SYSTEM AND METHOD FOR MITIGATING A DENIAL OF SERVICE ATTACK USING CLOUD COMPUTING

US 20110083179A1
Filed: 10/07/2010
Published: 04/07/2011
Est. Priority Date: 10/07/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method for mitigating a denial of service attack comprising:

distributing network communication messages directed at a resource within a resource cloud using a load balancer;

directing the distributed network communication messages to a plurality of filter nodes;

filtering the network communication messages with filter nodes according to filter parameters that relate to legitimacy of a communication message; and

selectively sending the communication message to the resource if the communication message is filtered as legitimate or performing a request limiting response to the communication message if the communication message is filtered as illegitimate.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for mitigating a denial of service attack that includes distributing network communication messages directed at a resource within a resource cloud, directing the distributed network communication messages, filtering the network communication messages according to filter parameters that relate to the legitimacy of the communication message, and sending the communication message to the resource if the communication message is filtered as legitimate or performing a request limiting response to the communication message if the communication message is filtered as illegitimate.

338 Citations

20 Claims

1. A method for mitigating a denial of service attack comprising:
- distributing network communication messages directed at a resource within a resource cloud using a load balancer;
  
  directing the distributed network communication messages to a plurality of filter nodes;
  
  filtering the network communication messages with filter nodes according to filter parameters that relate to legitimacy of a communication message; and
  
  selectively sending the communication message to the resource if the communication message is filtered as legitimate or performing a request limiting response to the communication message if the communication message is filtered as illegitimate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein distributing network communication messages includes a load balancer distributing network communication messages to a second load balancer prior to directing the network communication messages to the plurality of filter nodes.
  - 3. The method of claim 2, wherein the load balancer is a logical traffic distribution configuration.
  - 4. The method of claim 1, further comprising a capacity manager measuring the amount of communication message traffic;
    - and allocating additional load balancers and filter nodes in response to the amount of network communication message traffic.
  - 5. The method of claim 1, wherein filtering the network communication messages with filter nodes includes analyzing network communication on network layers 3 through network layer 7.
  - 6. The method of claim 1, wherein filtering the network communication messages with filter nodes includes filtering requests based on application layer parameters of the network communication message.
  - 7. The method of claim 6, further comprising storing application layer parameters of a network communication message in a state management system;
    - and relaying the application layer parameters to a filter node for a second communication message that is associated with the application layer parameters.
  - 8. The method of claim 1, wherein performing a request limiting response to the communication message if the communication message is filtered as illegitimate further includes queuing the communication message before sending the network communication message to the resource.
  - 9. The method of claim 1, wherein performing a request limiting response to the communication message if the communication message is filtered as illegitimate further includes discarding the communication message.
  - 10. The method of claim 1, wherein performing a request limiting response to the communication message if the communication message is filtered as illegitimate further includes sending an alternate response to the communication message without accessing the resource.
  - 11. The method of claim 1, wherein performing a request limiting response to the communication message if the communication message is filtered as illegitimate where the request limiting response is selected from a plurality of request limiting responses, and the selection is dependent on a level of legitimacy determined by the filter nodes.
  - 12. The method of claim 1, wherein the resource cloud is a multitenancy platform shared by a plurality of entities.

13. A system for mitigating a denial of service (DoS) attack comprising:
- a resource cloud with a plurality of resources with a network interface for outside requests;
  
  traffic filter nodes that uses filter parameters to pass expected legitimate requests to a resource of the shared resource cloud and performs a request limiting response to an expected illegitimate request; and
  
  a load balancing system that receive incoming requests and distributes the requests to the plurality of communication fillers.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the resource cloud is a shared platform with a plurality of resources for a plurality of entities.
  - 15. The system of claim 13, wherein the load balancing system includes a domain name server (DNS) round robin configuration for logical traffic distribution.
  - 16. The system of claim 13, wherein the load balancing system includes a plurality of load balancers arranged in a pyramid configuration.
  - 17. The system of claim 13, wherein the filter parameters include filters set for parameters of network layer 3 through layer 7.
  - 18. The system of claim 13, wherein the filter parameters include filters for application layer parameters.
  - 19. The system of claim 13, further comprising a messaging system that stores application layer information of a first incoming request and communicates the application layer information to a second incoming request when the second request is at a communication traffic filter node.

20. The system of claim SYSTEM, further comprising an analysis system that identifies properties of a potential DoS attack and updates filter parameters of the traffic filter nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Twilio, Inc.
Original Assignee
Twilio, Inc.
Inventors
Cooke, Evan, Lawson, Jeffrey, Wolthuis, John

Application Number

US12/900,368
Publication Number

US 20110083179A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/1458   Denial of Service

H04L 67/1001   for accessing one among a p...

H04L 67/1008   based on parameters of serv...

H04L 67/101   based on network conditions

H04L 67/1017   based on a round robin mech...

H04L 67/1031   Controlling of the operatio...

SYSTEM AND METHOD FOR MITIGATING A DENIAL OF SERVICE ATTACK USING CLOUD COMPUTING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

338 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

SYSTEM AND METHOD FOR MITIGATING A DENIAL OF SERVICE ATTACK USING CLOUD COMPUTING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

338 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others