A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.

The disclosed computer-implemented method includes applying transport protocol heuristics to selective acknowledgement (SACK) messages received at a network adapter from a network node. The transport protocol heuristics identify threshold values for operational functions that are performed when processing the SACK messages. The method further includes determining, by applying the transport protocol heuristics to the SACK messages received from the network node, that the threshold values for the transport protocol heuristics have been reached. In response to determining that the threshold values have been reached, the method includes identifying the network node as a security threat and taking remedial actions to mitigate the security threat. Various other methods, systems, and computer-readable media are also disclosed.

In one embodiment, a device in a network receives traffic data regarding a plurality of observed traffic flows. The device maps one or more characteristics of the observed traffic flows from the traffic data to traffic characteristics associated with a targeted deployment environment. The device generates synthetic traffic data based on the mapped traffic characteristics associated with the targeted deployment environment. The device trains a machine learning-based traffic classifier using the synthetic traffic data.

A method for filtering attack streams targeting a connectivity module receiving a plurality of incoming connection streams includes: determining a plurality of aggregates; determining a plurality of first measurement vectors; determining another aggregate resulting from the combination of a plurality of incoming connection streams during another time period; determining another first measurement vector associated with the other aggregate; determining an abnormality score depending on the result of projecting the other first measurement vector and projecting the plurality of first measurement vectors and then, if the abnormality score is comprised in an area of doubt regarding the presence of an attack stream determining a plurality of second measurement vectors, each associated with one of the aggregates; determining another second measurement vector associated with the other aggregate; and detecting the presence or absence of an attack by analysing the other second measurement vector.

A method and system for protecting cloud-hosted applications against application-layer slow DDoS attacks are provided. The system include a processing circuitry; and a memory connected to the processor, the memory contains instructions that when executed by the processing circuitry, configure the system to: collect telemetries from a plurality of sources deployed in a plurality of public cloud computing platforms, wherein each of the plurality of public cloud computing platforms hosts an instance of a protected cloud-hosted application; provide a set of rate-based and rate-invariant features based on the collected telemetries; evaluate each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate a potential application-layer slow DDoS attack; and cause execution of a mitigation action, when an indication of a potential application-layer slow DDoS attack is determined.

An apparatus for mitigating a DDoS attack in a networked computing system includes at least one detector coupled with a corresponding router in the networked computing system. The detector is configured: to obtain network flow information from the router regarding current data traffic to at least one host; to compare the current data traffic to the host with stored traffic patterns associated with at least one prior DDoS attack; and to generate an output indicative of a match between the current data traffic and at least one of the stored traffic patterns. The apparatus further includes at least one mitigation unit coupled with the at least one detector. The mitigation unit is configured: to receive the output indicative of the match between the current data traffic and at least one of the stored traffic patterns; and to initiate a DDoS attack mitigation action in response to the received output.

Endpoint security systems and methods include a distance estimation module configured to calculate a travel distance between a source Internet Protocol (IP) address and an IP address for a target network endpoint system from a received packet received by a network gateway system based on time-to-live (TTL) information from the received packet. A machine learning model is configured to estimate an expected travel distance between the source IP address and the target network endpoint system IP address based on a sparse set of known source/target distances. A spoof detection module is configured to determine that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security module is configured to perform a security action at the network gateway system responsive to the determination that the received packet has a spoofed source IP address.

A dynamic denial of service (DDoS) mitigation system comprising a BGP address family exchange connected to at least one DDoS mitigation route reflector, and at least one DDoS mitigation route reflector being an address family identifier specific route reflector, where each DDoS mitigation route reflector advertises BGP content in a first address family to the BGP family exchange. The BGP address family exchange translates the BGP content from the first address family to a destination address family and announces the translated content to a destination route reflector, and wherein the destination address family includes a flow specification diversion route.

A monitoring service obtains request data specifying entries corresponding to requests received by a Domain Name System service to obtain an Internet Protocol address for a resource and to requests received by a web service to access the resource. The monitoring service uses that request data to generate a request frequency value corresponding to the received requests and compares this value to a baseline request frequency value. If the request frequency value exceeds the baseline request frequency value by a maximum threshold value, the monitoring service performs an operation to redirect network traffic originally directed towards the web service.

A method includes monitoring and logging a plurality of transactions between one or more clients and an application programming interface gateway, and analyzing data corresponding to the plurality of transactions using one or more machine learning techniques. The method further includes determining, based on the analyzing, one or more issues corresponding to one or more application programming interfaces associated with the application programming interface gateway and resulting from one or more of the plurality of transactions. In the method, one or more corrective actions are performed to address the one or more issues.