248A1 (en) * 2003-12-10 2015-02-19 Sonicwall, Inc. Rule-based routing to resources through a network

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7080378B1 (en) * 2002-05-17 2006-07-18 Storage Technology Corporation Workload balancing using dynamically allocated virtual servers
US20040054925A1 (en) * 2002-09-13 2004-03-18 Cyber Operations, Llc System and method for detecting and countering a network attack
US7831693B2 (en) * 2003-08-18 2010-11-09 Oracle America, Inc. Structured methodology and design patterns for web services
US7526807B2 (en) * 2003-11-26 2009-04-28 Alcatel-Lucent Usa Inc. Distributed architecture for statistical overload control against distributed denial of service attacks
US7774849B2 (en) * 2005-04-15 2010-08-10 Tekelec Methods, systems, and computer program products for detecting and mitigating denial of service attacks in a telecommunications signaling network
US8855143B1 (en) * 2005-04-21 2014-10-07 Joseph Acampora Bandwidth saving system and method for communicating self describing messages over a network
US7757283B2 (en) * 2005-07-08 2010-07-13 Alcatel Lucent System and method for detecting abnormal traffic based on early notification
US8296846B2 (en) * 2005-08-19 2012-10-23 Cpacket Networks, Inc. Apparatus and method for associating categorization information with network traffic to facilitate application level processing
US7760641B2 (en) * 2006-07-10 2010-07-20 International Business Machines Corporation Distributed traffic shaping across a cluster
US8185893B2 (en) * 2006-10-27 2012-05-22 Hewlett-Packard Development Company, L.P. Starting up at least one virtual machine in a physical machine by a load balancer

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6912221B1 (en) * 1999-01-15 2005-06-28 Cisco Technology, Inc. Method of providing network services
US6430617B1 (en) * 1999-03-22 2002-08-06 Hewlett-Packard Co. Methods and systems for dynamic measurement of a system's ability to support data collection by network management system applications
US20070168512A1 (en) * 2002-04-29 2007-07-19 Microsoft Corporation Peer-to-peer name resolution protocol (PNRP) security infrastructure and method
US7043730B2 (en) * 2002-08-29 2006-05-09 Hewlett-Packard Development Company, L.P. System and method for demand oriented network resource management
US20150052248A1 (en) * 2003-12-10 2015-02-19 Sonicwall, Inc. Rule-based routing to resources through a network
US7693158B1 (en) * 2003-12-22 2010-04-06 Extreme Networks, Inc. Methods and systems for selectively processing virtual local area network (VLAN) traffic from different networks while allowing flexible VLAN identifier assignment
US20050190788A1 (en) * 2004-02-27 2005-09-01 Wong Yu-Man M. System and method for VLAN multiplexing
US20100223669A1 (en) * 2004-05-12 2010-09-02 Vincent Vermeulen Automated Containment Of Network Intruder
US9185129B2 (en) * 2005-06-14 2015-11-10 Cisco Technology, Inc. Method and apparatus for preventing DOS attacks on trunk interfaces
US20120204263A1 (en) * 2005-06-14 2012-08-09 Premkumar Jonnala Method and apparatus for preventing dos attacks on trunk interfaces
US20070157306A1 (en) * 2005-12-30 2007-07-05 Elrod Craig T Network threat detection and mitigation
US20120311664A1 (en) * 2005-12-30 2012-12-06 Elrod Craig T Network threat detection and mitigation
US20080127335A1 (en) * 2006-09-18 2008-05-29 Alcatel System and method of securely processing lawfully intercepted network traffic
US20120089663A1 (en) * 2006-12-29 2012-04-12 Jeff Sedayao Apparatus for end-user transparent utilization of computational, storage, and network capacity of mobile devices, and associated methods

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10764323B1 (en) * 2015-12-21 2020-09-01 Amdocs Development Limited System, method, and computer program for isolating services of a communication network in response to a distributed denial of service (DDoS) attack

Also Published As

Publication number Publication date
US9088605B2 (en) 2015-07-21
US20090077632A1 (en) 2009-03-19

Similar Documents

Publication Publication Date Title
US9088605B2 (en) Proactive network attack demand management
US11082436B1 (en) System and method for offloading packet processing and static analysis operations
US11281485B2 (en) Extended context delivery for context-based authorization
US9130977B2 (en) Techniques for separating the processing of clients' traffic to different zones
CN109716729B (en) Dynamic load-based automatic scaling network security microservice method and device
EP3127301B1 (en) Using trust profiles for network breach detection
US7540028B2 (en) Dynamic network security apparatus and methods or network processors
EP3075129B1 (en) System for protection against ddos attacks
US8621610B2 (en) Network service for the detection, analysis and quarantine of malicious and unwanted files
US8079030B1 (en) Detecting stealth network communications
US20130074181A1 (en) Auto Migration of Services Within a Virtual Data Center
US9548990B2 (en) Detecting a heap spray attack
JP2019021294A (en) SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS
US20160269443A1 (en) Exploit detection based on heap spray detection
US20070289014A1 (en) Network security device and method for processing packet data using the same
CN110012033B (en) Data transmission method, system and related components
EP3243313B1 (en) System and method for monitoring a computer system using machine interpretable code
TWI764618B (en) Cyber security protection system and related proactive suspicious domain alert system
Tupakula et al. Dynamic state-based security architecture for detecting security attacks in virtual machines
US20230153270A1 (en) Data criticality-based network policy creation and consumption
US20230231857A1 (en) Deep learning pipeline to detect malicious command and control traffic
Watanabe et al. HTTP-GET Flood Prevention Method by Dynamically Controlling Multiple Types of Virtual Machine Resources
AU2008348253A1 (en) Method and system for controlling a computer application program

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION