US 11,750,622 B1
Forwarding element with a data plane DDoS attack detector
Changhoon Kim, Palo Alto, CA (US); Jeongkeun Lee, Mountain View, CA (US); and Masoud Moshref Javadi, Sunnyvale, CA (US)
Assigned to Barefoot Networks, Inc., Santa Clara, CA (US)
Filed by Barefoot Networks, Inc., Santa Clara, CA (US)
Filed on Feb. 15, 2018, as Appl. No. 15/897,361.
Claims priority of provisional application 62/556,470, filed on Sep. 10, 2017.
Claims priority of provisional application 62/554,024, filed on Sep. 5, 2017.
Int. Cl. H04L 9/40 (2022.01); G06F 17/18 (2006.01); H04L 43/0876 (2022.01); H04L 41/0816 (2022.01)
CPC H04L 63/1416 (2013.01) [G06F 17/18 (2013.01); H04L 41/0816 (2013.01); H04L 43/0876 (2013.01); H04L 63/1458 (2013.01)] 20 Claims
19. A method performed by a data-plane of a network device, the data-plane comprising two or more serial match-action circuitries that are configurable with match-action entries, the method comprising:
processing data tuples associated with received data messages using one or more match-action circuitries of the data-plane in order to forward data messages to either a next hop or to a control-plane circuit; and
detecting a distributed denial of service (DDoS) attack, using one or more other match-action circuitries of the data-plane as a distributed DDoS attack detector, to detect a DDoS attack of a tracked set of one or more destinations, wherein identifiers of the tracked set of one or more destinations are identified by the control-plane circuit;
wherein:
the distributed DDoS attack detector is configurable to perform an iterative data collection process to iteratively collect attack related information with increasing granularity relative to initial granularity;
the iterative data collection process is for use in identifying a DDoS attack destination with increasing precision relative to initial precision;
the control-plane circuit is to set successive threshold levels associated with one or more tracked destination message flows related to the DDoS attack; and
the one or more tracked destination message flows are associated with the tracked set of one or more destinations.
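The iterative, increasing-granularity collection that claim 19 describes can be modelled in software as a coarse-to-fine prefix counter. The following is an added illustration, not code from the patent or from Barefoot Networks: the tracked set (control-plane supplied prefixes), the successive per-level thresholds and the packet sample are all constructed assumptions, and the per-prefix counters stand in for the data-plane match-action stages.

```python
import ipaddress
from collections import Counter

# Constructed sample of destination addresses observed by the data plane.
SAMPLE_PACKETS = (
    ["10.1.2.3"] * 40       # one host receiving a flood inside the tracked set
    + ["10.1.2.9"] * 5
    + ["10.1.7.1"] * 6
    + ["10.9.0.1"] * 4
    + ["172.16.0.5"] * 30   # heavy, but not in the tracked set, so never examined
)

def prefix_of(ip, bits):
    """Collapse an address to its /bits network: coarse counting at a given granularity."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def count_by_prefix(packets, bits, candidates=None):
    """One data-plane pass: per-prefix counters, restricted to packets whose
    destination falls inside one of the candidate parent prefixes."""
    nets = None if candidates is None else [ipaddress.ip_network(c) for c in candidates]
    counts = Counter()
    for ip in packets:
        addr = ipaddress.ip_address(ip)
        if nets is None or any(addr in n for n in nets):
            counts[prefix_of(ip, bits)] += 1
    return counts

def iterative_detect(packets, tracked, thresholds):
    """Iterative collection with increasing granularity.

    tracked:    control-plane identified destination prefixes to watch.
    thresholds: successive (prefix_bits, threshold) levels set by the control
                plane, ordered coarse to fine.
    Returns the finest-level prefixes whose counters reached the threshold, i.e.
    the DDoS destination(s) identified with increasing precision; [] if no level
    is exceeded, so no finer collection is triggered.
    """
    candidates = list(tracked)
    for bits, threshold in thresholds:
        counts = count_by_prefix(packets, bits, candidates)
        candidates = [p for p, n in counts.items() if n >= threshold]
        if not candidates:
            return []
    return sorted(candidates)

if __name__ == "__main__":
    levels = [(16, 40), (24, 40), (32, 30)]   # assumed control-plane threshold schedule
    print(iterative_detect(SAMPLE_PACKETS, ["10.0.0.0/8"], levels))  # ['10.1.2.3/32']
```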