Patent classifications
H04L2463/142
Detection and mitigation of denial of service attacks in distributed networking environments
Techniques for detecting and mitigating Denial of Service (DoS) attacks in distributed networking environments are disclosed. In certain embodiments, a DoS detection and mitigation system is disclosed that automatically monitors and analyzes network traffic data in a distributed networking environment using a set of pre-defined threshold criteria. The system includes capabilities for automatically invoking various mitigation techniques that take actions on malicious traffic based on the analysis and the pre-defined threshold criteria. The system includes capabilities for automatically detecting and mitigating outbound DoS attacks by analyzing network traffic data originating from an entity within the network to a public network (e.g., the Internet) outside the network, as well as for detecting and mitigating east-west DoS attacks by analyzing network traffic data originating from a first entity located in a first data center of the network to a second entity located in a second data center of the network.
System and method for scaled management of threat data
A method, system, and computer-implemented method to manage threats to a network is provided. The method includes receiving volume threat data that indicates a volume of threat data that needs to be managed by a threat management system having a plurality of threat management devices, determining a volume range from a plurality of volume ranges to which the received volume threat data belongs, determining a number of threat management devices of the plurality of threat management devices needed to manage threat traffic associated with the determined volume range, and determining whether the number of threat management devices needed is different from the number of threat management devices currently being used to manage threat traffic. The method further includes, in response to a determination that the number is different and based on the number determined, automatically selecting threat management devices of the plurality of threat management devices to manage received threat data, automatically assigning each packet of the threat traffic to a group, each group corresponding to a threat management device of the selected threat management devices, and automatically directing each packet of the threat traffic to the threat management device that corresponds to the group to which the packet is assigned.
TECHNIQUES FOR DEFENSE AGAINST DOMAIN NAME SYSTEM (DNS) CYBER-ATTACKS
A method and system for detecting and mitigating recursive domain name system (DNS) cyber-attacks are disclosed. The method includes receiving DNS queries directed to a DNS resolver, wherein the DNS resolver is communicatively connected between at least one client and at least one name server; parsing each received DNS query to extract a hostname identified therein; updating at least one array of Bloom filters using the extracted hostname; computing a ratio of unrecognized hostnames per sample (UPS) based on the contents of the at least one array; and determining whether the UPS ratio is abnormal, wherein an abnormal UPS ratio is an indication of an attack.
DEFEATING MAN-IN-THE-MIDDLE ATTACKS IN ONE LEG OF 1+1 REDUNDANT NETWORK PATHS
In one embodiment, an elimination point device in a network obtains a master secret from a network controller. The elimination point device assesses, using the master secret, whether an incoming packet received by the elimination point device from a redundant path between the elimination point device and a replication point device in the network includes a valid message integrity check (MIC). The elimination point device determines whether the incoming packet was injected maliciously into the redundant path, based on the assessment of the incoming packet. The elimination point device initiates performance of a mitigation action in the network, when the elimination point device determines that the incoming packet was injected maliciously into the redundant path.
Method and system for detecting client causing network problem using client route control system
Provided are a method and a system for identifying the IP of a DDoS attack orderer by using a client route control server. A method for detecting a network problem-causing client by using a client route control server includes: forming an edge server IP allocation matrix; checking for a network problem occurrence in an edge server; allocating an edge server IP according to the edge server IP allocation matrix when a network problem occurs in an edge server; and detecting the user information or client IP that has no edge server IP to be allocated according to the edge server IP allocation matrix as a network problem-causing client, wherein an edge server IP is allocated differently for each user information or client IP in the edge server IP allocation matrix, and the edge server IP allocation is performed in at least two stages for each user information or client IP.
Dynamic session rate limiter
Provided are methods and systems for dynamically limiting new sessions. A method for dynamically limiting new sessions may commence with initiating a dynamic session rate limiter based on predetermined criteria. The method may further include dynamically ascertaining, by the dynamic session rate limiter, a remaining session table capacity. The method may continue with dynamically limiting, by the dynamic session rate limiter, a number of new sessions according to a function selected to negatively correlate the new sessions and the remaining session table capacity.
HIERARCHICAL ACTIVATION OF BEHAVIORAL MODULES ON A DATA PLANE FOR BEHAVIORAL ANALYTICS
In one embodiment, a centralized controller maintains a plurality of hierarchical behavioral modules of a behavioral model, and distributes initial behavioral modules to data plane entities to cause them to apply the initial behavioral modules to data plane traffic. The centralized controller may then receive data from a particular data plane entity based on its having applied the initial behavioral modules to its data plane traffic. The centralized controller then distributes subsequent behavioral modules to the particular data plane entity to cause it to apply the subsequent behavioral modules to the data plane traffic, the subsequent behavioral modules selected based on the previously received data from the particular data plane entity. The centralized controller may then iteratively receive data from the particular data plane entity and distribute subsequently selected behavioral modules until an attack determination is made on the data plane traffic of the particular data plane entity.
METHOD FOR DEFENDING AGAINST ATTACK, DEFENSE DEVICE, AND COMPUTER READABLE STORAGE MEDIUM
Embodiments of the present disclosure disclose a method for defending against a User Datagram Protocol (UDP) attack and a defense device. The method is implemented by a defense device, the defense device comprising a memory, a processor, and a bus system. The method comprises: detecting, by the defense device, whether a target host is attacked by a UDP attack from an attack device; obtaining, by the defense device, an Internet Control Message Protocol (ICMP) data packet sent back by the target host to the attack device, in response to the target host being attacked by the attack device; extracting, by the defense device, information about target ports in the ICMP data packet; and performing, by the defense device according to the information about the target ports, interception processing on UDP data packets sent by the attack device to the target ports.
SIGNALING ATTACK PREVENTION METHOD AND APPARATUS
A signaling attack prevention method and apparatus is provided. The signaling attack prevention method can include receiving a Diameter request message sent by a mobility management entity (MME) or a serving general packet radio service (GPRS) support node (SGSN); and determining whether the Diameter request message is received through a roaming interface. When the Diameter request message is received from the roaming interface, the signaling attack prevention method can include determining whether a characteristic parameter of the Diameter request message is valid; and if the characteristic parameter of the Diameter request message is invalid, the method can include discarding the Diameter request message or returning, to the MME or the SGSN, a Diameter response message carrying an error code. In this way, a hacker can be effectively prevented from attacking an HSS or an edge node by using each attack path, and communication security is improved.
Signaling Attack Prevention Method and Apparatus
A signaling attack prevention method and apparatus, where the method includes receiving a general packet radio service (GPRS) Tunneling Protocol (GTP-C) message from a serving gateway (SGW), determining whether the GTP-C message is received from an eighth data interface (S8), determining whether a first characteristic parameter of the GTP-C message is valid when the GTP-C message is received from the S8 interface, where the first characteristic parameter includes at least one of an international mobile subscriber identity (IMSI) of a user, or an identifier of a message source end of the GTP-C message, and discarding the GTP-C message or returning, to the SGW, a GTP-C response message carrying an error code cause value when the first characteristic parameter of the GTP-C message is invalid.