Short term certificate management during distributed denial of service attacks

US 10,104,119 B2
Filed: 05/11/2016
Issued: 10/16/2018
Est. Priority Date: 05/11/2016
Status: Active Grant

First Claim

Patent Images

1. A method of providing a short term certificate during a distributed denial of service attack on a network, the method comprising:

identifying, by a processor, a distributed denial of service attack on a network;

executing, by the processor, a script to request a short term certificate in response to, and at the time of, identifying the distributed denial of service attack, wherein the network is associated with a first certificate and wherein the short term certificate has a predetermined duration that is less than a duration of the first certificate;

receiving the short term certificate generated by a certificate server;

updating a transport layer security record under domain name service (DNS) based authentication of named entities (DANE) according to the short term certificate;

generating, by the processor, an instruction to redirect traffic from the network during the distributed denial of service attack to a protection service using the short term certificate and associated private key,wherein malicious traffic involved in the distributed denial of service attack is filtered by the protection service in response to the short term certificate; and

wherein filtered traffic is provided from the protection service to the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a distributed denial of service attack on a network is identified. In response to the distributed denial of service attack, a script to request a short term certificate is executed. The short term certificate is generated by a certificate server and received either directly or indirectly from the certificate server. An instruction to redirect traffic using the short term certificate and private key is sent to a distributed denial of service attack protection service that is operable to filter or otherwise mitigate malicious traffic involved in the distributed denial of service attack.

Citations

18 Claims

1. A method of providing a short term certificate during a distributed denial of service attack on a network, the method comprising:
- identifying, by a processor, a distributed denial of service attack on a network;
  
  executing, by the processor, a script to request a short term certificate in response to, and at the time of, identifying the distributed denial of service attack, wherein the network is associated with a first certificate and wherein the short term certificate has a predetermined duration that is less than a duration of the first certificate;
  
  receiving the short term certificate generated by a certificate server;
  
  updating a transport layer security record under domain name service (DNS) based authentication of named entities (DANE) according to the short term certificate;
  
  generating, by the processor, an instruction to redirect traffic from the network during the distributed denial of service attack to a protection service using the short term certificate and associated private key,wherein malicious traffic involved in the distributed denial of service attack is filtered by the protection service in response to the short term certificate; and
  
  wherein filtered traffic is provided from the protection service to the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the distributed denial of service attack is identified by an on premise security device coupled with the network.
  - 3. The method of claim 1, wherein the distributed denial of service attack is identified by a security device in a service provider network.
  - 4. The method of claim 1, further comprising:
    - advertising a gateway protocol message including an address for the protection service.
  - 5. The method of claim 4, further comprising:
    - advertising a gateway protocol message including an address for the network after the distributed denial of service attack.
  - 6. The method of claim 1, further comprising:
    - sending a request to revoke the short term certificate to the certificate server.
  - 7. The method of claim 1, wherein the script to request the short term certificate includes an expiration time period for the short term certificate.
  - 8. The method of claim 1, further comprising:
    - establishing a secure channel between the protection service and the network.

9. An apparatus for providing a short term certificate during a distributed denial of service attack on a network, the apparatus comprising:
- a processor; and
  
  a memory comprising one or more instructions executable by the processor to perform;
  
  identify a distributed denial of service attack on a network;
  
  execute the processor, a script to request a short term certificate in response to, and at the time of, identifying the distributed denial of service attack, wherein the network is associated with a first certificate and wherein the short term certificate has a predetermined duration that is less than a duration of the first certificate;
  
  receive the short term certificate generated by a certificate server;
  
  update a transport layer security record under domain name service (DNS) based authentication of named entities (DANE) according to the short term certificate;
  
  generate an instruction to a protection service to service traffic from the network during the distributed denial of service attack using the short term certificate and private key,wherein malicious traffic involved in the distributed denial of service attack is filtered by the protection service in response to the short term certificate; and
  
  wherein filtered traffic is provided from the protection service to the network.
- View Dependent Claims (10)
- - 10. The apparatus of claim 9, wherein the distributed denial of service attack is identified by an on premise security device coupled with the network or by a security device in a service provider network.

11. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to perform operations for providing a short term certificate during a distributed denial of service attack on a network, the operations including:
- identifying a distributed denial of service attack on a network;
  
  executing a script to request a short term certificate in response to, and at the time of, identifying the distributed denial of service attack, wherein the network is associated with a first certificate and wherein the short term certificate has a predetermined duration that is less than a duration of the first certificate;
  
  receiving the short term certificate generated by a certificate server;
  
  updating a transport layer security record under domain name service (DNS) based authentication of named entities (DANE) according to the short term certificate;
  
  generating an instruction to redirect traffic from the network during the distributed denial of service attack to a protection service using the short term certificate and associated private key,wherein malicious traffic involved in the distributed denial of service attack is filtered by the protection service in response to the short term certificate; and
  
  wherein filtered traffic is provided from the protection service to the network.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The computer readable storage media of claim 11, wherein the instructions for identifying include instructions for identifying, by an on premise security device coupled with the network, the distributed denial of service attack.
  - 13. The computer readable storage media of claim 11, wherein the instructions for identifying include instructions for identifying, by a security device in a service provider network, the distributed denial of service attack.
  - 14. The computer readable storage media of claim 11, further comprising instructions for:
    - advertising a gateway protocol message including an address for the protection service.
  - 15. The computer readable storage media of claim 11, further comprising instructions for:
    - advertising a gateway protocol message including an address for the network after the distributed denial of service attack.
  - 16. The computer readable storage media of claim 11, further comprising instructions for:
    - sending a request to revoke the short term certificate to the certificate server.
  - 17. The computer readable storage media of claim 11, wherein the script to request the short term certificate includes an expiration time period for the short term certificate.
  - 18. The computer readable storage media of claim 11, further comprising instructions for:
    - establishing a secure channel between the protection service and the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Reddy, Tirumaleswar, Wing, Daniel, Patil, Prashanth
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
Lakhia, Viral S

Application Number

US15/151,709
Publication Number

US 20170331854A1
Time in Patent Office

888 Days
Field of Search

726 5- 7, 713180-182
US Class Current
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0823   using certificates cryptogr...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/168   above the transport layer

H04L 65/1104   Session initiation protocol...

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 69/329   in the application layer [O...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3263   involving certificates, e.g...

Short term certificate management during distributed denial of service attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Short term certificate management during distributed denial of service attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links