Title of invention: METHODS AND SYSTEMS FOR DETECTING AND MITIGATING A HIGH-RATE DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK
Abstract: Methods and systems for detecting and mitigating high-rate Distributed Denial of Service (DDoS) attacks are herein described. The present invention contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor and detect deviations in server usage data. The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack. The DDoS solution includes a two-phase approach of detection and mitigation, both of which operate on a local and a global basis. Using a flow-based statistical collection, the DDoS solution monitors flow record data, on an individual and an aggregate level, and detects deviations in traffic that are indicative of a potential threat. Detection includes collecting and analyzing network flow-state data to determine a probability of attack (typically by calculating a weighted sum of the results of multiple algorithms) based on traffic deviation, and to determine whether an attack is from a spoofed or legitimate address. The DDoS solution can monitor and analyze flow data to quickly identify when a DDoS attack is underway. Moreover, the anomaly algorithms can be modified or extrapolated to obtain the traffic deviation parameters and therefore, the attack probabilities. Mitigation policies can be based on the determined probability of attack and allow the operator to configure the appropriate actions for the attack. In one embodiment, the DDoS solution can control the attack in real-time without any degradation of performance or processing power via a local mechanism of a linecard. In another embodiment, the DDoS solution further includes a global mechanism such as an external software application that makes a decision on the attack on a more global basis with a network-wide view.
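Publication number: WO2013105991(A2) | Publication date: 2013.07.18
Application number: WO2012US25362 | Filing date: 2012.02.16
Applicant: SABLE NETWORKS, INC.;PAPPU, SURYA;OZA, SANJAY | Inventor: PAPPU, SURYA;OZA, SANJAY
Classification: H04L12/22;H04L12/26 | Main classification: H04L12/22
Agency: | Agent:
Independent claim:
Address: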