Distributed denial of service mitigation for web conferencing

US 10,397,271 B2
Filed: 07/11/2017
Issued: 08/27/2019
Est. Priority Date: 07/11/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving one-time password (OTP) data for validating one or more connectivity checks for establishing a media session, the OTP data including a sequencing function;

determining a set of passkeys by applying the sequencing function to a seed value to acquire a first passkey and successively applying the sequencing function to a latest passkey to acquire one or more additional passkeys;

sending at least one of an offer or an answer to an endpoint for establishing the media session, at least one of the offer or the answer including a first username that includes a passkey from the set of passkeys and a successive passkey from the set of passkeys;

receiving a request for a connectivity check from the endpoint for establishing the media session, the request including a second username that includes the passkey and the successive passkey; and

validating the second username based at least in part by applying the sequencing function to the passkey included in the second username to acquire a computed value and comparing the computed value to the successive passkey included in the second username.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A web conferencing operator can enable participants to share multimedia content in real-time despite one or more of the participants operating from behind a middlebox via network address translation (NAT) traversal protocols and tools, such as STUN, TURN, and/or ICE. In NAT traversal, participants share a transport addresses that the participants can use to establish a joint media session. However, connectivity checks during NAT traversal can expose a media distribution device hosted by the web conferencing operator to various vulnerabilities, such as distributed denial of service (DDoS) attacks. The web conferencing operator can minimize the effects of a DDoS attack during the connectivity checks at scale and without significant performance degradation by configuring the middlebox to validate incoming requests for the connectivity checks without persistent signaling between the web conference operator and the middlebox.

Citations

20 Claims

1. A computer-implemented method comprising:
- receiving one-time password (OTP) data for validating one or more connectivity checks for establishing a media session, the OTP data including a sequencing function;
  
  determining a set of passkeys by applying the sequencing function to a seed value to acquire a first passkey and successively applying the sequencing function to a latest passkey to acquire one or more additional passkeys;
  
  sending at least one of an offer or an answer to an endpoint for establishing the media session, at least one of the offer or the answer including a first username that includes a passkey from the set of passkeys and a successive passkey from the set of passkeys;
  
  receiving a request for a connectivity check from the endpoint for establishing the media session, the request including a second username that includes the passkey and the successive passkey; and
  
  validating the second username based at least in part by applying the sequencing function to the passkey included in the second username to acquire a computed value and comparing the computed value to the successive passkey included in the second username.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving second OTP data for validating the one or more connectivity checks, the second OTP data including a secret key;
      
      concatenating a first counter and a first timestamp to the first username;
      
      determining a first password for at least one of the offer or the answer by applying a cryptographic hash function to the first counter and the first timestamp using the secret key; and
      
      validating a message integrity of the request based at least in part by applying the cryptographic hash function to a second counter included in the request and a second timestamp included in the request using the secret key to acquire a second computed value and comparing the second computed value to a second password included in the request.
  - 3. The computer-implemented method of claim 2, further comprising:
    - determining that the second computed value matches the second password;
      
      determining that the second counter has not been included in a previous request; and
      
      forwarding the request to a next destination.
  - 4. The computer-implemented method of claim 2, further comprising:
    - determining at least one of the second computed value mismatching the second password or the second counter being included in a previous request; and
      
      dropping the request.
  - 5. The computer-implemented method of claim 2, further comprising:
    - sending at least one of a second offer or a second answer to a second endpoint for establishing a second media session, at least one of the second offer or the second answer including a third username that includes a second passkey from the set of passkeys and a second successive passkey from the set of passkeys.
  - 6. The computer-implemented method of claim 5, further comprising:
    - incrementing the second counter to acquire a new counter;
      
      acquiring a current timestamp as a new timestamp; and
      
      determining a new password for at least one of the second offer or the second answer by applying the cryptographic hash function to the new counter and the new timestamp using the secret key.
  - 7. The computer-implemented method of claim 1, further comprising:
    - determining that a number of requests for connectivity checks for establishing the media session exceeds a capacity of a middlebox; and
      
      sending a signal to a distributed denial of service attack (DDoS) open threat signaling (DOTS) server for receiving the requests for connectivity checks.
  - 8. The computer-implemented method of claim 7, further comprising:
    - sending the OTP data to the DOTS server.
  - 9. The computer-implemented method of claim 1, further comprising:
    - determining that the computed value matches the successive passkey;
      
      determining that the set of passkeys includes the successive passkey;
      
      purging the successive passkey from the set of passkeys; and
      
      forwarding the request to a next destination.
  - 10. The computer-implemented method of claim 1, further comprising:
    - determining at least one of the computed value mismatching the successive passkey or the set of passkeys excluding the successive passkey; and
      
      dropping the request.

