196 results about "Flooding attack" patented technology

A system and method to detect and mitigate denial of service and distributed denial of service HTTP “page” flood attacks. Detection of attack/anomaly is made according to multiple traffic parameters including rate-based and rate-invariant parameters in both traffic directions. Prevention is done according to HTTP traffic parameters that are analyzed once a traffic anomaly is detected. This protection includes a differential adaptive mechanism that tunes the sensitivity of the anomaly detection engine. The decision engine is based on a combination between fuzzy logic inference systems and statistical thresholds. A “trap buffer” characterizes the attack to allow an accurate mitigation according to the source IP(s) and the HTTP request URL's that are used as part of the attack. Mitigation is controlled through a feedback mechanism that tunes the level of rate limit factors that are needed in order to mitigate the attack effectively while letting legitimate traffic to pass.

A method for operating a firewall includes: in response to the firewall receiving a TCP SYN request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“seq”), sending to the second node a SYN|ACK packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“ack_seq”), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet's seq+1; and in response to the firewall receiving a TCP RST packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection.

Detecting and protecting against denial of service flooding attacks that are initiated against an end system on a computer network. In accordance with one aspect of the invention, a filter is established at a network location. The filter prevents data packets received at a first network location and deemed responsible for the denial of service flooding condition from being forwarded to a subsequent network location. Data packets received at the first network location are then monitored to determine whether the flow of any data packets from a network source exhibit a legitimate behavior, such as where the flow of data packets exhibits a backoff behavior. The filter is then modified to permit data packets that exhibit legitimate behavior to pass through the filter.

Method and apparatus for deflecting connection flooding attacks. Specifically, the stateful firewall allows all connection attempts to flow into the destination host, but monitors the connection attempts to ensure that only legitimate connections are allowed. If the firewall detects that a connection is half-open for longer than a certain timer threshold, it will instruct the destination host to tear down the half-open connection, thereby freeing up resources in the destination host for other connection attempts. The timer threshold can be dynamically adjusted if a connection flooding attack is detected.

An apparatus for preventing network attacks includes: a packet buffer for storing received packets from a network; a filtering unit for filtering harmful packets based on a result of comparison between information of the received packets and preset filtering information to select a first filtering target packet; an SYN cookie handler for selecting a second filtering target packet using an SYN cookie if it is determined that there is a TCP SYN flooding attack based on the information of the received packets after said filtering; and a session manager for selecting a third filtering target packet through session management if there is a TCP flag flooding attack based on the information of the received packets after said filtering. The apparatus further includes a packet transmission and receipt processing method and apparatus using above.

A server is configured for preventing flood attacks by a client having sent a request, by dynamically generating a challenge to be performed by the client before the server will perform any work for the client. The challenge includes a dynamically generated computational request and a dynamically generated secure cookie. The server generates a first hash result based on hashing a first random number, having a prescribed length, with a second random number having a dynamically selected length. A secure cookie is generated based on hashing the first hash result with a prescribed secure key known only by the server, and a unique identifier for the request such as the client network address with a time stamp. The challenge requires the client to determine the second random number based on the first random number and the hash result. The server validates the challenge results using the secure cookie.

A system and method to detect and mitigate denial of service and distributed denial of service HTTP “page” flood attacks. Detection of attack/anomaly is made according to multiple traffic parameters including rate-based and rate-invariant parameters in both traffic directions. Prevention is done according to HTTP traffic parameters that are analyzed once a traffic anomaly is detected. This protection includes a differential adaptive mechanism that tunes the sensitivity of the anomaly detection engine. The decision engine is based on a combination between fuzzy logic inference systems and statistical thresholds. A “trap buffer” characterizes the attack to allow an accurate mitigation according to the source IP(s) and the HTTP request URL's that are used as part of the attack. Mitigation is controlled through a feedback mechanism that tunes the level of rate limit factors that are needed in order to mitigate the attack effectively while letting legitimate traffic to pass.

The invention relates to a method for defending a syn flooding attack, which is realized based on netfilter and syn-cookie. In the method, a netfilter is set in a gateway, and the authenticity of a syn packet can be authenticated by syn-cookie mechanism, and a syn request passing the authentication can be released, while the request which does not pass the authentication is intercepted.

