Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates

US 10,257,157 B2
Filed: 05/17/2018
Issued: 04/09/2019
Est. Priority Date: 04/24/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method executed by one or more hardware processors, the method comprising:

receiving an encrypted request for a resource, the encrypted request directed to a particular IP address;

determining that the particular IP address is a spoofed IP address associated with a particular domain name;

determining that the encrypted request is directed to the particular domain name based on the association between the spoofed IP address and the particular domain name, wherein the determination is made without decrypting the encrypted request; and

selectively allowing the encrypted request based at least in part on determining that the encrypted request is directed to the particular domain name.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus prevents communication by a client device to a domain that cannot be uniquely identified by relocating the DNS mapping of the domain to a destination IP Address that is uniquely identifiable and that represents a location of an apparatus that provides a data path to the domain.

14 Citations

17 Claims

1. A computer-implemented method executed by one or more hardware processors, the method comprising:
- receiving an encrypted request for a resource, the encrypted request directed to a particular IP address;
  
  determining that the particular IP address is a spoofed IP address associated with a particular domain name;
  
  determining that the encrypted request is directed to the particular domain name based on the association between the spoofed IP address and the particular domain name, wherein the determination is made without decrypting the encrypted request; and
  
  selectively allowing the encrypted request based at least in part on determining that the encrypted request is directed to the particular domain name.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein selectively allowing the encrypted request includes:
    - determining that the encrypted request should be blocked based at least in part on a rule associated with the particular domain name; and
      
      blocking the encrypted request.
  - 3. The method of claim 1, wherein selectively allowing the encrypted request includes:
    - determining that the encrypted request should be allowed based at least in part on a rule associated with the particular domain name; and
      
      forwarding the encrypted request to a corresponding IP address for the particular domain name.
  - 4. The method of claim 1, wherein the association between the spoofed IP address and the particular domain name is created by a domain name server in response to receiving a request to resolve the particular domain name.
  - 5. The method of claim 1, wherein the spoofed IP address includes an IP port.
  - 6. The method of claim 1, wherein receiving the encrypted request for the resource includes receiving a request according to Hypertext Transfer Protocol Secure (HTTPS).

7. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one hardware processor to perform operations comprising:
- receiving an encrypted request for a resource, the encrypted request directed to a particular IP address;
  
  determining that the particular IP address is a spoofed IP address associated with a particular domain name;
  
  determining that the encrypted request is directed to the particular domain name based on the association between the spoofed IP address and the particular domain name, wherein the determination is made without decrypting the encrypted request; and
  
  selectively allowing the encrypted request based at least in part on determining that the encrypted request is directed to the particular domain name.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory, computer-readable medium of claim 7, wherein selectively allowing the encrypted request includes:
    - determining that the encrypted request should be blocked based at least in part on a rule associated with the particular domain name; and
      
      blocking the encrypted request.
  - 9. The non-transitory, computer-readable medium of claim 7, wherein selectively allowing the encrypted request includes:
    - determining that the encrypted request should be allowed based at least in part on a rule associated with the particular domain name; and
      
      forwarding the encrypted request to a corresponding IP address for the particular domain name.
  - 10. The non-transitory, computer-readable medium of claim 7, wherein the association between the spoofed IP address and the particular domain name is created by a domain name server in response to receiving a request to resolve the particular domain name.
  - 11. The non-transitory, computer-readable medium of claim 7, wherein the spoofed IP address includes an IP port.
  - 12. The non-transitory, computer-readable medium of claim 7, wherein receiving the encrypted request for the resource includes receiving a request according to Hypertext Transfer Protocol Secure (HTTPS).

13. A system comprising:
- memory for storing data; and
  
  one or more hardware processors operable to perform operations comprising;
  
  receiving an encrypted request for a resource, the encrypted request directed to a particular IP address;
  
  determining that the particular IP address is a spoofed IP address associated with a particular domain name;
  
  determining that the encrypted request is directed to the particular domain name based on the association between the spoofed IP address and the particular domain name, wherein the determination is made without decrypting the encrypted request; and
  
  selectively allowing the encrypted request based at least in part on determining that the encrypted request is directed to the particular domain name.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The system of claim 13, wherein selectively allowing the encrypted request includes:
    - determining that the encrypted request should be blocked based at least n part on a rule associated with the particular domain name; and
      
      blocking the encrypted request.
  - 15. The system of claim 13, wherein selectively allowing the encrypted request includes:
    - determining that the encrypted request should be allowed based at least in part on a rule associated with the particular domain name; and
      
      forwarding the encrypted request to a corresponding IP address for the particular domain name.
  - 16. The system of claim 13, wherein the association between the spoofed IP address and the particular domain name is created by a domain name server in response to receiving a request to resolve the particular domain name.
  - 17. The system of claim 13, wherein the spoofed IP address includes an IP port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
iBoss
Original Assignee
iBoss
Inventors
Martini, Paul Michael
Primary Examiner(s)
Shaw, Brian F

Application Number

US15/982,753
Publication Number

US 20180270192A1
Time in Patent Office

327 Days
Field of Search

726 26
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/166   at the transport layer

H04L 67/02   based on web technology, e....

Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links