Active validation for ddos and ssl ddos attacks
Abstract
Methods and systems for detecting and responding to Denial of Service (“DoS”) attacks comprise: detecting a DoS attack or potential DoS attack against a first server system comprising one or more servers; receiving, at a second server system comprising one or more servers, network traffic directed to the first server system; subjecting requesting clients to one or more challenge mechanisms, the challenge mechanisms including one or more of challenging requesting clients to follow through HTTP redirect responses, challenging requesting clients to request Secure Sockets Layer (SSL) session resumption, or challenging requesting clients to store and transmit HTTP cookies; identifying one or more non-suspect clients, the one or more suspect clients corresponding to requesting clients that successfully complete the one or more challenge mechanisms; identifying one or more suspect clients, the one or more suspect clients corresponding to requesting clients that do not successfully complete the one or more challenge mechanisms; and forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system. Once a client has been validated, clients may communicate directly with application servers in a secure manner by transparently passing through one or more intermediary proxy servers.
Claims
exact text as granted — not AI-modified1 . A computer-implemented method of mitigating against a denial of service (DoS) attack, comprising:
detecting a DoS attack or potential DoS attack against a first server system comprising one or more servers; receiving, at a second server system comprising one or more servers, network traffic directed to the first server system; subjecting requesting clients to one or more challenge mechanisms, the challenge mechanisms including one or more of challenging requesting clients to follow through HTTP redirect responses, challenging requesting clients to request Secure Sockets Layer (SSL) session resumption, or challenging requesting clients to store and transmit HTTP cookies; identifying one or more non-suspect clients, the one or more suspect clients corresponding to requesting clients that successfully complete the one or more challenge mechanisms; identifying one or more suspect clients, the one or more suspect clients corresponding to requesting clients that do not successfully complete the one or more challenge mechanisms; and forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system.
2 . The method of claim 1 , further comprising:
redirecting network traffic directed to the first server system to the second server system in response to detecting the DoS attack or potential DoS attack against the first server system.
3 . The method of claim 2 , further comprising:
detecting a sufficient mitigation of the DoS attack or potential DoS attack; and redirecting the network traffic directed to the first server system back to the first server system.
4 . The method of claim 2 , wherein redirecting network traffic directed to the first server system to the second server system further comprises:
transmitting one or more Border Gateway Protocol (BGP) messages to advertise that traffic directed to the first server system should be routed through the second server system.
5 . The method of claim 2 , wherein redirecting network traffic directed to the first server system to the second server system further comprises:
requesting a Domain Name Services (DNS) record alteration to reassign one or more domain names assigned to one or more Internet Protocol (IP) addresses associated with the first server system to one or more IP addresses associated with the second server system.
6 . The method of claim 1 , wherein the DoS attack comprises an SSL DoS attack.
7 . The method of claim 6 , wherein receiving, at the second server system, network traffic directed to the first server system comprises:
using, by the second server system, one or more encryption keys belonging to an owner of the first server system to decrypt secure network traffic directed to the first server system, wherein the first server system and the second server system are owned by different entities.
8 . The method of claim 7 , wherein the second server system uses one or more private asymmetric encryption keys belonging to the owner of the first server system.
9 . The method of claim 1 , wherein the first server system and the second server system are owned by different entities.
10 . The method of claim 9 , wherein an owner of the second server system provides the operations of identifying suspect and non-suspect clients and forwarding traffic from non-suspect clients as part of a commercial DoS attack mitigation service.
11 . The method of claim 1 , wherein subjecting requesting clients to one or more challenge mechanisms comprises:
receiving a first HTTP request from a client directed to the first server system; sending, by the second server system, an HTTP redirect response to the client; categorizing the client as non-suspect in response to a determination that the client has transmitted a second HTTP request according to the HTTP redirect response.
12 . The method of claim 11 , wherein the HTTP redirect response directs the client to make the second HTTP request to a URL particularly associated with the client by the second server system.
