Abstract: Systems and methods of mitigating DOS attacks on a victim node in a computer based communication system are presented. According to the methods a node such as a router upstream from the victim analyzes traffic flow directed to the victim node and if a pattern indicating a possible attack is detected a notification to the effect is sent to the victim node. The victim can either ignore the notification or chose to suggest or request attack mitigation measures be implemented by the upstream router. Alternatively the upstream router can implement attack mitigation measures without waiting for input from the victim node.

Abstract: A packet filter for filtering data packets in a communications network is described. The packet filter has input and output ports for receiving and transmitting respective data packets. A data filter selectively passes packets from the input port to the output port in accordance with filtering policies. A policy manager determines filtering policies and controls operation of the data filter. The policy manager is independent of its implementation and not related to any particular operating system. This independence allows for a generic path of managing policies across devices implementing a system and for more flexibility in the implementation of packet filters. Flexibility may be enhanced by implementing the policy manager in system-on-chip technology.

Abstract: Methods and apparatus for detecting denial of service attacks on a system in a communications network are provided. A frequency analysis is performed on certain types of packets that arrive with a periodic nature. A frequency power spectrum obtained through Fourier Transform reveals whether the power level of any particular frequency is greater than the average power spectrum. The detection of a higher than average power level is an indication that an attack is in progress.

Abstract: Methods and apparatus for mitigating denial of service attacks in a communications network are described. Frequency domain techniques such as Fourier Transform are used to detect packet flooding in which a frequency spectrum reveals a periodic pattern to the attack packets. A pulse generator is used to create pulses having the frequency and phase of the periodic pattern. New packets arriving simultaneously with the created pulses are dropped from the system and packets which are not synchronized with the pulse generator are passed through the system normally.