H04L2463/142

Detecting and preventing denial of service attacks due to fraudulent BSS color collision events

A management entity obtains from a first wireless access point a Basic Service Set (BSS) color collision event detected by the first wireless access point. The first wireless access point uses a first BSS color. A color collision event occurs when the first wireless access point receives, from a device in the BSS of a different physical wireless access point, a frame or PHY Protocol Data Unit (PPDU) that includes the first BSS color. The management entity obtains from the first wireless access point an indication of whether the color collision event has been detected for longer than a predetermined duration. When the color collision event has been detected for longer than the predetermined duration, the management entity computes a probability of the color collision event. The management entity determines whether the color collision event is malicious or benign, and determines whether to maintain the first BSS color.

Methods and systems for prevention of attacks associated with the domain name system

The attack vectors for some denial-of-service cyber attacks on the Internet's Domain Name System (DNS) are DNS requests to resolve bad, bogus, or unregistered domain names, that is, domain names that are not registered in the DNS. Some other cyber attacks steal sensitive data by encoding the data in bogus domain names, or domain names otherwise not registered in the DNS, that are transferred across networks in bogus DNS requests. A DNS gatekeeper may filter in-transit packets containing DNS requests and may efficiently determine whether a request's domain name is registered in the DNS. When the domain name is not registered in the DNS, the DNS gatekeeper may take one of a plurality of protective actions. The DNS gatekeeper drops requests determined not to be legitimate, which may prevent an attack.

DENIAL-OF-SERVICE DETECTION AND MITIGATION SOLUTION
20210112091 · 2021-04-15

A system, central controller, and method for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system. One or more records including meta-data about network traffic are received from one or more network devices, and anomalous network traffic is identified. A source address of the anomalous network traffic is determined and a mitigation action is initiated based on the source address and one or more mitigation rules, wherein a determination of whether a received data packet is part of the DDoS attack is based on one or more detection rules.

Request routing processing

Generally described, the present disclosure is directed to managing request routing functionality corresponding to resource requests for one or more resources associated with a content provider. The processing of the DNS requests by the service provider can include the selective filtering of DNS queries associated with a DNS query-based attack. A service provider can assign DNS servers corresponding to a distributed set of network addresses, or portions of network addresses, such that DNS queries exceeding a threshold, such as in DNS query-based attacks, can be filtered in a manner that can mitigate the performance impact on the content provider or service provider.

Method and system for restricting transmission of data traffic for devices with networking capabilities

A method and a system for restricting data packet transmission of an apparatus at a network node. The network node, during a first time period, updates a whitelist and does not restrict data packet transmission according to the whitelist. After the first time period, the network node determines the corresponding destination address of each of the data packets and allows the data packets to be sent to the corresponding destination address if a criterion is satisfied. The network node does not allow the data packets to be sent to the corresponding destination address if the criterion is not satisfied. The whitelist is comprised of at least one destination address. The criterion is based on the at least one destination address. The whitelist is stored in a non-transitory computer-readable storage medium in the network node.

Mitigation of attacks on satellite networks

A system includes a terminal and a gateway. The terminal is programmed to identify, in received data, a signature of rogue data that includes at least a device identifier and an application identifier, and to transmit, via uplink to a satellite, the identified signature to a gateway. The gateway is programmed to block downlink data, upon determining that downlink data includes the received signature, and to broadcast the received signature to a second gateway.

Techniques for defense against domain name system (DNS) cyber-attacks
10938851 · 2021-03-02

A method and system for detecting and mitigating recursive domain name system (DNS) cyber-attacks are disclosed. The method includes receiving DNS queries directed to a DNS resolver, wherein the DNS resolver is communicatively connected between at least one client and at least one name server; parsing each received DNS query to extract a hostname identified therein; updating at least one array of Bloom filters using the extracted hostname; computing a ratio of unrecognized hostnames per sample (UPS) based on the contents of the at least one array; and determining whether the UPS ratio is abnormal, wherein an abnormal UPS ratio is an indication of an attack.

Real-time detection and clustering of emerging fraud patterns

Systems, methods, and computer-readable media are disclosed for the dynamic, real-time detection and clustering of emerging fraud patterns. Example methods may include determining an expected account registration volume and an actual account registration volume during a same period of time. Certain methods may include determining an abnormal fluctuation in account registration volume based on a difference between the expected account registration volume and the actual account registration volume during the period of time. Certain methods may include generating subsets of account registrations received during the period of time based on one or more shared characteristics. Certain methods may include generating an account cluster based on the subsets of account registrations. Certain methods may include sending the account cluster to a bulk closure system.

DISTRIBUTED DENIAL-OF-SERVICE MITIGATION
20210084068 · 2021-03-18

The techniques described in this disclosure provide resilient and reactive on-demand Distributed Denial-of-Service (DDoS) mitigation services using an exchange. For example, an exchange comprises a first virtual network for switching mixed traffic (including dirty (DDoS) traffic and clean (non-DDoS) traffic) from one or more networks to one or more DDoS scrubbing centers; and a second virtual network for switching the clean traffic from the one or more DDoS scrubbing centers to the one or more networks, wherein the exchange is configured to receive the mixed traffic from the one or more networks and switch, using the first virtual network, the mixed traffic to a selected DDoS scrubbing center of the one or more DDoS scrubbing centers, and wherein the exchange is configured to receive the clean traffic from the selected DDoS scrubbing center and switch, using the second virtual network, the clean traffic to the one or more networks.

Early detection of dedicated denial of service attacks through metrics correlation
10911483 · 2021-02-02

A monitoring service obtains request data specifying entries corresponding to requests received by a Domain Name System service to obtain an Internet Protocol address for a resource and to requests received by a web service to access the resource. The monitoring service uses that request data to generate a request frequency value corresponding to the received requests and compares this value to a baseline request frequency value. If the request frequency value exceeds the baseline request frequency value by a maximum threshold value, the monitoring service performs an operation to redirect network traffic originally directed towards the web service.