Distributed rate limiting

US 10,069,859 B2
Filed: 12/16/2015
Issued: 09/04/2018
Est. Priority Date: 12/16/2015
Status: Active Grant

First Claim

Patent Images

1. A method for defending against network attacks, the method comprising:

providing a distributed platform comprising a plurality of distribution points with each distribution point comprising a plurality of servers, each server tracking a request rate at that server independently prior to initiation of attack protections;

receiving requests for content at a particular server at a first rate in excess of a single server request rate threshold, wherein the particular server is one of the plurality of servers operating from a particular distribution point of the plurality of distribution points;

providing the particular server control over attack response of the distributed platform in response to the particular server receiving the requests at the first rate in excess of the first single server request rate threshold, said providing comprising configuring the particular server with monitoring attack propagation from the particular server across the particular distribution point based on a second distribution point request rate threshold, and monitoring attack escalation from the particular distribution point across the plurality of distribution points based on a third distributed platform request rate threshold, and wherein the third distributed platform request rate threshold is greater than the second distribution point request rate threshold, and the second distribution point request rate threshold is greater than the first single server request rate threshold;

initiating from the particular server, attack protections at each other server of the plurality of servers operating in the particular distribution point in response to said providing the particular server control over the attack response, each server of the plurality of servers operating in the particular distribution point providing a request rate at that server to the particular server in response to initiating the attack protections from the particular server;

propagating by the particular server, the attack protections to the plurality of servers at each other distribution point of the plurality of distribution points in response to the different rates at the plurality of servers of the particular distribution point totaling a second rate in excess of the second distribution point request rate threshold, each server at each other distribution point of the plurality of distribution points providing a request rate at that server to the particular server operating in the particular distribution point in response to propagating the attack protections; and

activating from the particular server, the attack protections across the plurality of servers in the plurality of distribution points in response to (i) the requests arriving across the plurality of servers of the plurality of distribution points at a third rate in excess of the third distributed platform request rate threshold, (ii) the different rates at the plurality of servers of the particular distribution point totaling the second rate in excess of the second distribution point request rate threshold, and (iii) the particular server receiving the requests at the first rate in excess of the first single server request rate threshold; and

blocking each first request from each requestor arriving at each server at the plurality of distribution points in response to said activating the attack protections from the particular server, said blocking comprising at least one of redirecting the first request, dropping the first request, or responding with a computational problem having a solution that withdraws said blocking.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments provide distributed rate limiting to combat network based attacks launched against a distributed platform or customers thereof. The distributed rate limiting involves graduated monitoring to identify when an attack expands beyond a single server to other servers operating from within the same distributed platform distribution point, and when the attack further expands from one distributed platform distribution point to other distribution points. Once request rates across the distributed platform distribution points exceed a global threshold, a first set of attack protections are invoked across the distributed platform. Should request rates increase or continue to exceed the threshold, additional attack protections can be invoked. Distributed rate limiting allows any server within the distributed platform to assume command and control over the graduated monitoring as well as escalating the response to any identified attack.

40 Citations

View as Search Results

16 Claims

1. A method for defending against network attacks, the method comprising:
- providing a distributed platform comprising a plurality of distribution points with each distribution point comprising a plurality of servers, each server tracking a request rate at that server independently prior to initiation of attack protections;
  
  receiving requests for content at a particular server at a first rate in excess of a single server request rate threshold, wherein the particular server is one of the plurality of servers operating from a particular distribution point of the plurality of distribution points;
  
  providing the particular server control over attack response of the distributed platform in response to the particular server receiving the requests at the first rate in excess of the first single server request rate threshold, said providing comprising configuring the particular server with monitoring attack propagation from the particular server across the particular distribution point based on a second distribution point request rate threshold, and monitoring attack escalation from the particular distribution point across the plurality of distribution points based on a third distributed platform request rate threshold, and wherein the third distributed platform request rate threshold is greater than the second distribution point request rate threshold, and the second distribution point request rate threshold is greater than the first single server request rate threshold;
  
  initiating from the particular server, attack protections at each other server of the plurality of servers operating in the particular distribution point in response to said providing the particular server control over the attack response, each server of the plurality of servers operating in the particular distribution point providing a request rate at that server to the particular server in response to initiating the attack protections from the particular server;
  
  propagating by the particular server, the attack protections to the plurality of servers at each other distribution point of the plurality of distribution points in response to the different rates at the plurality of servers of the particular distribution point totaling a second rate in excess of the second distribution point request rate threshold, each server at each other distribution point of the plurality of distribution points providing a request rate at that server to the particular server operating in the particular distribution point in response to propagating the attack protections; and
  
  activating from the particular server, the attack protections across the plurality of servers in the plurality of distribution points in response to (i) the requests arriving across the plurality of servers of the plurality of distribution points at a third rate in excess of the third distributed platform request rate threshold, (ii) the different rates at the plurality of servers of the particular distribution point totaling the second rate in excess of the second distribution point request rate threshold, and (iii) the particular server receiving the requests at the first rate in excess of the first single server request rate threshold; and
  
  blocking each first request from each requestor arriving at each server at the plurality of distribution points in response to said activating the attack protections from the particular server, said blocking comprising at least one of redirecting the first request, dropping the first request, or responding with a computational problem having a solution that withdraws said blocking.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising compiling at the particular server in response to said propagating, the third rate based on different rates at which the plurality of servers from the plurality of distribution points receive the requests.
  - 3. The method of claim 2, wherein said propagating comprises signaling at least one server from each specific distribution point of the plurality of distribution points to report a rate at which the plurality of servers of the specific distribution point receive the requests.
  - 4. The method of claim 1, wherein said activating of said attack protections comprises passing a message from the particular server to each of the plurality of distribution points, said message invoking said blocking by each server within the plurality of distribution points.
  - 5. The method of claim 1 further comprising serving the content in response to a redirected second request for the content from a common requestor.
  - 6. The method of claim 1 further comprising serving the content in response to a second request from a particular requestor providing a correct solution to the computational problem, and dropping the second request from the particular requestor or submitting a different second computational problem in response to the second request providing an incorrect solution to the computational problem.