13 . The method of claim 1 , wherein subjecting requesting clients to one or more challenge mechanisms comprises:
challenging a client to request SSL session resumption; and categorizing the client as non-suspect in response to a determination that the client has correctly requested SSL session resumption.
14 . The method of claim 13 , wherein challenging the client to request SSL session resumption comprises:
establishing, by the second server system, an SSL session and an SSL connection with the client, wherein the SSL session includes an SSL session ID particularly associated with the client; closing the SSL connection with the client; and categorizing the client as non-suspect in response to a determination that the client has subsequently requested a new SSL connection using the SSL session ID particularly associated with the client.
15 . The method of claim 1 , wherein subjecting requesting clients to one or more challenge mechanisms comprises:
categorizing a client as suspect or non-suspect based on the client's ability to properly store and transmit an HTTP cookie sent by the second server system.
16 . The method of claim 15 , further comprising:
transmitting an HTTP cookie to the client containing a value particularly associated with the client; categorizing the client as non-suspect in response to a determination that the client has transmitted a cookie containing the value particularly associated with the client in a subsequent HTTP request.
17 . The method of claim 1 , wherein subjecting requesting clients to one or more challenge mechanisms comprises:
directing clients to complete multiple challenge mechanisms until a portion of network traffic originating from non-suspect clients reaches a threshold.
18 . The method of claim 1 , wherein identifying one or more non-suspect clients further comprises:
whitelisting clients that successfully complete one or more challenge mechanisms.
19 . The method of claim 18 , further comprising:
whitelisting clients that successfully complete one or more challenge mechanisms using at least the successful clients' IP addresses.
20 . The method of claim 18 , further comprising:
whitelisting clients that successfully complete one or more challenge mechanisms using at least SSL session IDs particularly associated with the successful clients.
21 . The method of claim 18 , further comprising:
whitelisting clients that successfully complete one or more challenge mechanisms using at least HTTP cookie values particularly associated with the successful clients.
22 . The method of claim 1 , wherein identifying one or more suspect clients further comprises:
blacklisting clients that fail to complete one or more challenge mechanisms.
23 . The method of claim 1 , wherein forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system further comprises:
discarding traffic corresponding to suspect clients.
24 . The method of claim 1 , wherein forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system further comprises:
rate-limiting traffic corresponding to suspect clients.
25 . The method of claim 1 , wherein forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system further comprises:
operating as an intermediary for communications between a client and the first server system once the client has been identified as non-suspect.
26 . The method of claim 25 , further comprising:
decrypting, by the second server system, secure communications from the client to determine whether the client is suspect or non-suspect; and after determining that the client is non-suspect, operating as an intermediary for secure communications between the client and the first server system without decrypting the secure communications between the client and the first server system.
27 . The method of claim 25 , further comprising:
enabling communications from the client to the first server system to pass through the second server system in a manner that preserves the client's IP address.
28 . The method of claim 27 , further comprising:
including the client's IP address in an HTTP header in a communication from the second server system to the first server system forwarding a communication from the client directed to the first server system.
29 . The method of claim 27 , further comprising:
operating, by the second server system, as a router to allow communications from the client to the first server system to terminate at the first server system.
30 . The method of claim 27 , further comprising:
transmitting a first communication from the second server system to the first server system forwarding a previously received second communication from the client directed to the first server system; and modifying the first communication from the second server system to the first server system to substitute the client's IP address for the second server system's IP address.
31 . A computer-implemented method of mitigating against a Secure Sockets Layer (SSL) denial of service (DoS) attack, comprising:
detecting an SSL DoS attack or potential SSL DoS attack against a first server system comprising one or more servers; receiving, at a second server system comprising one or more servers, network traffic directed to the first server system, wherein the first server system and the second server system are owned by different entities, and the second server system uses one or more encryption keys belonging to an owner of the first server system to decrypt secure network traffic directed to the first server system subjecting requesting clients to one or more challenge mechanisms; identifying one or more non-suspect clients, the one or more suspect clients corresponding to requesting clients that successfully complete the one or more challenge mechanisms; identifying one or more suspect clients, the one or more suspect clients corresponding to requesting clients that do not successfully complete the one or more challenge mechanisms; and forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system.
