Light Weight Profiling Apparatus Distinguishes Layer 7 (HTTP) Distributed Denial of Service Attackers From Genuine Clients
Abstract
An apparatus discerns clients by the requests made to a web application server through a web application firewall, which injects client side code into the responses with a randomized challenge that needs a unique answer to be returned in the cookie. The client side code generates cookies, which identify a browser to the web application server, or the web application firewall in subsequent requests if made by a normally configured browser and a fail threshold is checked for subsequent requests originating from such a browser. Each browser is thus fingerprinted and if the expected answer failures exceed a threshold, the client is marked as suspicious and a subsequent Turing test is enforced to these suspicious clients, failing which, a subsequent defined action is taken.
5 Claims
1. A method at a firewall apparatus to protect an application server from Distributed Denial of Service attack comprising:
receiving a response from a web application server intended for a requesting client, injecting client code for execution within the requesting client, transmitting the response with injected client code, receiving a plurality of requests for a subsequent response from the requesting client, counting the number of successful expected answers included with the request for subsequent requests, and filtering the request according to number of successful versus failed answers received over a period of time to make a decision of the need for a further Turing test before allowing access to a resource intensive entity of the application.
2. A method of operation for a processor coupled to network interfaces to control access from a Client User Agent to a Server Process, the processor further coupled to a bookkeeping store comprises:
receiving a request from a Client User Agent at an Internet Protocol (IP) address; examining a book keeping store to determine the condition that the Client User Agent (client) is a known client; on the condition that the client is not already a known client, adding a book keeping store record for the client; marking a client status in book keeping store as suspicious; forwarding the client request to the Server process; when the Server process provides a response for a client, determining if the client status in the book keeping store is trusted; on the condition that the client status is trusted, transmitting the response to the Client User Agent; on the condition that the client status is suspicious, injecting client side code with random challenge into said response and recording the Expected Answer in book keeping store incrementing a first counter NumChallenges for this client in book keeping store; and transmitting said response (now injected with client side code with random challenge) to Client User Agent.
on the condition that the Cookie value is equal to the Expected Answer, marking the client status as Trusted; incrementing a second counter NumAnswers for this client in book keeping store; forwarding the request to the server process; on either of the conditions that the Answer Cookie is not present or does not have the Expected Answer, calculating a Fail Count 660 by subtracting the NumAnswers from the NumChallenges; upon determining the condition Fail Count exceeds Max Fail is false, marking the client status as suspicious; and forwarding the request to Server Process.
4. The method of claim 3 further comprising:
upon determining the condition Fail Count exceeds Max Fail is true, marking the client as Untrusted in the bookkeeping store, and initiating a Turing test to further control access by the Client User Agent to the Server Process.
5. An apparatus comprising:
a processor coupled to a network interface circuit communicatively coupled to a client user agent and further communicatively coupled to a server process at a server; the network interface circuit; a bookkeeping store coupled to the processor; a client side code with random challenge circuit; a first counter to record NumChallenges for a first client; a second counter to record NumAnswers for a first client; a fail count circuit to subtract NumAnswers from NumChallenges for a first client; a comparison circuit to determine if a result determined by the fail count circuit exceeds a value stored for Max Fail; and computer readable non-transitory storage devices coupled to the processor.
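The bookkeeping logic of claims 2 to 4, written out as an added simulation (not the patent's own code): a record per client IP, a random challenge injected into responses to suspicious clients, NumChallenges and NumAnswers counters, and Fail Count = NumChallenges - NumAnswers checked against Max Fail. The Max Fail value, the Answer Cookie name, the hash used to turn a challenge into its Expected Answer, and the simulated clients are assumptions; the "period of time" window of claim 1 is not modelled.

```python
import hashlib, secrets
from dataclasses import dataclass
MAX_FAIL = 3              # assumed value for the claims' "Max Fail" threshold
ANSWER_COOKIE = "answer"  # assumed name of the Answer Cookie
@dataclass
class ClientRecord:             # one bookkeeping-store record per client IP
    status: str = "suspicious"  # suspicious -> trusted, or suspicious -> untrusted
    num_challenges: int = 0     # first counter, NumChallenges
    num_answers: int = 0        # second counter, NumAnswers
    expected_answer: str = ""   # Expected Answer recorded when code is injected
def solve_challenge(challenge: str) -> str:
    # stand-in for the work the injected client-side code does on the random challenge
    return hashlib.sha256(challenge.encode()).hexdigest()[:16]

class Firewall:
    def __init__(self, max_fail: int = MAX_FAIL):
        self.store, self.max_fail = {}, max_fail
    def on_request(self, ip: str, cookies: dict) -> str:
        rec = self.store.get(ip)
        if rec is None:                       # claim 2: unknown client -> add, suspicious, forward
            self.store[ip] = ClientRecord()
            return "forward"
        if rec.expected_answer and cookies.get(ANSWER_COOKIE) == rec.expected_answer:
            rec.status = "trusted"            # claim 3: Answer Cookie equals the Expected Answer
            rec.num_answers += 1
            return "forward"
        fail_count = rec.num_challenges - rec.num_answers
        if fail_count > self.max_fail:        # claim 4: Fail Count exceeds Max Fail
            rec.status = "untrusted"
            return "turing_test"
        rec.status = "suspicious"             # claim 3: not over the threshold yet
        return "forward"
    def on_response(self, ip: str, body: str) -> str:
        rec = self.store[ip]
        if rec.status == "trusted": return body   # trusted clients get the response unchanged
        challenge = secrets.token_hex(8)      # random challenge, fresh per response
        rec.expected_answer = solve_challenge(challenge)
        rec.num_challenges += 1
        return body + f'<script data-challenge="{challenge}"></script>'

def simulate(fw: Firewall, ip: str, answers: bool, rounds: int) -> list:
    # drives request/response pairs; a client that answers behaves like a normal browser
    decisions, cookies = [], {}
    for _ in range(rounds):
        decisions.append(fw.on_request(ip, cookies))
        if decisions[-1] != "forward": break
        body = fw.on_response(ip, "<html>page</html>")
        if answers and "data-challenge" in body:  # run the injected code, set the cookie
            cookies[ANSWER_COOKIE] = solve_challenge(body.split('"')[1])
    return decisions
```

A browser that runs the injected code is marked trusted on its second request and receives no further challenges; a client that never answers accumulates one unanswered challenge per response and is sent to the Turing test once Fail Count exceeds Max Fail.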
Specification