Validating Visitor Internet-Based Security Threats

US 20110283359A1
Filed: 04/01/2011
Published: 11/17/2011
Est. Priority Date: 04/01/2010
Status: Active Grant

First Claim

Patent Images

1. A method in a validating server for validating visitor Internet-based security threats, comprising:

receiving from a first client device a first request that does not include a cookie for a validating domain that resolves to the validating server, wherein the first request is received as a result of a proxy server redirecting the first client device to the validating domain upon a determination that a visitor belonging to the first client device is a potential threat based on an IP (Internet Protocol) address assigned to the first client device used for a second request to perform an action on an identified resource hosted on an origin server for an origin domain;

setting a cookie for the first client device;

determining a set of one or more characteristics associated with the first client device; and

transmitting the cookie and a block page to the client device that has been customized based on one or more of the set of characteristics, wherein the block page indicates that the second request has been blocked.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A validating server receives from a client device a first request that does not include a cookie for a validating domain that resolves to the validating sever. The first request is received at the validating server as a result of a proxy server redirecting the client device to the validating domain upon a determination that a visitor belonging to the client device is a potential threat based on an IP (Internet Protocol) address assigned to the client device used for a second request to perform an action on an identified resource hosted on an origin server for an origin domain. The validating server sets a cookie for the client device, determines a set of characteristics associated with the first client device, and transmits the cookie and a block page to the client device that has been customized based on the set of characteristics, the block page indicating that the second request has been blocked.

121 Citations

26 Claims

1. A method in a validating server for validating visitor Internet-based security threats, comprising:
- receiving from a first client device a first request that does not include a cookie for a validating domain that resolves to the validating server, wherein the first request is received as a result of a proxy server redirecting the first client device to the validating domain upon a determination that a visitor belonging to the first client device is a potential threat based on an IP (Internet Protocol) address assigned to the first client device used for a second request to perform an action on an identified resource hosted on an origin server for an origin domain;
  
  setting a cookie for the first client device;
  
  determining a set of one or more characteristics associated with the first client device; and
  
  transmitting the cookie and a block page to the client device that has been customized based on one or more of the set of characteristics, wherein the block page indicates that the second request has been blocked.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the block page includes a mechanism to dismiss the block page that is selected from the group consisting of:
    - a link to close the block page, a CAPTCHA, and a dismiss code field; and
      
      indicating in the cookie a successful dismissal of the block page.
  - 3. The method of claim 2, further comprising:
    - receiving from the first client device a third request that includes the cookie set for the first client device, wherein the third request is received as a result of the proxy server redirecting the first client device to the validating domain upon a determination that the visitor belonging to the first client device is a potential threat based on the IP address assigned to the first client device used for a fourth request to perform an action on an identified resource hosted on the origin server for the origin domain;
      
      determining that the visitor is not a threat, wherein the determination is based at least on the cookie included in the third request; and
      
      responsive to determining that the visitor is not a threat, causing first client device to issue a fifth request that corresponds with the forth request that will not be blocked based on the IP address assigned to the first client device
  - 4. The method of claim 3, wherein causing the first client device to issue the fifth request includes redirecting the first client device to issue the fifth request directly to the origin server.
  - 5. The method of claim 3, wherein causing the first client device to issue the fifth request that will not be blocked based on the IP address assigned to the first client device includes causing the IP address assigned to the first client device to be removed from a restricted list and redirecting the first client device to issue the fifth request to the proxy server.
  - 6. The method of claim 1, further comprising:
    - receiving from a second client device a third request that includes a cookie for the validating domain, wherein the third request is received as a result of the proxy server redirecting the second client device to the validating domain upon a determination that a visitor belonging to the second client device is a potential threat based on an IP address assigned to the second client device used for a fourth request to perform an action on an identified resource hosted on the origin server for the origin domain;
      
      determining that the visitor belonging to the second client device is not a threat, wherein the determination is based at least on the cookie included in the third request; and
      
