Mitigating a Denial-of-Service Attack in a Cloud-Based Proxy Service
First Claim
1. A method in a proxy server in a cloud-based proxy service, wherein the proxy server is situated between client computing devices that request network resources and origin servers that serve network resources, the method comprising:
- receiving a message that indicates that a domain, whose traffic passes through the proxy server may be-under a denial-of-service (DoS) attack;
enabling a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges;
responsive to receiving a first request for a resource of that domain from a first visitor, automatically presenting the set of challenges that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a message to the proxy with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser.
1 Assignment
0 Petitions
Accused Products
Abstract
A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that that the visitor is part of the DoS attack. If the set of challenges are passed, the request may be processed. If the set of challenges are not passed, the request may be dropped.
39 Citations
33 Claims
-
1. A method in a proxy server in a cloud-based proxy service, wherein the proxy server is situated between client computing devices that request network resources and origin servers that serve network resources, the method comprising:
-
receiving a message that indicates that a domain, whose traffic passes through the proxy server may be-under a denial-of-service (DoS) attack; enabling a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges; responsive to receiving a first request for a resource of that domain from a first visitor, automatically presenting the set of challenges that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a message to the proxy with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser. - View Dependent Claims (3, 4, 6, 7, 8, 9, 10, 11, 12, 31)
-
-
2. (canceled)
-
5. (canceled)
-
13. A non-transitory computer-readable storage medium that provides instructions that, when executed by a processor, will cause said processor to perform operations comprising:
-
receiving a message that indicates that a domain, whose traffic passes through a proxy server of a cloud-based proxy service, may be under a denial-of-service (DoS) attack; enabling a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges; responsive to receiving a first request for a resource of that domain from a first visitor, automatically presenting the set of challenges that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a message to the proxy with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser. - View Dependent Claims (15, 16, 18, 19, 20, 21, 22, 23, 24, 32)
-
-
14. (canceled)
-
17. (canceled)
-
25. An apparatus, comprising:
-
a set of one or more processors; a set of one or more non-transitory computer-readable storage mediums storing instructions, that when executed by the set of processors, cause the set of processors to perform the following operations; receive a message that indicates that a domain, whose traffic passes through a proxy server of a cloud-based proxy service, may be under a denial-of-service (DoS) attack; enable a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges; responsive to receiving a first request for a resource of that domain from a first visitor, automatically present the set of challenges that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a message to the proxy with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser. - View Dependent Claims (27, 28, 30, 33)
-
-
26. (canceled)
-
29. (canceled)
Specification