32 . The method of claim 31 , wherein the second server system uses one or more private asymmetric encryption keys belonging to the owner of the first server system.
33 . The method of claim 31 , wherein forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system further comprises:
operating as an intermediary for communications between a client and the first server system once the client has been identified as non-suspect.
34 . The method of claim 33 , further comprising:
decrypting, by the second server system, secure communications from the client to determine whether the client is suspect or non-suspect; and after determining that the client is non-suspect, operating as an intermediary for secure communications between the client and the first server system without decrypting the secure communications between the client and the first server system.
35 . The method of claim 34 , further comprising:
using, by the second server system, a first encryption key to decrypt secure communications from the client to determine whether the client is suspect or non-suspect; and after determining that the client is non-suspect, operating as an intermediary for secure communications between the client and the first server system that are encrypted using a second encryption key to which the second server system does not have access.
36 . The method of claim 31 , wherein identifying one or more non-suspect clients further comprises:
whitelisting clients that successfully complete one or more challenge mechanisms using at least SSL session IDs particularly associated with the successful clients.
37 . A computer-implemented method of mitigating against a denial of service (DoS) attack, comprising:
receiving a first HTTP request from a client; sending an HTTP redirect response to the client; if the client transmits a second HTTP request according to the HTTP redirect response, categorizing the client as non-suspect; and if the client does not transmit a second HTTP request according to the HTTP redirect response, categorizing the client as suspect.
38 . The method of claim 37 , wherein categorizing the client as non-suspect comprises servicing future requests from the client, and wherein categorizing the client as suspect comprises rate-limiting or declining to service future requests from the client.
39 . The method of claim 37 , wherein the HTTP redirect response directs the client to make the second HTTP request to a URL particularly associated with the client by the second server system.
40 . A computer-implemented method of mitigating against a Secure Sockets Layer (SSL) denial of service (DoS) attack, comprising:
receiving a request for an SSL session from a client; establishing an SSL session and a first SSL connection with the client, wherein the SSL session includes an SSL session ID particularly associated with the client; closing the first SSL connection with the client; receiving a subsequent request from the client to establish a second SSL connection; categorizing the client as non-suspect if the client requests the second SSL connection using the SSL session ID particularly associated with the client; and categorizing the client as suspect if the client requests the second SSL connection without using the SSL session ID particularly associated with the client.
41 . The method of claim 40 , further comprising:
determining that the client has requested the second SSL connection without using the SSL session ID particularly associated with the client; and in response to the determining, declining to establish a new SSL session with the client.
42 . The method of claim 41 , further comprising:
declining to service subsequent requests from the client.
43 . A computer-implemented method of mitigating against a denial of service (DoS) attack, comprising:
receiving a first HTTP request from a client; sending an HTTP response to the client, wherein the HTTP response includes an HTTP cookie; receiving a second HTTP request from the client; if the second HTTP request includes the HTTP cookie, categorizing the client as non-suspect; and if the second HTTP request does not include the HTTP cookie, categorizing the client as suspect.
44 . The method of claim 43 , wherein the HTTP cookie contains a value particularly associated with the client; and wherein the client is categorized as suspect or non-suspect depending on whether the HTTP cookie in the second HTTP request contains the value particularly associated with the client.
45 . The method of claim 44 , wherein the HTTP response comprises an HTTP redirect response that directs the client to make the second HTTP request to a URL particularly associated with either the client or the HTTP cookie value particularly associated with the client.
