Method and apparatus for trust-based, fine-grained rate limiting of network requests
Abstract
A method and apparatus for fine-grained, trust-based rate limiting of network requests distinguishes trusted network traffic from untrusted network traffic at the granularity of an individual user/machine combination, so that network traffic policing measures are readily implemented against untrusted and potentially hostile traffic without compromising service to trusted users. A server establishes a user/client pair as trusted by issuing a trust token to the client when successfully authenticating to the server for the first time. Subsequently, the client provides the trust token at login. At the server, rate policies apportion bandwidth according to type of traffic: network requests that include a valid trust token are granted highest priority. Rate policies further specify bandwidth restrictions imposed for untrusted network traffic. This scheme enables the server to throttle untrusted password-guessing requests from crackers without penalizing most friendly logins and only slightly penalizing the relatively few untrusted friendly logins.
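An added illustration of the scheme the abstract describes, not code from the patent: a trust token is issued on the first successful login, and later requests are classified by user/device pair rather than by source address. The HMAC token format, the 2-second delay and all names (`SERVER_KEY`, `classify`, `handle_login`, and so on) are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the server
UNTRUSTED_DELAY_S = 2.0               # assumption: the configurable response latency
records = {}                          # (user_id, device_id) -> last successful login


def _token_for(user_id, device_id):
    # Length-prefix the user id so ("ab", "c") and ("a", "bc") get different tokens.
    msg = f"{len(user_id)}:{user_id}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def on_successful_auth(user_id, device_id, source_addr):
    """Add or update the record for this user/device pair and issue its trust token."""
    records[(user_id, device_id)] = {"addr": source_addr, "ts": time.time()}
    return _token_for(user_id, device_id)


def classify(user_id, device_id, token):
    """Return (policy, delay_seconds); the source address plays no part in the match."""
    known = (user_id, device_id) in records
    expected = _token_for(user_id, device_id).encode()
    # Constant-time comparison on bytes; compare_digest rejects non-ASCII str input.
    valid = token is not None and hmac.compare_digest(token.encode(), expected)
    if known and valid:
        return ("trusted", 0.0)
    return ("untrusted", UNTRUSTED_DELAY_S)


def handle_login(user_id, device_id, token, source_addr, verify, sleep=time.sleep):
    """Delay untrusted requests before checking credentials; extend trust on success."""
    policy, delay = classify(user_id, device_id, token)
    if delay:
        sleep(delay)  # slows password guessing without touching trusted logins
    new_token = on_successful_auth(user_id, device_id, source_addr) if verify() else None
    return policy, new_token


if __name__ == "__main__":
    # Constructed sample: first login from a new device, then a return visit.
    _, tok = handle_login("alice", "dev-1", None, "198.51.100.7", lambda: True)
    print(classify("alice", "dev-1", tok))  # same device, token presented
    print(classify("alice", "dev-2", tok))  # same token replayed from another device
```

The blocking `sleep` keeps the example short; a server handling many connections would schedule the delayed response instead, so that throttled requests do not occupy worker threads.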
25 Claims
1. A method comprising:
- for each successful authentication, adding or updating a database record in a database containing at least a user identifier, an IP address agnostic client device identifier, an originating network address, and a date/timestamp of a first or previously successful authentication;
- determining whether a user identifier of a subsequent request matches the user identifier of a database record associated with a previously successful authentication;
- determining whether a client device identifier of the subsequent request matches the IP address agnostic client device identifier of the database record associated with the previously successful authentication;
- processing, using at least one processor, the subsequent request according to a first policy if both of the user identifier and the client device identifier of the subsequent request match the user identifier and the IP address agnostic client device identifier of the database record associated with the previously successful authentication; and
- processing, using the at least one processor, the subsequent request according to a second policy by adding a configurable amount of response latency if the client device identifier of the subsequent request does not match the IP address agnostic client device identifier of the database record associated with the previously successful authentication.

Dependent claims: 2, 3, 4, 5

6. A method comprising:
- for each successful authentication to a network service, creating a database record in a database for an entity if the entity has not previously authenticated to the network service, the database record containing at least a user identifier, an IP address agnostic client device identifier, an originating network address, and a date/timestamp of a first or previously successful authentication;
- determining whether a user identifier of a subsequent request matches the user identifier of a database record associated with a previously successful authentication;
- determining whether a client device identifier of the subsequent request matches the IP address agnostic client device identifier of the database record associated with the previously successful authentication;
- processing, using at least one processor, the subsequent request according to a first policy if both of the user identifier and the client device identifier of the subsequent request match the user identifier and the IP address agnostic client device identifier of the database record associated with the previously successful authentication; and
- processing, using the at least one processor, the subsequent request according to a second policy by adding a configurable amount of response latency if the client device identifier of the subsequent request does not match the IP address agnostic client device identifier of the database record associated with the previously successful authentication.

Dependent claims: 7, 8, 9, 10, 11

12. A system comprising:
- at least one server; and
- at least one non-transitory computer readable storage medium storing instructions that, when executed by the at least one server, cause the system to:
  - for each successful authentication, update a previously created record in a database for subsequent authentication requests from an entity, the record containing at least a user identifier, a client device identifier, an originating network address, and a date/timestamp of a first or previously successful authentication;
  - detect a subsequent request from an anonymous client device;
  - determine a trusted address range for a user identifier of the subsequent request from stored authentication records;
  - determine whether a client device identifier of the subsequent request matches the client device identifier of the record associated with a previously successful authentication;
  - determine whether the subsequent request from the anonymous client device has an address within the determined trusted address range;
  - process the subsequent request according to a first policy if the subsequent request from the anonymous client device has an address within the determined trusted address range and if the client device identifier of the subsequent request matches the client device identifier of the record associated with the previously successful authentication;
  - process the subsequent request according to a second policy by adding a configurable amount of server to client device response latency if the subsequent request from the anonymous client device has an address outside of the determined trusted address range or if the client device identifier of the subsequent request does not match the client device identifier of the record associated with the previously successful authentication; and
  - extend trust if the user identifier and the client device identifier of the subsequent request match the user identifier and the client device identifier of the record associated with a previously successful authentication.

Dependent claims: 13, 14, 15

16. A system comprising:
- at least one server; and
- at least one non-transitory computer readable storage medium storing instructions that, when executed by the at least one server, cause the system to:
  - for each successful authentication to a network service, create a record in a database if an entity has not previously authenticated to the network service, the record containing at least a user identifier, an IP address agnostic client device identifier, an originating network address, and a date/timestamp of a first or previously successful authentication;
  - determine whether a user identifier of a subsequent request is associated with a client device that includes a trust token;
  - determine whether a client device identifier of a subsequent request matches the IP address agnostic client device identifier of the record associated with the previously successful authentication;
  - process the subsequent request according to a first policy if the client device contains the trust token and the client device identifier of the subsequent request matches the IP address agnostic client device identifier of the record associated with the previously successful authentication;
  - process the request according to a second policy by adding a configurable amount of response latency if the client device contains the trust token and the client device identifier of the subsequent request does not match the IP address agnostic client device identifier of the record associated with the previously successful authentication; and
  - extend trust if both of the user identifier and the client device identifier of the subsequent request matches the user identifier and the IP address agnostic client device identifier of the record associated with a previously successful authentication.

Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25

Specification