Method and apparatus for protecting a web server against vandals attacks without restricting legitimate access

US 7,007,169 B2
Filed: 04/04/2001
Issued: 02/28/2006
Est. Priority Date: 04/04/2001
Status: Active Grant

First Claim

Patent Images

1. A method for improving the operation of equipment used to protect a web server against attack, comprising the acts of:

reading a source address of a message received during an attack;

checking a database of privileged source addresses; and

instructing protective equipment for a web server to pass the received message to the web server, regardless of an ongoing attack, when the source address of the received message matches an address contained in the database of privileged source addresses;

when the source address of the received message does not appear in the database of privileged source addresses, checking a database of blocked source addresses; and

when the source address of the received message does not appear in the database of blocked source addresses, adding the source address of the received message to the database of blocked source addresses.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An intrusion detection security system (IDSS) guards a server against vandals'"'"' attacks such as denial of service, distributed denial of service, and common gateway interface attacks. An incoming source address is compared with the contents of a database of privileged addresses. If the incoming address is present in the database, the IDSS instructs protective equipment such as a firewall or router to allow the incoming message to pass to the web server despite any ongoing attack, thus allowing messages from customers or suppliers, for example, through. Otherwise, the IDSS checks a database of blocked addresses. When the incoming address is absent, the IDSS writes the address to the database of blocked addresses and instructs the protective equipment to block subsequent messages from the incoming address.

25 Citations

View as Search Results

10 Claims

1. A method for improving the operation of equipment used to protect a web server against attack, comprising the acts of:
- reading a source address of a message received during an attack;
  
  checking a database of privileged source addresses; and
  
  instructing protective equipment for a web server to pass the received message to the web server, regardless of an ongoing attack, when the source address of the received message matches an address contained in the database of privileged source addresses;
  
  when the source address of the received message does not appear in the database of privileged source addresses, checking a database of blocked source addresses; and
  
  when the source address of the received message does not appear in the database of blocked source addresses, adding the source address of the received message to the database of blocked source addresses.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the database of privileged source addresses includes a source address of a customer known to the web server.
  - 3. The method of claim 1, wherein the database of privileged source addresses includes a source address of a user known to the web server.

4. A method for improving the operation of equipment used to protect a web server against attack by a vandal, comprising the acts of:
- reading a source address of a message received during an attack;
  
  checking a database of privileged source addresses for appearance of the source address of the received message;
  
  when the source address of the received message appears in the database of privileged source addresses, instructing protective equipment to pass the received message to a web server;
  
  when the source address of the received message does not appear in the database of privileged source addresses, checking a database of blocked source addresses for appearance of the source address of the received message; and
  
  when the source address of the received message does not appear in the database of blocked source addresses, adding the source address of the received message to the database of blocked source addresses and instructing the protective equipment to block the received message and to block subsequent messages that bear the source address of the received message.

5. Protective equipment for guarding a web server against attack, comprising:
- an address decoder for reading a source address of a message received during an attack;
  
  a database of privileged source addresses;
  
  a database of blocked source addresses; and
  
  logic for instructing protective equipment for a web server to pass the message received during the attack to the web server when the source address of the message received during the attack matches a privileged source address contained in the database of privileged source addresses, regardless of an ongoing attack;
  
  when the source address of the received message does not appear in the database of privileged source addresses, checking the database of blocked source addresses; and
  
  when the source address of the received message does not appear in the database of blocked source addresses, adding the source address of the received message to the database of blocked source addresses.
- View Dependent Claims (6, 7)
- - 6. The protective equipment as set forth in claim 5, wherein the database of privileged source addresses includes a source address of a customer known to access the web server.
  - 7. The protective equipment as set forth in claim 5, wherein the database of privileged source addresses includes a source address of a known user of the web server.

8. Protective equipment for guarding a web server against attack, comprising:
- an address decoder for reading a source address of a message received during an attack;
  
  a database of privileged source addresses, which passes a packet containing a privileged source address to the web server regardless of an ongoing attack;
  
  a database of blocked source addresses; and
  
  logic for checking the database of privileged source addresses and the database of blocked source addresses for appearance of the source address of the message received during the attack and, responsive to the appearance, instructing protective equipment to block incoming messages that bear the source address of the message received during the attack;
  
  when the source address of the received message does not appear in the database of privileged source addresses, checking the database of blocked source addresses; and
  
  when the source address of the received message does not appear in the database of blocked source addresses, adding the source address of the received message to the database of blocked source addresses.

9. Protective equipment for guarding a web server against attack, comprising:
- an address decoder for reading a source address of a message received during an attack;
  
  a database of privileged source addresses;
  
  a database of blocked source addresses; and
  
  logic for;
  
  checking the database of privileged source addresses for appearance of the source address of the received message;
  
  when the source address of the received message appears in the database of privileged source addresses, instructing protective equipment to pass the received message to a web server, regardless of an ongoing attack;
  
  when the source address of the received message does not appear in the database of privileged source addresses, checking the database of blocked source addresses for appearance of the source address of the received message; and
  
  when the source address of the received message does not appear in the database of blocked source addresses, adding the source address of the received message to the database of blocked source addresses and instructing the protective equipment to block the received message and to block subsequent messages that bear the source address of the received message.

10. A method for improving the operation of equipment used to protect a web server against attack, comprising the acts of:
- reading a source address of a message received during an attack;
  
  checking a database of privileged source addresses;
  
  instructing protective equipment for a web server to pass the received message to the web server, regardless of an ongoing attack, when the source address of the received message matches an address contained in the database of privileged source addresses;
  
  detecting cessation of the attack;
  
  removing one or more source addresses used by an attacker from a database of blocked source addresses; and
  
  unblocking the one or more source addresses just removed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Lingafelt, Charles Steven, McKenna, John Joseph, Sisk, Robert Barry
Primary Examiner(s)
Zand, Kambiz

Application Number

US09/826,046
Publication Number

US 20020147925A1
Time in Patent Office

1,791 Days
Field of Search

713152-154, 713/188, 713/201, 713/163, 713/193, 713/200, 713/202, 380/250, 380/1, 709223-225, 709/229, 709/240, 714/38, 714/763, 705/18, 708/135, 710/36
US Class Current

713/188
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/35   involving non-standard use ...

H04L 63/101   Access control lists [ACL]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Method and apparatus for protecting a web server against vandals attacks without restricting legitimate access

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for protecting a web server against vandals attacks without restricting legitimate access

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links