H04L2463/141

Method of collaboration and for requesting collaboration between protecting services associated with at least one domain, corresponding agents and computer program
11985161 · 2024-05-14

A method of collaboration between protecting services associated with one or more domains. Such a method includes: getting a first agent used by a first protecting service to identify an attack on at least one resource managed by a domain protected by the first protecting service; and transmitting, to at least one second agent used by a second protecting service having taken out a subscription to at least one information-sharing service offered by the first protecting service, at least one piece of information relating to the attack identified by the first agent.

DETECTION OF DENIAL OF SERVICE ATTACKS
20190253445 · 2019-08-15

Embodiments are directed to monitoring network traffic over a network using one or more network monitoring computers. A monitoring engine may be instantiated to perform actions, including: monitoring network traffic to identify client requests provided by clients and server responses provided by servers in response to the client requests; determining request metrics associated with the client requests; and determining response metrics associated with the server responses. An analysis engine may be instantiated that performs actions, including: comparing the request metrics with the response metrics; determining atypical behavior associated with the clients based on the comparison such that the atypical behavior includes an absence of adaption by the clients to changes in the server responses; and providing alerts that may identify the clients associated with the atypical behavior.

NETWORK PROTOCOL MODIFICATION SYSTEMS FOR MITIGATING ATTACKS
20190245887 · 2019-08-08

In a particular embodiment, a network protocol modification system is configured to identify a malicious attack on a particular computing system, and modify a protocol (e.g., Border Gateway Protocol) that dictates a path of network traffic to the particular computing system. The system may, for example, modify a protocol (e.g., Border Gateway Protocol) that dictates the path of network traffic to the particular computing system for: (1) all network traffic; (2) any network traffic from one or more particular sources; and/or (3) any other suitable combination of traffic. In some embodiments, the system may interface with one or more ISP or other systems in order to propagate network protocol updates. In particular embodiments, the system is particularly configured to mitigate one or more DDoS attacks against a particular target network or service.

Systems, methods, and devices for defending a network

Certain exemplary embodiments comprise a method comprising: within a backbone network: for backbone network traffic addressed to a particular target and comprising attack traffic and non-attack traffic, the attack traffic simultaneously carried by the backbone network with the non-attack traffic: redirecting at least a portion of the attack traffic to a scrubbing complex; and allowing at least a portion of the non-attack traffic to continue to the particular target without redirection to the scrubbing complex.

DISTRIBUTED DENIAL-OF-SERVICE ATTACK MITIGATION WITH REDUCED LATENCY
20190230116 · 2019-07-25

An apparatus for mitigating a DDoS attack in a networked computing system includes at least one detector coupled with a corresponding router in the networked computing system. The detector is configured: to obtain network flow information from the router regarding current data traffic to at least one host; to compare the current data traffic to the host with stored traffic patterns associated with at least one prior DDoS attack; and to generate an output indicative of a match between the current data traffic and at least one of the stored traffic patterns. The apparatus further includes at least one mitigation unit coupled with the at least one detector. The mitigation unit is configured: to receive the output indicative of the match between the current data traffic and at least one of the stored traffic patterns; and to initiate a DDoS attack mitigation action in response to the received output.

METHOD FOR DEFENDING AGAINST ATTACK, DEFENSE DEVICE, AND COMPUTER READABLE STORAGE MEDIUM
20190215336 · 2019-07-11

Embodiments of the present disclosure disclose a method for defending against a User Datagram Protocol (UDP) attack and a defense device. The method is implemented by a defense device, the defense device comprising a memory, a processor, and a bus system. The method comprises: detecting, by the defense device, whether a target host is attacked by a UDP attack from an attack device; obtaining, by the defense device, an Internet Control Message Protocol (ICMP) data packet sent back by the target host to the attack device, in response to the target host being attacked by the attack device; extracting, by the defense device, information about target ports in the ICMP data packet; and performing, by the defense device according to the information about the target ports, interception processing on UDP data packets sent by the attack device to the target ports.

SYSTEM AND METHOD FOR OUT OF PATH DDOS ATTACK DETECTION
20190182266 · 2019-06-13

A system and method for out-of-path detection of cyber-attacks are provided. The method includes receiving, by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources; processing, by the detector, the plurality of received data feeds to generate enriched Flow data sets; analyzing the enriched Flow data sets to detect a potential cyber-attack; and upon detection of a potential cyber-attack, providing indication to each network entity of the network entities that is under attack.

METHOD AND SYSTEM TO RESOLVE A DISTRIBUTED DENIAL OF SERVICE ATTACK THROUGH DENYING RADIO RESOURCE ALLOCATION OF INFECTED END DEVICES
20190182290 · 2019-06-13

Methods and systems to resolve a distributed denial of service (DDoS) attack in a wireless network are disclosed. In one embodiment, a method comprises receiving signaling messages along with samples of spurious traffic sourced from one or more end devices, where the one or more end devices connect to the wireless network for internet connectivity. The method continues with determining, based on the samples, that there is a DDoS attack occurring in which a set of one or more of the end devices is acting as bots in a botnet, and are thus infected end devices, and causing denial of radio resource allocation to the set of one or more of the infected end devices.

Method and apparatus for avoiding denial of services in mobile communications

Various solutions for avoiding denial of services with respect to mobile station (MS) and network apparatus in mobile communications are described. A MS may receive a first reject message from a network apparatus in a location area. The first reject message may comprise a first reject cause. The MS may also receive a second reject message from the network apparatus in the location area. The second reject message may comprise a second reject cause. The MS may store an identification of the location area in a forbidden location area list in an event that both the first reject cause and the second reject cause are received from the same location area. The MS may further search for another location area or tracking area.

Method for filtering attack streams targetting a connectivity module
12010094 · 2024-06-11

A method for filtering attack streams targeting a connectivity module receiving a plurality of incoming connection streams includes: determining a plurality of aggregates; determining a plurality of first measurement vectors; determining another aggregate resulting from the combination of a plurality of incoming connection streams during another time period; determining another first measurement vector associated with the other aggregate; determining an abnormality score depending on the result of projecting the other first measurement vector and projecting the plurality of first measurement vectors; and then, if the abnormality score is comprised in an area of doubt regarding the presence of an attack stream, determining a plurality of second measurement vectors, each associated with one of the aggregates; determining another second measurement vector associated with the other aggregate; and detecting the presence or absence of an attack by analysing the other second measurement vector.