Distributed denial of service mitigation for web conferencing
Abstract
A web conferencing operator can enable participants to share multimedia content in real time even when one or more participants operate behind a middlebox, using network address translation (NAT) traversal protocols and tools such as STUN, TURN, and ICE. In NAT traversal, participants exchange transport addresses that they can use to establish a joint media session. However, the connectivity checks performed during NAT traversal can expose a media distribution device hosted by the web conferencing operator to attacks such as distributed denial of service (DDoS). The web conferencing operator can minimize the effects of a DDoS attack during the connectivity checks, at scale and without significant performance degradation, by configuring the middlebox to validate incoming connectivity-check requests without persistent signaling between the web conferencing operator and the middlebox.
20 Claims
1. A computer-implemented method comprising:

receiving one-time password (OTP) data for validating one or more connectivity checks for establishing a media session, the OTP data including a sequencing function;

determining a set of passkeys by applying the sequencing function to a seed value to acquire a first passkey and successively applying the sequencing function to a latest passkey to acquire one or more additional passkeys;

sending at least one of an offer or an answer to an endpoint for establishing the media session, at least one of the offer or the answer including a first username that includes a passkey from the set of passkeys and a successive passkey from the set of passkeys;

receiving a request for a connectivity check from the endpoint for establishing the media session, the request including a second username that includes the passkey and the successive passkey; and

validating the second username based at least in part by applying the sequencing function to the passkey included in the second username to acquire a computed value and comparing the computed value to the successive passkey included in the second username.

(Claims 2 to 10 depend from claim 1 and are not reproduced here.)
11. A system comprising:

a processor; and

a non-transitory computer-readable medium storing instructions that, upon execution by the processor, cause the system to:

acquire one-time password (OTP) data for validating one or more connectivity checks for establishing a media session with a media distribution device (MDD), the OTP data including a sequencing function;

determine a set of passkeys by applying the sequencing function to a seed value to acquire a first passkey and successively applying the sequencing function to a latest passkey to acquire one or more additional passkeys;

receive a request for a connectivity check from an endpoint external to a web conferencing network for establishing the media session with the MDD, the request including a username that includes a sequence value and a passkey; and

validate the username based at least in part by applying the sequencing function to the sequence value to acquire a computed value and comparing the computed value to the passkey.

(Claims 12 and 13 depend from claim 11 and are not reproduced here.)
14. A computer-implemented method comprising:

acquiring one-time password (OTP) data for validating one or more connectivity checks for establishing a media session, the OTP data including a sequencing function and a secret key;

determining a set of passkeys by applying the sequencing function to a seed value to acquire a first passkey and successively applying the sequencing function to a latest passkey to acquire one or more additional passkeys;

determining a username including a passkey from the set of passkeys, a successive passkey from the set of passkeys, a counter, and a timestamp;

determining a password by applying a cryptographic hash function to the counter and the timestamp using the secret key; and

sending at least one of an offer or an answer to an endpoint for establishing the media session, at least one of the offer or the answer including the username and the password.

(Claims 15 to 20 depend from claim 14 and are not reproduced here.)
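The mechanism described in the abstract and in claims 1, 11 and 14 is, in effect, a hash chain carried in the ICE username plus a keyed-hash password, which lets a middlebox reject bogus connectivity checks using only data it was given once. The following Python is an added illustration written for this page; it is not code from the patent or its assignee. It assumes several specifics the claims leave open: the sequencing function is HMAC-SHA256 truncated to 8 bytes and is itself keyed with a chain key (the claims say only that the function is part of the OTP data); the username layout is `passkey.successive.counter.timestamp`; the "connectivity check" is a simplified stand-in for a STUN Binding request (12-byte transaction ID, username, 20-byte HMAC-SHA1 integrity tag) rather than a full RFC 5389 message; and a fixed 300-second timestamp window is used for freshness.

```python
"""Stateless validation of ICE-style connectivity checks using a passkey
chain in the username and an HMAC-derived password.

Added example for this page (not the patent's code). The sequencing
function, username layout, simplified STUN message and freshness window
are all assumptions of this example.
"""
import hashlib
import hmac
import struct
import time
from typing import Callable, List, Tuple

# "OTP data" shared once between the conferencing operator and the
# middlebox: a sequencing function and a secret key. No per-session state
# is pushed to the middlebox afterwards.
def make_sequencing_function(chain_key: bytes) -> Callable[[str], str]:
    """Assumed sequencing function: HMAC-SHA256 truncated to 8 bytes (hex)."""
    def f(value: str) -> str:
        return hmac.new(chain_key, value.encode(), hashlib.sha256).hexdigest()[:16]
    return f

def derive_passkeys(f: Callable[[str], str], seed: str, count: int) -> List[str]:
    """Apply f to the seed, then repeatedly to the latest passkey (claims 1, 11, 14)."""
    keys = [f(seed)]
    for _ in range(count - 1):
        keys.append(f(keys[-1]))
    return keys

def build_username(passkey: str, successive: str, counter: int, ts: int) -> str:
    """Claim 14 username: passkey, successive passkey, counter, timestamp (layout assumed)."""
    return f"{passkey}.{successive}.{counter}.{ts}"

def derive_password(secret: bytes, counter: int, ts: int) -> str:
    """Claim 14 password: keyed hash over the counter and timestamp."""
    return hmac.new(secret, struct.pack(">QQ", counter, ts), hashlib.sha256).hexdigest()

def message_integrity(password: str, body: bytes) -> bytes:
    """Simplified MESSAGE-INTEGRITY: HMAC-SHA1 keyed with the password (as in RFC 5389)."""
    return hmac.new(password.encode(), body, hashlib.sha1).digest()

def build_connectivity_check(username: str, password: str, tx_id: bytes) -> bytes:
    """Endpoint side: tx_id(12) || username || HMAC-SHA1(20). Real STUN framing omitted."""
    body = tx_id + username.encode()
    return body + message_integrity(password, body)

def validate_connectivity_check(f: Callable[[str], str], secret: bytes, request: bytes,
                                now: int, max_skew: int = 300) -> Tuple[bool, str]:
    """Middlebox side: needs only the shared OTP data, no per-session state.

    Cheap checks run first so a flood is dropped before any HMAC work:
    1) chain check  f(passkey) == successive   (claims 1 and 11)
    2) timestamp freshness                     (window is an assumption)
    3) integrity tag under the recomputed password (claim 14)
    """
    if len(request) < 12 + 20:
        return False, "malformed request"
    tx_id, mac = request[:12], request[-20:]
    username_bytes = request[12:-20]
    try:
        passkey, successive, counter_s, ts_s = username_bytes.decode().split(".")
        counter, ts = int(counter_s), int(ts_s)
        if counter < 0 or ts < 0:
            raise ValueError("negative field")
    except ValueError:
        return False, "malformed username"
    if not hmac.compare_digest(f(passkey).encode(), successive.encode()):
        return False, "passkey chain mismatch"
    if abs(now - ts) > max_skew:
        return False, "stale timestamp"
    expected = message_integrity(derive_password(secret, counter, ts), tx_id + username_bytes)
    if not hmac.compare_digest(expected, mac):
        return False, "bad message integrity"
    return True, "ok"

def demo() -> dict:
    """Run a legitimate check and two constructed bad ones; returns the verdicts."""
    f = make_sequencing_function(b"example-chain-key")   # constructed key
    secret = b"example-secret-key"                        # constructed key
    keys = derive_passkeys(f, "example-seed", 4)
    now = int(time.time())
    tx_id = b"\x01" * 12                                  # constructed transaction ID
    good = build_connectivity_check(build_username(keys[0], keys[1], 7, now),
                                    derive_password(secret, 7, now), tx_id)
    # Attacker guesses the layout but not the chain key: pair does not chain.
    forged = build_connectivity_check(build_username("deadbeefdeadbeef", "0123456789abcdef", 7, now),
                                      derive_password(b"wrong", 7, now), tx_id)
    # Attacker reuses a sniffed username with the wrong password.
    bad_pw = build_connectivity_check(build_username(keys[0], keys[1], 7, now), "guess", tx_id)
    return {
        "good": validate_connectivity_check(f, secret, good, now),
        "forged": validate_connectivity_check(f, secret, forged, now),
        "bad_pw": validate_connectivity_check(f, secret, bad_pw, now),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Two design points are worth noting. The chain check `f(passkey) == successive` only discriminates if the attacker cannot evaluate `f`; with a public hash, anyone can mint a valid pair, so this example keys the function with a chain key shared only with the middlebox. The binding to the operator's secret comes from the password: because the counter and timestamp travel in the username, the middlebox can recompute the password and verify the integrity tag for any session without ever having been told about that session, which is what makes the validation stateless and therefore cheap under a flood.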