System and method for managing denial of service attacks
Abstract
A system and method for monitoring and controlling the total number of SSL port resources that are allowed to be tied up by a malicious or inept client making multiple requests from a single IP address. Smart SSL handshake timeout detection is used to track and deny service to any SSL clients that perform denial of service (DoS) attacks.
26 Claims
1. A method for operating an application in the application layer of a server, comprising the steps of:
- maintaining in said application layer of said server a record of the number of pending service requests from a client; and
- upon said application receiving a request for service from said client when said client has more than a configurable number of pending service requests, denying service to said client.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A method for operating a server to manage denial of service attacks, comprising the steps of:
- receiving from a client a connection request;
- responsive to said connection request, determining if said client is identified for denial of service and, if so, closing said connection request;
- responsive to said client not being identified for denial of service, incrementing a count M for said client in an outstanding negotiation list;
- responsive to said count M being incremented to a value greater than a trigger value T, closing said connection request;
- responsive to said count M being incremented to a value equal to or less than said trigger value T, entering into a service negotiation with said client;
- responsive to said service negotiation successfully completing within a timeout period N, deleting said client from said outstanding negotiation list and processing said request for service;
- responsive to said service negotiation not successfully completing within said timeout period N, incrementing said count M, recalculating said timeout period N and closing said connection request;
- responsive to said count M exceeding a trigger value, identifying said client for denial of service.

12. A server system, comprising:
- an application server;
- an access denied list (ADL) of client addresses to be denied service by an application executing in said server;
- a pending negotiation list for identifying clients negotiating server services with said application server;
- a counter for maintaining a count M of the number of pending requests for services from a client in said pending negotiation list;
- a trigger value T;
- a timeout period value N;
- said application server being responsive to a request for service from a client to be denied service for closing a secure sockets layer (SSL) connection request from said client;
- said server being responsive to a request for service from a client not to be denied service for adding said request for service to said pending negotiation list; and
- said server being responsive to an SSL request from a client having more than T pending requests for service for closing said connection request from said client.
Dependent claims: 13, 14, 15.

16. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for operating an application in the application layer of a server, said method steps comprising:
- maintaining in said application layer a record of the number of pending service requests from a client; and
- upon said application receiving a request for service from said client when said client has more than a configurable number of pending service requests, denying service to said client.
Dependent claims: 17, 18.

19. A computer program product or computer program element for executing method steps comprising:
- receiving from a client a connection request;
- responsive to said connection request, determining if said client is identified for denial of service and, if so, closing said connection request;
- responsive to said client not being identified for denial of service, incrementing a count M for said client in an outstanding negotiation list;
- responsive to said count M being incremented to a value greater than a trigger value T, closing said connection request;
- responsive to said count M being incremented to a value equal to or less than said trigger value T, entering into a service negotiation with said client;
- responsive to said service negotiation successfully completing within a timeout period N, deleting said client from said outstanding negotiation list and processing said request for service;
- responsive to said service negotiation not successfully completing within said timeout period N, incrementing said count M, recalculating said timeout period N and closing said connection request;
- responsive to said count M exceeding a trigger value, identifying said client for denial of service.

20. A method for operating a server, comprising the steps of:
- maintaining a record of the number of pending service requests from a client;
- upon receiving a request for service from said client when said client has more than a configurable number of pending service requests, denying service to said client;
- determining when the number of times that negotiations for a service connection from said client exceed a timeout value, and upon said number exceeding a trigger threshold, denying service to said client;
- registering a denial of service to a denial of service list;
- responsive to registering a client to said denial of service list, closing any connection with said client while not processing any pending request from said client;
- maintaining a cache copy and a server copy of said denial of service list;
- said server copy for keeping a master denial of service list of clients known to have too many requests for connection pending without responding and for selectively restoring access by administrator action;
- said cache copy for tracking connection requests from a given client;
- responsive to said request from said given client for server resources, checking said cache copy to determine if service is to be denied to said given client and, responsive to determining from said cache copy that service is to be denied, checking said server copy of said denial of service list to determine if said given client is to be granted service; and
- responsive to determining from said cache copy of said denial of service list that said client is to be denied service, refreshing said cache copy from said server copy of said denial of service list, and re-checking said cache copy to determine if service is to be granted to said client.
Dependent claims: 21, 22, 23, 24, 25.

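The two-tier denial of service list of claim 20 (a cache copy in front of a server copy, with the cache refreshed from the server copy only when the cache says "deny") as an added Python example; this is not the patent's own code. The class names, the in-memory set representation, the pending-request queue and the refresh policy are assumptions made for the example.

```python
"""Added example: the cache copy / server copy denial of service list of claim 20.

Class names, the in-memory representation and the refresh policy are assumptions
of this example, not the patent's own code.
"""


class MasterDenyList:
    """Server copy: the master list of clients to deny. Entries are added when a
    client is identified for denial of service and removed only by administrator action."""

    def __init__(self):
        self.denied = set()

    def register(self, client):
        self.denied.add(client)

    def restore(self, client):
        """Administrator action: selectively restore access for one client."""
        self.denied.discard(client)

    def is_denied(self, client):
        return client in self.denied


class DenyListCache:
    """Cache copy kept next to the request path. It consults the master only when
    the cache says 'deny', so a client restored by an administrator is noticed on
    its next request without the cache being rebuilt for every request."""

    def __init__(self, master):
        self.master = master
        self.denied = set(master.denied)
        self.pending = {}        # client -> list of queued requests awaiting processing
        self.refreshes = 0       # how many times the cache was rebuilt from the master

    def refresh(self):
        self.denied = set(self.master.denied)
        self.refreshes += 1

    def queue_request(self, client, request):
        self.pending.setdefault(client, []).append(request)

    def register(self, client):
        """Register a client on both copies; its pending requests are discarded
        rather than processed. Returns how many requests were dropped."""
        self.master.register(client)
        self.denied.add(client)
        dropped = self.pending.pop(client, [])
        return len(dropped)

    def should_deny(self, client):
        if client not in self.denied:
            return False          # cache says 'grant': no round trip to the master
        if self.master.is_denied(client):
            return True           # both copies agree: deny
        # Cache is stale (administrator restored the client): refresh the cache
        # from the server copy and re-check the cache.
        self.refresh()
        return client in self.denied


if __name__ == "__main__":
    master = MasterDenyList()
    cache = DenyListCache(master)
    cache.queue_request("192.0.2.50", "GET /index.html")   # constructed sample request
    print("dropped", cache.register("192.0.2.50"), "pending request(s)")
    print("denied:", cache.should_deny("192.0.2.50"))
    master.restore("192.0.2.50")
    print("denied after restore:", cache.should_deny("192.0.2.50"), "refreshes:", cache.refreshes)
```

The asymmetry is deliberate: a "grant" answer from the cache is trusted outright, so the hot path for well-behaved clients never touches the master, while a "deny" answer is double-checked so that an administrator's restore takes effect on the client's next request.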
26. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for operating a server, said method steps comprising:
- maintaining a record of the number of pending service requests from a client;
- upon receiving a request for service from said client when said client has more than a configurable number of pending service requests, denying service to said client;
- determining when the number of times that negotiations for a service connection from said client exceed a timeout value, and upon said number exceeding a trigger threshold, denying service to said client;
- registering a denial of service to a denial of service list;
- responsive to registering a client to said denial of service list, closing any connection with said client while not processing any pending request from said client;
- maintaining a cache copy and a server copy of said denial of service list, said server copy for keeping a master denial of service list for clients known to have too many requests for connection pending without responding and for selectively restoring access by administrator action, and said cache copy for tracking connection requests from a given client;
- responsive to said request from said given client for server resources, checking said cache copy to determine if service is to be denied to said given client and, responsive to determining from said cache copy that service is to be denied, checking said server copy of said denial of service list to determine if said client is to be granted service;
- responsive to determining from said cache copy of said denial of service list that said client is to be denied service, refreshing said cache copy from said server copy of said denial of service list, and re-checking said cache copy to determine if service is to be granted to said client;
- responsive to a request for service from said client which completes within a timeout period, decrementing the number of outstanding connection requests from said client;
- responsive to a request for service from said client which does not complete within said timeout period, incrementing the number of outstanding connection requests from said client;
- further responsive to a request for service from said client which does not complete within said timeout period, recalculating said timeout period;
- determining for said client an average round trip time value (RTT);
- setting said timeout period as a function of said average round trip value; and
- weighting said round trip value selectively to favor historical or more recent values of said round trip time.
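The admission procedure of claims 11 and 19 (count M per client, trigger T, timeout N, access denied list) combined with the timeout recalculation and weighted round trip time average of claim 26, as an added Python example; this is not the patent's own code. The class and method names, the default values of T and N, the weighted-average formula, the rule that N is a fixed multiple of the average RTT clamped to a range, and the choice to feed the expired timeout back in as the RTT sample when a negotiation times out are all assumptions of this example.

```python
"""Added example: connection-admission guard modelled on claims 11/19 and 26.

Names, parameter defaults and the handling of a timed-out negotiation are
assumptions of this example, not the patent's own code.
"""


class HandshakeGuard:
    """Tracks, per client address, the count M of outstanding negotiations, the
    current timeout N derived from a weighted round trip time average, and an
    access denied list (ADL) of clients identified for denial of service."""

    def __init__(self, trigger=2, base_timeout=2.0, history_weight=0.5,
                 timeout_factor=2.0, min_timeout=1.0, max_timeout=30.0):
        self.T = trigger                  # trigger value T
        self.base_timeout = base_timeout  # timeout N used before any RTT is known
        self.w = history_weight           # weight on history; 1 - w on the newest sample
        self.factor = timeout_factor      # N = factor * average RTT (assumption)
        self.min_timeout = min_timeout
        self.max_timeout = max_timeout
        self.outstanding = {}  # outstanding negotiation list: address -> count M
        self.avg_rtt = {}      # address -> weighted average RTT
        self.timeout = {}      # address -> current timeout period N
        self.denied = set()    # access denied list (ADL)

    def timeout_for(self, addr):
        return self.timeout.get(addr, self.base_timeout)

    def _recalculate_timeout(self, addr, sample):
        # Exponentially weighted average: w near 1 favours history, w near 0
        # favours the most recent sample (the selective weighting of claim 26).
        prev = self.avg_rtt.get(addr, sample)
        avg = self.w * prev + (1.0 - self.w) * sample
        self.avg_rtt[addr] = avg
        self.timeout[addr] = min(self.max_timeout, max(self.min_timeout, self.factor * avg))

    def _count_up(self, addr):
        """Increment M for addr; if it now exceeds T, put the client on the ADL."""
        m = self.outstanding.get(addr, 0) + 1
        self.outstanding[addr] = m
        if m > self.T:
            self.denied.add(addr)
            self.outstanding.pop(addr, None)
            return True
        return False

    def on_connect(self, addr):
        """Decide what to do with a new connection request from addr."""
        if addr in self.denied:
            return "closed"            # already identified for denial of service
        if self._count_up(addr):
            return "denied"            # M incremented past T: close and deny
        return "negotiate"             # M <= T: enter the service negotiation

    def on_negotiation_result(self, addr, elapsed):
        """Report how long the negotiation with addr took, in seconds (for an
        abandoned handshake, the time at which the server gave up)."""
        if addr in self.denied:
            return "closed"
        n = self.timeout_for(addr)
        if elapsed <= n:
            # Completed within N: decrement M, drop the client from the list when
            # nothing is outstanding, and fold the measured RTT into the average.
            m = self.outstanding.get(addr, 1) - 1
            if m <= 0:
                self.outstanding.pop(addr, None)
            else:
                self.outstanding[addr] = m
            self._recalculate_timeout(addr, elapsed)
            return "served"
        # Did not complete within N: increment M, recalculate N and close.
        # Assumption: the expired timeout stands in for the RTT sample that never
        # arrived, so repeated timeouts push N up (bounded by max_timeout).
        exceeded = self._count_up(addr)
        self._recalculate_timeout(addr, n)
        return "denied" if exceeded else "closed"


if __name__ == "__main__":
    guard = HandshakeGuard()
    # Constructed sample traffic: one prompt client, one that never finishes the handshake.
    print(guard.on_connect("192.0.2.10"), guard.on_negotiation_result("192.0.2.10", 0.5))
    for _ in range(3):
        print(guard.on_connect("192.0.2.99"), guard.on_negotiation_result("192.0.2.99", 9.0))
```

With the defaults above, a client that completes its handshake in 0.5 s sees its timeout fall from the 2.0 s starting value toward the 1.0 s floor, while a client that never completes is closed once, has its timeout doubled, and is placed on the ADL on its next connection request.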