Identifying a denial-of-service attack in a cloud-based proxy service
First Claim
1. A method in a cloud-based proxy service for identifying a denial-of-service (DoS) attack, the method comprising:
- determining that there is a potential DoS attack being directed to a first IP address of the cloud-based proxy service;
- responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is a target of the potential DoS attack, wherein the step of identifying includes performing the following;
  - scattering the plurality of domains to resolve to different IP addresses of the cloud-based proxy service, wherein the scattering is performed iteratively, wherein in an initial iteration, at least two of the plurality of domains resolve to a same IP address of the cloud-based proxy service and one of the plurality of domains resolves to a different IP address of the cloud-based proxy service, and wherein in a final iteration, each of the plurality of domains resolves to a different IP address of the cloud-based proxy service, and
  - identifying one of those plurality of domains as the target of the potential DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address of the cloud-based proxy service in which that domain resolves; and
- responsive to identifying the one of the plurality of domains that is the target of the potential DoS attack, performing one or more mitigation actions for the targeted domain.
Abstract
A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.
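The scattering procedure described in the abstract, as an added simulation that is not taken from the patent. The bucket-doubling schedule, round-robin assignment, fixed threshold, domain names, addresses and traffic figures are all assumptions, and attack traffic is assumed to follow each DNS change immediately.

```python
# Added example: simulation of iterative scattering. Names, addresses and
# traffic figures are constructed; the doubling schedule is an assumption.

def scatter(domains, ip_pool, buckets):
    """Assign domains round-robin across the first `buckets` IPs."""
    return {d: ip_pool[i % buckets] for i, d in enumerate(domains)}

def traffic_per_ip(assignment, domain_rps):
    """Stand-in for edge telemetry: sum requests/s of the domains on each IP."""
    totals = {}
    for domain, ip in assignment.items():
        totals[ip] = totals.get(ip, 0) + domain_rps[domain]
    return totals

def identify_targets(domains, ip_pool, domain_rps, threshold):
    """Return (targets, rounds). Buckets double each round until every
    domain resolves to its own IP, the final iteration the claims describe."""
    if len(ip_pool) < len(domains):
        raise ValueError("need one IP per domain for the final iteration")
    suspects, rounds, buckets = set(domains), [], 1
    while buckets < len(domains):
        buckets = min(buckets * 2, len(domains))
        assignment = scatter(domains, ip_pool, buckets)
        totals = traffic_per_ip(assignment, domain_rps)
        hot = {ip for ip, rps in totals.items() if rps > threshold}
        # A domain stays suspect only if it sat on a hot IP in every round.
        suspects &= {d for d, ip in assignment.items() if ip in hot}
        rounds.append((buckets, sorted(suspects)))
        if not suspects:  # the traffic did not follow any domain's DNS record
            break
    return sorted(suspects), rounds

# Constructed inputs: six domains sharing one attacked IP, one of them flooded.
DOMAINS = [f"site{i}.example" for i in range(6)]
IP_POOL = [f"198.51.100.{i}" for i in range(10, 16)]
RPS = {d: 40 for d in DOMAINS}
RPS["site4.example"] = 9000

if __name__ == "__main__":
    targets, rounds = identify_targets(DOMAINS, IP_POOL, RPS, threshold=1000)
    for buckets, suspects in rounds:
        print(f"{buckets} IPs in use -> suspects: {suspects}")
    print("target:", targets)
```

An empty result means no IP crossed the threshold after scattering, which is what the telemetry looks like when the traffic is not following any one domain's DNS record.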
21 Claims
1. A method in a cloud-based proxy service for identifying a denial-of-service (DoS) attack, the method comprising:
- determining that there is a potential DoS attack being directed to a first IP address of the cloud-based proxy service;
- responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is a target of the potential DoS attack, wherein the step of identifying includes performing the following;
  - scattering the plurality of domains to resolve to different IP addresses of the cloud-based proxy service, wherein the scattering is performed iteratively, wherein in an initial iteration, at least two of the plurality of domains resolve to a same IP address of the cloud-based proxy service and one of the plurality of domains resolves to a different IP address of the cloud-based proxy service, and wherein in a final iteration, each of the plurality of domains resolves to a different IP address of the cloud-based proxy service, and
  - identifying one of those plurality of domains as the target of the potential DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address of the cloud-based proxy service in which that domain resolves; and
- responsive to identifying the one of the plurality of domains that is the target of the potential DoS attack, performing one or more mitigation actions for the targeted domain.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A non-transitory computer-readable storage medium that provides instructions that, if executed by a processor, will cause said processor to perform operations comprising:
- determining that there is a potential Denial-of-Service (DoS) attack being directed to a first IP address of a cloud-based proxy service;
- responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is a target of the potential DoS attack, wherein the step of identifying includes performing the following;
  - scattering the plurality of domains to resolve to different IP addresses of the cloud-based proxy service, wherein the scattering is performed iteratively, wherein in an initial iteration, at least two of the plurality of domains resolve to a same IP address of the cloud-based proxy service and one of the plurality of domains resolves to a different IP address of the cloud-based proxy service, and wherein in a final iteration, each of the plurality of domains resolves to a different IP address of the cloud-based proxy service, and
  - identifying one of those plurality of domains as the target of the potential DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address of the cloud-based proxy service in which that domain resolves; and
- responsive to identifying the one of the plurality of domains that is the target of the potential DoS attack, performing one or more mitigation actions for the targeted domain.

Dependent claims: 9, 10, 11, 12, 13, 14
15. An apparatus to identify a denial-of-service (DoS) attack in a cloud-based proxy service, comprising:
- a cloud-based proxy service node operating on one or more physical devices that is configured to perform the following;
  - determine that there is a potential DoS attack being directed to a first IP address of the cloud-based proxy service;
  - responsive to a determination that there are a plurality of domains that resolve to that IP address, identify the one of the plurality of domains that is a target of the potential DoS attack by performing the following;
    - scatter the plurality of domains to resolve to different IP addresses of the cloud-based proxy service, wherein the scattering is performed iteratively, wherein in an initial iteration, at least two of the plurality of domains resolve to a same IP address of the cloud-based proxy service and one of the plurality of domains resolves to a different IP address of the cloud-based proxy service, and wherein in a final iteration, each of the plurality of domains resolves to a different IP address of the cloud-based proxy service, and
    - identify one of those plurality of domains as the target of the potential DoS attack by a determination that there is an abnormally high amount of traffic being directed to the IP address of the cloud-based proxy service in which that domain resolves; and
  - responsive to identifying the one of the plurality of domains that is the target of the potential DoS attack, performing one or more mitigation actions for the targeted domain.

Dependent claims: 16, 17, 18, 19, 20, 21
Specification