46 . A system for mitigating against a denial of service (DoS) attack, comprising:
a processing system comprising one or more processors; one or more communications ports for receiving communications from one or more networked devices and transmitting communications to one or more networked devices; and a memory system comprising one or more computer-readable media, wherein the computer-readable media store instructions that, when executed by the processing system, cause the system to perform the operations of:
detecting a DoS attack or potential DoS attack against a first server system comprising one or more servers;
receiving, at a second server system comprising one or more servers, network traffic directed to the first server system;
subjecting requesting clients to one or more challenge mechanisms, the challenge mechanisms including one or more of challenging requesting clients to follow through HTTP redirect responses, challenging requesting clients to request Secure Sockets Layer (SSL) session resumption, or challenging requesting clients to store and transmit HTTP cookies;
identifying one or more non-suspect clients, the one or more suspect clients corresponding to requesting clients that successfully complete the one or more challenge mechanisms;
identifying one or more suspect clients, the one or more suspect clients corresponding to requesting clients that do not successfully complete the one or more challenge mechanisms; and
forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system.
47 . The system of claim 46 , the operations further comprising:
redirecting network traffic directed to the first server system to the second server system in response to detecting the DoS attack or potential DoS attack against the first server system.
48 . The system of claim 47 , the operations further comprising:
detecting a sufficient mitigation of the DoS attack or potential DoS attack; and redirecting the network traffic directed to the first server system back to the first server system.
49 . The system of claim 47 , wherein redirecting network traffic directed to the first server system to the second server system further comprises:
transmitting one or more Border Gateway Protocol (BGP) messages to advertise that traffic directed to the first server system should be routed through the second server system.
50 . The system of claim 47 , wherein redirecting network traffic directed to the first server system to the second server system further comprises:
requesting a Domain Name Services (DNS) record alteration to reassign one or more domain names assigned to one or more Internet Protocol (IP) addresses associated with the first server system to one or more IP addresses associated with the second server system.
51 . The system of claim 46 , wherein the DoS attack comprises an SSL DoS attack.
52 . The system of claim 51 , wherein receiving, at the second server system, network traffic directed to the first server system comprises:
using, by the second server system, one or more encryption keys belonging to an owner of the first server system to decrypt secure network traffic directed to the first server system, wherein the first server system and the second server system are owned by different entities.
53 . The system of claim 52 , wherein the second server system uses one or more private asymmetric encryption keys belonging to the owner of the first server system.
54 . The system of claim 46 , wherein the first server system and the second server system are owned by different entities.
55 . The system of claim 54 , wherein an owner of the second server system provides the operations of identifying suspect and non-suspect clients and forwarding traffic from non-suspect clients as part of a commercial DoS attack mitigation service.
56 . The system of claim 46 , wherein subjecting requesting clients to one or more challenge mechanisms comprises:
receiving a first HTTP request from a client directed to the first server system; sending, by the second server system, an HTTP redirect response to the client; categorizing the client as non-suspect in response to a determination that the client has transmitted a second HTTP request according to the HTTP redirect response.
57 . The system of claim 56 , wherein the HTTP redirect response directs the client to make the second HTTP request to a URL particularly associated with the client by the second server system.
58 . The system of claim 46 , wherein subjecting requesting clients to one or more challenge mechanisms comprises:
challenging a client to request SSL session resumption; and categorizing the client as non-suspect in response to a determination that the client has correctly requested SSL session resumption.
59 . The system of claim 58 , wherein challenging the client to request SSL session resumption comprises:
establishing, by the second server system, an SSL session and an SSL connection with the client, wherein the SSL session includes an SSL session ID particularly associated with the client; closing the SSL connection with the client; and categorizing the client as non-suspect in response to a determination that the client has subsequently requested a new SSL connection using the SSL session ID particularly associated with the client.
60 . The system of claim 46 , wherein subjecting requesting clients to one or more challenge mechanisms comprises:
categorizing a client as suspect or non-suspect based on the client's ability to properly store and transmit an HTTP cookie sent by the second server system.
61 . The system of claim 60 , the operations further comprising:
transmitting an HTTP cookie to the client containing a value particularly associated with the client; categorizing the client as non-suspect in response to a determination that the client has transmitted a cookie containing the value particularly associated with the client in a subsequent HTTP request.
