Patent Application
20170111390
The present invention generally relates to the field of wireless communication. More specifically, the present invention relates to methods, circuits, devices, systems and functionally associated computer executable code for directing and mitigating a denial of service attack on or through a radio access network.
In computing, a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Criminal perpetrators of DoS and DDoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Damage to networks and businesses utilizing these networks can be very significant.
Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. A distributed denial-of-service (DDoS) is an attack where the attack source is more than one, often thousands of, unique IP addresses. It is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations. These types of DDoS attacked are usually achieved by distribution of malware onto computing devices used by unsuspecting users, and hijacking via the malware those devices such that they act as DDoS packet sources and routers at the control of attacker. The scale of DDoS attacks has continued to rise over recent years, even reaching over 600 Gbit/s. DDoS attackers have started producing and distributing DDoS malware in the form mobile device applications and have started used mobile devices and their respective radio/wireless access networks to facilitate DDoS attacked.
DDoS attacks may include:
There is a trend of ongoing growth in web attacks in general, and more specifically in attacks and through mobile radio access networks, and it is becoming more crucial to develop solutions that enable detecting and mitigating these attacks prior to damage that may be caused to the network. Accordingly, there is a need for improved methods, circuits, devices, systems and functionally associated computer executed code for mitigating DDoS attacks performed on and through radio access networks.
The present invention may include methods, circuits, devices, systems and functionally associated computer executable code for directing and mitigating a denial of service attack on or through a radio access network. According to some embodiments, there may be provided a Malicious Packet Detector (MPD) at or in communicatively proximity with a wireless/radio access node of a wireless radio access network and adapted to detect malicious packets and/or malicious packet flows/streams from a communication device communicatively coupled to the wireless access node and intended to cause a degradation in functionality of one or more network resources of the radio access network itself or of another network to which the radio access network may transmit packets. The MPD may also include packet flow routing and/or filtering functionality to block, mitigate, hinder or otherwise disrupt malicious packet flow from one or more devices found to be transmitting malicious packets. The MPD may also include a controller, an access point signaling module to signal an access point to deallocate bandwidth or otherwise hinder packet flow from a device found to be transmitting malicious packets, and a signaling/reporting unit to report to a network management unit device(s) found to be transmitting malicious packets.
Embodiments of the present invention address detection and disruption of malicious packets associated with Distributed Denial-of-Service (DDoS) attacks launched using mobile communication devices communicatively coupled to access points of a wireless radio access network such a cellular network or a network of Wi-Fi access points. According to embodiment of the present invention, invention advanced methods for detecting and mitigating these attacks from within the radio access network are provided, thus enabling early detection and prevention of damage or disruption of network resources, or of resources on interconnected networks, prior to the occurrence of significant disruption to service. Embodiments of the present invention include methods to detect and disrupt different types of DDoS attacks as close as possible to the source of the one or more attacking communication devices or User Equipment (EU). So as to minimize detection time, and to mitigate possible network resource damage or network service disruptions, some embodiments of the present invention include packet inspection circuits and capability integral with, in communicative proximity, or otherwise functionally associated with radio access circuits or a network access segment of a Wireless and/or Radio Access Network.
The present invention includes methods and devices to detect and mitigate DDoS attacks stemming from devices connected to a mobile cellular network from within the RAN of the network. Different types of DDoS attacks occurring inside a mobile network may be detected and mitigated in accordance with various embodiments of the present invention using network control elements, such as a MPD, unit located in or in proximity with the RAN. DDoS attack types which may be detected and mitigated from inside the RAN portion of the mobile network may include: (a) DNS attacks; (b) SYN attacks; (c) Simple Service Discovery Protocol (SSDP) attacks; (d) TCP/UDP/Traffic attack; and Application attacks.
According to some embodiments of the present invention, a network element may perform packet traffic steering towards a DDoS attack detection and mitigation block (e.g. MPD).
The DDoS attack detection and mitigation block may detect and mitigates various different DDoS attacks by analyzing and handling packet traffic as follows:
According to some embodiments, there may be provided a radio access network comprising including one or more radio access points to wirelessly engage in communication with one or more wireless communication devices. The access points may include wireless communication circuits including Radio Frequency transceivers and a wireless communication controller to provide and manage radio access to wireless/radio communication devices. The network may also include a Malicious Packet Detector (MPD) communicatively coupled to one or more radio access points and configured to detect one or more malicious packets, such as DDoS packets, transmitted to the radio access network by the one or more wireless communication devices. A controller functionally associated with the MPD may be configured to alter network operation so as to mitigate and/or disrupt malicious packet flow from the one or more malicious packet transmitting wireless communication devices.