11. A system comprising:
- a processor; and
  
  a non-transitory computer-readable medium storing instructions that, upon execution by the processor, cause the system to;
  
  acquire one-time password (OTP) data for validating one or more connectivity checks for establishing a media session with a media distribution device (MDD), the OTP data including a sequencing function;
  
  determine a set of passkeys by applying the sequencing function to a seed value to acquire a first passkey and successively applying the sequencing function to a latest passkey to acquire one or more additional passkeys;
  
  receive a request for a connectivity check from an endpoint external to a web conferencing network for establishing the media session with the MDD, the request including a username that includes a sequence value and a passkey; and
  
  validate the username based at least in part by applying the sequencing function to the sequence value to acquire a computed value and comparing the computed value to the passkey.
- View Dependent Claims (12, 13)
- - 12. The system of claim 11, wherein the instructions further cause the system to:
    - receive, from a conference server, a secure representational state transfer (REST) application programming interface (API) request including the OTP data.
  - 13. The system of claim 11, wherein the instructions further cause the system to:
    - generate the OTP data in response to receiving a secure REST API request from a conference server; and
      
      send to the conference server a secure REST API response including the OTP data.

14. A computer-implemented method comprising:
- acquiring one-time password (OTP) data for validating one or more connectivity checks for establishing a media session, the OTP data including a sequencing function and a secret key;
  
  determining a set of passkeys by applying the sequencing function to a seed value to acquire a first passkey and successively applying the sequencing function to a latest passkey to acquire one or more additional passkeys;
  
  determining a username including a passkey from the set of passkeys, a successive passkey from the set of passkeys, a counter, and a timestamp;
  
  determining a password by applying a cryptographic hash function to the counter and the timestamp using the secret key; and
  
  sending at least one of an offer or an answer to an endpoint for establishing the media session, at least one of the offer or the answer including the username and the password.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer-implemented method of claim 14, further comprising:
    - determining that a number of requests for connectivity checks for establishing the media session exceeds a capacity of a middlebox; and
      
      sending a signal to a distributed denial of service attack (DDos) open threat signaling (DOTS) server for receiving the requests for connectivity checks.
  - 16. The computer-implemented method of claim 15, further comprising:
    - sending the OTP data to the DOTS server.
  - 17. The computer-implemented method of claim 16, wherein the DOTS server uses the OTP data to validate the requests for connectivity checks.
  - 18. The computer-implemented method of claim 16, further comprising:
    - incrementing the counter to acquire a second counter;
      
      acquiring a current timestamp as a second timestamp;
      
      determining a second username including a second passkey from the set of passkeys and a second successive passkey from the set of passkeys, the second counter, and the second timestamp;
      
      determining a second password for at least one of a second offer or a second answer by applying the cryptographic hash function to the second counter and the second timestamp using the secret key; and
      
      sending at least one of the second offer or the second answer to a second endpoint for establishing a second media session, at least one of the second offer or the second answer including the second username and the second password.
  - 19. The computer-implemented method of claim 14, further comprising:
    - provisioning a media distribution device (MDD) for establishing the media session; and
      
      configuring a network to locate a middlebox for validating one or more requests for connectivity checks for establishing the media session between an external network and the MDD.
  - 20. The computer-implemented method of claim 19, wherein the OTP data is acquired via at least one of a secure representational state transfer (REST) application programming interface (API) request or a secure REST API response between a conference server and the middlebox.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Reddy, K Tirumaleswar, Ravindranath, Ram Mohan, Patil, Prashanth, Pignataro, Carlos M.
Primary Examiner(s)
Song, Hee K

Application Number

US15/646,429
Publication Number

US 20190020678A1
Time in Patent Office

777 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0838   using one-time-passwords

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 65/1104   Session initiation protocol...

H04L 65/403   Arrangements for multi-part...

H04L 9/3228   One-time or temporary data,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3297   involving time stamps, e.g....

Distributed denial of service mitigation for web conferencing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed denial of service mitigation for web conferencing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links