7. A method for responding to an attack on a distributed platform comprising a plurality of distribution points with each distribution point of the plurality of distribution points comprising a plurality of servers for responding to requests for content or services, the method comprising:
- receiving a plurality of requests for a plurality of content from a plurality of different clients over a digital network at the plurality of servers of the plurality of distribution points;
  
  detecting initiation of a network based attack at a particular server of a particular distribution point based on (i) a rate of requests for particular content at the particular server exceeding a first single server request rate threshold or (ii) requests from a set of the plurality of users exceeding the first single server request rate threshold;
  
  configuring the particular server with a first set of addresses of each other server of the plurality of servers of the particular distribution point and a second set of addresses of at least one server in other distribution points of the plurality of distribution points;
  
  invoking an initial response to said network based attack from other servers of the plurality of servers within the particular distribution point based on signaling to the first set of addresses originating from the particular server in response to said detecting the initiation of the network based attack at the particular server;
  
  invoking an escalated response to said network based attack from the plurality of servers within other distribution points of the plurality of distribution points based on signaling to the second set of addresses originating from the particular server in response to (i) an aggregate rate of requests for said particular content at the particular distribution point exceeding a second distribution point request rate threshold for the particular content or (ii) requests from the set of users to the plurality of servers of the particular distribution point exceeding the second distribution point request rate threshold; and
  
  modifying the escalated response by activating first request blocking at each server of the plurality of servers in the plurality of distribution points in response to a request rate for said particular content across the plurality of distribution points or a number of requests from the set of users across the plurality of distribution points exceeding a third distributed platform request rate threshold, wherein said first request blocking comprises each server operating from the plurality of distribution points redirecting requests for said particular content or requests from the set of users during a first time, and sending computational problems in response to requests for the particular content or requests from the set of users during a second time in response to exceeding the third distributed platform request rate threshold after the first time and said redirecting.

8. A method comprising:
- serving over a first time, from each of a plurality of servers in a plurality of distribution points of a distributed platform, particular customer content in response to requests for the particular customer content arriving at each server below a first single server request rate threshold; and
  
  blocking at each server in the plurality of distribution points over a later second time, each first request directed to the particular customer content in response to (i) a first request rate for the particular customer content at a particular server in a particular distribution point exceeding the first single server request rate threshold, (ii) a second request rate for the particular customer content at the particular distribution point exceeding a different second distribution point request rate threshold, and (iii) a third request rate for the particular customer content across the plurality of distribution points exceeding a different third distributed platform request rate threshold,wherein the third distributed platform request rate threshold is greater than the second distribution point request rate threshold, and the second distribution point request rate threshold is greater than the first single server request rate threshold, andwherein blocking each first request comprises at least one of redirecting the first request, dropping the first request, or responding with a computational problem having a solution that withdraws said blocking.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The method of claim 8 further comprising detecting the second request rate for the particular customer content at the particular distribution point in response to the first request rate for the particular customer content at the particular server exceeding the first single server request rate threshold.
  - 10. The method of claim 9 further comprising detecting the third request rate for the particular customer content across the plurality of distribution points in response to the second request rate for the particular customer content at the particular distribution point exceeding the second distribution point request rate threshold.
  - 11. The method of claim 8 further comprising changing the first request blocking from one of the redirecting, dropping, and responding with the computational problem to a different one of the redirecting, dropping, and responding with the computational problem in response to the third request rate for the particular customer content across the plurality of distribution points not falling below the third distributed platform request rate threshold after said second time interval.
  - 12. The method of claim 8 increasing difficulty of the computation problem in response to the third request rate for the particular customer content across the plurality of distribution points not falling below the third distributed platform request rate threshold after said second time interval.
  - 13. The method of claim 8 further comprising configuring a plurality of customer attack definitions at each server in the plurality of distribution points, each customer attack definition being associated with different customer content and setting the first single server request rate threshold, the second distribution point request rate threshold, and the third distributed platform request rate threshold with different threshold values specified for the customer content associated with the customer attack definition.
  - 14. The method of claim 13 further comprising selecting a particular customer attack definition from the plurality of customer attack definitions at each server in the plurality of distribution points in response to each server receiving requests for the particular customer content.
  - 15. The method of claim 14 further comprising setting values for the first single server request threshold, the second distribution point request rate threshold, and the third distributed platform request rate threshold at each server based on said selecting the particular customer attack definition.
  - 16. The method of claim 14 further comprising activating said blocking at the later second time, in response to (i) the first request rate exceeding a first customer specific value for the first single server request rate threshold from the particular customer attack definition, (ii) the second request rate exceeding a second customer specific value for the second distribution point request rate threshold from the particular customer attack definition, and (iii) the third request rate exceeding a third customer specific value for the third distributed platform request rate threshold from the particular customer attack definition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Edgio Incorporated
Original Assignee
Verizon Digital Media Services Inc. (Verizon Communications Inc.)
Inventors
Andrews, David, Morrison, Reed, Shiell, Derek, Peters, Robert J.
Primary Examiner(s)
Pearson, David
Assistant Examiner(s)
Champakesan, Badri

Application Number

US14/971,679
Publication Number

US 20170180414A1
Time in Patent Office

993 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 67/10   in which an application is ...

H04L 67/1097   for distributed storage of ...

Distributed rate limiting

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

40 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed rate limiting

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links