The present invention provides a method for avoiding the DNS query message flood attack and a device thereof. The method comprises the following steps: receiving a DNS query message borne by UDP transmitted from a DNS client by a DNS server; transmitting a DNS response message by the DNS server to the DNS client, and marking the TC and AA in the DNS response message to a position 1; and when the DNS server receives the TCP SYN message transmitted by the DNS client in a prearranged time, detecting the validity of the DNS client through a TCP cookie mode. According to the invention, the flood attack of the DNS query message borne by the UDP can be effectively avoided.

A method for monitoring and processing domain name system (DNS) query traffic includes: monitoring DNS query traffic in each time slot during a monitoring period comprised of n number of time slots; extracting traffic information during the monitoring period by using the DNS query traffic monitored in said each time slot; and analyzing the extracted traffic information to detect a DNS traffic flooding attack.

A connection request verification based method for defending SYN-flooding attack contains sending SYNY to user end package as server end receiving user end SYNY package, when server end receiving SYNX/ACKY+1 package from user end, obtaining certification identification information from affirmation sequence number of said package to verifying, when it is effective TCP connection request, obtaining connection state information and setting TCP connection, sending back ACKX+1 package to user end, as user receiving said package the TCP connection is completed, when it is effective TCP connection request, the SYNX/ACKY+1 is dropped, which effectively defends the SYN-flooding attack using a lot of ineffective TCP connection request of pretended source address to use up system resource.

Disclosed herein is a Transmission Control Protocol (TCP) flooding attack prevention method. The TCP flooding attack prevention method includes identifying the type of a packet received at an intermediate stage between a client and a server; determining the direction of the packet; defining a plurality of session states based on the type and the direction of the packet; detecting a TCP flooding attack by tracking the session states for each flow; and responding to the TCP flooding attack based on the type of the TCP flooding attack.

The present invention discloses a DHCP attack protecting method and a client device. In the method and client device provided by the invention, the client can prevent the DHCP attach without the matching of service end device. The method is executed from each client of internal network and ensures that each internal network client is not used as an attack source for attacking the DHCP server. Simultaneously the invention also can be matched with the management server end for inquiring the suspected attack source and processing the attach source according to a corresponding safety processing strategy. The operations of warning, reminding the user for virus killing, etc. can be provided to the user. The DHCP flooding attack is effectively prevented and the IP address attack is refused.

The invention discloses a method and a system for a domain name resolution server to resist the flooding attack of DNS (Domain Name System) request messages, which can effectively resist the flooding attacks of the DNS request messages, protect the domain name resolution server, and ensure the normal operation of domain name resolution. In the technical scheme, the method comprises the steps of: combining a plurality of domain name resolution servers into a server cluster which shares one IP address; timely monitoring the service parameters and the cluster service availability of all the domain name resolution servers by a monitoring server, and reporting the service parameters and the cluster service availability to a control server; determining whether attacks exist or not by the control server according to the collected service parameters and cluster service availability of the domain name resolution server; if so, adjusting the domain name resolution server and notifying a refreshing server; and refreshing the domain name resolution server information cached by a public network domain name server by the refreshing server so as to ensure that the adjustment of the domain name resolution server takes effect.

The invention prevents server overload and possible server crippling due to a flooding of connect requests caused by intentional attack or otherwise. In response to a connection request from a host for a specified port, the number of connections to the port that are assigned to the host are determined. If this number exceeds a first threshold, the request is denied. It is possible to override this denial if a quality of service parameter pertaining to the host permits such an override. However, if the number of available connections to the port is less than a second threshold, the connection request is denied in any event.

The invention discloses a method for defensing a transmission control protocol synchronous flooding attack and a transmission control protocol agent. The method comprises that: FPGA on a TCP agent and a client perform TCP three-way handshake to verify the legality of the client; after the client passes the legality verification, a software module on the TCP agent begins establishing TCP connection between the client and a server, and transmits a session table to the FPGA; and the FPGA forwards data messages interacted between the client and the server according to the session table. The method improves the effect of defensing the TCP synchronous flooding attack.