      responsive to determining that the visitor belonging to the second client device is not a threat, causing the second client device to issue a fifth request that corresponds with the forth request that will not be blocked based on the IP address assigned to the second client device.
  - 7. The method of claim 6, wherein causing the second client device to issue the fifth request includes redirecting the second client device to issue the fifth request directly to the origin server.
  - 8. The method of claim 6, wherein causing the second client device to issue the fifth request that will not be blocked based on the IP address assigned to the second client device includes causing the IP address assigned to the second client device to be removed from a restricted list and redirecting the second client device to issue the fifth request to the proxy server.
  - 9. The method of claim 6, wherein the cookie included in the third request includes an indication that the visitor belonging to the second client device has not been previously participating in suspicious activities.
  - 10. The method of claim 6, wherein the cookie included in the third request includes an indication that the visitor belonging to the second client device is a human user and not a bot.

11. A method in a proxy server for validating visitor Internet-based security threats, comprisingreceiving, from a client device, a request to perform an action on an identified resource that is hosted at an origin server for a domain as a result of a DNS (Domain Name System) request for the domain resolving to the proxy server, wherein the origin server is one of a plurality of origin servers that belong to different domains that resolve to the proxy server and are owned by different entities, and wherein the proxy server and the plurality of origin servers are owned by different entities;
- determining, based on an IP (Internet Protocol) address assigned to the client device and associated with the request, that a visitor belonging to the client device is a potential threat; and
  
  transmitting a response to the client device that includes a redirection to a validating domain that resolves to a validating domain server that is to determine whether the visitor is a threat based on a cookie associated with the visitor for the validating domain.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, wherein determining that the visitor is a potential threat includes determining that the IP address assigned to the client device is included in an IP restricted list.
  - 13. The method of claim 11, wherein the response includes a script that when executed by a client network application of the client device causes a request for a resource to be generated and issued to the validating domain.

14. A non-transitory machine-readable storage medium that provides instructions that, when executed by a processor of a validating server, cause said processor to perform operations comprising:
- receiving from a first client device a first request that does not include a cookie for a validating domain that resolves to the validating server, wherein the first request is received as a result of a proxy server redirecting the first client device to the validating domain upon a determination that a visitor belonging to the first client device is a potential threat based on an IP (Internet Protocol) address assigned to the first client device used for a second request to perform an action on an identified resource hosted on an origin server for an origin domain;
  
  setting a cookie for the first client device;
  
  determining a set of one or more characteristics associated with the first client device; and
  
  transmitting the cookie and a block page to the client device that has been customized based on one or more of the set of characteristics, wherein the block page indicates that the second request has been blocked.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The non-transitory machine-readable storage medium of claim 14, wherein the block page includes a mechanism to dismiss the block page that is selected from the group consisting of:
    - a link to close the block page, a CAPTCHA, and a dismiss code field; and
      
      indicating in the cookie a successful dismissal of the block page.
  - 16. The non-transitory machine-readable storage medium of claim 15, further comprising:
    - receiving from the first client device a third request that includes the cookie set for the first client device, wherein the third request is received as a result of the proxy server redirecting the first client device to the validating domain upon a determination that the visitor belonging to the first client device is a potential threat based on the IP address assigned to the first client device used for a fourth request to perform an action on an identified resource hosted on the origin server for the origin domain;
      
      determining that the visitor is not a threat, wherein the determination is based at least on the cookie included in the third request; and
      
      responsive to determining that the visitor is not a threat, causing first client device to issue a fifth request that corresponds with the forth request that will not be blocked based on the IP address assigned to the first client device
  - 17. The non-transitory machine-readable storage medium of claim 16, wherein causing the first client device to issue the fifth request includes redirecting the first client device to issue the fifth request directly to the origin server.
  - 18. The non-transitory machine-readable storage medium of claim 16, wherein causing the first client device to issue the fifth request that will not be blocked based on the IP address assigned to the first client device includes causing the IP address assigned to the first client device to be removed from a restricted list and redirecting the first client device to issue the fifth request to the proxy server.
  - 19. The non-transitory machine-readable storage medium of claim 14, further comprising:
    - receiving from a second client device a third request that includes a cookie for the validating domain, wherein the third request is received as a result of the proxy server redirecting the second client device to the validating domain upon a determination that a visitor belonging to the second client device is a potential threat based on an IP address assigned to the second client device used for a fourth request to perform an action on an identified resource hosted on the origin server for the origin domain;
      
