SYSTEM AND METHOD FOR IDENTIFICATION AND BLOCKING OF MALICIOUS USE OF SERVERS

US 20100031362A1
Filed: 07/30/2008
Published: 02/04/2010
Est. Priority Date: 07/30/2008
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

a central processing unit; and

first program instructions to identify a rogue Domain Name Service (DNS) by identifying that a DNS metric is outside a historical limit,wherein the first program instructions are stored on the computer system for execution by the central processing unit.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to protect web applications from malicious attacks and, in particular, a system and method for identification and blocking of malicious DNS servers. The system includes a central processing unit and first program instructions. The first program instructions identify a rogue Domain Name Service (DNS) by identifying that a DNS metric is outside a historical limit. The first program instructions are stored on the computer system for execution by the central processing unit.

34 Citations

View as Search Results

20 Claims

1. A computer system comprising:
- a central processing unit; and
  
  first program instructions to identify a rogue Domain Name Service (DNS) by identifying that a DNS metric is outside a historical limit,wherein the first program instructions are stored on the computer system for execution by the central processing unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, further comprising second program instructions to take action when the DNS metric is outside the historical limit.
  - 3. The system of claim 2, wherein the action in at least one of:
    - preventing any traffic to an IP address contained in a DNS response that generated the action;
      
      preventing any traffic to a DNS server that provided the IP address; and
      
      providing a dialog to a user, warning of a potential security threat.
  - 4. The system of claim 1, wherein the DNS metric is a response time from a DNS server.
  - 5. The system of claim 4, wherein the response time is measured from one of:
    - an answer to a request with an IP address from cache;
      
      a contact with another server in an attempt to find the IP address;
      
      an answer with an IP address for a name server that may know the IP address; and
      
      a return of an error message because a requested domain name is invalid or does not exist.
  - 6. The system of claim 1, wherein the DNS metric is a redirect to another DNS server.
  - 7. The system of claim 1, wherein the DNS metric is a new DNS server, compared to a previously connected DNS server.
  - 8. The system of claim 1, wherein the first program instructions pings a DNS server by IP address and to check for network congestion/latency and compares a ping time of the pings to historical times.
  - 9. The system of claim 1, wherein the first program instructions calculate a difference between historical and current latency measurement times and historical and current DNS response times.
  - 10. The system of claim 1, wherein the first program instructions determines that a DNS lookup time difference is larger than the latency measurement time difference in order to take action.
  - 11. The system of claim 1, further comprising:
    - measuring latency of a network by sending requests to peer nodes of a DNS server,measuring latency by sending and receiving data to and from network devices on a same network as the DNS server, andcomparing current response times to historical values for the request in order to establish latency to a DNS home network.
  - 12. The system of claim 1, wherein the first program instruction is at least one of maintained, deployed, created and supported on a computing infrastructure by a service provider.

13. A method for preventing use of a rogue DNS server comprising providing a computer infrastructure being operable to identify the rogue DNS server by detecting a DNS metric comprising at least one of number of redirects by the DNS server and a response time to a request for an IP address is outside of a set limit.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, wherein the computer infrastructure includes software, hardware or a combination of software and hardware.
  - 15. The method of claim 13, wherein the computer infrastructure is at least one maintained, deployed, created and supported by a service provider.
  - 16. The method of claim 13, wherein the response time includes a ping response time and the computer infrastructure is operable to calculate a difference between historical and current ping times and historical and current DNS response times to account for current network latency.
  - 17. The method of claim 13, wherein the response time is calculated from at least one of:
    - an answer to a request with an IP address from cache;
      
      a contact with another server in an attempt to find the IP address;
      
      an answer with an IP address for a name server that may know the IP address; and
      
      a return of an error message because a requested domain name is invalid or does not exist.
  - 18. The method of claim 13, wherein the detecting a DNS metric encompasses detecting the DNS metric outside a range of a set historical limit.

19. A computer program product for protecting web applications from malicious attacks, the computer program product comprising:
- a computer readable medium;
  
  a first program instructions to determine that a current DNS server is a historical DNS server;
  
  a second program instructions to determine a response time of a connected to DNS server;
  
  a third program instructions to determine a redirection of a response to another DNS server;
  
  fourth program instructions to calculate a difference between historical and current ping times and historical and response times and the response time of the connected to DNS server; and
  
  fifth program instructions to take action when at least one of;
  
  the first program instructions finds the current DNS server to be different than the historical DNS server;
  
  the third program determines that there is a redirection to the another DNS server and the redirection is outside a set limit of redirections; and
  
  the fourth program instructions calculate a difference between the historical and current ping times and the historical and response times and the response time of the connected to DNS server is greater than a set limit,wherein the first, second, third, fourth and fifth program instructions are stored on the computer readable media.
- View Dependent Claims (20)
- - 20. The computer program product of claim 19, wherein the action includes at least one of:
    - preventing any traffic to an IP address contained in a DNS response that generated the action;
      
      preventing any traffic to a DNS server that provided the IP address; and
      
      providing a dialog to a user, warning of a potential security threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
HIMBERGER, Kevin D., Parees, Benjamin M.

Granted Patent

US 8,191,137 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/168   above the transport layer

SYSTEM AND METHOD FOR IDENTIFICATION AND BLOCKING OF MALICIOUS USE OF SERVERS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR IDENTIFICATION AND BLOCKING OF MALICIOUS USE OF SERVERS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links