US 12,438,907 B2
Systems and methods for mitigating domain name system amplification attacks
John R. B. Woodworth, Amissville, VA (US); and Dean Ballew, Sterling, VA (US)
Assigned to CenturyLink Intellectual Property LLC, Denver, CO (US)
Filed by CenturyLink Intellectual Property LLC, Broomfield, CO (US)
Filed on Jul. 28, 2023, as Appl. No. 18/360,931.
Claims priority of provisional application 63/370,135, filed on Aug. 2, 2022.
Prior Publication US 2024/0048587 A1, Feb. 8, 2024
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1458 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1425 (2013.01)]
19 Claims
1. A method comprising:
analyzing network traffic information;
identifying a domain name system (DNS) amplification attack based on the network traffic information;
determining a threshold payload size dynamically based on a machine learning model and the network traffic information received within a specified first period;
in response to identifying the DNS amplification attack, invoking a threat mitigation action, including distributing a filtering announcement to at least one network device;
receiving a domain name system (DNS) query from a source address;
receive a response to the DNS query;
determining, by a DNS server, that a payload size of a response to the DNS query exceeds the threshold payload size; and
dropping the response to the DNS query based on determining that the payload size of the response to the current DNS query exceeds the threshold payload size;
determining an updated threshold payload size dynamically based on the machine learning model and the network traffic information received within a specified second period; and
distributing an updated filtering announcement with the updated threshold payload size to at least one network device.
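
The threshold-update loop recited in claim 1, sketched as an added example that is not code from the patent or its assignee. The claim does not specify the machine learning model or the announcement format, so a robust statistic (median plus k times the median absolute deviation) stands in for the model, and the announcement dictionary, the names and the sample sizes are all assumptions constructed for illustration.

```python
import statistics

# Constructed samples: DNS response payload sizes (bytes) seen in two periods.
PERIOD_1 = [90, 120, 150, 110, 130, 100, 140, 95]
PERIOD_2 = [200, 260, 300, 240, 280, 220, 3000]  # one attack-sized outlier

def learn_threshold(sizes, k=6.0):
    """Stand-in for the unspecified ML model: median + k * MAD.
    A robust statistic, so a few oversized responses in the window
    do not drag the threshold up."""
    med = statistics.median(sizes)
    mad = statistics.median([abs(s - med) for s in sizes])
    return int(med + k * mad)

def make_announcement(period, sizes):
    """Hypothetical announcement format; the claim does not define one."""
    return {"period": period, "max_response_bytes": learn_threshold(sizes)}

class ResponseFilter:
    """A network device that applies the latest filtering announcement."""
    def __init__(self):
        self.threshold = None  # no filtering until an announcement arrives

    def apply(self, announcement):
        self.threshold = announcement["max_response_bytes"]

    def forward(self, payload_size):
        """True to forward the DNS response, False to drop it."""
        return self.threshold is None or payload_size <= self.threshold

def demo():
    device = ResponseFilter()
    results = []
    for period, sizes in ((1, PERIOD_1), (2, PERIOD_2)):
        device.apply(make_announcement(period, sizes))
        # The same three responses judged under each period's threshold.
        results.append((device.threshold,
                        [device.forward(n) for n in (140, 400, 3000)]))
    return results

if __name__ == "__main__":
    for threshold, verdicts in demo():
        print(threshold, verdicts)
```

The 400-byte response is dropped under the first announcement and forwarded under the updated one, while the 3000-byte response is dropped under both.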