      determining that the visitor belonging to the second client device is not a threat, wherein the determination is based at least on the cookie included in the third request; and
      
      responsive to determining that the visitor belonging to the second client device is not a threat, causing the second client device to issue a fifth request that corresponds with the forth request that will not be blocked based on the IP address assigned to the second client device.
  - 20. The non-transitory machine-readable storage medium of claim 19, wherein causing the second client device to issue the fifth request includes redirecting the second client device to issue the fifth request directly to the origin server.
  - 21. The non-transitory machine-readable storage medium of claim 19, wherein causing the second client device to issue the fifth request that will not be blocked based on the IP address assigned to the second client device includes causing the IP address assigned to the second client device to be removed from a restricted list and redirecting the second client device to issue the fifth request to the proxy server.
  - 22. The non-transitory machine-readable storage medium of claim 19, wherein the cookie included in the third request includes an indication that the visitor belonging to the second client device has not been previously participating in suspicious activities.
  - 23. The non-transitory machine-readable storage medium of claim 19, wherein the cookie included in the third request includes an indication that the visitor belonging to the second client device is a human user and not a bot.

24. A non-transitory machine-readable storage medium that provides instructions that, when executed by a processor of a proxy server, cause said processor to perform operations comprising:
- receiving, from a client device, a request to perform an action on an identified resource that is hosted at an origin server for a domain as a result of a DNS (Domain Name System) request for the domain resolving to the proxy server, wherein the origin server is one of a plurality of origin servers that belong to different domains that resolve to the proxy server and are owned by different entities, and wherein the proxy server and the plurality of origin servers are owned by different entities;
  
  determining, based on an IP (Internet Protocol) address assigned to the client device and associated with the request, that a visitor belonging to the client device is a potential threat; and
  
  transmitting a response to the client device that includes a redirection to a validating domain that resolves to a validating domain server that is to determine whether the visitor is a threat based on a cookie associated with the visitor for the validating domain.
- View Dependent Claims (25, 26)
- - 25. The non-transitory machine-readable storage medium of claim 24, wherein determining that the visitor is a potential threat includes determining that the IP address assigned to the client device is included in an IP restricted list.
  - 26. The non-transitory machine-readable storage medium of claim 24, wherein the response includes a script that when executed by a client network application of the client device causes a request for a resource to be generated and issued to the validating domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
CloudFlare Incorporated
Inventors
Pye, Ian Gerald, Prince, Matthew Browning, Holloway, Lee Hahn

Granted Patent

US 8,850,580 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 15/16   Combinations of two or more...

G06F 16/95   Retrieval from the web

G06F 16/958   Organisation or management ...

G06F 21/00   Security arrangements for p...

G06F 21/552   involving long-term monitor...

G06F 40/14   Tree-structured documents p...

G06F 40/143   Markup, e.g. Standard Gener...

G06Q 10/107   Computer-aided management o...

G06Q 30/0241   Advertisements

G06Q 30/0251   Targeted advertisements

G06Q 30/0277   Online advertisement

H04L 47/745   Reaction in network

H04L 51/42   Mailbox-related aspects, e....

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/59   using proxies for addressing

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0281   Proxies

H04L 63/083 : using passwords cryptograph...

H04L 63/0861 : using biometrical features,...

H04L 63/102 : Entity profiles

H04L 63/126 : the source of the received ...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/1458 : Denial of Service

H04L 63/1466 : Active attacks involving in...

H04L 67/02 : based on web technology, e....

H04L 67/146 : Markers for unambiguous ide...

H04L 67/56 : Provisioning of proxy servi...

H04L 67/561 : Adding application-function...

H04L 67/568 : Storing data temporarily at...

H04L 69/40 : for recovering from a failu...

View All

Validating Visitor Internet-Based Security Threats

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

121 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Validating Visitor Internet-Based Security Threats

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links