Patent classifications
H04L2463/142
Method And System For Protection From DDoS Attack For CDN Server Group
A method and system for protection from DDoS attack for a CDN server group. The CDN server group includes a plurality of CDN servers and a center server. The method includes: sending, by each CDN server, the access source information of each access request to the center server; counting, by the center server, the number of access requests in each CDN server; determining, by the center server, that the access requests in a CDN server whose number for the same access source information exceeds a predetermined threshold are DDoS attacks, and generating, by the center server, a blacklist; issuing, by the center server, the blacklist to the plurality of CDN servers; and making the CDN servers refuse to provide a service to an access source in the blacklist. Accordingly, the CDN server group is protected against DDoS attacks from the entire network.
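The report, count, blacklist and refuse cycle described in the abstract above, as an added illustration that is not the patent's own code: the threshold is applied per source per CDN server (as the abstract states), so a source spread thinly across several servers is not flagged, while a source flagged on one server is refused by every server once the blacklist is issued. Server identifiers, IP addresses and the threshold value are constructed.

```python
from collections import Counter, defaultdict

THRESHOLD = 100  # per-source, per-CDN-server request count above which a source is an attack (assumed value)


class CenterServer:
    """Aggregates access-source reports from every CDN server and builds the blacklist."""

    def __init__(self, threshold: int = THRESHOLD):
        self.threshold = threshold
        self.counts = defaultdict(Counter)  # cdn_server_id -> Counter(source_ip -> request count)
        self.blacklist = set()

    def report(self, cdn_server_id: str, source_ip: str, n: int = 1) -> None:
        self.counts[cdn_server_id][source_ip] += n

    def evaluate(self) -> set:
        """A source is a DDoS source when its count on any single CDN server exceeds the threshold."""
        for counter in self.counts.values():
            for src, n in counter.items():
                if n > self.threshold:
                    self.blacklist.add(src)
        return set(self.blacklist)

    def issue(self, cdn_servers) -> None:
        """Push the current blacklist to every CDN server in the group."""
        bl = self.evaluate()
        for server in cdn_servers:
            server.receive_blacklist(bl)


class CdnServer:
    def __init__(self, server_id: str, center: CenterServer):
        self.server_id = server_id
        self.center = center
        self.blacklist = set()
        self.served = 0
        self.refused = 0

    def receive_blacklist(self, bl: set) -> None:
        self.blacklist = set(bl)

    def handle(self, source_ip: str) -> bool:
        """Refuse blacklisted sources; otherwise serve and report the source to the center."""
        if source_ip in self.blacklist:
            self.refused += 1
            return False
        self.served += 1
        self.center.report(self.server_id, source_ip)
        return True
```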
METHOD AND SYSTEM FOR DETECTING CLIENT CAUSING NETWORK PROBLEM USING CLIENT ROUTE CONTROL SYSTEM
Provided are a method and a system for identifying the IP of a DDoS attack orderer by using a client route control server. A method for detecting a network problem-causing client by using a client route control server includes: forming an edge server IP allocation matrix; checking for a network problem occurrence in an edge server; allocating an edge server IP according to the edge server IP allocation matrix when a network problem occurs in an edge server; and detecting the user information or client IP that has no edge server IP left to be allocated according to the edge server IP allocation matrix as the network problem-causing client, wherein an edge server IP is allocated differently for each user information or client IP in the edge server IP allocation matrix, and the edge server IP allocation is performed in at least two stages of edge server IP for each user information or client IP.
Protecting address resolution protocol neighbor discovery cache against denial of service attacks
In one embodiment, a device (e.g., switch or registry) maintains a binding table for all internet protocol (IP) addresses in a particular subnet associated with the device, and in response to receiving a neighbor solicitation (NS) lookup message from a router for a particular address, determines whether the particular address is within the binding table. When the particular address is not within the binding table, the device causes the router to not store the particular address in a neighbor discovery (ND) cache at the router (e.g., by responding to clear the cache, or ignoring to prevent state from being created). In another embodiment, the ND-requesting router ensures that the particular address is not kept in an ND cache at the router in response to the device indicating that the particular address is not within its binding table (e.g., an explicit response to clear, or absence of instruction to store state).
Method and apparatus for causing a delay in processing requests for internet resources received from client devices
A method and apparatus for causing a delay in processing requests for Internet resources received from client devices is described. A server receives from a first client device a first request for a resource. The server transmits a response to the first client device indicating that access to the resource is temporarily denied. The response includes a cryptographic token associated with the first request and a predetermined period of time during which the first client device is to wait prior to transmitting another request to access the resource. The server receives a second request for the resource and, upon determining that the second request includes a valid cryptographic token, causes the second request to be processed. The server receives a third request for the resource and, upon determining that the third request does not include a valid cryptographic token, blocks the third request.
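One way to realise the token-gated delay from the abstract above, added here as an example and not the patent's own implementation: the token is an HMAC over the client, the resource and the earliest accepted retry time, so it cannot be forged, moved to another client or resource, or used before the wait has elapsed. The key, the wait period and the validity window are assumed values.

```python
import base64
import hashlib
import hmac
import secrets

DELAY_SECONDS = 5                       # predetermined wait period (assumed value)
TOKEN_TTL_SECONDS = 60                  # window after the wait in which a token stays valid (assumption)
SECRET_KEY = b"constructed-demo-key"    # constructed; a real deployment generates a random key
SIG_LEN = hashlib.sha256().digest_size  # 32-byte MAC appended to the payload


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_token(client_id: str, resource: str, now: int) -> tuple:
    """Token bound to the client, the resource and the earliest accepted retry time."""
    not_before = now + DELAY_SECONDS
    payload = f"{client_id}|{resource}|{not_before}|{secrets.token_hex(8)}".encode()
    token = base64.urlsafe_b64encode(payload + _sign(payload)).decode()
    return token, DELAY_SECONDS


def verify_token(token: str, client_id: str, resource: str, now: int) -> bool:
    """Valid only if the MAC checks, the binding matches this client and resource,
    and now lies inside [not_before, not_before + TTL]; anything undecodable is invalid."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        if not hmac.compare_digest(sig, _sign(payload)):
            return False
        tok_client, tok_resource, not_before, _nonce = payload.decode().split("|")
        nb = int(not_before)
    except (ValueError, UnicodeDecodeError):
        return False
    return (tok_client, tok_resource) == (client_id, resource) and nb <= now <= nb + TOKEN_TTL_SECONDS


def handle_request(client_id: str, resource: str, now: int, token: str = "") -> dict:
    """One server decision: a first contact is denied with a token and a wait period;
    a retry carrying a valid token is processed; a request with an invalid token is blocked."""
    if not token:
        tok, wait = issue_token(client_id, resource, now)
        return {"status": "denied", "retry_after": wait, "token": tok}
    if verify_token(token, client_id, resource, now):
        return {"status": "processed"}
    return {"status": "blocked"}
```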
Systems and methods for network destination based flood attack mitigation
Embodiments are directed towards network address based flood attack mitigation methods. A PTMD disposed between one or more computers may monitor several network flows and generate metrics associated with malicious network activity, such as flood attacks. If flood attacks are determined to be occurring, the PTMD may determine the network addresses targeted by the flood attack. Further, the PTMD may activate flood attack mitigation procedures for the targeted network addresses such that other network addresses associated with the monitored network flows are excluded from the flood attack mitigation procedure. The PTMD may monitor the network traffic subsequently communicated to the targeted network addresses. Accordingly, the PTMD may determine whether the flood attack has ceased based on characteristics of the monitored network traffic. If the flood attack has ceased, the flood attack mitigation procedures for the targeted network addresses may be deactivated.
System and method for directing malicious activity to a monitoring system
A system of client devices and a server system implementing services makes use of credentials to facilitate authentication of the client devices with the server and generates log entries for different accesses to the server system. A monitoring system places credentials and log entries referencing the monitoring system alongside the credentials and log entries on the client devices, without any authentication or actual access attempts by the client devices to the monitoring system. Unauthorized access to a client device may result in the credentials and log entries for the monitoring system being accessed and used to access the monitoring system. Attempts to exploit the monitoring system using those credentials and log entries are contained within the monitoring system, and data is collected to characterize the malicious code attempting to exploit it. The data is then used to prevent attacks and detect compromised client devices and server systems.
Systems and methods for network security model
A security apparatus for a local network is in communication with an external electronic communication system and a first electronic device. The apparatus includes a memory device configured to store computer-executable instructions, and a processor in operable communication with the memory device. The processor is configured to implement the stored computer-executable instructions to cause the apparatus to determine a complexity score for the first electronic device, establish a behavioral pattern for the first electronic device operating within the local network, calculate a confidence metric for the first electronic device based on the determined complexity score and the established behavioral pattern, and control access of the first electronic device to the external electronic network according to the calculated confidence metric.
FLOWSPEC GATEWAY
FlowSpec is a mechanism for distributing rules to routers in a network. Such rules may be used, for example, to drop traffic associated with a distributed denial of service attack. However, a malformed or incorrect FlowSpec announcement may, if distributed in the network, cause legitimate traffic to be dropped, degrading the service experienced by legitimate users. As such, systems and methods for avoiding the distribution of malformed FlowSpec announcements are provided.
Detecting and Mitigating Denial of Service Attacks Over Home Gateway Network Address Translation
Aspects of detecting and mitigating denial of service (DoS) attacks over home gateway network address translation (NAT) are disclosed herein. According to one aspect disclosed herein, a home gateway system can detect that a NAT table is overpopulated. In response to detecting that the NAT table is overpopulated, the home gateway system can determine a mitigation action to be performed. The home gateway system can then perform the mitigation action in an attempt to mitigate an effect of the NAT table overpopulation.