Method and apparatus for large-scale automated distributed denial of service attack detection

Assignee

• AT&T Intellectual Property I, L.P. · US

Inventors

• Nicholas Duffield · Summit, US
• Jacobus Van der Merwe · New Providence, US
• Vyas Sekar · Pittsburgh, US
• Oliver Spatscheck · Denison, US

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/1458
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A multi-staged framework for detecting and diagnosing Denial of Service attacks is disclosed in which a low-cost anomaly detection mechanism is first used to collect coarse data, such as may be obtained from Simple Network Management Protocol (SNMP) data flows. Such data is analyzed to detect volume anomalies that could possibly be indicative of a DDoS attack. If such an anomaly is suspected, incident reports are then generated and used to trigger the collection and analysis of fine grained data, such as that available in Netflow data flows. Both types of collection and analysis are illustratively conducted at edge routers within the service provider network that interface customers and customer networks to the service provider. Once records of the more detailed information have been retrieved, they are examined to determine whether the anomaly represents a distributed denial of service attack, at which point an alarm is generated.