SYSTEM AND METHOD TO MITIGATE DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS
US-2024259421-A1 · Aug 1, 2024 · US
US2020389487A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2020389487-A1 |
| Application number | US-201916430869-A |
| Country | US |
| Kind code | A1 |
| Filing date | Jun 4, 2019 |
| Priority date | Jun 4, 2019 |
| Publication date | Dec 10, 2020 |
| Grant date | — |
Official abstract text for this publication.
A method for reducing unwanted data traffic in a computer network due to a Distributed Reflection Denial of Service (DRDoS) attack. The method comprises operating a filtering module in a normal mode or a blocking mode to allow or block requests from being communicated within a computer network in response to data from a honeypot device in the computer network. The method allows the honeypot device to continue to monitor further attack requests that are received during the DRDoS attack.
Opening claim text (preview).
1. A computer-implemented method for reducing unwanted data traffic in a computer network due to a Distributed Reflection Denial of Service (DRDoS) attack, the method comprising: receiving requests at a filtering module; operating the filtering module in a normal mode in which the filtering module communicates the requests to a network device and a honeypot device in the computer network; and inspecting the requests received at the honeypot device to determine if the requests comprise a plurality of attack requests that form part of a DRDoS attack and, if the requests comprise a plurality of attack requests, configuring the filtering module to operate in a blocking mode in which the filtering module blocks further attack requests from being communicated to the network device while continuing to communicate the further attack requests to the honeypot device, such that the honeypot device can continue to monitor attack requests during the DRDoS attack.
2. The method of claim 1, wherein the method comprises determining if a plurality of requests received at the honeypot device are attack requests by identifying if the plurality of requests each comprise the same source IP address and the same destination port.
3. The method of claim 2, wherein the method further comprises: grouping the attack requests which comprise the same source IP address and the same destination port into a flow group which corresponds to a DRDoS attack.
4. The method of claim 3, wherein if, during the inspection of the requests, the method identifies attack requests having a plurality of different source IP addresses and a plurality of different destination ports, the method comprises grouping the attack requests into a plurality of flow groups, and the method further comprises configuring the filtering module to operate in a separate blocking mode for each flow group to block the attack requests for each respective flow group from being communicated to the network device.
5. The method of claim 3, wherein the method further comprises identifying the subnet of each attack request and, if the method identifies that there are a plurality of attack requests corresponding to the same subnetwork, the method comprises configuring the filtering module to operate in the blocking mode to block all requests corresponding to that subnetwork and the same destination port from being communicated to the network device.
6. The method of claim 1, wherein the method comprises determining if a plurality of requests received at the honeypot device are attack requests by performing deep packet inspection to identify if the plurality of requests each comprise the same protocol command.
7. The method of claim 1, wherein the method further comprises: configuring the filtering module to operate in the blocking mode if the number of attack requests received at the honeypot device over a first predetermined period of time is above a first predetermined threshold.
8. The method of claim 7, wherein the method further comprises: storing a packet timestamp of each attack request with the same source IP address and the same destination port in a queue; computing the time difference between the earliest packet timestamp in the queue and the most recent packet timestamp added to the queue; comparing the time difference with the first predetermined period of time and, if the time difference is less than or equal to the first predetermined period of time, identifying the number of packet timestamps in the queue and comparing the number of packet timestamps with the first predetermined threshold; and configuring the filtering module to operate in the blocking mode if the number of packet timestamps is above the first predetermined threshold and the time difference is below the first predetermined period of time.
9. The method of claim 1, wherein the method further comprises: monitoring the number of further attack requests received at the honeypot device over a second predetermined period of time and, if the number of further attack requests received at the honeypot device over the second predetermined period of time falls to below a second predetermined threshold, configuring the filtering module to return to the normal mode of operation.
10. The method of claim 9, wherein the method further comprises: determining if a plurality of requests received at the honeypot device are attack requests by identifying if the plurality of requests each comprise the same source IP address and the same destination port; and grouping the attack requests which comprise the same source IP address and the same destination port into a flow group which corresponds to a DRDoS attack, wherein if the honeypot device receives a request comprising a source IP address and a destination port matching a flow group, the method comprises: storing a packet timestamp of the request in a queue for the flow group; computing the time difference between the earliest packet timestamp in the queue and the most recent packet timestamp added to the queue; comparing the time difference with the second predetermined period of time and, if the time difference is equal to or greater than the second predetermined period of time, identifying the number of packet timestamps in the queue and comparing the number of packet timestamps with the second predetermined threshold; and if the number of packet timestamps is below the second predetermined threshold and the time difference is above the second predetermined period of time, configuring the filtering module to return to the normal mode of operation.
11. The method of claim 1, wherein the method further comprises: configuring the honeypot device to prevent the honeypot device from enacting attack requests received at the honeypot device when the filtering module is operating in the blocking mode.
12. The method of claim 1, wherein the method further comprises: generating a firewall rule which, when implemented, configures the filtering module to operate in the blocking mode.
13. The method of claim 12, wherein the firewall rule configures the filtering module to perform traffic shaping when the filtering module is operating in the blocking mode.
14. The method of claim 12, wherein the method further comprises: cancelling the firewall rule to configure the filtering module to return to the normal mode of operation.
15. A computer program product comprising instructions which, when executed by a computing system, cause the computing system to: receive requests at a filtering module; operate the filtering module in a normal mode in which the filtering module communicates the requests to a network device and a honeypot device in a computer network; and inspect the requests received at the honeypot device to determine if the requests comprise a plurality of attack requests that form part of a DRDoS attack and, if the requests comprise a plurality of attack requests, configure the filtering module to operate in a blocking mode in which the filtering module blocks further attack requests from being communicated to the network device while continuing to communicate the further attack requests to the honeypot device, such that the honeypot device can continue to monitor attack requests during the DRDoS attack.
16. A system for reducing unwanted data traffic in a computer network due to a DRDoS attack, the system comprising: a network device; a honeypot device which is coupled for communication with the network device; and a filtering module which is coupled for communication with the network devi
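The following Python is an added worked example of the detection and mode-switching logic the claims describe (flow groups keyed by source IP and destination port, the timestamp-queue test for entering blocking mode in claim 8, the recovery test in claim 10, and per-group or per-subnet firewall rules from claims 5 and 12). It is not code from the patent or its assignee: the class and method names are mine, the /24 subnet grouping is an assumption (the claims do not fix a prefix length), and the windows, thresholds and packet stream are constructed sample values.

```python
"""Per-flow-group DRDoS detector modelled on the claims above.

Added example, not the patent's own code: names are mine, the /24 subnet
grouping is an assumption, and all windows, thresholds and packets are
constructed sample values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_network


class FilterMode(Enum):
    NORMAL = "normal"      # forward to the network device and to the honeypot
    BLOCKING = "blocking"  # forward to the honeypot only, so it keeps monitoring


@dataclass(frozen=True)
class Request:
    ts: float       # packet timestamp in seconds (constructed)
    src_ip: str     # in a reflection attack this is the spoofed victim address
    dst_port: int


class FlowGroupDetector:
    """Groups honeypot-observed requests by (source IP, destination port), as in
    claims 2-3, and switches each group between modes using the timestamp-queue
    tests of claim 8 (enter blocking) and claim 10 (return to normal)."""

    def __init__(self, attack_window, attack_threshold,
                 recovery_window, recovery_threshold, subnet_prefix=24):
        self.attack_window = attack_window          # first predetermined period
        self.attack_threshold = attack_threshold    # first predetermined threshold
        self.recovery_window = recovery_window      # second predetermined period
        self.recovery_threshold = recovery_threshold
        self.subnet_prefix = subnet_prefix          # assumed /24 for claim 5
        self.queues = defaultdict(deque)            # flow group -> timestamps
        self.modes = defaultdict(lambda: FilterMode.NORMAL)
        self.window_start = {}                      # flow group -> recovery anchor

    def observe(self, req):
        """Record one request seen at the honeypot; return the group's mode."""
        key = (req.src_ip, req.dst_port)
        q = self.queues[key]
        q.append(req.ts)
        if self.modes[key] is FilterMode.NORMAL:
            # Claim 8: evict old timestamps so earliest..latest spans at most
            # the attack window, then compare the count with the threshold.
            while q[-1] - q[0] > self.attack_window:
                q.popleft()
            if len(q) > self.attack_threshold:
                self.modes[key] = FilterMode.BLOCKING
                self.window_start[key] = req.ts
                q.clear()   # fresh queue for the recovery measurement
        else:
            self._maybe_recover(key, req.ts)
        return self.modes[key]

    def tick(self, now):
        """Claim 10 evaluated on a timer, so a group whose attack traffic stops
        completely still returns to normal mode."""
        for key in [k for k, m in self.modes.items() if m is FilterMode.BLOCKING]:
            self._maybe_recover(key, now)

    def _maybe_recover(self, key, now):
        # Claim 10: once a full recovery window has elapsed, a low count in the
        # queue means the attack has subsided; otherwise measure the next window.
        if now - self.window_start[key] < self.recovery_window:
            return
        q = self.queues[key]
        if len(q) < self.recovery_threshold:
            self.modes[key] = FilterMode.NORMAL
        q.clear()
        self.window_start[key] = now

    def firewall_rules(self):
        """Claims 5 and 12: one drop rule per blocking flow group, collapsed to
        a subnet rule when several blocked groups share a subnet and port. The
        drop applies only on the path to the network device; the honeypot path
        stays open (claim 1)."""
        by_subnet = defaultdict(list)
        for (ip, port), mode in self.modes.items():
            if mode is FilterMode.BLOCKING:
                net = ip_network(f"{ip}/{self.subnet_prefix}", strict=False)
                by_subnet[(str(net), port)].append(ip)
        return [("drop", net if len(ips) > 1 else ips[0], port)
                for (net, port), ips in sorted(by_subnet.items())]


def run_demo():
    """Constructed scenario: two spoofed sources in 203.0.113.0/24 each send
    eight requests to port 53 within 0.8 s; an unrelated client sends one."""
    det = FlowGroupDetector(attack_window=1.0, attack_threshold=5,
                            recovery_window=2.0, recovery_threshold=3)
    stream = [Request(0.1 * i, "203.0.113.10", 53) for i in range(8)]
    stream += [Request(0.1 * i + 0.05, "203.0.113.11", 53) for i in range(8)]
    stream.append(Request(0.35, "198.51.100.7", 53))
    for req in sorted(stream, key=lambda r: r.ts):
        det.observe(req)
    blocked = sorted(k for k, m in det.modes.items() if m is FilterMode.BLOCKING)
    rules_during = det.firewall_rules()
    det.tick(2.6)   # well past the recovery window with little further traffic
    return {"blocked_during": blocked, "rules_during": rules_during,
            "rules_after": det.firewall_rules()}


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting. The claim 10 test only runs when the honeypot receives a matching request, so a group whose attack traffic stops dead would stay blocked forever; `tick()` evaluates the same test from a timer to close that gap. And because the detector keys on the spoofed source address, the blocking rule protects the reflection victim while the honeypot keeps recording the attack traffic (claim 11 additionally requires the honeypot not to answer it).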
Denial of Service · CPC title
Denial of service attacks involving systematic or selective dropping of packets · CPC title
Denial of service attacks against network infrastructure · CPC title
Denial of service attacks against endpoints in a network · CPC title
using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment · CPC title