Abstract: Methods and systems for detecting and mitigating high-rate Distributed Denial of Service (DDoS) attacks are herein described. The present invention contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor and detect deviations in server usage data. The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack. The DDoS solution includes a two-phase approach of detection and mitigation, both of which operate on a local- and a global-basis. Moreover, the anomaly algorithms can be modified or extrapolated to obtain the traffic deviation parameters and therefore, the attack probabilities.

Abstract: A mechanism is disclosed for identifying, classifying, and controlling flows in a network. In one implementation, a separate set of behavioral statistics is maintained for each flow. These behavioral statistics are updated as packets belonging to a flow are processed. Whenever a packet belonging to a flow is processed, a set of policies that the flow's behavioral statistics satisfy is determined. For each policy that the flow's behavioral statistics satisfy, actions that are associated with that policy are applied relative to the packet. The actions may be designed to cause a router to handle, in a user-specified manner, packets that are likely to represent a particular kind of traffic. Thus, different flows, such as VOIP, gaming, streaming, and P2P flows, which are associated with different behavioral statistics, may be handled in ways applicable for the specific application traffic type.

Abstract: Various embodiments of the present invention relating to a subscriber fairness solution are disclosed. The subscriber fairness solution contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor subscriber usage across various attributes (e.g., subscriber byte count, flow count, etc.) and maintain subscriber usage information for different time frames. In embodiments, the subscriber fairness solution includes a detection phase and a mitigation phase. In the detection phase, “outliers,” or subscribers who are using more than their fair share of network resources, are identified. In the mitigation phase, appropriate action is taken to resolve the constraints on the network resources, caused by these outliers. The subscriber fairness solution may be embodied in hardware, software, or a composite approach of both hardware and software.

Abstract: Methods and systems for detecting and mitigating high-rate Distributed Denial of Service (DDoS) attacks are herein described. The present invention contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor and detect deviations in server usage data. The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack. The DDoS solution includes a two-phase approach of detection and mitigation, both of which operate on a local- and a global-basis. Moreover, the anomaly algorithms can be modified or extrapolated to obtain the traffic deviation parameters and therefore, the attack probabilities.

Abstract: A mechanism is disclosed for identifying and penalizing misbehaving flows in a network. In one implementation, a set of behavioral statistics are maintained for each flow. These behavioral statistics are updated as information packets belonging to a flow are processed. Based upon these behavioral statistics, a determination is made as to whether a flow is exhibiting undesirable behavior. If so, a penalty is imposed on the flow. In one implementation, this penalty causes packets belonging to the flow to have a higher probability of being dropped than packets belonging to other flows that do not exhibit undesirable behavior. In one implementation, in addition to penalizing the flow, this penalty also has the effect of correcting the flow's behavior such that the flow exhibits less undesirable behavior after the penalty than before. By correcting the flow's behavior, the penalty makes it possible for the flow to become a non-misbehaving flow.

Abstract: A mechanism is disclosed for identifying, classifying, and controlling flows in a network. In one implementation, a separate set of behavioral statistics is maintained for each flow. These behavioral statistics are updated as packets belonging to a flow are processed. Whenever a packet belonging to a flow is processed, a set of policies that the flow's behavioral statistics satisfy is determined. For each policy that the flow's behavioral statistics satisfy, actions that are associated with that policy are applied relative to the packet. The actions may be designed to cause a router to handle, in a user-specified manner, packets that are likely to represent a particular kind of traffic. Thus, different flows, such as VOIP, gaming, streaming, and P2P flows, which are associated with different behavioral statistics, may be handled in ways applicable for the specific application traffic type.

Abstract: New switching technology relies upon state information for providing a previously unavailable degree of quality of service. In particular, by providing the ability to give service guarantees to uniquely identifiable sets of packets (“micro-flows”), different qualities of service can be offered for each transmission. The QoS associated with each micro-flow is characterized by a set of descriptors. These descriptors are communicated to each switch by the first packet of the micro-flow associated with the descriptors.

Abstract: A mechanism is disclosed for enabling a plurality of logical routers to be implemented within a single physical router. The logical routers emulate the behavior of interconnected, standalone routers. For example, the logical routers may be made aware of the presence of other logical routers within the same physical router. The logical routers may also have internal “links” to each other. In addition, the logical routers may send routing information to each other. Thus, to each other and to routers external to the single physical router, the logical routers appear as if they are interconnected standalone routers. The logical routers may be further endowed with an ability to determine whether the next hop for a set of information (e.g. a packet) is to a logical router within the same physical router or to an external router. The logical routers take advantage of this distinction to perform routing between logical routers more efficiently.