62 . The system of claim 46 , wherein subjecting requesting clients to one or more challenge mechanisms comprises:
directing clients to complete multiple challenge mechanisms until a portion of network traffic originating from non-suspect clients reaches a threshold.
63 . The system of claim 46 , wherein identifying one or more non-suspect clients further comprises:
whitelisting clients that successfully complete one or more challenge mechanisms.
64 . The system of claim 63 , the operations further comprising:
whitelisting clients that successfully complete one or more challenge mechanisms using at least the successful clients' IP addresses.
65 . The system of claim 63 , the operations further comprising:
whitelisting clients that successfully complete one or more challenge mechanisms using at least SSL session IDs particularly associated with the successful clients.
66 . The system of claim 63 , the operations further comprising:
whitelisting clients that successfully complete one or more challenge mechanisms using at least HTTP cookie values particularly associated with the successful clients.
67 . The system of claim 46 , wherein identifying one or more suspect clients further comprises:
blacklisting clients that fail to complete one or more challenge mechanisms.
68 . The system of claim 46 , wherein forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system further comprises:
discarding traffic corresponding to suspect clients.
69 . The system of claim 46 , wherein forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system further comprises:
rate-limiting traffic corresponding to suspect clients.
70 . The system of claim 46 , wherein forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system further comprises:
operating as an intermediary for communications between a client and the first server system once the client has been identified as non-suspect.
71 . The system of claim 70 , the operations further comprising:
decrypting, by the second server system, secure communications from the client to determine whether the client is suspect or non-suspect; and after determining that the client is non-suspect, operating as an intermediary for secure communications between the client and the first server system without decrypting the secure communications between the client and the first server system.
72 . The system of claim 70 , the operations further comprising:
enabling communications from the client to the first server system to pass through the second server system in a manner that preserves the client's IP address.
73 . The system of claim 72 , the operations further comprising:
including the client's IP address in an HTTP header in a communication from the second server system to the first server system forwarding a communication from the client directed to the first server system.
74 . The system of claim 72 , the operations further comprising:
operating, by the second server system, as a router to allow communications from the client to the first server system to terminate at the first server system.
75 . The system of claim 72 , the operations further comprising:
transmitting a first communication from the second server system to the first server system forwarding a previously received second communication from the client directed to the first server system; and modifying the first communication from the second server system to the first server system to substitute the client's IP address for the second server system's IP address.
76 . A system for mitigating against a Secure Sockets Layer (SSL) denial of service (DoS) attack, comprising:
a processing system comprising one or more processors; one or more communications ports for receiving communications from one or more networked devices and transmitting communications to one or more networked devices; and a memory system comprising one or more computer-readable media, wherein the computer-readable media store instructions that, when executed by the processing system, cause the system to perform the operations of:
detecting an SSL DoS attack or potential SSL DoS attack against a first server system comprising one or more servers;
receiving, at a second server system comprising one or more servers, network traffic directed to the first server system, wherein the first server system and the second server system are owned by different entities, and the second server system uses one or more encryption keys belonging to an owner of the first server system to decrypt secure network traffic directed to the first server system
subjecting requesting clients to one or more challenge mechanisms;
identifying one or more non-suspect clients, the one or more suspect clients corresponding to requesting clients that successfully complete the one or more challenge mechanisms;
identifying one or more suspect clients, the one or more suspect clients corresponding to requesting clients that do not successfully complete the one or more challenge mechanisms; and
forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system.
77 . The system of claim 76 , wherein the second server system uses one or more private asymmetric encryption keys belonging to the owner of the first server system.
78 . The system of claim 76 , wherein forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system further comprises:
operating as an intermediary for communications between a client and the first server system once the client has been identified as non-suspect.
