Title Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation
Abstract Methods and systems for an integrated solution to flow collection for the determination of rate-based DoS attacks targeting ISP infrastructure are provided. According to one embodiment, a method of mitigating DDoS attacks is provided. Information regarding at least one destination within a network for which a distributed denial of service (DDoS) attack status is to be monitored is received by a DDoS attack detection module coupled with a flow controller via a bus. The DDoS attack status is determined for the at least one destination based on the information regarding the at least one destination. When a DDoS attack is detected, the flow controller is notified of the DDoS attack status for the at least one destination by the DDoS attack detection module. Responsive thereto, the flow controller directs a route reflector to divert traffic destined for the at least one destination to a DDoS attack mitigation appliance within the network.
Publication number US9276955(B1) Publication date 2016.03.01
Application number US201514665523 Filing date 2015.03.23
Applicant Fortinet, Inc. Inventor Jain Hemant Kumar
Classification H04L29/06 Main classification H04L29/06
Agency Hamilton, DeSanctis & Cha LLP Agent Hamilton, DeSanctis & Cha LLP
Independent claim 1. A system for mitigating rate-based distributed denial of service (DDoS) attacks, the system comprising: a flow controller; and a hardware module coupled to the flow controller via a host interface, including: a flow packet interface through which flow statistics packets are received from one or more routers within a network; a packet interface, coupled to the flow packet interface, configured to receive and buffer the flow statistics packets; a packet processing module, coupled to the packet interface, configured to (i) determine a DDoS attack status of at least one monitored destination coupled to or within the network based on information regarding the flow statistics packets, (ii) parse the flow statistics packets, (iii) derive a plurality of granular traffic rates and (iv) determine the DoS attack status of the at least one monitored destination based on the derived granular traffic rates and associated thresholds; wherein the packet processing module comprises: a layer 2 classifier module that is configured to parse the flow statistics packets at layer 2 and validate Ethernet frames; a layer 3 classifier module that is configured to parse the flow statistics packets at layer 3 and validate Internet Protocol (IP) version 4 (IPv4) and IP version 6 (IPv6) packets; a layer 4 classifier module that is configured to parse the flow statistics packets at layer 4 and validate Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets; a layer 7 classifier module that is configured to parse the flow statistics packets at layer 7 and validate protocol data units associated with one or more flow statistics protocols; wherein a rate anomaly meter module within the layer 3 rate anomaly module, the layer 4 rate anomaly module and the layer 7 rate anomaly module further comprises a metering module configured to derive relevant fields from the layer 3 classifier module, the layer 4 classifier module and the layer 7 classifier module, respectively, and increment and calculate the layer 3 granular rates, the layer 4 granular rates and the layer 7 granular rates, respectively, and enforce the layer 3 granular rates, the layer 4 granular rates and the layer 7 granular rates, respectively, using a combination of a meter and an ager; wherein the host interface is configured to interrupt the flow controller when it is determined by the packet processing module that the at least one monitored destination is under attack; wherein, responsive to the interrupt, the flow controller informs a route reflector within the network of the DDoS attack status; and wherein the route reflector is configured to divert traffic destined for the monitored destination to a DDoS attack mitigation appliance within the network.
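The claim's "meter and ager" rate anomaly check, modelled in software as an added example (not the patent's hardware logic or Fortinet code): per-destination layer 3 and layer 4 granular packet rates are accumulated from NetFlow-style records, decayed by an ager over a one-second window, and compared against thresholds to produce the attack status the host interface would raise to the flow controller. The `Flow` record layout, the thresholds and the sample flows are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:             # constructed NetFlow-style export record
    ts: float           # export timestamp (seconds)
    dst: str            # destination address
    proto: int          # 6 = TCP, 17 = UDP
    dport: int
    tcp_flags: int      # 0x02 = SYN
    packets: int


class RateMeter:
    """Per-key counter whose 'ager' decays the count linearly toward zero over
    WINDOW seconds, so the value approximates packets seen in the last window."""

    def __init__(self, window=1.0):
        self.window = window
        self.count = defaultdict(float)
        self.last = defaultdict(float)

    def add(self, key, n, ts):
        age = ts - self.last[key]
        if age > 0:                                        # ager step
            self.count[key] *= max(0.0, 1 - age / self.window)
        self.count[key] += n                               # meter step
        self.last[key] = ts
        return self.count[key]


# Constructed per-destination granular thresholds (packets per window)
THRESHOLDS = {"l3_pps": 10_000, "l4_syn_pps": 2_000, "l4_udp_pps": 5_000}


def detect(flows, monitored):
    """Return {destination: [violated meters]} for monitored destinations only."""
    meters = {name: RateMeter() for name in THRESHOLDS}
    attacked = defaultdict(set)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst not in monitored:                         # unmonitored: ignored
            continue
        rates = {"l3_pps": meters["l3_pps"].add(f.dst, f.packets, f.ts)}
        if f.proto == 6 and f.tcp_flags & 0x02:            # layer 4: TCP SYN rate
            rates["l4_syn_pps"] = meters["l4_syn_pps"].add(f.dst, f.packets, f.ts)
        elif f.proto == 17:                                # layer 4: UDP rate
            rates["l4_udp_pps"] = meters["l4_udp_pps"].add(f.dst, f.packets, f.ts)
        for name, rate in rates.items():
            if rate > THRESHOLDS[name]:
                attacked[f.dst].add(name)
    return {dst: sorted(names) for dst, names in attacked.items()}
```

A non-empty result is the point at which the claimed host interface would interrupt the flow controller, which in turn signals the route reflector to divert the destination's traffic to the mitigation appliance.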
Address Sunnyvale CA US