System and method for the detection of and reaction to denial of service attacks

US 7,107,619 B2
Filed: 08/31/2001
Issued: 09/12/2006
Est. Priority Date: 08/31/2001
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for detecting denial of service attacks, comprising the steps of:

issuing a bit encoded login challenge composed of human viewable images not composed of machine readable text in response to a login request to said computer from a requester of services; and

responsive to an incorrect response to said challenge, said computer placing said requester in a state of limited service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Challenge-response and probative methods together or independent of each other enable detection of devices participating in denial of service (DOS) and distributed DOS (DDOS) attacks upon a network resource, and upon identification of devices participating in attacks, minimize the effect of the attack and/or minimize the ability of the device to continue its attack by placing the attacking devices in a state of reduced or denied service.

Citations

28 Claims

1. A computer implemented method for detecting denial of service attacks, comprising the steps of:
- issuing a bit encoded login challenge composed of human viewable images not composed of machine readable text in response to a login request to said computer from a requester of services; and
  
  responsive to an incorrect response to said challenge, said computer placing said requester in a state of limited service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer implemented method of claim 1, further comprising the steps of:
    - filtering out to said state of limited service iterative connection requests from a network address of a hacker device.
  - 3. The computer implemented method of claim 1, further comprising the step of:
    - responsive to speed, latency and average queuing network delay of connection requests, detecting and placing in a state of limited service repetitive login requests from a hacker device.
  - 4. The computer implemented method of claim 3, further comprising the steps of:
    - determining from said speed, latency and average queuing network delay a time-out value; and
      
      detecting as a request from a hacker device a request that does not complete within said time-out value.
  - 5. The computer implemented method of claim 1, further comprising the steps of:
    - issuing further challenges to subsequent requests for service from said requester and selectively responding to successful responses by continuing service at the same or improved level and to unsuccessful responses by further reduction or complete denial of service.
  - 6. The computer implemented method of claim 1, further comprising the steps of:
    - periodically issuing said challenges throughout connection to a requester successfully responding.
  - 7. The computer implemented method of claim 1, comprising the step of issuing said bit-mapped challenge as logon image from which a user must select or enter a response.
  - 8. The computer implemented method of claim 7, further comprising the step of occasionally shifting the input area for a valid response to said challenge.
  - 9. The computer implemented method of claim 1, further comprising the step of slowing acceptance from and response to systems in a degraded service category.
  - 10. The computer implemented method of claim 1, further comprising the step of counterattacking by executing a denial of service response to attacking systems.

11. A computer implemented method for detecting denial of service attacks, comprising the steps of:
- executing a bit-encoded challenge and response login procedure and a network probing test frame transmission and analysis procedure to detect a hacker denial of service attack, said bit-encoded challenge comprising human viewable images not composed of machine readable text;
  
  said network probing test frame transmission and analysis procedure including defining a signature of discrete speed, streaming speed, and latency of the connecting device failing said bit-encoded challenge-response login procedure, and adding said signature to a router based filter for filtering out login requests from said hacker responsive to said signature; and
  
  responsive to detecting said denial of service attack,placing said hacker in a lower level of service state.

12. A computer implemented method for detecting denial of service attacks, comprising the steps of:
- selecting sending and receiving probative test packets through a network;
  
  responsive to said packets, determining network evaluation parameters for said network;
  
  responsive to said network evaluation parameters, determining presence of network denial of service attacks, said network evaluation parameters including response time and throughput characteristics of said network, said throughput characteristics including capacity, utilization, and performance; and
  
  executing a bit-encoded challenge and response procedure to discourage and repel said attacks, said bit-encoded challenge comprising humanviewable images not composed of machine readable text.
- View Dependent Claims (13, 14)
- - 13. The computer implemented method of claim 12, further comprising the steps of:
    - determining a latency and speed fingerprint of an offending device;
      
      responsive to said fingerprint, operating a router filtering system to reject packets from said offending device.
  - 14. The computer implemented method of claim 13, said fingerprint comprising a rhythm of transmissions of discrete, burst, and stream packets.

15. A computer implemented probative test and analysis method for detecting and responding to denial of service attacks on a network resource, comprising the steps of:
- creating a template of attack patterns;
  
  determining historical, current, and predicted states of said network for each of a plurality of types of network traffic;
  
  responsive to said attack patterns, determining if a spike in network traffic is a distributed denial of service attack and, if so, determining its source; and
  
  denying full service to sources associated with said service attack.
- View Dependent Claims (16)
- - 16. The computer implemented method of claim 15, further comprising the steps of:
    - determining unique speed and latency network attachment characteristics of devices attempting to connect to said network resource; and
      
      responsive to detection of an abusive behavior from a said device, responding to subsequent requests for service from said device by denying said full service to said device.

