Patent classifications
H04L2463/141
DEFENDING AGAINST DOMAIN NAME SYSTEM BASED ATTACKS
In some examples, a Domain Name System (DNS) server receives, over a network, DNS queries containing domain names, extracts a common domain name shared by the domain names, determines whether a measure of an amount of data relating to the DNS queries containing the common domain name exceeds a threshold, and in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, triggers a countermeasure action to address a threat associated with the DNS queries.
DENIAL OF SERVICE MITIGATION
A web server operating in a container has resource and network limits applied to add an extra layer of security to the web server. If a monitor detects that the container's resource usage is approaching one or more of these limits, which may be indicative of a DDoS attack, or identifies traffic sources exhibiting suspicious behaviour, such as frequently repeated requests from the same address or from a related set of addresses, a restrictor function caps the resources allowed by the original web server container to allow it to recover from buffer overflow and protect servers running in other containers from overwhelming any shared resources. A duplicator function starts up replica containers with the same resource limits to take overflow traffic, and a load balancing function then directs incoming traffic to these overflow containers etc. Traffic from suspicious sources is directed by the load balancer to one or more specially-configured attack-assessment container(s) where a dummy web server operates. The behaviour of these sources is analysed over some time by a behaviour monitoring function to determine if they are legitimate or malicious; this function can control a firewall to block addresses identified as generating malicious traffic.
Systems, methods, and devices to defend against attacks
Systems, methods, and/or techniques for mitigating attacks on an IoT device at a gateway device may be provided. The gateway device may receive a communication directed to an Internet of Things (IoT) device and forward it to the IoT device. The IoT device may indicate to the gateway device that the communication is associated with an attack and send the gateway device a sleep time period and a request to change a filtering rule set at the gateway device. The gateway device may change the filtering rule set and receive another communication directed to the IoT device. If the other communication is valid based on the filtering rule set with the change and a number of valid packets is less than a threshold, and the sleep time period has expired, the gateway device may send another communication to the IoT device.
METHOD CIRCUITS DEVICES SYSTEMS AND FUNCTIONALLY ASSOCIATED COMPUTER EXECUTABLE CODE FOR DETECTING AND MITIGATING DENIAL OF SERVICE ATTACK DIRECTED ON OR THROUGH A RADIO ACCESS NETWORK
The present invention includes methods, circuits, systems and functionally associated computer executable code for detecting and mitigating a denial of service attack on or through a radio access network. According to some embodiments, there may be provided a radio access network with one or more radio access points to wirelessly engage in communication with one or more wireless communication devices, a Malicious Packet Detector (MPD) communicatively coupled to one or more radio access points and configured to detect one or more malicious packets transmitted to the radio access network by the one or more wireless communication devices, and a controller functionally associated with the MPD and configured to alter network operation so as to mitigate malicious packet flow from the one or more malicious packet transmitting wireless communication devices.
METHOD AND DATA PACKET CLEANING SYSTEM FOR SCREENING DATA PACKETS RECEIVED AT A SERVICE INFRASTRUCTURE
A data packet received at a service infrastructure is screened by a data packet cleaning system that successively applies each signature of a set of signatures as a mask to a predetermined area of a content of the data packet. If there is a byte-for-byte match between the predetermined area of the content and one of the signatures, an action corresponding to the matched signature is taken. The action is selected from unconditionally forwarding the data packet toward a server of the service infrastructure, unconditionally discarding the data packet, forwarding the data packet toward the server of the service infrastructure if a current flow of data packets being forwarded to the server is less than a flow threshold, and discarding the data packet if the current flow of data packets being forwarded to the server meets or exceeds the flow threshold.
DISTRIBUTED DENIAL OF SERVICE REMEDIATION AND PREVENTION
First data indicative of information that a packet is part of a DDoS attack is received at a management network device. A DDoS remediation network device to be used for remediation of packets associated with the DDoS attack is determined from the first data. Second data, indicative of the DDoS attack and indicative of the DDoS remediation network device, is transmitted from the management network device to an edge network device. The second data is configured to cause the edge network device to route packets associated with the DDoS attack to the DDoS remediation network device.
DEVICE AND METHOD FOR PROVIDING SECURE TRANSMISSION OF DATA BETWEEN A TRANSMITTER AND A RECEIVER
A device for providing secure transmission of data between a transmitter and a receiver includes an interface circuit that includes a first input circuit arranged to receive data to be transmitted, the first input circuit comprising programmable logic for transforming said data to be transmitted, the programmable logic being built in the first input circuit by a first controller; a first output circuit arranged to receive the data transformed by the first input circuit, the first output circuit comprising programmable logic for retransforming said transformed data, the programmable logic being built by a second controller, and a first comparator arranged to compare said data retransformed by the first output circuit and the data to be transmitted, the programmable logic of the first input circuit being inverse and complementary to the programmable logic of the first output circuit. Also disclosed is a method implemented by the device described above.
DETECTION AND MITIGATION SOLUTION USING HONEYPOTS
A system and method for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system. At least one DDoS honeypot in operative communication with a central controller in the networked computing system is configured to receive a data packet from a network, determine a source address of the data packet, and send the source address to the central controller. The central controller is configured to initiate a mitigation action based on the source address and one or more mitigation rules, wherein a determination of whether the received data packet is part of the DDoS attack is based on one or more detection rules.
Smart internet of things (“IOT”) relay monitors
Apparatus and methods are provided for tracking and validating behavior and communication patterns of sensors on an Internet-of-Things (IoT) network. Preferably, a tracking node is assigned to monitor activity of a target node. The tracking node may hand off monitoring responsibility to another node on the network. A tracking node may intercept communications of a target node. A first tracking node may monitor activity of the target node in a first geographic location. A second tracking node may monitor activity of the target node in a second geographic location. Two or more tracking nodes may monitor activity of the target node in a geographic location.
Monitor apparatus, method, and non-transitory computer readable storage medium thereof
A monitor apparatus, method, and non-transitory computer readable storage medium thereof are provided. The monitor method is adapted for an electronic computing apparatus, wherein the electronic computing apparatus stores a smart contract and a blockchain ledger of a blockchain system. The monitor method periodically executes the following steps: (a) obtaining a piece of behavior information of a first electronic apparatus at a time point, (b) retrieving, via the smart contract, a plurality of pieces of previous behavior information within a time interval from the blockchain ledger, wherein the time interval is defined by the time point, and each piece of previous behavior information corresponds to one of a plurality of second electronic apparatuses and the first electronic apparatus, (c) determining a legality of the piece of behavior information according to the pieces of previous behavior information, and (d) writing the behavior information into the blockchain ledger.