Method and apparatus for protecting web sites from distributed denial-of-service attacks
First Claim
14. A method at a border router at which a first ISP exchanges packets with a second ISP, the first ISP supporting an SPE service in which packets destined to, or belonging to a connection to, a subscribing site are forwarded in a first, second or third class of service depending on the conformance of the packet to a profile provided by the subscribing site, packets in the first class of service belonging to a connection to the subscribing site that conforms to the profile and obeys congestion-avoidance rules, packets in the second class of service destined to a subscribing site conforming to the profile and whose obedience to congestion-avoidance rules is not enforced, and packets in the third class of service not qualifying for the first or second classes of service, the second ISP not supporting the SPE service, the method comprising:
marking for forwarding packets arriving from the ISP that does not support the SPE service in a fourth class of service.
Abstract
An Internet Service Provider (ISP), in consideration of being remunerated in some manner by a site, determines whether packets destined to that site conform to a profile provided to the ISP by that site. The profile indicates, for example, which protocols the server allows and, for each such protocol, which destination port numbers or message types are allowed, a maximum transmission rate, the maximum number of connections a client may have, and whether to enforce congestion avoidance. This server profile enforcement (SPE) automatically thwarts denial-of-service attacks in which attackers send packets to the subscribing server from that ISP using connections, or packets with characteristics, that do not conform to the acceptable characteristics specified in the profile. SPE is generally performed by an SPE unit, which can be incorporated in the access gateways of an ISP that supports the service. Packets may also be forwarded in multiple classes of service depending upon the type of traffic from which they originate. Multiple classes of service allow the method to be effective even if deployed only by select ISPs.
33 Claims
14. Independent claim 14 is reproduced above under First Claim. Dependent claims: 15, 16.
17. Apparatus for protecting against denial-of-service attacks comprising:
ingress filtering means for determining whether a packet's destination is a subscribing site or the packet belongs to a connection to a subscribing site;
storage means for storing a profile provided by a subscribing site that defines traffic characteristics of packets that the subscribing site is willing to receive or connections that the subscribing site is willing to have, the profile indicating one or more of the following packet traffic characteristics:
using an allowed protocol;
using an allowed destination port number for an allowed protocol;
using an allowed message type for an allowed protocol;
having a transmission rate below a maximum rate;
belonging to a connection that is within the maximum number of allowed connections between the packet source and the destination; and
belonging to a connection that obeys congestion-avoidance rules;
first determining means for determining whether a packet is destined to a subscribing site; and
second determining means for determining whether a packet destined to a subscribing site conforms to that subscribing site's stored profile;
wherein the packet is forwarded if the second determining means determines that the packet conforms to its destination subscribing site's stored profile. Dependent claims: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29.
28-1. The apparatus of claim 27 wherein each class of service has a proportional share of network resources.
30. An article of manufacture comprising one or more software programs or applications for protecting against denial-of-service attacks, wherein the one or more software programs or applications, when executed by a computer at or near a point of ingress of a packet into the Internet, implement the steps of:
determining whether the packet's destination is a subscribing site or the packet belongs to a connection to a subscribing site; and
if the packet's destination is a subscribing site or the packet belongs to a connection to the subscribing site:
determining whether the packet conforms to a stored profile that defines traffic characteristics of packets that the destination subscribing site is willing to receive or connections that the subscribing site is willing to have, and forwarding the packet if the packet conforms to the subscribing site's stored profile, wherein the profile is provided by the subscribing site and wherein the profile indicates one or more of the following packet traffic characteristics which a packet needs to have:
using an allowed protocol;
using an allowed destination port number for an allowed protocol;
using an allowed message type for an allowed protocol;
having a transmission rate below a maximum rate;
belonging to a connection that is within the maximum number of allowed connections between the packet source and the destination; and
belonging to a connection that obeys congestion-avoidance rules. Dependent claims: 31, 32, 33.
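The profile checks enumerated in claims 17 and 30, the three-class forwarding described in the abstract, and the fourth class that claim 14 assigns at a border router to traffic from an ISP without SPE, worked through as an added Python example. This is not code from the patent or its assignee. The Packet and Profile fields, the per-source token bucket used for the rate check, the connection identifier used for the connection count, and report_ca_violation() as the hook by which an assumed external congestion monitor (not modelled) flags connections that keep sending at full rate after loss signals are all assumptions made here; the addresses and packets in demo() are constructed test data.

```python
"""Server Profile Enforcement (SPE) unit: added illustration, not the patent's code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CLASS_CONFORMING_CA = 1   # conforms to the profile and obeys congestion avoidance
CLASS_CONFORMING = 2      # conforms; congestion-avoidance obedience not enforced
CLASS_NONCONFORMING = 3   # does not qualify for class 1 or 2
CLASS_UNVERIFIED = 4      # arrived at a border router from an ISP that has no SPE


@dataclass(frozen=True)
class Packet:                      # assumed field set
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    size: int = 64                 # bytes
    ts: float = 0.0                # arrival time, seconds
    dport: Optional[int] = None    # tcp/udp destination port
    msg_type: Optional[int] = None # icmp type
    conn_id: Optional[str] = None  # connection identity (e.g. 5-tuple); None if connectionless


@dataclass
class Profile:                     # assumed representation of the site-supplied profile
    site: str
    # protocol -> allowed ports (tcp/udp) or message types (icmp); None means any.
    # A protocol absent from the dict is not allowed at all.
    allowed: Dict[str, Optional[Set[int]]]
    max_rate_bps: float            # per source address
    max_conns_per_client: int
    enforce_congestion_avoidance: bool


class TokenBucket:
    """Rate check (assumption): a packet conforms while the client's bucket holds its bits."""
    def __init__(self, rate_bps: float):
        self.rate = rate_bps
        self.capacity = rate_bps   # one second of burst
        self.tokens = rate_bps
        self.last = 0.0

    def allow(self, bits: int, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = max(self.last, now)
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


class SpeUnit:
    def __init__(self, profiles: List[Profile]):
        self.profiles = {p.site: p for p in profiles}
        self.buckets: Dict[tuple, TokenBucket] = {}
        self.conns: Dict[tuple, Set[str]] = defaultdict(set)
        self.ca_violators: Set[str] = set()

    def report_ca_violation(self, conn_id: str) -> None:
        """Assumed hook: a congestion monitor reports that conn_id ignores loss/ECN signals."""
        self.ca_violators.add(conn_id)

    def _conforms(self, profile: Profile, pkt: Packet) -> bool:
        if pkt.proto not in profile.allowed:          # allowed protocol
            return False
        allowed = profile.allowed[pkt.proto]
        key = pkt.msg_type if pkt.proto == "icmp" else pkt.dport
        if allowed is not None and key not in allowed:   # allowed port / message type
            return False
        client = (profile.site, pkt.src)
        if pkt.conn_id is not None:                   # connections per client
            conns = self.conns[client]
            if pkt.conn_id not in conns:
                if len(conns) >= profile.max_conns_per_client:
                    return False
                conns.add(pkt.conn_id)
        bucket = self.buckets.setdefault(client, TokenBucket(profile.max_rate_bps))
        return bucket.allow(pkt.size * 8, pkt.ts)     # transmission rate

    def classify(self, pkt: Packet, from_spe_isp: bool = True) -> Optional[int]:
        """Class of service for pkt, or None when the destination is not a subscriber."""
        profile = self.profiles.get(pkt.dst)
        if profile is None:
            return None
        if not from_spe_isp:                          # claim 14: border router, peer has no SPE
            return CLASS_UNVERIFIED
        if not self._conforms(profile, pkt):
            return CLASS_NONCONFORMING
        if profile.enforce_congestion_avoidance and pkt.conn_id is not None:
            return CLASS_NONCONFORMING if pkt.conn_id in self.ca_violators else CLASS_CONFORMING_CA
        return CLASS_CONFORMING                       # conforming but connectionless: CA not enforceable


def demo() -> dict:
    """Constructed traffic against a site that publishes only HTTP(S) and ICMP echo request."""
    site, client = "198.51.100.10", "203.0.113.5"
    spe = SpeUnit([Profile(site, {"tcp": {80, 443}, "icmp": {8}}, max_rate_bps=80_000,
                           max_conns_per_client=2, enforce_congestion_avoidance=True)])
    out = {}
    out["https"] = spe.classify(Packet(client, site, "tcp", dport=443, conn_id="c1"))
    out["ssh"] = spe.classify(Packet(client, site, "tcp", dport=22, conn_id="c2"))
    out["udp"] = spe.classify(Packet(client, site, "udp", dport=53))
    out["ping"] = spe.classify(Packet(client, site, "icmp", msg_type=8))
    out["icmp_unreach"] = spe.classify(Packet(client, site, "icmp", msg_type=3))
    spe.classify(Packet(client, site, "tcp", dport=80, conn_id="c3"))   # second connection fits
    out["third_conn"] = spe.classify(Packet(client, site, "tcp", dport=80, conn_id="c4"))
    out["flood"] = [spe.classify(Packet(client, site, "tcp", size=1500, dport=443, conn_id="c1"))
                    for _ in range(7)]                # six 12 kbit packets fit the 80 kbit bucket
    out["after_refill"] = spe.classify(Packet(client, site, "tcp", size=1500, ts=1.0, dport=443, conn_id="c1"))
    spe.report_ca_violation("c1")
    out["ignores_loss"] = spe.classify(Packet(client, site, "tcp", ts=1.0, dport=443, conn_id="c1"))
    out["from_non_spe_isp"] = spe.classify(Packet("192.0.2.9", site, "tcp", dport=443, conn_id="x"),
                                           from_spe_isp=False)
    out["non_subscriber"] = spe.classify(Packet(client, "198.51.100.99", "tcp", dport=443))
    return out
```

The order of checks in _conforms matters: a packet rejected for protocol, port or connection count never draws on the client's token bucket, so a flood of disallowed packets cannot starve that client's legitimate connections of rate budget. Class 4 is assigned before any profile state is touched, matching claim 14, where the border router marks rather than inspects traffic from the non-SPE peer.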