17. A computer program product for detecting denial of service attacks, comprising:
- a computer readable medium;
  
  first program instructions to issue a bit encoded login challenge comprising human viewable images not composed of machine readable text in response to a login request from a requester of services;
  
  second program instructions, responsive to an incorrect response to said challenge, to place said requester in a state of limited service; and
  
  whereinsaid first and second program instructions are recorded on said computer readable medium.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 18. The computer program product of claim 17, further comprising:
    - third program instructions for filtering out to said state of limited service iterative connection requests from a network address of a hacker device; and
      
      whereinsaid third program instructions are recorded on said computer readable medium.
  - 19. The computer program product of claim 17, further comprising:
    - third program instructions, responsive to speed, latency and average queuing network delay of connection requests, for detecting and placing in a state of limited service repetitive login requests from a hacker device; and
      
      whereinsaid third program instructions are recorded on said computer readable medium.
  - 20. The computer program product of claim 17, further comprising:
    - third program instructions for determining from said speed, latency and average queuing network delay a time-out value;
      
      fourth program instructions for detecting as a request from a hacker device a request that does not completewithin said time-out value; and
      
      whereinsaid third and fourth program instructions are recorded on said computer readable medium.
  - 21. The computer program product of claim 17, further comprising:
    - third program instructions for issuing further challenges to subsequent requests for service from said requester and selectively responding to successful responses by continuing service at the same or improved level and to unsuccessful responses by further reduction or complete denial of service; and
      
      whereinsaid third program instructions are recorded on said computer readable medium.
  - 22. The computer program product of claim 17, further comprising:
    - third program instructions for periodically issuing said challenges throughout connection to a requester successfully responding; and
      
      whereinsaid third program instructions are recorded on said computer readable medium.
  - 23. The computer program product of claim 17, further comprisingthird program instructions for issuing said bit-mapped challenge as logon image from which a user must select or enter a response;
    - and whereinsaid third program instructions are recorded on said computer readable medium.
  - 24. The computer program product of claim 23, further comprisingfourth program instructions for occasionally shifting the input area for a valid response to said challenge;
    - and whereinsaid fourth program instructions are recorded on said computer readable medium.
  - 25. The computer program product of claim 17, further comprisingthird program instructions for slowing acceptance from and response to systems in a degraded service category;
    - and whereinsaid third program instructions are recorded on said computer readable medium.
  - 26. The computer program product of claim 17, further comprisingthird program instructions for counterattacking by executing a denial of service response to attacking systems;
    - and whereinsaid third program instructions are recorded on said computer readable medium.

27. A computer program product for detecting denial of service attacks, comprising:
- a computer readable medium;
  
  first program instructions for executing a networkprobing test frame transmission and analysis procedure including requiring response of a user to presentation of human viewable images not composed of machine readable text to detect a hacker denial of service attack;
  
  second program instructions, responsive to detecting a denial of service attack, for placing said hacker in a state of lower level of service; and
  
  whereinsaid first and second program instructions are recorded on said computer readable medium.

28. A computer program product for detecting denial of service attacks, comprising:
- a computer readable mediumfirst program instructions to selectively send and receive probative test packets through a network;
  
  second program instructions, responsive to said packets, to determine network evaluation parameters for said network;
  
  third program instructions, responsive to said network evaluation parameters, to determine presence of network denial of service attacks, said network evaluation parameters including response time and throughput characteristics of said network, said throughput characteristics including capacity, utilization, and performance;
  
  fourth program instructions to execute a bit-encoded challenge and response procedure to discourage and repel said attacks, said bit-encoded challenge comprising human viewable images not composed of machine readable text; and
  
  whereinsaid first, second, third, and fourth program instructions are recorded on said computer readable medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Silverman, Robert M.
Primary Examiner(s)
JUNG, DAVID YIUK

Application Number

US09/945,172
Publication Number

US 20030046577A1
Time in Patent Office

1,838 Days
Field of Search

713200-202, 726/3, 726/27, 726/22, 726/23
US Class Current

726/27
CPC Class Codes

H04L 41/12 Discovery or management of ...

System and method for the detection of and reaction to denial of service attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for the detection of and reaction to denial of service attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links