Patent · US Active

Detecting DDOS attacks by correlating inbound and outbound network traffic information

US12166791B2 · kind B2 · utility

Cited by: 0
References: 1
Claims: 18
Family size: 0

Assignee

Inventors

Key dates

Filing date: Jun 1, 2022
Grant date: Dec 10, 2024
Priority date
Expiry date: Dec 29, 2042

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L63/166
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A computer system and process for mitigating a Distributed Denial of Service (DDoS) attack by analyzing and correlating inbound and outbound packet information relative to the one or more protected computer networks for detecting novel DDoS Reflection/Amplification attack vectors. Created are separate data repositories that respectively store information relating to captured inbound and outbound packets flowing to and from the protected computer networks. Stored in each respective inbound and outbound data repository are identified inbound destination ports respectively associated with the captured inbound and outbound packets such that each identified inbound destination port number is associated with 1) a packet count relating to the inbound and outbound packets; and 2) a packet byte length count relating to each of the inbound and outbound packets. By accessing the inbound and outbound data repositories, a determination is made as to whether a total inbound packet count for a first inbound destination port is substantially the same as a total outbound packet count for a same inbound destination port. A next determination is then made as to whether a total outbound packet byte le…

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.