Patent classifications
H04L2463/142
EDGE GATEWAYS IN DISAGGREGATED NETWORKS
Techniques are disclosed for processing data packets and implementing policies in a software defined network (SDN) of a virtual computing environment. A plurality of computing nodes are communicatively coupled to network devices. The computing nodes are configured to provide at least one cloud edge processing function. The network devices are configured to enable communications between virtual machines within a virtual network of the virtual computing environment in accordance with associated policies. The network devices and the processing function are disaggregated from dependencies on particular computing nodes that are hosting the virtual machines.
Method and system for restricting transmission of data traffic for devices with networking capabilities
A method and a system of restricting data packet transmission of an apparatus at a network node. The network node, during a first time period, updates a whitelist and does not restrict data packet transmission according to the whitelist. After the first time period, the network node determines the corresponding destination address of each of the data packets and allows the data packets to be sent to the corresponding destination address if a criterion is satisfied. The network node does not allow the data packets to be sent to the corresponding destination address if the criterion is not satisfied. The whitelist is comprised of at least one destination address. The criterion is based on the at least one destination address. The whitelist is stored in a non-transitory computer readable storage medium in the network node.
SCRUBBER FOR DISTRIBUTED DENIAL OF SERVICE ATTACKS TARGETTING MOBILE NETWORKS
A device includes a processor and a memory. The processor effectuates operations including receiving signaling messages traversing a first interface or a second interface from the network traffic, translating the signaling messages into one or more events, detecting one or more anomalies by analyzing the one or more events, determining whether the one or more anomalies are indicative of an attack on a telecommunications network, and performing a remediation action on the signaling messages to resolve the attack when the one or more anomalies are indicative of an attack on the telecommunications network.
METHOD AND APPARATUS TO REDUCE RISK OF DENIAL OF SERVICE RESOURCE ACQUISITION ATTACKS IN A DATA CENTER
A policy-based mechanism that enforces use of compute resources in a data center by authorized entities is provided. The policies include a set of policies associated with a requestor of compute resources and a set of policies associated with the use of resources in the data center. The policies are stored in a tamper-proof way in a secure storage in the data center.
Method, Device, And System For Enhancing Cross-Network Access Security
Example methods and apparatus for enhancing cross-network access security are described. In one example method, a terminal accesses a second network by using a packet data unit (PDU) session established in a first network. A session management network element in the first network receives a first request message for the PDU session, where the first request message comprises address information of the terminal, an identifier of the second network, and indication information for prohibiting the terminal from accessing the second network. Based on the first request message, the session management network element stores the information for prohibiting the terminal from accessing the second network, and blocks access of the terminal to the second network.
Distributed denial-of-service mitigation
The techniques described in this disclosure provide resilient and reactive on-demand Distributed Denial-of-Service (DDoS) mitigation services using an exchange. For example, an exchange comprises a first virtual network for switching mixed traffic (including dirty (DDoS) traffic and clean (non-DDoS) traffic) from one or more networks to one or more DDoS scrubbing centers; and a second virtual network for switching the clean traffic from the one or more DDoS scrubbing centers to the one or more networks, wherein the exchange is configured to receive the mixed traffic from the one or more networks and switch, using the first virtual network, the mixed traffic to a selected DDoS scrubbing center of the one or more DDoS scrubbing centers, and wherein the exchange is configured to receive the clean traffic from the selected DDoS scrubbing center and switch, using the second virtual network, the clean traffic to the one or more networks.
Detecting and Mitigating Denial of Service Attacks Over Home Gateway Network Address Translation
Aspects of detecting and mitigating denial of service (“DoS”) attacks over home gateway network address translation (“NAT”) are disclosed herein. According to one aspect disclosed herein, a home gateway system can detect that a NAT table is overpopulated. In response to detecting that the NAT table is overpopulated, the home gateway system can determine a mitigation action to be performed. The home gateway system can then perform the mitigation action in an attempt to mitigate an effect of the NAT table overpopulation.
SLOWING REQUESTS FROM MALICIOUS NETWORK CLIENTS
A method and network are provided for monitoring a network during a DDoS attack. The method includes establishing a flow record for flows designated for tarpitting and a state machine, each state of multiple states of the state machine having an associated handler function. The handler function associated with a current state of a state machine associated with a flow is invoked to perform one or more actions associated with the flow or the flow record for applying at least one tarpitting technique of one or more candidate tarpitting techniques associated with the flow record, and return a next state, which is used to update the current state of the state machine. The handler function associated with the current state of the state machine is repeatedly invoked, wherein each invocation of the handler function potentially applies different tarpitting techniques.
FORMULATING RESPONSES FOR SLOWING REQUESTS FROM MALICIOUS DOMAIN NAME SYSTEM (DNS) CLIENTS
A method of delaying computer network clients from sending DNS queries. The method includes receiving a DNS query from a client and consulting a client record in a client record database and/or a flow record in a flow record database storing information about the flow including about one or more previous DNS queries and/or responses in the flow. The method further includes formulating a response to the DNS query as a function of the information about the client and/or the information about the flow, updating the client record with information about the client and/or the flow record with information about the DNS query and the response as formulated, and transmitting the response as formulated to the client. The DNS query includes a question and the response is intentionally defective or incomplete and causes the client to be delayed in sending another DNS query as part of an attack.
DETECTION AND MITIGATION OF DENIAL OF SERVICE ATTACKS IN DISTRIBUTED NETWORKING ENVIRONMENTS
Techniques for detecting and mitigating Denial of Service (DoS) attacks in a distributed networking environment are disclosed. In certain embodiments, a DoS detection and mitigation system is disclosed that automatically monitors and analyzes network traffic data in a distributed networking environment using a set of pre-defined threshold criteria. The system includes capabilities for automatically invoking various mitigation techniques that take actions on malicious traffic based on the analysis and the pre-defined threshold criteria. The system includes capabilities for automatically detecting and mitigating “outbound” DoS attacks by analyzing network traffic data originating from an entity within the network to a public network (e.g., the Internet) outside the network, as well as detecting and mitigating “east-west” DoS attacks by analyzing network traffic data originating from a first entity located in a first data center of the network to a second entity located in a second data center of the network.