Method and system for overcoming denial of service attacks
Abstract
A system for handling denial of service attacks on behalf of a shared network resource. A request processing component deployed within a network, the request processing component having an interface configured to receive requests on behalf of the shared network resource. A rate control component coupled to the request processing component, the rate control component comprising program and data structures operable to selectively forward received requests to the shared network resource at a rate selected to prevent the shared network resource from crashing or becoming undesirably busy. Preferably, the system includes a denial of service attack detection component coupled to the request processing component and the rate control component and operable to monitor request metrics from the request processing component and provide configuration information to the rate control component.
15 Claims
1. A security service for a shared network server comprising:
providing a network and a shared network server coupled to the network, the shared network server having a fixed quantity of resources for responding to network requests;
providing a constellation of front-end servers within the network;
using the front-end servers to receive requests destined for the shared network server;
forwarding the received requests from the front-end servers to the shared network server at a governed rate;
coupling a management server to each of the front-end servers;
communicating metrics between the front-end servers and the management server;
using the metrics to detect a denial of service attack targeted at the shared network server;
using the metrics to determine configuration parameters for the front-end servers; and
communicating the configuration parameters from the management server to the front-end servers.
5. A system for handling denial of service attacks on behalf of a shared network resource, the system comprising:
a request processing component deployed within a network, the request processing component having an interface configured to receive requests on behalf of the shared network server;
a rate control component coupled to the request processing component, the rate control component comprising program and data structures operable to selectively forward received requests to the shared network server at a rate selected to prevent the shared network server from crashing or becoming undesirably busy; and
a DoS attack detection component coupled to the request processing component and the rate control component and operable to monitor request metrics from the request processing component and provide configuration information to the rate control component,
wherein the rate control component comprises mechanisms for preferentially forwarding requests not related to the DoS attack in favor of requests related to the DoS attack to the shared network resource.
9. A system for handling denial of service attacks on behalf of a shared network resource, the system comprising:
a request processing component deployed within a network, the request processing component having an interface configured to receive requests on behalf of the shared network server;
a rate control component coupled to the request processing component, the rate control component comprising program and data structures operable to selectively forward received requests to the shared network server at a rate selected to prevent the shared network server from crashing or becoming undesirably busy;
a plurality of front-end servers deployed throughout a network, wherein the front-end servers are configured to implement the request processing component and the rate control component;
a management server coupled to each of the front-end servers, the management server including mechanisms to send configuration information to the front-end servers, and receive request processing metrics from the request processing component;
a back-end server coupled to receive the forwarded requests from the front-end servers; and
a rate governor within the back-end server for selectively forwarding received requests to the shared network resource at a rate selected to prevent the shared network resource from crashing or becoming undesirably busy.
10. A method for mitigating a denial of service attack comprising the acts of:
providing a shared network resource coupled to a public network and receiving requests from the public network;
providing a plurality of front-end servers, each having a unique network address and coupled to the shared network resource;
assigning a plurality of front-end servers to the shared network resource, wherein the aggregate request processing capacity of the assigned front-end servers is greater than the request handling capacity of the shared network resource;
causing requests for the shared network resource to be redirected through one of the front-end servers; and
forwarding the requests from the front-end server to the shared network resource at a rate selected to inhibit a likelihood of a crash or an undesirable level of busyness;
detecting a condition in which the number of requests is greater than the request capacity of the shared network resource; and
generating a response to the requests from the front-end servers instead of forwarding the requests to the shared network resource,
wherein the act of detecting comprises distinguishing requests associated with a DoS attack from legitimate requests and the step of generating a response comprises generating a response only to requests associated with the DoS attack while forwarding legitimate requests to the shared network resource.
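The following Python model is an added illustration of the architecture the claims describe, not code from the patent or its assignee: front-end servers classify and forward requests at a governed rate, answering attack-related requests themselves, while a management server turns their metrics into new configuration. The back-end capacity, the per-source threshold used to tell attack traffic from legitimate traffic, and the client addresses are all assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass

BACKEND_CAPACITY = 10   # assumed: requests per interval the shared server can absorb

@dataclass(frozen=True)
class Request:
    src: str    # requesting network address (constructed sample values in simulate())
    path: str

class FrontEnd:
    """Front-end server: receives requests destined for the shared server, forwards at a governed rate."""
    def __init__(self, forward_rate: int, src_limit: int):
        self.forward_rate = forward_rate   # configuration parameter set by the management server
        self.src_limit = src_limit         # per-source requests/interval above which a source is suspect
    def process(self, requests):
        """Handle one interval of requests; legitimate ones are forwarded preferentially."""
        per_src = Counter(r.src for r in requests)
        legit = [r for r in requests if per_src[r.src] <= self.src_limit]
        suspect = [r for r in requests if per_src[r.src] > self.src_limit]
        n_legit = min(len(legit), self.forward_rate)
        n_suspect = min(len(suspect), self.forward_rate - n_legit)
        return {
            "forwarded": legit[:n_legit] + suspect[:n_suspect],  # sent on to the shared server
            "answered": suspect[n_suspect:],   # attack-related: the front end responds itself
            "deferred": legit[n_legit:],       # legitimate overflow held for the next interval
            "metrics": {"received": len(requests), "suspect": len(suspect),
                        "peak_src": max(per_src.values(), default=0)},
        }

class ManagementServer:
    """Collects metrics from every front end, detects an attack, pushes new configuration."""
    def __init__(self, front_ends):
        self.front_ends = front_ends
    def update(self, all_metrics) -> bool:
        received = sum(m["received"] for m in all_metrics)
        attack = received > BACKEND_CAPACITY           # offered load exceeds the fixed resources
        per_fe = max(1, BACKEND_CAPACITY // len(self.front_ends))  # governed rate per front end
        for fe in self.front_ends:
            fe.forward_rate = per_fe
            fe.src_limit = 2 if attack else 20         # tighten classification while under attack
        return attack

def simulate():
    fes = [FrontEnd(forward_rate=10, src_limit=20), FrontEnd(forward_rate=10, src_limit=20)]
    mgmt = ManagementServer(fes)
    # constructed traffic per front end: four ordinary clients plus one flooding source
    traffic = [Request(f"10.0.0.{i}", "/index") for i in range(1, 5)]
    traffic += [Request("203.0.113.9", "/search")] * 30
    round1 = [fe.process(traffic) for fe in fes]       # before the management server reacts
    attack = mgmt.update([r["metrics"] for r in round1])
    round2 = [fe.process(traffic) for fe in fes]       # after the new configuration is pushed
    return attack, round1, round2
```

After the update the two front ends together forward exactly BACKEND_CAPACITY requests per interval, all four legitimate clients still get through, and the flood is answered at the edge.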
Specification