Method and apparatus for protecting web sites from distributed denial-of-service attacks
First Claim
1. A method of preventing denial of service attacks against a subscribing site, the method comprising:
at or near a point of ingress of a packet into the Internet, determining whether a packet's destination is the subscribing site or the packet belongs to a connection to the subscribing site, the subscribing site being a site whose connections the point of ingress has agreed to monitor for conformance to congestion avoidance rules that limit a packet sender's transmission rate according to dynamic route properties;
verifying whether the packet belongs to a connection that conforms to such congestion avoidance rules; and
when the packet's destination is determined to be the subscribing site or is determined to belong to a connection to the subscribing site, and the packet is verified as belonging to a connection that conforms to such congestion avoidance rules and the number of connections between the packet's source and destination is below a maximum allowed by the subscribing site, marking the packet for forwarding in a first class of service that is distinct from any other class of service used for forwarding other packets; and
when the packet does not qualify for the first class of service, marking the packet for forwarding in one of one or more classes of service that are different than the first class of service.
Abstract
An Internet Service Provider (ISP), in consideration of being remunerated in some manner by a site, determines whether packets destined to that site conform to a profile provided to the ISP by that site. The profile indicates, for example, what protocols are allowed by the server, and, for each such protocol, what destination port numbers or message types are allowed, a maximum transmission rate, the maximum number of connections a client may have, and whether to enforce congestion avoidance. This server profile enforcement (SPE) automatically thwarts denial of service attacks from attackers that send packets to the subscribing server from that ISP using connections or packet characteristics that do not conform to the acceptable characteristics specified in the profile. SPE is generally performed by an SPE unit, which can be incorporated in the access gateways of an ISP that supports the service. Packets may also be forwarded in multiple classes of service depending upon the type of traffic from which they originate. Multiple classes of service allow the method to be effective even if deployed only by select ISPs.
7 Claims
1. (Reproduced in full under First Claim above.) - View Dependent Claims (2, 3, 4, 5, 6)
7. A computer readable media tangibly embodying a program of instructions executable by a computer to perform a method at or near a point of ingress of a packet into the Internet that protects against denial of service attacks against a subscribing site, the method comprising the steps of:
determining whether the packet's destination is the subscribing site or the packet belongs to a connection to the subscribing site, the subscribing site being a site whose connections the point of ingress has agreed to monitor for conformance to congestion avoidance rules that limit a packet sender's transmission rate according to dynamic route properties; verifying whether the packet belongs to a connection that conforms to such congestion avoidance rules; and when the packet's destination is determined to be the subscribing site or is determined to belong to a connection to the subscribing site, and the packet is verified as belonging to a connection that conforms to such congestion avoidance rules and the number of connections between the packet's source and destination is below a maximum allowed by the subscribing site, marking the packet for forwarding in a first class of service that is distinct from any other class of service used for forwarding other packets; and when the packet does not qualify for the first class of service, marking the packet for forwarding in one of one or more classes of service that are different than the first class of service.
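The profile checks described in the abstract and the two-class marking decision of claims 1 and 7, as an added illustrative model that is not part of the patent and not any ISP's implementation: the profile values, addresses and packet dictionaries are constructed, the per-source transmission-rate limit is modelled as a token bucket, and the claims' verification of TCP congestion-avoidance conformance is not modelled.

```python
from collections import defaultdict

# Constructed profile for a hypothetical subscribing site (illustrative, not from the patent).
PROFILE = {
    "site": "203.0.113.10",                       # documentation address, constructed
    "allowed": {"tcp": {80, 443}, "udp": {53}},   # protocol -> allowed destination ports
    "max_rate_pps": 5,                            # per-source packets/second (token bucket)
    "max_conns": 2,                               # per-source simultaneous connections
}
PRIORITY, BEST_EFFORT = "priority", "best-effort"  # the two distinct classes of service

class SPEUnit:
    """Server profile enforcement at an ISP access gateway (simplified model)."""
    def __init__(self, profile):
        self.p = profile
        self.flows = defaultdict(set)   # src -> set of (proto, sport, dport) admitted so far
        self.bucket = {}                # src -> (tokens, last_seen) for the rate limit
    def _within_rate(self, src, now):
        rate = self.p["max_rate_pps"]
        tokens, last = self.bucket.get(src, (rate, now))
        tokens = min(rate, tokens + (now - last) * rate)   # refill since the last packet
        self.bucket[src] = (tokens - 1 if tokens >= 1 else tokens, now)
        return tokens >= 1
    def classify(self, pkt, now):
        """Return the class of service to mark, or None if the destination is not subscribed."""
        if pkt["dst"] != self.p["site"]:
            return None                   # not a subscribing site: forwarded untouched
        ports = self.p["allowed"].get(pkt["proto"])
        if ports is None or pkt["dport"] not in ports:
            return BEST_EFFORT            # protocol or port not in the profile
        flow = (pkt["proto"], pkt["sport"], pkt["dport"])
        open_flows = self.flows[pkt["src"]]
        if flow not in open_flows:
            if len(open_flows) >= self.p["max_conns"]:
                return BEST_EFFORT        # this source already holds its connection quota
            open_flows.add(flow)
        if not self._within_rate(pkt["src"], now):
            return BEST_EFFORT            # exceeds the profile's transmission rate
        return PRIORITY

def demo():
    spe, site = SPEUnit(PROFILE), PROFILE["site"]
    def pkt(src, proto, sport, dport, dst=site):   # constructed packet header
        return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}
    client, bot = "198.51.100.7", "198.51.100.99"
    marks = [spe.classify(pkt(client, "tcp", 40000, 443), 0.0),              # priority
             spe.classify(pkt(client, "tcp", 40001, 22), 0.0),               # best-effort: port
             spe.classify(pkt(client, "tcp", 40002, 80, "192.0.2.1"), 0.0),  # None: other site
             spe.classify(pkt(client, "tcp", 40003, 80), 0.0),               # priority: 2nd conn
             spe.classify(pkt(client, "tcp", 40004, 443), 0.0)]              # best-effort: 3rd conn
    marks += [spe.classify(pkt(bot, "udp", 5000, 53), 0.0) for _ in range(8)]  # flood on one flow
    return marks
```

Nonconforming packets are never dropped here, only demoted to the best-effort class, which is what lets the scheme stay useful when only some ISPs deploy it.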