The invention discloses a network attack processing method and device. The method comprises the following steps: collecting data packet information in data stream; analyzing the data packet information to obtain attack detection dimension data and packet characteristic dimension data; comparing the attack detection dimension data and the packet characteristic dimension data with preset/learnt data to judge whether the attack detection dimension data and the packet characteristic dimension data are abnormal; when the judgment result is positive, reporting an abnormal event, and detecting whether the packet characteristic dimension data have abnormal characteristics according to the preset/learnt data; when the judgment result is negative, matching a corresponding easing scheme according to the packet characteristic dimension data; and executing the easing scheme. The network attack processing method and device disclosed by the invention are used for solving the technical problems in the prior art that the accidental damage to a data packet with normal flow in a flooding attack easing process is large, the attach confirmation precision is low and large system resources are consumed for preventing flooding attacks.

The invention relates to an increment deployment SDN network-based method for defending a link flooding attack. A node upgrade algorithm is utilized to pick out routers that need to be upgraded into software-defined network function nodes and the routers are upgraded; when congestion occurs in a network, a congestion link is positioned through the software-defined network function nodes deployed in the network; congestion link information of the whole network is collected, and on this basis, whether current network congestion forms a link flooding attack is judged; and if the link flooding attach is formed, global flow engineering is started to balance flow of the whole network, otherwise, the congestion link is relieved through backup of a path. According to the increment deployment SDN network-based method for defending a link flooding attack, in a traditional network, a small quantity of nodes are upgraded into software-defined network function nodes, the link flooding attack is detected, a link group that is attacked is positioned, and link flow of the whole network is balanced through centralized control flow engineering, so that the root of a link flooding attack is eliminated, thereby effectively defending the link flooding attack.

Provided is a method for responding a distributed denial of service (DDoS) attack using deterministic pushback scheme. In the method, all of packets outbound from an edge router of a predetermined network system to the other network system are marked with own IP address in order to enable a victim system to confirm an IP address of an attack source edge router for DDoS attack packets. Then, IP address information of an attack source edge router is obtained by reassembling an IP address of detected DDoS attack packets at a victim system that detects DDoS attack. A deterministic pushback message is received at an attack source edge router if a victim system transmits a deterministic pushback message to the attack source edge router, information of the attack source edge router is confirmed, and corresponding attack packets are filtered.

The disclosed scheme is a scheme for defending DoS/DdoS attack actively. Tracing attack source, the invention restrains attacks from source. Tracing to source of attack provides evidence for investigating liability of attacker further. Researching on algorithm, the invention strengthens own security from algorithm self, and enhances interference immunity of the algorithm. Probability method for selecting marker is adopted in the scheme instead of original fixing probability method for each route forwarding node so as to optimize capability when attack route is reconstructed.

One embodiment of the present invention provides a system for mitigating interest flooding attacks in content-centric networks (CCNs). During operation, the system receives, at a physical interface of a router, an interest packet; obtains current interest satisfaction statistics associated with the physical interface; and determines whether to forward or drop the interest packet based on the current interest satisfaction statistics.

The invention discloses a firewall of a vehicle-mounted information system of an automobile. According to the firewall, a hardware platform is composed of a smart phone or a smart terminal connected with an external network. The firewall is an APP installed in the smart phone or the smart terminal. The firewall is the unique entry/exit for connecting the vehicle-mounted information system and the external network. Data enters a gateway in the automobile after passing through an ELM327 connected with the smart phone or terminal and then passing through an OBD-II connected with the ELC327. The data is forwarded to different intra-automobile buses by the gateway according to the features of the data. Finally the data enters corresponding ECUs for execution. The illegal data is filtered by security rules of the firewall and then is discarded. The firewall of the vehicle-mounted information system of the automobile comprises the ELM327, the OBD-II, the gateway, the ECUs and the firewall APP. According to the system, a flooding attack can be prevented and a service attack can be rejected through statistical rules; and a replay attack can be prevented through address filtration.

The embodiment of the invention provides a flood attack prevention method comprising the following steps of: carrying out CAR (Committed Access Rate) limitation on messages sent to different IP addresses, and respectively arranging CAR channels; and carrying out Hash processing on messages sent by all IP addresses based on IP addresses. The embodiment also provides a flood attack prevention device comprising a CAR limitation unit and a Hash processing unit based on IP addresses. According to the embodiment, normal flow messages can be separated from attach flow messages, so that the attach flow messages are filtered by the CAR channels due to large flow rate, and the normal flow messages are sent to a CPU to be processed through the CAR channels. The normal business running of attached equipment is ensured.