The MPD may detect whether a packet is a malicious packet by inspecting at least one characteristics of the packet to assess whether the packet is part of a denial of service attack on a data network resource. The MPD may detect whether a packet is part of a malicious packet flow by inspecting at least one characteristic of a set of packets addressed to a common or related data network resource. A network resource protected by the MPD may be selected from the group consisting of: (a) a Domain Name Server, (b) a digital content or media server, and (c) an application engine or server. At least one characteristic of the set of packets may be selected from the group consisting of: (a) destination address, (b) source address, (c) duration between consecutive packets, (d) patterns of packet transmissions from a given device, and (e) a correlation between packets being transmitted to a common destination address substantially concurrently by separate devices.
According to embodiments, mitigating malicious packet flow may include redirecting or terminating packets detected to be part of a malicious packet flow. Mitigating malicious packet flow may include altering a radio link of a device which is transmitting a malicious packet flow to the radio access network. Altering a radio link of the device which is transmitting the malicious packet flow includes signaling a radio access point with which the device is communicatively coupled to deallocate or otherwise restrict bandwidth to the device.
Mitigating a malicious packet flow may include reporting detection of the malicious packet flow to a network control unit, wherein reporting may include reporting an identifier of a device transmitting the malicious packet flow.
The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features, and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanying drawings in which:
It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements.
In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the present invention.
Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as “processing”, “computing”, “calculating”, “determining”, or the like, may refer to the action and/or processes of a computer or computing system, or similar electronic computing device, that manipulate and/or transform data represented as physical, such as electronic, quantities within the computing system's registers and/or memories into other data similarly represented as physical quantities within the computing system's memories, registers or other such information storage, transmission or display devices.
In addition, throughout the specification discussions utilizing terms such as “storing”, “hosting”, “caching”, “saving”, or the like, may refer to the action and/or processes of ‘writing’ and ‘keeping’ digital information on a computer or computing system, or similar electronic computing device, and may be interchangeably used. The term “plurality” may be used throughout the specification to describe two or more components, devices, elements, parameters and the like.
Some embodiments of the invention, for example, may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment including both hardware and software elements. Some embodiments may be implemented in software, which includes but is not limited to firmware, resident software, microcode, or the like.
Furthermore, some embodiments of the invention may take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For example, a computer-usable or computer-readable medium may be or may include any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
In some embodiments, the medium may be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device) or a propagation medium. Some demonstrative examples of a computer-readable medium may include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), any composition and/or architecture of semiconductor based Non-Volatile Memory (NVM), any composition and/or architecture of biologically based Non-Volatile Memory (NVM), a rigid magnetic disk, and an optical disk. Some demonstrative examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W), and DVD.
In some embodiments, a data processing system suitable for storing and/or executing program code may include at least one processor coupled directly or indirectly to memory elements, for example, through a system bus. The memory elements may include, for example, local memory employed during actual execution of the program code, bulk storage, and cache memories which may provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
In some embodiments, input/output or I/O devices (including but not limited to keyboards, displays, pointing devices, etc.) may be coupled to the system either directly or through intervening I/O controllers. In some embodiments, network adapters may be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices, for example, through intervening private or public networks. In some embodiments, modems, cable modems and Ethernet cards are demonstrative examples of types of network adapters. Other functionally suitable components may be used.
Turning now to
The MPD may operate inside of a RAN, a flat IP environment, an IP tunnel or any other data environment found within a cellular communication network. The MPD may include one or more packet inspectors, including a deep packet inspector. The MPD may include an IP tunnel sniffer or the like.
The MPD shown of
Turning now to
Packets received by the network from communication devices via wireless radio circuits of the network may be received by the MPD over an interface to the radio circuits. Individual packets may be inspected by a packet inspector and a packet pattern detector may detect packet patterns indicative of a DDoS attach. A library of packet signatures, packet patterns or packet flow/stream behaviors may be used by the packet inspector and/or the packet the packet pattern detector.
Packets not found to be malicious are routed by the MPD routing module to their respective target network resources destination, as shown in
Turning now to
Turning now to
Functions, operations, components and/or features described herein with reference to one or more embodiments, may be combined or otherwise utilized with one or more other functions, operations, components and/or features described herein with reference to one or more other embodiments, or vice versa. While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents will now occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.
The present application claims the benefit of U.S. Provisional Patent Application 62/241,164 filed Oct. 14, 2015, the disclosure of which is incorporated herein by reference in its entirety.
| Number | Date | Country | |
|---|---|---|---|
| 62241164 | Oct 2015 | US |
