CPC H04L 63/1458 (2013.01) [H04L 61/4511 (2022.05); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1441 (2013.01); H04L 67/145 (2013.01)] | 22 Claims
1. A method of monitoring a network during a DDoS attack, the method comprising:
receiving packets included in the attack;
determining whether the packets are designated for tarpitting;
for each packet from a source determined to be designated for tarpitting, assigning the packet to an existing or newly established flow;
for each newly established flow, establishing a flow record, wherein the flow record stores data that affects timing and/or types of transmissions related to the flow;
for each flow having a flow record, establishing a state machine configured to change between multiple states, each of the multiple states having an associated handler function;
invoking the handler function associated with the current state of a flow's state machine, wherein the handler function, upon being invoked, is configured to:
perform one or more actions associated with the flow or the flow record for applying at least one tarpitting technique of one or more candidate tarpitting techniques associated with the flow record; and
return a next state;
updating the current state of the flow's state machine to be the next state returned by the handler function; and
repeating invocation of the handler function associated with the current state until the current state is a closing state, wherein each invocation of the handler function associated with the current state potentially applies at least one different tarpitting technique.
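As an added illustration that is not part of the patent text, the following Python sketch models the per-flow state machine Claim 1 describes: packets from designated sources are assigned to flows, each flow gets a record and a state, and the handler for the current state applies a tarpit technique and returns the next state until a closing state is reached. The packet values, the designation rule (by source address), the state names and the two tarpit techniques ("tiny_window", "delay") are constructed assumptions, not taken from the claim.

```python
from dataclasses import dataclass, field

@dataclass
class FlowRecord:
    """Per-flow data that affects the timing and type of tarpit responses."""
    key: tuple
    candidates: tuple                  # candidate tarpitting techniques for this flow
    state: str = "NEW"                 # current state of the flow's state machine
    packets: int = 0
    delay_s: float = 0.0               # artificial response delay (timing)
    window: int = 65535                # advertised TCP window (type of transmission)
    applied: list = field(default_factory=list)   # techniques applied, per invocation

def handle_new(rec):
    """Initial state (assumed technique): advertise a tiny window so the peer trickles."""
    if "tiny_window" in rec.candidates:
        rec.window = 1
        rec.applied.append("tiny_window")
    return "HOLD"

def handle_hold(rec):
    """Hold state (assumed technique): back off response timing, then move to close."""
    if "delay" in rec.candidates:
        rec.delay_s = 0.5 if rec.delay_s == 0 else min(rec.delay_s * 2, 8.0)
        rec.applied.append("delay")
    return "HOLD" if rec.packets < 4 else "CLOSING"

# One handler per non-terminal state; CLOSING is the closing state and has none.
HANDLERS = {"NEW": handle_new, "HOLD": handle_hold}

class TarpitMonitor:
    def __init__(self, tarpit_sources):
        self.tarpit_sources = set(tarpit_sources)  # constructed designation rule: by source
        self.flows = {}                             # flow key -> FlowRecord

    def receive(self, src, sport, dst, dport):
        """Process one packet; returns the flow's record, or None if not tarpitted."""
        if src not in self.tarpit_sources:
            return None                             # packet not designated for tarpitting
        key = (src, sport, dst, dport)              # assign to existing or new flow
        rec = self.flows.get(key)
        if rec is None:                             # newly established flow: create record
            rec = FlowRecord(key, candidates=("tiny_window", "delay"))
            self.flows[key] = rec
        rec.packets += 1
        if rec.state != "CLOSING":                  # keep invoking until the closing state
            rec.state = HANDLERS[rec.state](rec)    # handler acts, then returns next state
        return rec
```

Each arriving packet drives one state transition, so the same flow may see a different technique applied on successive invocations (window shrink first, then growing delays) before it is closed.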