
A System And A Method For Preventing Denial Of Service (Dos) Attacks

Abstract: A system (100) and a method for preventing denial of service attacks are disclosed. The system (100) comprises a server (102), a network (106), a plurality of computing devices (104) configured to establish a connection with the server (102) via the network (104), wherein the plurality of computing devices (104) is configured to send one or more requests to the server (102), the server (102) is configured to detect whether a number of one or more requests exceeds a predetermined threshold, and notify one or more users if the number of one or more requests exceeds the predetermined threshold. [Figure 1]


Patent Information

Application #
Filing Date
08 November 2022
Publication Number
46/2022
Publication Type
INA
Invention Field
COMPUTER SCIENCE
Status
Email
dua.tapasya@ipconneqt.com
Parent Application

Applicants

Cialfor Research Labs Pvt Ltd
ODC-4, 4th Floor, Panchshil Tech Park, Hinjewadi Phase 1, Pune– 411057, Maharashtra, India
Quantum University
Quantum University, Roorkee-247167, Uttarakhand, India

Inventors

1. Mr. Rahul Mishra
Cialfor Research Labs Pvt Ltd ODC-4, 4th Floor, Panchshil Tech Park, Hinjewadi Phase 1, Pune– 411057, Maharashtra, India
2. Ms. Shreya Chavan
Cialfor Research Labs Pvt Ltd ODC-4, 4th Floor, Panchshil Tech Park, Hinjewadi Phase 1, Pune– 411057, Maharashtra, India
3. Dr. Satender Kumar
Quantum University, Roorkee-247167, Uttarakhand, India
4. Mr. Harshit Sharma
Quantum University, Roorkee-247167, Uttarakhand, India
5. Mr. Deepak Bhatt
Quantum University, Roorkee-247167, Uttarakhand, India
6. Mr. Monti Saini
Quantum University, Roorkee-247167, Uttarakhand, India
7. Ms. Reena Rauthan
Quantum University, Roorkee-247167, Uttarakhand, India
8. Mr. Pundreekaksha Sharma
Quantum University, Roorkee-247167, Uttarakhand, India

Specification

Description:

TECHNICAL FIELD
The present disclosure relates generally to network security and more specifically relates to techniques for preventing denial of service attacks in a network.

BACKGROUND

[0001] A Denial-of-Service (DoS) attack is an attempt to bring a system or network to a halt, rendering it unreachable to its intended users. DoS attacks do this by flooding the target with traffic or transmitting information that causes it to crash. The DoS attack in both cases deprives genuine users (i.e. employees, members, or account holders) of the service or resource they anticipated.
[0002] DoS assaults frequently target high-profile businesses' web servers, such as banks, commerce, and media corporations, as well as government and trade organizations. Though DoS assaults do not usually result in the theft or loss of valuable information or assets, they can cost the victim a substantial amount of time and money to cope with.
[0003] DoS attacks may be classified into two types: flooding services and crashing services. Flood assaults happen when the system receives too much traffic for the server to buffer, causing it to slow down and finally stop working. Flood assaults are common.
[0004] The most prevalent type of DoS attack is a buffer overflow. The idea is to send more traffic to a network address than the system was designed to manage. It covers the attacks described below, as well as those aimed to exploit flaws particular to certain programmes or networks.
ICMP flood - takes advantage of misconfigured network devices by delivering faked packets that ping every computer on the targeted network rather than just one. The network is then activated to boost the traffic.
SYN flood - submits a connection request but never completes the handshake. Continues until all open ports are inundated with requests and no legitimate users can connect.
[0005] Other DoS attacks simply exploit flaws in the target system or service, causing it to crash. In these attacks, input is received that exploits flaws in the target, causing the system to crash or become highly destabilized, preventing it from being accessed or used.
[0006] There are techniques known in the art which disclose denial of service attacks. For example, reference can be made to US11159563B2 which discloses detecting and mitigating denial-of-service (DoS) attacks in a cloud-based proxy service. Further, reference can be made to US8973150B2 which discloses mitigating a Denial-of-Service (DoS) attack in a VoIP network. However, none of the techniques known in the art disclose ways of preventing denial of service attacks using hardware based tool.

OBJECTS OF THE INVENTION

[0007] The principal object of the present invention is to provide techniques for preventing denial of service attacks in a network.
[0008] Another object of the present invention is to provide techniques for monitoring user activity.

[0009] Another object of the present invention is to provide techniques for detecting communication with command and control servers.

SUMMARY OF THE INVENTION

[0010] A system (100) for preventing denial of service attacks is disclosed. The system (100) comprises a server (102), a network (106), a plurality of computing devices (104) configured to establish a connection with the server (102) via the network (104), wherein the plurality of computing devices (104) is configured to send one or more requests to the server (102), the server (102) is configured to detect whether a number of one or more requests exceeds a predetermined threshold, and notify one or more users if the number of one or more requests exceeds the predetermined threshold.
[0011] A method for preventing denial of service attacks is disclosed. The method comprises providing a server (102), providing a network (106), establishing, by a plurality of computing devices (106), a connection with the server (102) via the network (104), sending, by the plurality of computing devices (104), one or more requests to the server (102), detecting, by the server (102), whether a number of one or more requests exceeds a predetermined threshold, and notifying one or more users if the number of one or more requests exceeds the predetermined threshold.

BRIEF DESCRIPTION OF DRAWINGS

[0012] Figure 1 illustrates a system for preventing denial of service (DoS) attacks, in accordance with one embodiment of the present invention.
[0013] Figure 2 illustrates a flowchart of a method for preventing denial of service (DoS) attacks, in accordance with one embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

[0014] While the present invention is described herein by way of example using embodiments and illustrative drawings, those skilled in the art will recognize that the invention is not limited to the embodiments of drawing or drawings described and are not intended to represent the scale of the various components. Further, some components that may form a part of the invention may not be illustrated in certain figures, for ease of illustration, and such omissions do not limit the embodiments outlined in any way. It should be understood that the drawings and the detailed description thereto are not intended to limit the invention to the particular form disclosed, but on the contrary, the invention is to cover all modifications, equivalents, and alternatives falling within the scope of the present invention as defined by the appended claim.
[0015] As used throughout this description, the word "may" is used in a permissive sense (i.e. meaning having the potential to), rather than the mandatory sense, (i.e. meaning must). Further, the words "a" or "an" mean "at least one” and the word “plurality” means “one or more” unless otherwise mentioned. Furthermore, the terminology and phraseology used herein are solely used for descriptive purposes and should not be construed as limiting in scope. Language such as "including," "comprising," "having," "containing," or "involving," and variations thereof, is intended to be broad and encompass the subject matter listed thereafter, equivalents, and additional subject matter not recited, and is not intended to exclude other additives, components, integers, or steps. Likewise, the term "comprising" is considered synonymous with the terms "including" or "containing" for applicable legal purposes. Any discussion of documents, acts, materials, devices, articles, and the like are included in the specification solely for the purpose of providing a context for the present invention. It is not suggested or represented that any or all these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention.
[0016] In this disclosure, whenever a composition or an element or a group of elements is preceded with the transitional phrase “comprising”, it is understood that we also contemplate the same composition, element, or group of elements with transitional phrases “consisting of”, “consisting”, “selected from the group of consisting of, “including”, or “is” preceding the recitation of the composition, element or group of elements and vice versa.
[0017] The present invention is described hereinafter by various embodiments with reference to the accompanying drawing, wherein reference numerals used in the accompanying drawing correspond to the like elements throughout the description. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiment set forth herein. Rather, the embodiment is provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art. In the following detailed description, numeric values and ranges are provided for various aspects of the implementations described. These values and ranges are to be treated as examples only and are not intended to limit the scope of the claims. In addition, several materials are identified as suitable for various facets of the implementations. These materials are to be treated as exemplary and are not intended to limit the scope of the invention.
[0018] Referring to FIG. 1, a system 100 for preventing denial of service (DoS) attacks is disclosed. The system 100 comprises a server 102, a plurality of computing devices 104 and a network 106. The plurality of computing devices 104 are connected to the server 102 via the network 106. In one embodiment, the plurality of computing devices 104 may include a mobile phone, a laptop, a computer, a tablet, etc. Although only one server has been shown, there may be more than one server.
[0019] In one embodiment, the server 102 may include a content server. The plurality of computing devices 104 may send one or more requests to the server 102 for requesting content from the server 102. In one embodiment, the plurality of requests may represent traffic which is received at the server 102. The server 102 processes the requests received from each of the plurality of computing devices 104 and sends the requested content to the plurality of computing devices 104.
[0020] During a denial-of-service (DoS) attack, a server 102 is overwhelmed with the plurality of requests from the plurality of computing devices 104, making a website or resource unavailable. A distributed denial-of-service (DDoS) attack is a DoS attack in which several computing devices 104 or workstations are used to overwhelm a targeted resource. Both types of assaults try to take down a server 102 or online application by overwhelming it in order to halt services.
[0021] If the server 102 receives more Transmission Control Protocol/User Datagram Protocol (TCP/UDP) packets than it can handle, the server 102 may crash, damage data, improperly allocate resources, or even run out of resources to the point that the system becomes incapacitated.
[0022] The present invention provides one or more techniques for creating customizable actions that address the issue when hosts in the deployed network are found to be sending or receiving a lot of packets, bytes, or flows per second. These customizable actions may be set up to alert you, shut down the server, or lock the client. One or more ICMP, UDP, or TCP packets are regarded as being in a flow if they can be identified by their unique SRC IP, DST IP, SRC port, DST port, and protocol fields.
[0023] The present invention may be implemented in the form of a Universal Serial Bus (USB) device. The USB device may be in the form of a storage device which may be attached to any server as a plug and play device. This USB device can detect all types of DoS/DDoS attacks and can send the admin a notification about them. This USB device supports packet capture engines like NetFlow V5, Wireshark, Netmap, IPFIX, SFlow, PF_Ring. The hardware that is used has 1GB of RAM and can work on Linux, Ubuntu, Debian, CentOS, RHEL.
[0024] In one embodiment, the present invention may detect DoS/DDoS in as little as 1-2 secs. The present invention may scale up to 40G+ in mirror mode or terabits on a single server. If an IP exceeds specified criteria for packets, bytes, or flows per second, a script is run to block or warn the user. The majority of the attack types are fully supported. The hostgroups feature allows thresholds to be set up per-subnet. Email alerts are sent for attacks discovered. IPv6 is fully supported.
[0025] In one embodiment, the system 100 may detect DoS/DDoS within 1-2 seconds. The server 102 may store terabits of data or scale up to 40G+ in mirror mode. The system 100 may run a script to block or notify the user if an IP exceeds a defined threshold for packets, bytes, or flows per second. Support for the bulk of attack types is complete. Thresholds may be configured per-subnet using the hostgroups functionality.
[0026] In one embodiment, the system provides email notifications of assaults and BGP broadcast of blocked IPs to routers, with full IPv6 functionality. Full plug-in support is available. PCAP-formatted attack IDs may be obtained. Experimental support for BGP Flow Specs (RFC 5575) is included. This tool supports packet capture engines like NetFlow V5, Wireshark, Netmap, IPFIX, SFlow, PF_Ring. The hardware that is used has 1GB of RAM and can work on Linux, Ubuntu, Debian, CentOS, RHEL.
[0027] In one embodiment, user activity is monitored. For example, based on the requests received from the plurality of computing devices 104, activities of the users can be monitored. In one embodiment, the server 102 may keep a track of the patterns of one or more users based on the requests received from the plurality of computing devices and learn from the patterns of the users. In one embodiment, the system 100 may detect communication with command and control servers and respond in real time with rule-based event correlation.
[0028] Referring to FIG. 2 now, a flowchart of a method for preventing denial of service (DoS) attacks is shown. At step 202, the method comprises establishing a connection, by a plurality of computing devices, with a server via a network. At step 204, the method comprises receiving one or more requests from the plurality of computing devices. At step 206, the method comprises determining if a number of requests received from the plurality of computing devices exceeds a predetermined threshold. At step 208, the method comprises notifying one or more network administrators if the number of requests exceeds the predetermined threshold.
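The threshold check of paragraphs [0022] to [0025] and steps 206 to 208 can be sketched as follows. This is an added example, not code from the application: the hostgroup limits, the function names and the sample traffic are all constructed assumptions. It counts packets, bytes and 5-tuple flows per host per second and compares them with the limits of the most specific matching subnet.

```python
import ipaddress
from collections import defaultdict

# Hypothetical per-subnet ("hostgroup") limits per second; all values are constructed.
HOSTGROUPS = [
    (ipaddress.ip_network("10.0.1.0/24"), {"packets": 1000, "bytes": 500_000, "flows": 200}),
    (ipaddress.ip_network("0.0.0.0/0"), {"packets": 5000, "bytes": 5_000_000, "flows": 1000}),
    (ipaddress.ip_network("::/0"), {"packets": 5000, "bytes": 5_000_000, "flows": 1000}),
]

def limits_for(host):
    """Return the limits of the most specific hostgroup containing the host."""
    addr = ipaddress.ip_address(host)
    matches = [(net.prefixlen, lim) for net, lim in HOSTGROUPS if addr in net]
    return max(matches, key=lambda m: m[0])[1]

def detect(packets):
    """packets: (ts, src_ip, dst_ip, src_port, dst_port, proto, size) tuples.
    Returns one alert per (second, host, direction) that exceeds any limit."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": set()})
    for ts, src, dst, sport, dport, proto, size in packets:
        flow = (src, dst, sport, dport, proto)  # the 5-tuple identifies a flow
        for host, direction in ((src, "out"), (dst, "in")):
            s = stats[(int(ts), host, direction)]
            s["packets"] += 1
            s["bytes"] += size
            s["flows"].add(flow)
    alerts = []
    for (second, host, direction), s in sorted(stats.items()):
        observed = {"packets": s["packets"], "bytes": s["bytes"], "flows": len(s["flows"])}
        limits = limits_for(host)
        exceeded = sorted(k for k in observed if observed[k] > limits[k])
        if exceeded:
            alerts.append({"second": second, "host": host, "direction": direction,
                           "exceeded": exceeded, "observed": observed})
    return alerts

def sample_traffic():
    """Constructed capture: a many-source flood at 10.0.1.5 plus normal traffic."""
    flood = [(i / 2000, f"198.51.100.{i % 250 + 1}", "10.0.1.5",
              1024 + i, 80, "TCP", 60) for i in range(1500)]
    normal = [(0.5, "10.0.2.7", "10.0.2.9", 40000 + i, 443, "TCP", 1200)
              for i in range(50)]
    return flood + normal

if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        # A deployment would notify the administrator or run a block script here.
        print(alert)
```

No single source in the constructed flood crosses a limit on its own; only the aggregate at the receiving host does, which is why the counters are kept per destination as well as per source.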
[0029] Although particular embodiments of the invention have been described in detail for purposes of illustration, various modifications and enhancements may be made without departing from the spirit and scope of the invention.

Claims:
I/We Claim:
1. A system (100) for preventing denial of service attacks, the system (100) comprising:
a server (102);
a network (106);
a plurality of computing devices (104) configured to establish a connection with the server (102) via the network (104), wherein:
the plurality of computing devices (104) is configured to send one or more requests to the server (102),
the server (102) is configured to detect whether a number of one or more requests exceeds a predetermined threshold,
notify one or more users if the number of one or more requests exceeds the predetermined threshold.

2. The system as claimed in claim 1, wherein the system is implemented in a universal serial bus (USB) device.

3. The system as claimed in claim 1, wherein the one or more users are network administrators.

4. The system as claimed in claim 1, wherein the number of the one or more requests exceeding the predetermined threshold represent a denial of service (DoS) attack.

5. The system as claimed in claim 1, wherein the number of the one or more requests are blocked when the number of one or more requests exceeds the predetermined threshold.

6. A method for preventing denial of service attacks, the method comprising:
providing a server (102);
providing a network (106);
establishing, by a plurality computing device (106), a connection with the server (102) via the network (104);
sending, by the plurality of computing devices (104), one or more requests to the server (102);
detecting, by the server (102), whether a number of one or more requests exceeds a predetermined threshold; and
notifying one or more users if the number of one or more requests exceeds the predetermined threshold.
7. The method as claimed in claim 6, wherein the method is implemented in a universal serial bus (USB) device.

8. The method as claimed in claim 6, wherein the one or more users are network administrators.

9. The method as claimed in claim 6, wherein the number of the one or more requests exceeding the predetermined threshold represent a denial of service (DoS) attack.

10. The method as claimed in claim 6, wherein the number of the one or more requests are blocked when the number of one or more requests exceeds the predetermined threshold.

Documents

Application Documents

# Name Date
1 202221063630-STATEMENT OF UNDERTAKING (FORM 3) [08-11-2022(online)].pdf 2022-11-08
2 202221063630-REQUEST FOR EARLY PUBLICATION(FORM-9) [08-11-2022(online)].pdf 2022-11-08
3 202221063630-POWER OF AUTHORITY [08-11-2022(online)].pdf 2022-11-08
4 202221063630-FORM-9 [08-11-2022(online)].pdf 2022-11-08
5 202221063630-FORM FOR SMALL ENTITY(FORM-28) [08-11-2022(online)].pdf 2022-11-08
6 202221063630-FORM FOR SMALL ENTITY [08-11-2022(online)].pdf 2022-11-08
7 202221063630-FORM 1 [08-11-2022(online)].pdf 2022-11-08
8 202221063630-FIGURE OF ABSTRACT [08-11-2022(online)].pdf 2022-11-08
9 202221063630-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [08-11-2022(online)].pdf 2022-11-08
10 202221063630-EVIDENCE FOR REGISTRATION UNDER SSI [08-11-2022(online)].pdf 2022-11-08
11 202221063630-EDUCATIONAL INSTITUTION(S) [08-11-2022(online)].pdf 2022-11-08
12 202221063630-DRAWINGS [08-11-2022(online)].pdf 2022-11-08
13 202221063630-DECLARATION OF INVENTORSHIP (FORM 5) [08-11-2022(online)].pdf 2022-11-08
14 202221063630-COMPLETE SPECIFICATION [08-11-2022(online)].pdf 2022-11-08
15 Abstract.jpg 2022-11-11
16 202221063630-FORM 18 [22-12-2023(online)].pdf 2023-12-22
17 202221063630-FER.pdf 2025-04-25
18 202221063630-OTHERS [25-10-2025(online)].pdf 2025-10-25
19 202221063630-FER_SER_REPLY [25-10-2025(online)].pdf 2025-10-25
20 202221063630-CLAIMS [25-10-2025(online)].pdf 2025-10-25

Search Strategy

1 202221063630E_28-02-2024.pdf