Method and apparatus for protecting web sites from distributed denial-of-service attacks

US 20030035370A1
Filed: 06/19/2002
Published: 02/20/2003
Est. Priority Date: 08/16/2001
Status: Active Grant

First Claim

Patent Images

14. A method at a border router at which a first ISP exchanges packets with a second ISP, the first ISP supporting an SPE service in which packets destined or belonging to a connection to a subscribing site are forwarded in a first, second or third class of service depending the conformance of the packet to a profile provided by the subscribing site, packets in the first class of service belonging to a connection to the subscribing site conforming to and obeying congestion-avoidance rules, packets in the second class of service destined to a subscribing site conforming to the profile and whose obedience to congestion-avoidance rules is not enforced, and packets in the third class of service not qualifying for the first or second classes of service, the second ISP not supporting the SPE service, the method comprising:

marking for forwarding packets arriving from the ISP that does not support the SPE service in a fourth class of service.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An Internet Service Provider (ISP), in consideration of being remunerated in some manner by a site, determines whether packets destined to that site conform to a profile provided to the ISP by that site. The profile, indicates, for example, what protocols are allowed by the server, and, for each such protocol, what destination port numbers or message types are allowed, a maximum transmission rate, the maximum number of allowed connections a client may have, and whether to enforce congestion-avoidance. This server profile enforcement (SPE) automatically thwarts denial of service attacks from attackers that send packets to the subscribing server from that ISP using connections or having packet characteristics that do not conform to the acceptable characteristics specified in the profile. SPE is generally performed by an SPE unit, which can be incorporated in the access gateways of an ISP that supports the service. Packets may also be forwarded in multiple classes of service depending upon the type of traffic from which they originate. Multiple classes of service allow the method to be effective even if deployed only by select ISPs.

Citations

33 Claims

14. A method at a border router at which a first ISP exchanges packets with a second ISP, the first ISP supporting an SPE service in which packets destined or belonging to a connection to a subscribing site are forwarded in a first, second or third class of service depending the conformance of the packet to a profile provided by the subscribing site, packets in the first class of service belonging to a connection to the subscribing site conforming to and obeying congestion-avoidance rules, packets in the second class of service destined to a subscribing site conforming to the profile and whose obedience to congestion-avoidance rules is not enforced, and packets in the third class of service not qualifying for the first or second classes of service, the second ISP not supporting the SPE service, the method comprising:
- marking for forwarding packets arriving from the ISP that does not support the SPE service in a fourth class of service.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14 wherein the first, second, third and fourth class of service are ranked from highest to lowest in this order such that load on a given class of service has limited effect on the performance experienced by packets sent in the higher ranked classes of service.
  - 16. The method of claim 15 wherein the third and fourth classes of service are the same.

17. Apparatus for protecting against denial-of-service attacks comprising:
- ingress filtering means for determining whether a packet'"'"'s destination is a subscribing site or the packet belongs to a connection to a subscribing site;
  
  storage means for storing a profile provided by a subscribing site of that defines traffic characteristics of packets that the subscribing site is willing to receive or connections that the subscribing site is willing to have;
  
  the profile indicating one or more of the following packet traffic characteristics;
  
  using an allowed protocol;
  
  using an allowed destination port number for an allowed protocol;
  
  using an allowed message type for an allowed protocol;
  
  having a transmission rate below a maximum rate;
  
  belonging to a connection that is within the maximum number of allowed connections between the packet source and the destination; and
  
  belonging to a connection that obeys congestion-avoidance rules;
  
  first determining means for determining whether a packet is destined to a subscribing site; and
  
  second determining means for determining whether a packet destined to a subscribing site conforms to that subscribing site'"'"'s stored profile; and
  
  wherein the packet is forwarded if the second determining means determines that the packet conforms to its destination subscribing site'"'"'s stored profile.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 1. A method comprising:
    - at or near a point of ingress of a packet into the Internet, determining whether a packet'"'"'s destination is a subscribing site or the packet belongs to a connection to a subscribing site; and
      
