Patents by Inventor David J. Wetherall

David J. Wetherall has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8509086
    Abstract: An apparatus is equipped to receive network traffic data for network traffic routed over one or more network links relevant to a network link. Selected numbers of analyses are performed to determine if the network link of interest is being misused. The analyses include but are not limited to analyses to determine whether the network traffic routed is inconsistent with an expected traffic pattern, whether unallocated source addresses are present, whether source addresses exhibit an uncharacteristic even distribution pattern, whether a server is uncharacteristically excessive in responding to the same source address, whether normal bursty behavior is absent from the traffic, whether a ratio of packets in one direction to packets in another direction is out of balance, whether a ratio of packets of one type to packets of another type is out of balance, and whether a server is uncharacteristically excessive in responding with error responses.
    Type: Grant
    Filed: June 20, 2002
    Date of Patent: August 13, 2013
    Inventors: Thomas E. Anderson, David J. Wetherall, Stefan R. Savage
  • Patent number: 8271678
    Abstract: A server, using a deterministic function, a secret value and persistent information of a packet, destined for a client device, generates and includes a conversation identifier for inclusion with the packet. The client device in turn includes the conversation identifier in a subsequent packet sent by the client device destined for the server. An intermediate routing device having knowledge of the deterministic function and the secret value, upon receiving the packet en-route from the client device to the server, would independently determine whether the packet is a part of a conversation between the client and the server, by independently verifying the included conversation identifier, and forward or not forward the packet accordingly. As a result, undesirable packets may be independently detected and filtered for the server.
    Type: Grant
    Filed: April 3, 2001
    Date of Patent: September 18, 2012
    Assignee: Arbor Networks, Inc.
    Inventors: David J. Wetherall, Stefan R. Savage, Thomas E. Anderson
  • Patent number: 7970886
    Abstract: The present invention provides for a novel approach to protecting a system owner's system(s) from being exploited and providing involuntary assistance to a DOS attack. The present invention provides the protection by detecting and preventing undesirable or inappropriate network traffic from being sourced from a network domain. More specifically, a monitor/regulator is provided to monitor network traffic leaving a network domain. The monitor/regulator determines if undesirable/inappropriate network traffic is leaving the network domain based on the observed characteristics of the outbound and inbound network traffic. If it is determined that undesirable/inappropriate network traffic is leaving the network domain, the monitor/regulator, in one embodiment, at least warns system owners of the detection.
    Type: Grant
    Filed: November 2, 2000
    Date of Patent: June 28, 2011
    Assignee: Arbor Networks, Inc.
    Inventors: David J. Wetherall, Stefan R. Savage, Thomas E. Anderson
  • Patent number: 7475141
    Abstract: One or more networking apparatuses are employed to practice a networking method that improves a first networking device's likelihood in meeting its service level goals/commitments for a first group of network traffic serviced by the first networking device. Determination is made, away from the networking device, on whether the first network device is meeting the service level goals/commitments for the first group of network traffic. Determination may include monitoring the first group of network traffic at or away from the networking device. If the service level goals/commitments are not being met, a second group of network traffic (also serviced by the first networking device) is regulated. Regulation may be made at the networking device or away from the network device. Additionally, if the condition for regulation is no longer present, regulation may be moderated or removed. Further, the service level goals/commitments may include reliability and/or performance goals/commitments.
    Type: Grant
    Filed: July 31, 2001
    Date of Patent: January 6, 2009
    Assignee: Arbor Networks, Inc.
    Inventors: Thomas E. Anderson, Stefan R. Savage, David J. Wetherall
  • Patent number: 7444404
    Abstract: A director is provided to receive source address instances of packets routed through routing devices of a network. The director determines whether any of the reported source address instances are to be deemed as spoof source address instances. The director further determines where filtering actions are to be deployed to filter out packets having certain source addresses deemed to be spoof instances. The director makes its determinations based at least in part on a selected one of a number of consistency measures. The consistency measures may include but are not limited to spatial consistency, destination consistency, migration consistency, and temporary consistency. The consistency measures are evaluated using spatial, destination source address range, migration and timing S/D/M/T distribution profiles of the reported source addresses.
    Type: Grant
    Filed: February 5, 2001
    Date of Patent: October 28, 2008
    Assignee: Arbor Networks, Inc.
