US-12621342-B2 - Systems and methods for policy driven distributed denial of service mitigation chaining
Abstract
A system includes instructions that cause processors to store a directed acyclic graph including nodes comprising selector nodes, mitigator nodes, and actor nodes, each of the nodes linked to another node, receive a data packet, inspect, using a selector node, a header of the data packet to determine a protection group, tag the data packet with an identification of the protection group based on the inspection, apply, using a mitigator node, criteria of a protection group policy corresponding to the protection group to the data packet based on the identification of the protection group tagged to the data packet, tag the data packet with a mitigation flag corresponding to a mitigation measure selected based on the application of the criteria of the protection group policy to the data packet, and apply, using an actor node, the mitigation measure corresponding to the mitigation tag to the data packet.
Inventors
- Steinthor Bjarnason
- Brian St. Pierre
Assignees
- NETSCOUT SYSTEMS, INC.
Dates
- Publication Date: 2026-05-05
- Application Date: 2024-06-12
Claims (20)
- 1. A system comprising: one or more processors coupled with memory, the memory storing executable instructions that, when executed by the one or more processors, cause the one or more processors to: store a directed acyclic graph (DAG) comprising a plurality of nodes, the plurality of nodes comprising one or more selector nodes, one or more mitigator nodes, and one or more actor nodes, each of the plurality of nodes linked to another node of the plurality of nodes; receive a data packet transmitted from a computing device to a server across a communications network; inspect, using at least one of one or more of the selector nodes, a header of the data packet to determine a protection group for the data packet; tag the data packet with an identification of the protection group based on the inspection; apply, using at least one of the one or more mitigator nodes, one or more criteria of a protection group policy corresponding to the protection group to the data packet based on the identification of the protection group tagged to the data packet; tag the data packet with a mitigation flag corresponding to a mitigation measure selected based on the application of the one or more criteria of the protection group policy to the data packet; and apply, using at least one of the one or more actor nodes, the mitigation measure corresponding to the mitigation tag to the data packet.
- 2. The system of claim 1, wherein the instructions further cause the one or more processors to: determine a first intersection between one or more tags of the data packet and a required tag set of a first node of the plurality of nodes, wherein the first node is currently inspecting the data packet; and responsive to a determination that the first intersection does not exist, reassign a second node of the plurality of nodes to currently inspect the data packet.
- 3. The system of claim 2, wherein the instructions further cause the one or more processors to: responsive to a determination that the first intersection does exist, determine a second intersection between the one or more tags of the data packet and an excluded tag set of the first node of the plurality of nodes; and responsive to a determination that an intersection does not exist, invoke a function of the first node, wherein invoking a function of the first node causes at least one tag of the one or more tags of the data packet to be altered.
- 4. The system of claim 1, wherein the instructions cause the one or more processors to apply the mitigation measure by dropping a data packet of the one or more data packets based on the application of the DAG.
- 5. The system of claim 1, wherein the instructions cause the one or more processors to apply the mitigation measure by forwarding the data packet to the server.
- 6. The system of claim 1, wherein each of the plurality of nodes is a separate computer program stored in memory of a single computing device.
- 7. The system of claim 1, wherein each of the one or more selector nodes is linked to at least one of the one or more mitigator nodes with a first edge, and wherein each of the one or more mitigator nodes is linked to at least one of the one or more action nodes with a second edge.
- 8. The system of claim 1, wherein the instructions cause the one or more processors to determine the protection group using the at least one selector node based on a destination IP address of the data packet or a source IP address of the data packet in the header of the data packet.
- 9. The system of claim 1, wherein the instructions cause the one or more processors to transfer the data packet through the plurality of nodes of the DAG based on tags placed on the data packet by individual nodes of the DAG.
- 10. The system of claim 9, wherein the instructions cause the one or more processors to: responsive to the identification of the protection group, identify, using a second selector node of the one or more selector nodes, the at least one of the one or more mitigator nodes based on the identification of the protection group; and send the data packet to the at least one of the one or more mitigator nodes based on identification of the protection group, wherein the instructions cause the one or more processors to apply the one or more criteria of the protection group policy corresponding to the protection group to the data packet responsive to receipt of the data packet from the second selector node.
- 11. The system of claim 1, wherein the instructions cause the one or more processors to execute the at least one mitigator node of the one or more mitigator nodes on the data packet based on the identification of the protection group tag corresponding to a required tag of the at least one mitigator node.
- 12. The system of claim 11, wherein the instructions cause the one or more processors to determine not to execute a second mitigator node of the one or more mitigator nodes on the data packet based on the identification of the protection group tag corresponding to an excluded tag of the second mitigator node.
- 13. A method comprising: storing, via one or more processors, a directed acyclic graph (DAG) comprising a plurality of nodes, the plurality of nodes comprising one or more selector nodes, one or more mitigator nodes, and one or more actor nodes, each of the plurality of nodes linked to another node of the plurality of nodes; receiving, via the one or more processors, a data packet transmitted from a computing device to a server across a communications network; inspecting, via the one or more processors, using at least one of one or more of the selector nodes, a header of the data packet to determine a protection group for the data packet; tagging, via the one or more processors, the data packet with an identification of the protection group based on the inspection; applying, via the one or more processors, using at least one of the one or more mitigator nodes, one or more criteria of a protection group policy corresponding to the protection group to the data packet based on the identification of the protection group tagged to the data packet; tagging, via the one or more processors, the data packet with a mitigation flag corresponding to a mitigation measure selected based on the application of the one or more criteria of the protection group policy to the data packet; and applying, via the one or more processors, using at least one of the one or more actor nodes, the mitigation measure corresponding to the mitigation tag to the data packet.
- 14. The method of claim 13, wherein the method further comprises: determining a first intersection between one or more tags of the data packet and a required tag set of a first node of the plurality of nodes, wherein the first node is currently inspecting the data packet; and responsive to a determination that the first intersection does not exist, reassigning a second node of the plurality of nodes to currently inspect the data packet.
- 15. The method of claim 14, wherein the method further comprises: responsive to a determination that the first intersection does exist, determining a second intersection between the one or more tags of the data packet and an excluded tag set of the first node of the plurality of nodes; and responsive to a determination that an intersection does not exist, invoking a function of the first node, wherein invoking a function of the first node causes at least one tag of the one or more tags of the data packet to be altered.
- 16. The method of claim 14, wherein the method further comprises applying the mitigation measure by dropping a data packet of the one or more data packets based on the application of the DAG.
- 17. A system comprising: one or more processors coupled with memory, the memory storing executable instructions that, when executed by the one or more processors, cause the one or more processors to: store a directed acyclic graph (DAG) comprising a plurality of nodes, the plurality of nodes comprising one or more selector nodes, one or more mitigator nodes, and one or more actor nodes, each of the plurality of nodes linked to another node of the plurality of nodes; receive a data packet transmitted from a computing device to the server across the communications network; inspect, using at least one of the one or more selector nodes, a header of the data packet to determine a protection group for the data packet; apply, using at least one of the one or more mitigator nodes, one or more criteria of a protection group policy corresponding to the protection group to the data packet; apply the DAG configured according to a selected configuration to the data packet to determine a mitigation action for the data packet; and apply, using at least one of the one or more actor nodes, the mitigation measure to the data packet.
- 18. The system of claim 17, wherein the instructions further cause the one or more processors to: determine a first intersection between one or more tags of the data packet and a required tag set of a first node of the plurality of nodes, wherein the first node is currently inspecting the data packet; and responsive to a determination that the first intersection does not exist, reassign a second node of the plurality of nodes to inspect the data packet.
- 19. The system of claim 18, wherein the instructions cause the one or more processors to apply the mitigation measure by forwarding the data packet to the server.
- 20. The system of claim 17, wherein the instructions cause the one or more processors to apply the mitigation measure by dropping a data packet of the one or more data packets based on the application of the DAG.
Description
BACKGROUND
Distributed denial of service (DDoS) attacks are used by malicious actors to deny access to a given network service. One class of DDoS attacks focuses on the application layer. These application layer attacks may target a specific application, such as web servers, session initiation protocol (SIP) voice services, and/or the Domain Name System (DNS), among others. A set of mitigation methods may be applied to network traffic to classify and remove malicious actors.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings are not intended to be drawn to scale. Like reference numbers and designations in the various drawings indicate like elements. For purposes of clarity, not every component may be labeled in every drawing. In the drawings:
- FIG. 1 is an illustration of a system for DDoS attack mitigation using a directed acyclic graph, in accordance with an implementation;
- FIG. 2 is an illustration of a diagram of a system for DDoS mitigation using a directed acyclic graph, in accordance with an implementation;
- FIG. 3 is an illustration of a flow diagram of a method for moving through a directed acyclic graph, in accordance with an implementation;
- FIG. 4 is an illustration of a flow diagram of a method for utilizing a directed acyclic graph to mitigate a DDoS attack, in accordance with an implementation;
- FIG. 5 is an illustration of a flow diagram of a method for configuring a directed acyclic graph to mitigate a DDoS attack, in accordance with an implementation;
- FIG. 6A is a block diagram depicting an implementation of a network environment including a client device in communication with a server device;
- FIG. 6B is a block diagram depicting a cloud computing environment including a client device in communication with cloud servers; and
- FIG. 6C is a block diagram depicting an implementation of a computing device that can be used in connection with the system depicted in FIG. 1, and the methods depicted in FIGS. 2-5.
DETAILED DESCRIPTION
In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented here. It will be readily understood that the aspects of the present disclosure, as generally described herein and illustrated in the figures, can be arranged, substituted, combined, and designed in a wide variety of different configurations, all of which are explicitly contemplated and form part of this disclosure.
Distributed denial of service (DDoS) attacks are used by malicious actors to deny access to a given network service. The malicious actors may be blocked, or the communication between the actors and a server may otherwise be mitigated, to prevent an attack on the server. Traditionally, DDoS mitigation may be performed by applying a static set of mitigation methods to network traffic. Each method may use its own approach to classify malicious traffic and subsequently remove it. This may be effective in removing malicious actions, but a static set of rules may be limiting. Further, it may be preferable to be able to reorder the rules arbitrarily, or to add extra conditions around when certain rules are applied. The systems and methods described herein may define a generalized data packet processing system in which "inspectors" can apply tags to data packets. The system may include a data processing system that monitors a communication session between a client device and a server that occurs over a network. The client device may transmit data packets to the server and receive data packets from it.
The data processing system can retrieve the transmitted data packets and inspect the information stored in the data packet. The data processing system may include a directed acyclic graph (DAG) containing a plurality of inspector nodes. The inspector nodes can apply tags to the data packet and forward the data packet to subsequent nodes corresponding to the applied tags. The tags may, for example, indicate where (e.g., to which node) in the DAG the data packet should be forwarded, what information the data packet contains, and/or any actions that should be taken by subsequent nodes. For example, a data packet may be tagged with a tag indicating that the data packet is malicious and should be dropped by the system so the data cannot reach the server. Thus, a specific inspector node may inspect the data packet based on which tags are associated with the data packet and perform an action or process based on the presence or absence of a specific tag corresponding to the specific role of the inspector. For example, a specific inspector may be configured to drop any data packets ta
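The tag-driven traversal described in claims 1 through 3 and in the description above, written out as an added example (not the patent's or NETSCOUT's code): a selector node maps the destination IP to a protection group, a mitigator node applies the group's policy and sets a mitigation flag, and actor nodes drop or forward; each node runs only if the packet carries one of its required tags and none of its excluded tags. The node set, the per-source packet budget used as the policy criterion, and the sample packets are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, FrozenSet, Set

# Constructed illustration of the patent's tag-driven DAG; node set, policy
# criterion (a per-source packet budget) and packets are assumptions, not NETSCOUT code.
Tags = Set[str]

@dataclass(frozen=True)
class Node:
    name: str
    required: FrozenSet[str]            # packet needs one of these to be inspected (claim 2)
    excluded: FrozenSet[str]            # packet must carry none of these (claim 3)
    func: Callable[[Tags, dict], Tags]  # invoked only if both checks pass; alters the tags

GROUPS = {"198.51.100.10": "web", "198.51.100.53": "dns"}  # dst IP -> protection group (claim 8)
POLICY = {"web": 3, "dns": 1}   # assumed criterion: max packets allowed per source in a group
seen: Counter = Counter()       # (group, src) -> packets observed so far

def selector(tags, pkt):        # selector node: tag the packet with its protection group
    return tags | {"group:" + GROUPS.get(pkt["dst"], "none")}

def mitigator(tags, pkt):       # mitigator node: apply the group policy, tag a mitigation flag
    group = next(t[6:] for t in tags if t.startswith("group:"))
    seen[(group, pkt["src"])] += 1
    flag = "drop" if seen[(group, pkt["src"])] > POLICY[group] else "forward"
    return tags | {"mitigate:" + flag}

def actor(action):              # actor node: carry out the selected mitigation measure
    return lambda tags, pkt: tags | {"action:" + action}

DAG = [  # topological order; the edges are expressed by the required/excluded tag sets
    Node("select-group", frozenset(), frozenset(), selector),
    Node("rate-limit", frozenset({"group:web", "group:dns"}), frozenset(), mitigator),
    Node("drop", frozenset({"mitigate:drop"}), frozenset(), actor("dropped")),
    Node("forward", frozenset({"mitigate:forward"}), frozenset(), actor("forwarded")),
    # fallback: a packet no actor has handled yet (e.g. unknown group) is forwarded
    Node("default", frozenset(), frozenset({"action:dropped", "action:forwarded"}),
         actor("forwarded")),
]

def process(pkt):
    tags: Tags = set()
    for node in DAG:
        if node.required and not (tags & node.required):
            continue            # claim 2: no intersection with required set -> next node
        if tags & node.excluded:
            continue            # claim 3: an excluded tag is present -> next node
        tags = node.func(tags, pkt)
    return tags

def run(packets):               # returns the action tag chosen for each packet, in order
    seen.clear()
    return [next(t for t in process(p) if t.startswith("action:")) for p in packets]

SAMPLE = ([{"src": "203.0.113.5", "dst": "198.51.100.10"}] * 4          # constructed
          + [{"src": "203.0.113.9", "dst": "198.51.100.53"}] * 2
          + [{"src": "203.0.113.9", "dst": "192.0.2.1"}])
```

With the budget of 3 for the web group, the fourth packet from the same source is tagged `mitigate:drop` and reaches only the drop actor; the packet to an address outside every protection group bypasses the mitigator and is forwarded by the fallback node.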