Distributed rate limiting
Abstract
Some embodiments provide distributed rate limiting to combat network based attacks launched against a distributed platform or customers thereof. The distributed rate limiting involves graduated monitoring to identify when an attack expands beyond a single server to other servers operating from within the same distributed platform distribution point, and when the attack further expands from one distributed platform distribution point to other distribution points. Once request rates across the distributed platform distribution points exceed a global threshold, a first set of attack protections is invoked across the distributed platform. Should request rates increase or continue to exceed the threshold, additional attack protections can be invoked. Distributed rate limiting allows any server within the distributed platform to assume command and control over the graduated monitoring as well as escalating the response to any identified attack.
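The three-tier escalation the abstract describes (single server, distribution point, whole platform) and the first-request blocking of claim 1, as an added Python example; this is not the patent's embodiment nor any vendor's code. The server and distribution point names, the `/video` content key, the threshold values and the hash-puzzle challenge are constructed for illustration, and per-window request counters stand in for the rate tracking the claims describe.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    pop: str                                          # distribution point this server belongs to
    counts: Counter = field(default_factory=Counter)  # requests per content key in the current window


class FirstRequestGate:
    """Blocks each requestor's first request once protections are active.
    Mode 'challenge' answers with a puzzle whose solution withdraws the block;
    'redirect' and 'drop' are the other two responses named in the claim."""

    def __init__(self, mode="challenge", difficulty=2):
        self.mode, self.difficulty = mode, difficulty
        self.admitted = set()   # requestors whose block has been withdrawn
        self.pending = {}       # requestor -> puzzle seed awaiting a solution

    def check(self, requestor):
        if requestor in self.admitted:
            return ("allow", None)
        if self.mode == "drop":
            return ("drop", None)
        if self.mode == "redirect":
            self.admitted.add(requestor)          # simplification: the retry after redirect is admitted
            return ("redirect", "/retry")
        seed = hashlib.sha256(f"seed:{requestor}".encode()).hexdigest()[:16]
        self.pending[requestor] = seed
        return ("challenge", seed)

    def solve(self, requestor, nonce):
        seed = self.pending.get(requestor)
        ok = seed is not None and _hash(seed, nonce).startswith("0" * self.difficulty)
        if ok:
            self.admitted.add(requestor)
            del self.pending[requestor]
        return ok


def _hash(seed, nonce):
    return hashlib.sha256(f"{seed}:{nonce}".encode()).hexdigest()


def solve_puzzle(seed, difficulty=2):
    """Client side: brute-force a nonce, which is the work a legitimate client does to pass."""
    nonce = 0
    while not _hash(seed, nonce).startswith("0" * difficulty):
        nonce += 1
    return nonce


class Platform:
    LEVELS = ("normal", "pop_monitoring", "platform_monitoring", "blocking")

    def __init__(self, servers, t_server, t_pop, t_platform, mode="challenge"):
        assert t_server < t_pop < t_platform          # ordering required by the claims
        self.servers = {s.name: s for s in servers}
        self.t = (t_server, t_pop, t_platform)
        self.controller = None                        # server that first crossed its own threshold
        self.level = 0
        self.gate = FirstRequestGate(mode)

    def _pop_rate(self, pop, key):
        return sum(s.counts[key] for s in self.servers.values() if s.pop == pop)

    def _platform_rate(self, key):
        return sum(s.counts[key] for s in self.servers.values())

    def request(self, server_name, requestor, key):
        srv = self.servers[server_name]
        srv.counts[key] += 1                          # each server tracks its own rate
        self._escalate(srv, key)
        return self.gate.check(requestor) if self.level == 3 else ("allow", None)

    def _escalate(self, srv, key):
        # Tier 1: the first server over its single-server threshold takes control of the response.
        if self.controller is None and srv.counts[key] > self.t[0]:
            self.controller, self.level = srv.name, 1
        if self.controller is None:
            return
        ctl = self.servers[self.controller]
        # Tier 2: the controller aggregates rates across its own distribution point.
        if self.level >= 1 and self._pop_rate(ctl.pop, key) > self.t[1]:
            self.level = max(self.level, 2)
        # Tier 3: activate blocking only when all three conditions hold at once.
        if (self.level >= 2 and self._platform_rate(key) > self.t[2]
                and self._pop_rate(ctl.pop, key) > self.t[1] and ctl.counts[key] > self.t[0]):
            self.level = 3


def simulate():
    """Constructed scenario: one content key, three servers in two distribution points."""
    p = Platform([Server("a1", "pop-a"), Server("a2", "pop-a"), Server("b1", "pop-b")],
                 t_server=5, t_pop=8, t_platform=12)
    levels = []
    for i in range(6):                                # a1 crosses 5 -> takes control
        p.request("a1", f"bot{i}", "/video")
    levels.append(p.level)
    for i in range(3):                                # pop-a totals 9 > 8 -> propagate
        p.request("a2", f"bot{i}", "/video")
    levels.append(p.level)
    for i in range(4):                                # platform totals 13 > 12 -> activate blocking
        p.request("b1", f"bot{i}", "/video")
    levels.append(p.level)
    verdict, seed = p.request("a1", "alice", "/video")
    solved = p.gate.solve("alice", solve_puzzle(seed))
    return {"levels": levels, "controller": p.controller, "first_verdict": verdict,
            "solved": solved, "after_solve": p.request("a1", "alice", "/video")[0],
            "unsolved_bot": p.request("b1", "bot3", "/video")[0]}
```

`simulate()` walks the escalation in order: the platform reaches level 3 only after the controlling server, its distribution point and the platform as a whole have each exceeded their threshold, and a requestor that solves the challenge is admitted while one that does not keeps receiving it.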
16 Claims
1. A method for defending against network attacks, the method comprising:
providing a distributed platform comprising a plurality of distribution points with each distribution point comprising a plurality of servers, each server tracking a request rate at that server independently prior to initiation of attack protections;
receiving requests for content at a particular server at a first rate in excess of a single server request rate threshold, wherein the particular server is one of the plurality of servers operating from a particular distribution point of the plurality of distribution points;
providing the particular server control over attack response of the distributed platform in response to the particular server receiving the requests at the first rate in excess of the first single server request rate threshold, said providing comprising configuring the particular server with monitoring attack propagation from the particular server across the particular distribution point based on a second distribution point request rate threshold, and monitoring attack escalation from the particular distribution point across the plurality of distribution points based on a third distributed platform request rate threshold, and wherein the third distributed platform request rate threshold is greater than the second distribution point request rate threshold, and the second distribution point request rate threshold is greater than the first single server request rate threshold;
initiating from the particular server, attack protections at each other server of the plurality of servers operating in the particular distribution point in response to said providing the particular server control over the attack response, each server of the plurality of servers operating in the particular distribution point providing a request rate at that server to the particular server in response to initiating the attack protections from the particular server;
propagating by the particular server, the attack protections to the plurality of servers at each other distribution point of the plurality of distribution points in response to the different rates at the plurality of servers of the particular distribution point totaling a second rate in excess of the second distribution point request rate threshold, each server at each other distribution point of the plurality of distribution points providing a request rate at that server to the particular server operating in the particular distribution point in response to propagating the attack protections; and
activating from the particular server, the attack protections across the plurality of servers in the plurality of distribution points in response to (i) the requests arriving across the plurality of servers of the plurality of distribution points at a third rate in excess of the third distributed platform request rate threshold, (ii) the different rates at the plurality of servers of the particular distribution point totaling the second rate in excess of the second distribution point request rate threshold, and (iii) the particular server receiving the requests at the first rate in excess of the first single server request rate threshold; and
blocking each first request from each requestor arriving at each server at the plurality of distribution points in response to said activating the attack protections from the particular server, said blocking comprising at least one of redirecting the first request, dropping the first request, or responding with a computational problem having a solution that withdraws said blocking.
View Dependent Claims (2, 3, 4, 5, 6)

7. A method for responding to an attack on a distributed platform comprising a plurality of distribution points with each distribution point of the plurality of distribution points comprising a plurality of servers for responding to requests for content or services, the method comprising:
receiving a plurality of requests for a plurality of content from a plurality of different clients over a digital network at the plurality of servers of the plurality of distribution points;
detecting initiation of a network based attack at a particular server of a particular distribution point based on (i) a rate of requests for particular content at the particular server exceeding a first single server request rate threshold or (ii) requests from a set of the plurality of users exceeding the first single server request rate threshold;
configuring the particular server with a first set of addresses of each other server of the plurality of servers of the particular distribution point and a second set of addresses of at least one server in other distribution points of the plurality of distribution points;
invoking an initial response to said network based attack from other servers of the plurality of servers within the particular distribution point based on signaling to the first set of addresses originating from the particular server in response to said detecting the initiation of the network based attack at the particular server;
invoking an escalated response to said network based attack from the plurality of servers within other distribution points of the plurality of distribution points based on signaling to the second set of addresses originating from the particular server in response to (i) an aggregate rate of requests for said particular content at the particular distribution point exceeding a second distribution point request rate threshold for the particular content or (ii) requests from the set of users to the plurality of servers of the particular distribution point exceeding the second distribution point request rate threshold; and
modifying the escalated response by activating first request blocking at each server of the plurality of servers in the plurality of distribution points in response to a request rate for said particular content across the plurality of distribution points or a number of requests from the set of users across the plurality of distribution points exceeding a third distributed platform request rate threshold, wherein said first request blocking comprises each server operating from the plurality of distribution points redirecting requests for said particular content or requests from the set of users during a first time, and sending computational problems in response to requests for the particular content or requests from the set of users during a second time in response to exceeding the third distributed platform request rate threshold after the first time and said redirecting.

8. A method comprising:
serving over a first time, from each of a plurality of servers in a plurality of distribution points of a distributed platform, particular customer content in response to requests for the particular customer content arriving at each server below a first single server request rate threshold; and
blocking at each server in the plurality of distribution points over a later second time, each first request directed to the particular customer content in response to (i) a first request rate for the particular customer content at a particular server in a particular distribution point exceeding the first single server request rate threshold, (ii) a second request rate for the particular customer content at the particular distribution point exceeding a different second distribution point request rate threshold, and (iii) a third request rate for the particular customer content across the plurality of distribution points exceeding a different third distributed platform request rate threshold, wherein the third distributed platform request rate threshold is greater than the second distribution point request rate threshold, and the second distribution point request rate threshold is greater than the first single server request rate threshold, and wherein blocking each first request comprises at least one of redirecting the first request, dropping the first request, or responding with a computational problem having a solution that withdraws said blocking.
View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)