US-12627706-B2 - Volumetric distributed denial of service attack mitigation

Abstract

Technologies related to mitigation of volumetric distributed denial of service attacks are disclosed. Malicious network connection request detection can be performed using a first network traffic management module (NTMM) that executes before network connection resources are allocated and a second NTMM that executes after connection resource allocation. The second NTMM can be used to determine whether a connection request is from a potential bad actor. If the request is from a potential bad actor, the second NTMM can add an identifier for the potential bad actor to a list of potential bad actors. When a subsequent connection request is received, the first NTMM can generate the identifier based on the subsequent request and determine whether it is stored in the list of potential bad actors. If it is, the first NTMM can drop the subsequent request before connection resources for establishing the second request are allocated.

Inventors

  • Vadim Krishtal
  • Tomer Pasman
  • Eyal Pery

Assignees

  • F5, INC.

Dates

Publication Date
2026-05-12
Application Date
2023-11-28

Claims (17)

  1. A method implemented by a network traffic management system, the method comprising: receiving a first request to establish a first network connection using a first network traffic management module, wherein the first network traffic management module executes after an allocation of resources for establishing the first network connection; determining, using the first network traffic management module, that the first request is from a potential bad actor; generating, using the first network traffic management module, an identifier using the first request, wherein the identifier comprises a source network address of the first request and an additional identifier based on contents of the first request; storing, using the first network traffic management module, the identifier in a list of potential bad actor identifiers; receiving a second request to establish a second network connection using a second network traffic management module, wherein the second network traffic management module executes before an allocation of resources for establishing the second network connection; generating, using the second network traffic management module, the identifier using the second request; determining, using the second network traffic management module, that the identifier is in the list of potential bad actor identifiers; and based on the determining: dropping the second request, and preventing the resources for establishing the second network connection from being allocated.
  2. The method of claim 1, further comprising: transmitting, using the first network traffic management module, a challenge in a response to the potential bad actor; receiving, using the first network traffic management module, an answer to the challenge that indicates that the potential bad actor is not a bad actor; and removing, using the first network traffic management module, the identifier from the list of potential bad actor identifiers.
  3. The method of claim 1, further comprising: storing, using the first network traffic management module, a timestamp in association with the identifier; and wherein dropping the second request and preventing the resources for establishing the second network connection from being allocated are further based on a determining, using the second network traffic management module, that the timestamp associated with the identifier is older than a specified time threshold.
  4. The method of claim 1, wherein: the additional identifier comprises a hash based on transport layer security (TLS) handshake information.
  5. The method of claim 1, wherein: the network traffic management module comprises an extended Berkeley Packet Filter (eBPF) express data path (XDP) program.
  6. A system comprising one or more network traffic management modules, a memory comprising programmed instructions stored thereon, and one or more processors configured to be capable of executing the stored programmed instructions to: receive a first request to establish a first network connection using a first network traffic management module, wherein the first network traffic management module executes after an allocation of resources for establishing the first network connection; determine, using the first network traffic management module, that the first request is from a potential bad actor; generate, using the first network traffic management module, an identifier using the first request, wherein the identifier comprises a source network address of the first request and an additional identifier based on contents of the first request; store, using the first network traffic management module, the identifier in a list of potential bad actor identifiers; receive a second request to establish a second network connection using a second network traffic management module, wherein the second network traffic management module executes before an allocation of resources for establishing the second network connection; generate, using the second network traffic management module, the identifier using the second request; determine, using the second network traffic management module, that the identifier is in the list of potential bad actor identifiers; and based on the determining: drop the second request, and prevent the resources for establishing the second network connection from being allocated.
  7. The system of claim 6, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to: transmit, using the first network traffic management module, a challenge in a response to the potential bad actor; receive, using the first network traffic management module, an answer to the challenge that indicates that the potential bad actor is not a bad actor; and remove, using the first network traffic management module, the identifier from the list of potential bad actor identifiers.
  8. The system of claim 6, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to: store, using the first network traffic management module, a timestamp in association with the identifier; and wherein dropping the second request and preventing the resources for establishing the second connection from being allocated are further based on a determining, using the second network traffic management module, that the timestamp associated with the identifier is older than a specified time threshold.
  9. The system of claim 6, wherein: the additional identifier comprises a hash based on transport layer security (TLS) handshake information.
  10. The system of claim 6, wherein: the network traffic management module comprises an extended Berkeley Packet Filter (eBPF) express data path (XDP) program.
  11. A non-transitory computer readable medium having stored thereon instructions comprising executable code that, when executed by one or more processors, causes the processors to: receive a first request to establish a first network connection using a first network traffic management module, wherein the first network traffic management module executes after an allocation of resources for establishing the first network connection; determine, using the first network traffic management module, that the first request is from a potential bad actor; generate, using the first network traffic management module, an identifier using the first request, wherein the identifier comprises a source network address of the first request and an additional identifier based on contents of the first request; store, using the first network traffic management module, the identifier in a list of potential bad actor identifiers; receive a second request to establish a second network connection using a second network traffic management module, wherein the second network traffic management module executes before an allocation of resources for establishing the second network connection; generate, using the second network traffic management module, the identifier using the second request; determine, using the second network traffic management module, that the identifier is in the list of potential bad actor identifiers; and based on the determining: drop the second request, and prevent the resources for establishing the second network connection from being allocated.
  12. The non-transitory computer readable medium of claim 11, wherein the instructions further comprise executable code that, when executed by one or more processors, causes the processors to: transmit, using the first network traffic management module, a challenge in a response to the potential bad actor; receive, using the first network traffic management module, an answer to the challenge that indicates that the potential bad actor is not a bad actor; and remove, using the first network traffic management module, the identifier from the list of potential bad actor identifiers.
  13. The non-transitory computer readable medium of claim 11, wherein the instructions further comprise executable code that, when executed by one or more processors, causes the processors to: store, using the first network traffic management module, a timestamp in association with the identifier; and wherein dropping the second request and preventing the resources for establishing the second connection from being allocated are further based on a determining, using the second network traffic management module, that the timestamp associated with the identifier is older than a specified time threshold.
  14. The non-transitory computer readable medium of claim 11, wherein: the additional identifier comprises a hash based on transport layer security (TLS) handshake information.
  15. The non-transitory computer readable medium of claim 11, wherein: the network traffic management module comprises an extended Berkeley Packet Filter (eBPF) express data path (XDP) program.
  16. A network traffic management apparatus, comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to: receive a first request to establish a first network connection using a first network traffic management module, wherein the first network traffic management module executes after an allocation of resources for establishing the first network connection; determine, using the first network traffic management module, that the first request is from a potential bad actor; generate, using the first network traffic management module, an identifier using the first request, wherein the identifier comprises a source network address of the first request and an additional identifier based on contents of the first request; store, using the first network traffic management module, the identifier generated using the first request in a list of potential bad actor identifiers; receive a second request to establish a second network connection using a second network traffic management module, wherein the second network traffic management module executes before an allocation of resources for establishing the second network connection; generate the identifier, using the second network traffic management module, using the second request; determine, using the second network traffic management module, that the identifier is in the list of potential bad actor identifiers; and based on the determining: drop the second request, and prevent the resources for establishing the second network connection from being allocated.
  17. The network traffic management apparatus of claim 16, wherein: the second network traffic management module comprises an extended Berkeley Packet Filter (eBPF) express data path (XDP) program.
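The abstract and claims 1 to 5 describe the two-stage mechanism but show no code. The following is an added, self-contained simulation written for this page; it is not F5's implementation and not the eBPF/XDP program the claims mention. It models the post-allocation module as a per-identifier rate heuristic, takes the "additional identifier" of claim 4 to be a JA3-style SHA-256 digest of the ClientHello version, cipher suites and extension types, and reads the timestamp of claim 3 as an expiry after which a listed entry stops matching. Those three choices, the constructed ClientHello bytes and addresses, and the names BadActorList, SlowPathModule and fast_path_filter are all assumptions of the example.

```python
# Added example for this page, not F5's implementation: the two-stage filter the abstract describes.
import hashlib
import struct

def build_client_hello(version, ciphers, ext_types):
    """Construct a minimal TLS ClientHello handshake message (constructed test input)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"        # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                            # one compression method: null
    exts = b"".join(struct.pack(">HH", t, 0) for t in ext_types)   # extension bodies left empty
    body += struct.pack(">H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_client_hello(data):
    """Return (version, cipher suites, extension types); raise on malformed input."""
    body_len = int.from_bytes(data[1:4], "big")
    body = data[4:4 + body_len]
    if len(data) < 4 or data[0] != 0x01 or len(body) != body_len:
        raise ValueError("not a complete ClientHello")
    version = int.from_bytes(body[0:2], "big")
    pos = 34                                    # past the version and 32-byte random
    pos += 1 + body[pos]                        # skip session id
    cs_len, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # skip compression methods
    ext_types = []
    if pos + 2 <= len(body):
        end = min(pos + 2 + int.from_bytes(body[pos:pos + 2], "big"), len(body))
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    return version, ciphers, ext_types

def identifier(src_ip, hello):
    """Claim 1's identifier: source address plus a content hash (JA3-style digest here; an assumption)."""
    version, ciphers, exts = parse_client_hello(hello)
    text = "%d,%s,%s" % (version, "-".join(map(str, ciphers)), "-".join(map(str, exts)))
    return src_ip, hashlib.sha256(text.encode()).hexdigest()[:16]

class BadActorList:
    """identifier -> time listed; entries stop matching after ttl seconds (assumed reading of claim 3)."""
    def __init__(self, ttl):
        self.ttl, self.entries = ttl, {}
    def add(self, ident, now):
        self.entries[ident] = now
    def remove(self, ident):
        self.entries.pop(ident, None)
    def contains(self, ident, now):
        listed_at = self.entries.get(ident)
        if listed_at is None:
            return False
        if now - listed_at > self.ttl:          # stale: forget it rather than drop forever
            del self.entries[ident]
            return False
        return True

class SlowPathModule:
    """Runs after connection resources exist; a rate heuristic stands in for the unspecified bad-actor test."""
    def __init__(self, bad_list, max_per_window, window):
        self.bad_list, self.max_per_window, self.window, self.seen = bad_list, max_per_window, window, {}
    def observe(self, src_ip, hello, now):
        ident = identifier(src_ip, hello)
        recent = [t for t in self.seen.get(ident, []) if now - t <= self.window] + [now]
        self.seen[ident] = recent
        if len(recent) > self.max_per_window:
            self.bad_list.add(ident, now)
            return "flagged"
        return "ok"
    def challenge_passed(self, src_ip, hello):
        self.bad_list.remove(identifier(src_ip, hello))   # claim 2: a correct answer delists the client

def fast_path_filter(bad_list, src_ip, hello, now):
    """Runs before any connection state is allocated (the XDP stage of claim 5). It must
    never raise, so an unparseable request is handed on to the slow path instead of dropped."""
    try:
        ident = identifier(src_ip, hello)
    except (ValueError, IndexError):
        return "PASS"
    return "DROP" if bad_list.contains(ident, now) else "PASS"

def demo():
    """Constructed flood from one address; returns the fast-path verdicts in order."""
    bad = BadActorList(ttl=60)
    slow = SlowPathModule(bad, max_per_window=3, window=10)
    bot = build_client_hello(0x0303, [0x1301, 0x1302], [0x0000, 0x000A])
    browser = build_client_hello(0x0303, [0x1301, 0x1302, 0x1303, 0xC02B], [0x0000, 0x000A, 0x000B, 0x0010])
    verdicts = []
    for t in range(5):                                              # one ClientHello per second
        verdicts.append(fast_path_filter(bad, "203.0.113.7", bot, t))
        if verdicts[-1] == "PASS":
            slow.observe("203.0.113.7", bot, t)                    # listed on the 4th hello (t=3)
    verdicts.append(fast_path_filter(bad, "203.0.113.7", browser, 5))   # same address, other fingerprint
    verdicts.append(fast_path_filter(bad, "203.0.113.7", bot, 64))      # 61 s after listing: expired
    return verdicts  # ['PASS', 'PASS', 'PASS', 'PASS', 'DROP', 'PASS', 'PASS']
```

Two points worth checking in any deployment of this pattern: the pre-allocation stage parses attacker-controlled bytes, so its parser must not crash or mis-index on a truncated or malformed request (fast_path_filter turns parse failures into a PASS that the slow path then judges), and the identifier must combine address and content fingerprint rather than address alone, otherwise listing one client behind a NAT would drop every neighbour's connections; the browser verdict in demo() shows the fingerprint keeping them apart. Whether a listed entry should match before or only after the time threshold is the part of claim 3 this example settles by assumption.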

Description

FIELD

This technology generally relates to detection and mitigation of denial of service attacks.

BACKGROUND

A Denial of Service (DoS) attack is a type of cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users. This may be accomplished by temporarily or indefinitely disrupting the services of a host connected to the Internet. One method for performing a DoS attack is flooding the targeted machine with superfluous requests in an attempt to overload its system. When this happens, the machine can no longer process legitimate requests, effectively blocking users from accessing the service or resource. One type of DoS attack is a Distributed Denial of Service (DDoS) attack. In a DDoS attack, the attacker uses multiple compromised computers to launch a coordinated attack against one target. This can make it more difficult to stop since the attack comes from many different IP addresses, making it challenging to distinguish legitimate user traffic from attack traffic. In a volumetric DDoS attack, multiple compromised computers are used to flood a targeted network or site with an immense volume of network traffic.

BRIEF SUMMARY

In an example embodiment, a method is implemented by a network traffic management system, wherein the method comprises: receiving a request to establish a network connection using a network traffic management module, wherein the network traffic management module executes before an allocation of resources for establishing the network connection; generating, using the network traffic management module, an identifier using the request, wherein the identifier comprises a source network address of the request and an additional identifier based on contents of the request; determining, using the network traffic management module, that the identifier is in a list of potential bad actor identifiers; and based on the determining: dropping the request, and preventing the resources for establishing the network connection from being allocated.

In another example embodiment, a system comprises one or more network traffic management modules, a memory comprising programmed instructions stored thereon, and one or more processors configured to be capable of executing the stored programmed instructions to: receive a request to establish a network connection using a network traffic management module, wherein the network traffic management module executes before an allocation of resources for establishing the network connection; generate, using the network traffic management module, an identifier using the request, wherein the identifier comprises a source network address of the request and an additional identifier based on contents of the request; determine, using the network traffic management module, that the identifier is in a list of potential bad actor identifiers; and drop the request, and prevent the resources for establishing the network connection from being allocated.

Another example embodiment comprises a non-transitory computer readable medium having stored thereon instructions comprising executable code that, when executed by one or more processors, causes the processors to: receive a request to establish a network connection using a network traffic management module, wherein the network traffic management module executes before an allocation of resources for establishing the network connection; generate, using the network traffic management module, an identifier using the request, wherein the identifier comprises a source network address of the request and an additional identifier based on contents of the request; determine, using the network traffic management module, that the identifier is in a list of potential bad actor identifiers; and based on the determining: drop the request, and prevent the resources for establishing the network connection from being allocated.

Another example embodiment comprises a network traffic management apparatus, comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to: receive a first request to establish a first network connection using a first network traffic management module, wherein the first network traffic management module executes after an allocation of resources for establishing the first network connection; determine, using the first network traffic management module, that the first request is from a potential bad actor; generate, using the first network traffic management module, an identifier using the first request, wherein the identifier comprises a source network address of the first request and an additional identifier based on contents of the first request; store, using the first network traffic management module, the identifier generated using the first request in a list of potential bad actor identifiers; receive a second request to establish a second network connection usi