Network and application attack protection based on application layer message inspection
Abstract
A method is disclosed for protecting a network against a denial-of-service attack by inspecting application layer messages at a network element. According to one aspect, when a network element intercepts data packets that contain an application layer message, the network element constructs the message from the payload portions of the packets. The network element determines whether the message satisfies specified criteria. The criteria may indicate characteristics of messages that are suspected to be involved in a denial-of-service attack, for example. If the message satisfies the specified criteria, then the network element prevents the data packets that contain the message from being received by the application for which the message was intended. The network element may accomplish this by dropping the packets, for example. As a result, the application's host does not waste processing resources on messages whose only purpose might be to deluge and overwhelm the application.
265 Citations
38 Claims
1. A method of preventing a network and application denial-of-service attack, the method comprising the computer-implemented steps of:
receiving, at a network element, one or more data packets that collectively contain an application layer message;
determining the application layer message, at the network element, from one or more payload portions of the one or more data packets;
determining whether the application layer message satisfies one or more specified criteria; and
if the application layer message satisfies the one or more specified criteria, then preventing the one or more data packets from being received by an application for which the application layer message was intended.
Dependent claims 2 through 31 depend from claim 1 and are not reproduced here.

32. A method of preventing a denial-of-service attack at a network router, the method comprising the computer-implemented steps of:
intercepting, at the network router, two or more data packets that collectively contain an Extensible Markup Language (XML) document, wherein the two or more data packets were originally addressed to an application that is hosted on a device that is separate from the network router;
constructing the XML document, at the network router, from two or more payload portions of the two or more data packets;
determining, at the network router, whether the XML document conforms to a specified schema; and
if the XML document fails to conform to the specified schema, then dropping the two or more data packets such that the application does not receive the two or more data packets.

33. A computer-readable medium carrying one or more sequences of instructions for preventing a network or application denial-of-service attack, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
receiving, at a network element, one or more data packets that collectively contain an application layer message;
determining the application layer message, at the network element, from one or more payload portions of the one or more data packets;
determining whether the application layer message satisfies one or more specified criteria; and
if the application layer message satisfies the one or more specified criteria, then preventing the one or more data packets from being received by an application for which the application layer message was intended.

34. A computer-readable medium carrying one or more sequences of instructions for preventing a denial-of-service attack at a network router, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
intercepting, at the network router, two or more data packets that collectively contain an Extensible Markup Language (XML) document, wherein the two or more data packets were originally addressed to an application that is hosted on a device that is separate from the network router;
constructing the XML document, at the network router, from two or more payload portions of the two or more data packets;
determining, at the network router, whether the XML document conforms to a specified schema; and
if the XML document fails to conform to the specified schema, then dropping the two or more data packets such that the application does not receive the two or more data packets.

35. An apparatus for preventing a denial-of-service attack at a network element, the apparatus comprising:
means for receiving, at a network element, one or more data packets that collectively contain an application layer message;
means for determining the application layer message, at the network element, from one or more payload portions of the one or more data packets;
means for determining whether the application layer message satisfies one or more specified criteria; and
means for preventing the one or more data packets from being received by an application for which the application layer message was intended if the application layer message satisfies the one or more specified criteria.

36. An apparatus for preventing a denial-of-service attack at a network router, the apparatus comprising:
means for intercepting, at the network router, two or more data packets that collectively contain an Extensible Markup Language (XML) document, wherein the two or more data packets were originally addressed to an application that is hosted on a device that is separate from the network router;
means for constructing the XML document, at the network router, from two or more payload portions of the two or more data packets;
means for determining, at the network router, whether the XML document conforms to a specified schema; and
means for dropping the two or more data packets if the XML document fails to conform to the specified schema, such that the application does not receive the two or more data packets.

37. An apparatus for preventing a denial-of-service attack at a network element, comprising:
a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
a processor;
one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
receiving, at a network element, one or more data packets that collectively contain an application layer message;
determining the application layer message, at the network element, from one or more payload portions of the one or more data packets;
determining whether the application layer message satisfies one or more specified criteria; and
if the application layer message satisfies the one or more specified criteria, then preventing the one or more data packets from being received by an application for which the application layer message was intended.

38. An apparatus for preventing a denial-of-service attack at a network router, the apparatus comprising:
a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
a processor;
one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
intercepting, at the network router, two or more data packets that collectively contain an Extensible Markup Language (XML) document, wherein the two or more data packets were originally addressed to an application that is hosted on a device that is separate from the network router;
constructing the XML document, at the network router, from two or more payload portions of the two or more data packets;
determining, at the network router, whether the XML document conforms to a specified schema; and
if the XML document fails to conform to the specified schema, then dropping the two or more data packets such that the application does not receive the two or more data packets.
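The abstract and claims 1 and 32 describe the same pipeline: a network element collects the payload portions of a flow's packets, reconstructs the application layer message they carry, tests it against specified criteria (for the XML claims, conformance to a schema), and drops the packets if the test fails so the destination application never spends resources on them. The following Python program is an added illustration of that pipeline and is not code from the patent or its assignee. The packet layout (flow id, sequence number, fragment count, payload), the size and nesting caps, and the SCHEMA table are all assumptions; the schema check is a deliberately simplified stand-in for full XSD validation, chosen so the example runs with the standard library only.

```python
# Added example, not part of the patent text: a simplified network-element
# filter that reassembles an application-layer XML message from packet
# payloads, checks it against schema-like criteria, and decides whether the
# packets may be forwarded to the application. Packet layout, caps and the
# SCHEMA table are assumptions made for this illustration.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_MESSAGE_BYTES = 4096   # assumed cap on a reassembled message
MAX_DEPTH = 8              # assumed cap on element nesting


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a captured packet: the flow it belongs to,
    its position in the message, how many fragments the message has, payload."""
    flow: str
    seq: int
    total: int
    payload: bytes


# Schema stand-in: allowed root element -> child elements that must be present.
SCHEMA: Dict[str, List[str]] = {"order": ["id", "item"], "ping": []}


class Reassembler:
    """Buffers payload fragments per flow until every fragment has arrived
    (claim step: determine the message from the packets' payload portions)."""

    def __init__(self) -> None:
        self._frags: Dict[str, Dict[int, bytes]] = {}

    def add(self, pkt: Packet) -> Optional[bytes]:
        """Return the reassembled message once complete, or once the flow has
        grown past the byte cap (so the criteria check can reject it); else None."""
        frags = self._frags.setdefault(pkt.flow, {})
        frags[pkt.seq] = pkt.payload
        if sum(map(len, frags.values())) > MAX_MESSAGE_BYTES or len(frags) == pkt.total:
            del self._frags[pkt.flow]
            return b"".join(frags[k] for k in sorted(frags))
        return None


def depth(elem: ET.Element) -> int:
    """Nesting depth of an element subtree (a leaf has depth 1)."""
    return 1 + max((depth(c) for c in elem), default=0)


def violation(message: bytes) -> Optional[str]:
    """Return the first specified criterion the message fails, or None if it
    conforms. Conformance here means: within size cap, no DTD, well-formed,
    known root element, required children present, nesting within cap."""
    if len(message) > MAX_MESSAGE_BYTES:
        return "oversize"
    if b"<!DOCTYPE" in message or b"<!ENTITY" in message:
        return "dtd-not-allowed"   # schema-conforming messages carry no DTD
    try:
        root = ET.fromstring(message)
    except ET.ParseError:
        return "malformed-xml"
    if root.tag not in SCHEMA:
        return "unknown-root:" + root.tag
    present = {child.tag for child in root}
    missing = [c for c in SCHEMA[root.tag] if c not in present]
    if missing:
        return "missing-elements:" + ",".join(missing)
    if depth(root) > MAX_DEPTH:
        return "nesting-too-deep"
    return None


def filter_packets(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Run packets through the element. Returns one (flow, action, reason)
    decision per completed (or over-cap) message; packets of a message that is
    still incomplete are held, which a real element would do by buffering."""
    asm = Reassembler()
    decisions: List[Tuple[str, str, str]] = []
    for pkt in packets:
        msg = asm.add(pkt)
        if msg is None:
            continue
        reason = violation(msg)
        if reason is None:
            decisions.append((pkt.flow, "forward", "ok"))
        else:
            decisions.append((pkt.flow, "drop", reason))
    return decisions


# Constructed traffic: four flows interleaved on the wire.
SAMPLE_PACKETS = [
    Packet("A", 0, 2, b"<order><id>17</id>"),
    Packet("B", 0, 2, b"<order><id>18</id><item>"),
    Packet("A", 1, 2, b"<item>widget</item></order>"),
    Packet("B", 1, 2, b"<item>"),                                      # B is never closed
    Packet("C", 0, 1, b"<!DOCTYPE x [<!ENTITY a 'aaaa'>]><ping>&a;</ping>"),  # C carries a DTD
    Packet("D", 0, 1, b"<order><id>19</id></order>"),                  # D lacks <item>
]

if __name__ == "__main__":
    for flow, action, reason in filter_packets(SAMPLE_PACKETS):
        print(flow, action, reason)
```

Two design points carry over to a real deployment. First, the reassembler fails closed: a flow that keeps sending fragments without ever completing is handed to the criteria check as soon as it exceeds the byte cap, so an attacker cannot tie up reassembly state indefinitely. Second, the DTD check runs before the parser is invoked, because a message the schema would reject anyway should not be allowed to exercise the parser's entity-expansion path at all.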
Specification