Mitigating a denial-of-service attack in a cloud-based proxy service
Abstract
A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that the visitor is part of the DoS attack. If the set of challenges are passed, the request may be processed. If the set of challenges are not passed, the request may be dropped.
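An added sketch (not code from the patent or from the service it describes) of the flow in the abstract: the proxy issues a challenge, a stand-in for the embedded client-side script solves a computationally expensive problem, and the proxy decides whether to process or drop the request. The hash-prefix puzzle, the HMAC-signed stateless token, and the names `PROXY_KEY`, `DIFFICULTY_BITS` and `TTL` are assumptions; the patent text does not specify them.

```python
import hashlib
import hmac
import os
import time

PROXY_KEY = os.urandom(32)  # hypothetical per-proxy secret (assumption)
DIFFICULTY_BITS = 12        # assumed work factor: ~4096 hashes on average
TTL = 60                    # assumed challenge lifetime in seconds

def _zero_bits(data):
    """Number of leading zero bits in SHA-256(data)."""
    digest = hashlib.sha256(data.encode()).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def _tag(body):
    return hmac.new(PROXY_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_challenge(domain, visitor_ip, now=None):
    """Proxy side: token embedded in the first page sent instead of the resource."""
    expires = int(time.time() if now is None else now) + TTL
    salt = os.urandom(8).hex()
    body = f"{domain}|{visitor_ip}|{expires}|{DIFFICULTY_BITS}|{salt}"
    return f"{body}|{_tag(body)}"

def solve(challenge):
    """Stand-in for the client-side script: brute-force the first valid nonce."""
    nonce = 0
    while _zero_bits(f"{challenge}|{nonce}") < DIFFICULTY_BITS:
        nonce += 1
    return nonce

def verify(challenge, nonce, domain, visitor_ip, now=None):
    """Proxy side: True means process the request, False means drop it."""
    body, _, tag = challenge.rpartition("|")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return False  # token forged or altered (e.g. difficulty lowered)
    c_domain, c_ip, expires, bits, _salt = body.split("|")
    if (c_domain, c_ip) != (domain, visitor_ip):
        return False  # solution was computed for another visitor or domain
    if int(expires) < (time.time() if now is None else now):
        return False  # challenge expired
    return _zero_bits(f"{challenge}|{nonce}") >= int(bits)
```

Because the token is stateless, a solved challenge can be replayed by the same visitor until it expires; the short lifetime bounds that window.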
24 Claims
1. A method in a proxy server in a cloud-based proxy service, comprising:
- receiving, at the proxy server from a first visitor, a first request for a first resource of a domain whose traffic passes through the proxy server;
- determining that a rule has been enabled for a domain as a result of a suspected denial of service (DoS) attack against the domain, the rule specifying that requests for resources at that domain are subject to at least initially passing a set of one or more challenges; and
- responsive to the determining, transmitting a first page to the first visitor that includes an embedded client-side script that, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and causes a message to be transmitted to the proxy server with a solution to the math or other computationally expensive problem to allow the proxy server to determine whether the first visitor passed at least one of the set of one or more challenges, wherein the first page is not the requested first resource.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A non-transitory computer-readable storage medium that provides instructions that, if executed by a processor of a proxy server, will cause said processor to perform operations comprising:
- receiving, at the proxy server from a first visitor, a first request for a first resource of a domain whose traffic passes through the proxy server;
- determining that a rule has been enabled for a domain as a result of a suspected denial of service (DoS) attack against the domain, the rule specifying that requests for resources at that domain are subject to at least initially passing a set of one or more challenges; and
- responsive to the determining, transmitting a first page to the first visitor that includes an embedded client-side script that, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and causes a message to be transmitted to the proxy server with a solution to the math or other computationally expensive problem to allow the proxy server to determine whether the first visitor passed at least one of the set of one or more challenges, wherein the first page is not the requested first resource.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
17. An apparatus, comprising:
a proxy server that includes a set of one or more processors and a set of one or more non-transitory computer-readable storage mediums storing instructions that, when executed by the set of processors, cause the set of processors to perform the following operations;
- receive, at the proxy server from a first visitor, a first request for a first resource of a domain whose traffic passes through the proxy server;
- determine that a rule has been enabled for a domain as a result of a suspected denial of service (DoS) attack against the domain, the rule specifying that requests for resources at that domain are subject to at least initially passing a set of one or more challenges; and
- responsive to the determination, transmit a first page to the first visitor that includes an embedded client-side script that, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and causes a message to be transmitted to the proxy server with a solution to the math or other computationally expensive problem to allow the proxy server to determine whether the first visitor passed at least one of the set of one or more challenges, wherein the first page is not the requested first resource.
Dependent claims: 18, 19, 20, 21, 22, 23, 24
Specification