    Inventors: David J. Wetherall, Stefan R. Savage, Thomas E. Anderson
  • Patent number: 7058015
    Abstract: A number of sensors are distributively deployed in a network, either integrally disposed in a number of routing devices of the network or externally disposed and coupled to the routing devices, to monitor and report on network traffic routed through the routing devices. A director is provided to receive network traffic reports from the sensors for the routing devices, and to determine whether moderating actions are to be taken to moderate an amount of network traffic, based at least in part on some of the network traffic reports received from the sensors. In one embodiment, upon determining moderating actions are to be taken, the director further determines what kind of moderating actions are to be taken, including where the moderating actions are to be taken. In one embodiment, the director further instructs appropriate ones of the sensors to cause the desired moderating actions to be applied on the network traffic going through some of the routing devices.
    Type: Grant
    Filed: August 4, 2000
    Date of Patent: June 6, 2006
    Assignee: Arbor Networks, Inc.
    Inventors: David J. Wetherall, Thomas E. Anderson, Stefan R. Savage
  • Patent number: 6801503
    Abstract: An apparatus is equipped to receive network traffic data for network traffic routed through a number of routing devices with one or more degrees of separation from a network node. The network traffic data include at least network traffic data for network traffic destined for the network node which meet a traffic type selection criteria and are routed by the routing devices to the network node. The apparatus is further equipped to progressively regulate and de-regulate network traffic routing by the routing devices based at least in part on the received network traffic data and the degrees of separation of the routing devices from the network node. Regulation extends from routing devices with the lowest degree of separation from the network node to routing devices with the highest degree of separation, following in the reverse direction of the routing paths traversed by the packets to reach the network node. In one embodiment, the extension or push back is made one degree of separation at a time.
    Type: Grant
    Filed: October 9, 2000
    Date of Patent: October 5, 2004
    Assignee: Arbor Networks, Inc.
    Inventors: David J. Wetherall, Stefan R. Savage, Thomas E. Anderson
  • Publication number: 20030002436
    Abstract: An apparatus is equipped to receive network traffic data for network traffic routed over one or more network links relevant to a network link. Selected numbers of analyses are performed to determine if the network link of interest is being misused. The analyses include but are not limited to analyses to determine whether the network traffic routed is inconsistent with an expected traffic pattern, whether unallocated source addresses are present, whether source addresses exhibit an uncharacteristic even distribution pattern, whether a server is uncharacteristically excessive in responding to the same source address, whether normal bursty behavior is absent from the traffic, whether a ratio of packets in one direction to packets in another direction is out of balance, whether a ratio of packets of one type to packets of another type is out of balance, and whether a server is uncharacteristically excessive in responding with error responses.
    Type: Application
    Filed: June 20, 2002
    Publication date: January 2, 2003
    Inventors: Thomas E. Anderson, David J. Wetherall, Stefan R. Savage
  • Publication number: 20020143980
    Abstract: A server, using a deterministic function, a secret value and persistent information of a packet, destined for a client device, generates and includes a conversation identifier for inclusion with the packet. The client device in turn includes the conversation identifier in a subsequent packet sent by the client device destined for the server. An intermediate routing device having knowledge of the deterministic function and the secret value, upon receiving the packet en-route from the client device to the server, would independently determine whether the packet is a part of a conversation between the client and the server, by independently verifying the included conversation identifier, and forward or not forward the packet accordingly. As a result, undesirable packets may be independently detected and filtered for the server.
    Type: Application
    Filed: April 3, 2001
    Publication date: October 3, 2002
    Inventors: David J. Wetherall, Stefan R. Savage, Thomas E. Anderson
  • Publication number: 20020107960
    Abstract: A director is provided to receive source address instances of packets routed through routing devices of a network. The director determines whether any of the reported source address instances are to be deemed as spoof source address instances. The director further determines where filtering actions are to be deployed to filter out packets having certain source addresses deemed to be spoof instances. The director makes its determinations based at least in part on a selected one of a number of consistency measures. The consistency measures may include but are not limited to spatial consistency, destination consistency, migration consistency, and temporary consistency. The consistency measures are evaluated using spatial, destination source address range, migration and timing S/D/M/T distribution profiles of the reported source addresses.
    Type: Application
    Filed: February 5, 2001
    Publication date: August 8, 2002
    Inventors: David J. Wetherall, Stefan R. Savage, Thomas E. Anderson