79 . The system of claim 78 , the operations further comprising:
decrypting, by the second server system, secure communications from the client to determine whether the client is suspect or non-suspect; and after determining that the client is non-suspect, operating as an intermediary for secure communications between the client and the first server system without decrypting the secure communications between the client and the first server system.
80 . The system of claim 79 , the operations further comprising:
using, by the second server system, a first encryption key to decrypt secure communications from the client to determine whether the client is suspect or non-suspect; and after determining that the client is non-suspect, operating as an intermediary for secure communications between the client and the first server system that are encrypted using a second encryption key to which the second server system does not have access.
81 . The system of claim 76 , wherein identifying one or more non-suspect clients further comprises:
whitelisting clients that successfully complete one or more challenge mechanisms using at least SSL session IDs particularly associated with the successful clients.
82 . A system for mitigating against a denial of service (DoS) attack, comprising:
a processing system comprising one or more processors; one or more communications ports for receiving communications from one or more networked devices and transmitting communications to one or more networked devices; and a memory system comprising one or more computer-readable media, wherein the computer-readable media store instructions that, when executed by the processing system, cause the system to perform the operations of:
receiving a first HTTP request from a client;
sending an HTTP redirect response to the client;
if the client transmits a second HTTP request according to the HTTP redirect response, categorizing the client as non-suspect; and
if the client does not transmit a second HTTP request according to the HTTP redirect response, categorizing the client as suspect.
83 . The system of claim 82 , wherein categorizing the client as non-suspect comprises servicing future requests from the client, and wherein categorizing the client as suspect comprises rate-limiting or declining to service future requests from the client.
84 . The system of claim 82 , wherein the HTTP redirect response directs the client to make the second HTTP request to a URL particularly associated with the client by the second server system.
85 . A system for mitigating against a Secure Sockets Layer (SSL) denial of service (DoS) attack, comprising:
a processing system comprising one or more processors; one or more communications ports for receiving communications from one or more networked devices and transmitting communications to one or more networked devices; and a memory system comprising one or more computer-readable media, wherein the computer-readable media store instructions that, when executed by the processing system, cause the system to perform the operations of:
receiving a request for an SSL session from a client;
establishing an SSL session and a first SSL connection with the client, wherein the SSL session includes an SSL session ID particularly associated with the client;
closing the first SSL connection with the client;
receiving a subsequent request from the client to establish a second SSL connection;
categorizing the client as non-suspect if the client requests the second SSL connection using the SSL session ID particularly associated with the client; and
categorizing the client as suspect if the client requests the second SSL connection without using the SSL session ID particularly associated with the client.
86 . The system of claim 85 , the operations further comprising:
determining that the client has requested the second SSL connection without using the SSL session ID particularly associated with the client; and in response to the determining, declining to establish a new SSL session with the client.
87 . The system of claim 86 , the operations further comprising:
declining to service subsequent requests from the client.
88 . A system for mitigating against a denial of service (DoS) attack, comprising:
a processing system comprising one or more processors; one or more communications ports for receiving communications from one or more networked devices and transmitting communications to one or more networked devices; and a memory system comprising one or more computer-readable media, wherein the computer-readable media store instructions that, when executed by the processing system, cause the system to perform the operations of:
receiving a first HTTP request from a client;
sending an HTTP response to the client, wherein the HTTP response includes an HTTP cookie;
receiving a second HTTP request from the client;
if the second HTTP request includes the HTTP cookie, categorizing the client as non-suspect; and
if the second HTTP request does not include the HTTP cookie, categorizing the client as suspect.
89 . The system of claim 88 , wherein the HTTP cookie contains a value particularly associated with the client; and wherein the client is categorized as suspect or non-suspect depending on whether the HTTP cookie in the second HTTP request contains the value particularly associated with the client.
90 . The system of claim 89 , wherein the HTTP response comprises an HTTP redirect response that directs the client to make the second HTTP request to a URL particularly associated with either the client or the HTTP cookie value particularly associated with the client.Join the waitlist — get patent alerts
Track US2012174196A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.