Method and apparatus for preventing a denial of service (DOS) attack by selectively throttling TCP/IP requests
Abstract
According to the present invention, a method, apparatus, and computer readable medium for preventing a DoS attack without notifying the DoS attacker are disclosed. In one embodiment, in a client/server environment, a DoS defense module determines a connection request rate for a particular client. The client is blocked if the connection request rate is determined to be above a first pre-determined threshold. If, however, the connection request rate is below the first threshold but above a second threshold, then the client's connection request rate is slowed, or throttled, down to a rate consistent with a connection delay interval that is based upon a throttling factor.
17 Claims
1. In a client/server environment, a method for preventing a denial of service (DoS) attack by a requesting client on a server computer, comprising:
receiving a connection request at a time tn;
if the time tn is within throttling interval m, incrementing an interval m connection request count;
determining if the interval m connection request count is greater than a rejection threshold associated with the requesting client;
if it is determined that the interval m connection request count is greater than the rejection threshold, rejecting the connection request;
if it is determined that the interval m connection request count is not greater than the rejection threshold, waiting an interval m wait time; and
accepting the request by the server computer.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
if the time tn is at a beginning of a throttling interval m+1, where the throttling interval m+1 is subsequent to the throttling interval m, calculating a throttling interval m+1 wait time based upon a slow down threshold associated with the requesting client, a total number of connection requests for the throttling interval m, and the interval m wait time;
setting a throttling interval m+1 connection request count to zero;
waiting the throttling interval m+1 wait time; and
accepting the request by the server computer.
3. A method as recited in claim 2, wherein the throttling interval m+1 wait time is related to a difference between a throttling interval m+1 connection request count and the slowdown threshold.
4. A method as recited in claim 3, wherein the connection request is a TCP/IP type connection request.
5. A method as recited in claim 4, wherein the waiting the throttling interval m+1 wait time for the connection request is a duration of time between a TCP accepted event and a connection accepted by an application event.
6. A method as recited in claim 1, wherein the requesting client is identified based upon a requesting client IP address uniquely associated with the requesting client.
7. A method as recited in claim 6, wherein the requesting client is one of a plurality of requesting clients, each of which is uniquely identified by an associated requesting client IP address.
8. A method as recited in claim 7, wherein the rejection threshold is one of a plurality of rejection thresholds each being associated with an associated one of the plurality of requesting clients.
9. A method as recited in claim 7, wherein the slowdown threshold is one of a plurality of slowdown thresholds each being associated with an associated one of the plurality of requesting clients.
10. A method as recited in claim 1, wherein the server computer is an electronic messaging system.
11. An apparatus for preventing a denial of service (DoS) attack by a requesting client on a server computer in a client/server environment, comprising:
a connection request receiver unit for receiving a connection request at a time tn from the requesting client;
an incrementing unit coupled to the connection request receiver unit for incrementing an interval m connection request count when the time tn is within but not at a beginning of a throttling interval m;
a processor unit coupled to the interval m connection request count buffer arranged to determine if the interval m connection request count is greater than a rejection threshold associated with the requesting client; and
a request throttler unit coupled to the processor unit arranged to reject the connection request when it is determined that the interval m connection request count is greater than the rejection threshold, and wait an interval m wait time when it is determined that the interval m connection request count is not greater than the rejection threshold before the request is accepted by the server computer.
Dependent claims: 12, 13, 14, 15.
16. A computer readable media including computer program code for preventing a denial of service (DoS) attack by a requesting client on a server computer, said computer readable media comprising:
computer program code for receiving a connection request at a time tn;
computer program code for incrementing an interval m connection request count if the time tn is within a throttling interval m;
computer program code for determining if the interval m connection request count is greater than a rejection threshold associated with the requesting client;
rejecting the connection request if it is determined that the interval m connection request count is greater than the rejection threshold;
computer program code for waiting an interval m wait time if it is determined that the interval m connection request count is not greater than the rejection threshold; and
computer program code for accepting the request by the server computer.
Dependent claims: 17.
computer program code for calculating a throttling interval m+1 wait time when the time tn is at a beginning of a throttling interval m+1, where the throttling interval m+1 is subsequent to the throttling interval m, wherein the calculating is based upon a slow down threshold associated with the requesting client, a total number of connection requests for the throttling interval m, and the interval m wait time;
computer program code for setting a throttling interval m+1 connection request count to zero;
computer program code for waiting the throttling interval m+1 wait time; and
computer program code for accepting the request by the server computer.
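The claims above describe a per-client, per-interval throttle: count requests within throttling interval m, drop the request outright once the count passes the client's rejection threshold, otherwise delay it by the interval m wait time before the application accepts it, and at the start of interval m+1 recompute the wait from the previous interval's total and the slowdown threshold. The following Python is an added illustration written for this page, not code from the patent or its assignee. The class and method names, the specific wait-time update (previous wait plus a throttling factor times the number of requests over the slowdown threshold, clamped to a cap), the default thresholds, and the sample request stream are all assumptions; the patent only states that the wait is "related to" that difference. Waits are returned to the caller as seconds to apply between the TCP accept and the application accept (claim 5) rather than slept here, so the logic can be exercised deterministically.

```python
"""Per-client TCP connection throttling modelled on the claims above.

Assumed, not from the patent: the exact wait-time formula, the names used,
the default parameters, and the constructed sample traffic.
"""
from dataclasses import dataclass, field


@dataclass
class ClientState:
    interval_index: int = 0   # index of the throttling interval m currently being counted
    count: int = 0            # interval m connection request count
    wait: float = 0.0         # interval m wait time, in seconds


@dataclass
class DosThrottle:
    interval_len: float = 1.0         # length of one throttling interval (seconds)
    rejection_threshold: int = 20     # requests per interval above which a client is rejected
    slowdown_threshold: int = 5       # requests per interval above which a client is throttled
    throttling_factor: float = 0.05   # assumed: extra wait (s) per request over the slowdown threshold
    max_wait: float = 2.0             # assumed cap so a client is never stalled without bound
    clients: dict = field(default_factory=dict)   # keyed by client IP (claims 6 and 7)

    def _next_wait(self, prev_wait: float, total_m: int) -> float:
        """Claim 2/3: interval m+1 wait derived from the interval m total, the slowdown
        threshold and the interval m wait. Requests under the threshold let the wait decay."""
        delta = total_m - self.slowdown_threshold
        return min(self.max_wait, max(0.0, prev_wait + self.throttling_factor * delta))

    def decide(self, client_ip: str, t_n: float) -> tuple[str, float]:
        """Return ("reject", 0.0) or ("accept", wait_seconds) for a request at time t_n.
        A rejected request is simply dropped, which is how the abstract avoids
        notifying the attacker (no RST or error response is implied here)."""
        m = int(t_n // self.interval_len)
        st = self.clients.setdefault(client_ip, ClientState(interval_index=m))
        if m > st.interval_index:
            # Beginning of a later interval (claim 2): compute the new wait from the
            # finished interval's total, apply one decay step per idle interval skipped
            # (assumption), restart the count, and accept this request after the wait.
            st.wait = self._next_wait(st.wait, st.count)
            for _ in range(m - st.interval_index - 1):
                st.wait = self._next_wait(st.wait, 0)
            st.interval_index = m
            st.count = 0
            return ("accept", st.wait)
        # Within interval m (claim 1 / claim 11): count the request, then reject or delay.
        st.count += 1
        if st.count > self.rejection_threshold:
            return ("reject", 0.0)
        return ("accept", st.wait)


def simulate(throttle: DosThrottle, requests: list[tuple[str, float]]) -> dict[str, dict[str, float]]:
    """Run a (client_ip, time) stream through the throttle and summarise per client."""
    summary: dict[str, dict[str, float]] = {}
    for ip, t in requests:
        verdict, wait = throttle.decide(ip, t)
        s = summary.setdefault(ip, {"accepted": 0, "rejected": 0, "max_wait": 0.0})
        if verdict == "accept":
            s["accepted"] += 1
            s["max_wait"] = max(s["max_wait"], wait)
        else:
            s["rejected"] += 1
    return summary


# Constructed sample stream: one client at 2 requests/s and one flooding at 30 requests/s,
# both for three seconds. Sorting by time interleaves them as a listener would see them.
SAMPLE_REQUESTS = sorted(
    [("198.51.100.7", i * 0.5) for i in range(6)]
    + [("203.0.113.9", i / 30.0) for i in range(90)],
    key=lambda r: r[1],
)

if __name__ == "__main__":
    for ip, stats in simulate(DosThrottle(), SAMPLE_REQUESTS).items():
        print(ip, stats)
```

With the assumed defaults the 2 requests/s client is never delayed or rejected, while the flooding client has every request beyond the 20th in each interval dropped and its surviving requests delayed by a wait that grows each interval until it hits the cap. Per-client state keyed on source IP is what keeps one abusive source from degrading service for others, which is the point the abstract makes about throttling rather than blocking outright; a production version would also need to expire idle entries so the `clients` table cannot itself be grown without bound.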
Specification