METHOD FOR THWARTING APPLICATION LAYER HYPERTEXT TRANSPORT PROTOCOL FLOOD ATTACKS FOCUSED ON CONSECUTIVELY SIMILAR APPLICATION-SPECIFIC DATA PACKETS
First Claim
1. A method to thwart hypertext transport protocol (HTTP) attacks, the method implemented on a processor and comprising the steps of:
receiving a plurality of HTTP packets, the plurality of HTTP packets comprising a first HTTP packet and a second HTTP packet, wherein the second HTTP packet was received prior to the first HTTP packet;
creating a hash of the first HTTP packet using a hash function, wherein the first HTTP packet is a GET request or POST request;
determining if the hash is in a list of previously known hashes, wherein each previously known hash in the list of previously known hashes is associated with a state, wherein the state is either blacklist or other;
if the hash is a previously known hash and the state is blacklist, then blocking a request associated with the first HTTP packet, or if the hash is a previously known hash and the state is other, or the hash is not in the list of previously known hashes, then calculating a difference between a payload of the first HTTP packet and a payload of the second HTTP packet, and calculating a length of the payload of the first HTTP packet;
incrementing a counter of total payload length by the calculated length of the payload of the first HTTP packet;
incrementing a counter of total difference by the calculated difference;
calculating a payload similarity percentage based on the total payload difference and total payload length; and
if the calculated payload similarity percentage is outside a predetermined acceptable range of acceptable percentages, then setting the state to blacklist if the hash is a previously known hash, or storing the hash in the list of previously known hashes with its associated state set to blacklist.
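The claimed steps, written out as an added Python example that is not the patent's own implementation: the difference metric (bytes of the current request not matched in the previous one), treating the whole raw request as the payload, the acceptable range of 0 to 70 % similarity, and the two sample requests are all assumptions made here, since the claim leaves them open.

```python
import hashlib
from difflib import SequenceMatcher


class HttpFloodDetector:
    """Running-similarity detector following the claim's steps (hash, state, counters)."""

    def __init__(self, max_similarity=70.0):
        # Assumed acceptable range 0..max_similarity %; the claim leaves the range open.
        self.max_similarity = max_similarity
        self.states = {}             # request hash -> "blacklist" | "other"
        self.total_length = 0        # counter of total payload length
        self.total_difference = 0    # counter of total payload difference
        self.previous_payload = b""  # payload of the packet received just before

    @staticmethod
    def difference(current, previous):
        """Bytes of `current` not matched in `previous` (assumed difference metric)."""
        blocks = SequenceMatcher(None, current, previous, autojunk=False).get_matching_blocks()
        return len(current) - sum(block.size for block in blocks)

    def similarity_percentage(self):
        if self.total_length == 0:
            return 0.0
        return 100.0 * (1.0 - self.total_difference / self.total_length)

    def inspect(self, packet):
        """Return 'blocked', 'blacklisted' or 'allowed' for one raw HTTP request."""
        if not packet.startswith((b"GET ", b"POST ")):
            return "allowed"                        # the claim only covers GET and POST
        digest = hashlib.sha256(packet).hexdigest()
        if self.states.get(digest) == "blacklist":
            return "blocked"                        # known hash already in blacklist state
        # Known-as-"other" or unknown hash: payload is taken as the whole request bytes.
        self.total_difference += self.difference(packet, self.previous_payload)
        self.total_length += len(packet)
        self.previous_payload = packet
        if self.similarity_percentage() > self.max_similarity:
            self.states[digest] = "blacklist"       # set or store the hash as blacklist
            return "blacklisted"
        self.states.setdefault(digest, "other")
        return "allowed"


# Constructed sample traffic: a repeated flood request and one varied legitimate request.
FLOOD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: flood\r\n\r\n"
LEGIT = (b"POST /api/orders HTTP/1.1\r\nHost: example.test\r\nContent-Length: 24\r\n\r\n"
         b'{"item": "a1", "qty": 3}')


def run_demo(packets, max_similarity=70.0):
    detector = HttpFloodDetector(max_similarity)
    return [detector.inspect(packet) for packet in packets]
```

Because the length and difference counters are global rather than per client, a legitimate request that happens to resemble the in-flight flood can be blacklisted as well, so the acceptable range has to be tuned against that false-positive risk. Hashing the whole packet also means only exact repeats of a blacklisted request are blocked outright; near-duplicates are caught only through the running similarity.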
Abstract
The present invention provides a methodology to thwart attacks that use consecutive hypertext transport protocol packets with similar structures, arriving from a plurality of computer systems on a network, such as the Internet, and destined for one or more computer systems on a secondary network, at such a rate and with sufficient complexity that legitimate clients are denied access to the requested services of the target computer system or systems, creating a “denial of service” situation. The methodology focuses on the dynamic and proactive reassessment of data packet payload content to maintain a running value of similarity or dissimilarity, permitting the intermediary apparatuses that perform this computation to distinguish legitimate clients from illegitimate clients.
162 Citations
7 Claims