Abstract: Methods, systems, and computer programs are presented for automated detection and mitigation of Denial of Service (DoS) attacks. One method includes an operation for collecting traffic data from service network routers that provide users access to a service. The traffic data is applied to security rules to identify a blacklist of illegitimate users to be blocked. Further, the method receives from the one or more servers a whitelist with information regarding legitimate users and their geographical location. A safe blacklist is determined for each router based on the blacklist and the whitelist, and the respective safe blacklist is sent to each router. Legitimate users are not blocked from accessing the service, but an illegitimate user spoofing a legitimate user is blocked by the routers when trying to access the service from a geographic location that is not the geographic location of the legitimate user.

Abstract: Methods, systems, and computer programs are presented for automated detection and mitigation of Denial of Service (DoS) attacks. One method includes an operation for collecting traffic data from service network routers that provide users access to a service. The traffic data is applied to security rules to identify a blacklist of illegitimate users to be blocked. Further, the method receives from the one or more servers a whitelist with information regarding legitimate users and their geographical location. A safe blacklist is determined for each router based on the blacklist and the whitelist, and the respective safe blacklist is sent to each router. Legitimate users are not blocked from accessing the service, but an illegitimate user spoofing a legitimate user is blocked by the routers when trying to access the service from a geographic location that is not the geographic location of the legitimate user.