Distributed DoS (DDoS) attack mitigation appliances have been in use due to increasing distributed denial of service attacks. As more such attacks are launched, the Internet Service Provider (ISP) network infrastructure bears the brunt of such attacks. The infrastructure consists of many routers and switches via which Internet Protocol (IP) protocol packets flow. A surge in these packets overloads ISP equipment and causes them to slow down, which in turn slows down the service provided by the ISP. ISPs need to protect their infrastructure from such attacks; and in particular need to protect their core routers from becoming overloaded. As such, ISPs need a way to address DDoS attacks in a such that these attacks are stopped closer to their sources, i.e., closer to the edge routers, thereby better protecting the ISPs' core routers.
Many systems have been previously designed that collect flow data from routers using software. Such flow collectors can then determine if there is a surge of incoming packets and divert the traffic to scrubbing appliances. As one skilled in the art knows, software appliances have performance limits. Additionally, determining baseline traffic granularly and predicting future traffic adaptively are key missing components in existing solutions. Clearly, a new method and system is needed to collect flow data using hardware logic and determine the presence of such attacks behaviorally and adaptively in a short time and with better performance.