      if the packet'"'"'s destination is a subscribing site or belongs to a connection to the subscribing site;
      
      determining whether the packet conforms to a stored profile that defines traffic characteristics of packets that the destination subscribing site is willing to receive or connections that the subscribing site is willing to have, and forwarding the packet if the packet conforms to the subscribing site'"'"'s stored profile, wherein the profile is provided by the subscribing site and wherein the profile indicates one or more of the following packet traffic characteristics which a packet needs to have;
      
      using an allowed protocol;
      
      using an allowed destination port number for an allowed protocol;
      
      using an allowed message type for an allowed protocol;
      
      having a transmission rate below a maximum rate;
      
      belonging to a connection that is within the maximum number of allowed connections between the packet source and the destination; and
      
      belonging to a connection that obeys congestion-avoidance rules.
  - 2. The method of claim 1 further comprising dropping a packet if the packet doesn'"'"'t conform to the subscribing site'"'"'s profile.
  - 3. The method of claim 1 further comprising marking a packet for preferential dropping if the packet doesn'"'"'t conform to the subscribing site'"'"'s profile.
  - 4. The method of claim 1 further comprising forwarding the packet if the packet'"'"'s destination is not a subscribing site.
  - 5. The method of claim 1 further comprising:
    - determining whether the packet conforms to a stored default profile if the packet'"'"'s destination is not a subscribing site; and
      
      dropping the packet if it doesn'"'"'t conform to the stored default profile.
  - 6. The method of claim 1 further comprising:
    - dropping a packet if its source address is not properly associated with a port on which the packet arrived.
  - 7. The method of claim 1 wherein the method is performed by an Internet Service Provider (ISP) and the subscribing site remunerates the ISP for performing the method on packets destined to it.
  - 8. The method of claim 1 further comprising:
    - determining for a packet destined to a subscribing site or belonging to a connection to a subscribing site, the degree of conformance of the packet to the subscribing site'"'"'s profile, and, as determined by the determined degree of conformance, dropping the packet, marking the packet for preferential dropping, or marking and forwarding the packet in one of a plurality of classes of service.
  - 9. The method of claim 8 further comprising:
    - dropping or marking for preferential dropping a packet if the packet'"'"'s source address is not properly associated with a port on which it arrived;
      
      marking for forwarding a packet in a first class of service if the packet belongs to a connection to a subscribing site, the packet obeys congestion-avoidance rules, and the number of connections between the packet'"'"'s source and destination is below the maximum allowed in the site'"'"'s profile;
      
      marking for forwarding a packet in a second class of service if the packet does not qualify for the first class of service but is destined to a subscribing site and conforms to the subscribing site'"'"'s profile; and
      
      marking for forwarding a packet in a third class of service if the packet does not qualify for the first or second classes of service.
  - 10. The method of claim 9 wherein the first, second, and third classes of service are ranked from highest to lowest in this order such that load on a given class of service has limited effect on the performance of packets sent in higher ranked classes of service.
  - 11. The method of claim 10 wherein a higher ranked class of service has a higher priority for use of network resources than does a lower ranked class of service.
  - 12. The method of claim 10 wherein each of class of service has a proportional share of network resources.
  - 13. The method of claim 9 wherein the second and third classes of service are the same.
  - 18. The apparatus of claim 17 wherein the packed is dropped if the second determining means determines that the packet doesn'"'"'t conform to the subscribing site'"'"'s stored profile.
  - 19. The apparatus of claim 17 wherein the packed is marked for preferential dropping if the second determining means determines that the packet doesn'"'"'t conform to the subscribing site'"'"'s stored profile.
  - 20. The apparatus of claim 17 wherein the packet is forwarded to its destination if the first determining means determines that the packet is not destined to a subscribing site.
  - 21. The apparatus of claim 17 if the first determining means determines that the packet is not destined to a subscribing site, the second determining means then determines whether the packet conforms to a stored default profile, wherein the packet is dropped if it doesn'"'"'t conform to the stored default profile.
  - 22. The apparatus of claim 17 wherein the packet is dropped if the ingress filtering means determines that the packet'"'"'s source address is not properly associated with a port on which the packet arrived.
  - 23. The apparatus of claim 17 wherein the apparatus is incorporated within an Internet Access Provider (ISP).
  - 24. The apparatus of claim 23 wherein the apparatus is incorporated within an access gateway of an ISP.
  - 25. The apparatus of claim 17 wherein the second determining determines for a packet destined to a subscribing site or belonging to a connection to a subscribing site, the degree of conformance of the packet to the subscribing site'"'"'s stored profile, wherein, as determined by the determined degree of conformance, the packed is dropped, marked for preferential dropping, or marked for forwarding in one of a plurality of classes of service.
  - 26. The apparatus of claim 25wherein the packet is dropped or marked for preferential dropping if its source address is not properly associated with a port on which it arrived;
    - wherein the packet is marked for forwarding in a first class of service if the packet belongs to a connection to a subscribing site, the packet obeys congestion-avoidance rules, and the number of connections between the packet'"'"'s source and destination is below the maximum allowed in the site'"'"'s profile;
      
      wherein the packet is marked for forwarding in a second class of service if the packet does not qualify for the first class of service but is destined to a subscribing site and conforms to the subscribing site'"'"'s profile; and
      
      wherein the packet is marked for forwarding in a third class of service if the packet does not qualify for the first or second classes of service.
  - 27. The apparatus of claim 26 wherein the first, second and third classes of service are ranked from highest to lowest in this order such that load on a given class of service has limited effect on the performance of packets sent in the higher ranked classes of service.
  - 28. The apparatus of claim 27 wherein a higher ranked class of service has a higher priority for use of network resources than does a lower ranked class of service.
  - 29. The apparatus of claim 26 wherein the second and third classes of service are the same.

28-1. The apparatus of claim 27 wherein each class of service has a proportional share of network resources.

30. An article of manufacture comprising one or more software programs or applications for protecting against denial of service attacks, wherein the one or more software programs or applications when executed by a computer at or near a point of ingress of a packet into the Internet implements the steps of:
- determining whether the packet'"'"'s destination is a subscribing site or the packet belongs to a connection to a subscribing site; and
  
  if the packet'"'"'s destination is a subscribing site or belongs to a connection to the subscribing site;
  
  determining whether the packet conforms to a stored profile that defines traffic characteristics of packets that the destination subscribing site is willing to receive or connections that the subscribing site is willing to have, and forwarding the packet if the packet conforms to the subscribing site'"'"'s stored profile, wherein the profile is provided by the subscribing site and wherein the profile indicates one or more of the following packet traffic characteristics which a packet needs to have;
  
  using an allowed protocol;
  
  using an allowed destination port number for an allowed protocol;
  
  using an allowed message type for an allowed protocol;
  
  having a transmission rate below a maximum rate;
  
  belonging to a connection that is within the maximum number of allowed connections between the packet source and the destination; and
  
  belonging to a connection that obeys congestion-avoidance rules.
- View Dependent Claims (31, 32, 33)
- - 31. The article of manufacture of claim 30 wherein the one or more computer programs or applications implements the further step of dropping a packet if the packet doesn'"'"'t conform to the subscribing site'"'"'s profile.
  - 32. The article of manufacture of claim 30 wherein the one or more computer programs or applications implements the further step of forwarding the packet if the packet'"'"'s destination is not a subscribing site.
  - 33. The article of manufacture of claim 30 wherein the one or more computer programs or applications implements the further step of dropping a packet if its source address is not properly associated with a port on which the packet arrived.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS France SAS (Thales SA)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Brustoloni, Jose?apos; C.

Granted Patent

US 7,207,062 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/229
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/12   Avoiding congestion; Recove...

H04L 47/20   Traffic policing

H04L 47/31   by tagging of packets, e.g....

H04L 47/32   by discarding or delaying d...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

H04L 67/61   taking into account QoS or ...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Method and apparatus for protecting web sites from distributed denial-of-service attacks

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for protecting web sites from distributed denial-of-service attacks

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links