Method and apparatus for protecting web sites from distributed denial-of-service attacks

US 7,207,062 B2
Filed: 06/19/2002
Issued: 04/17/2007
Est. Priority Date: 08/16/2001
Status: Active Grant

First Claim

Patent Images

1. A method of preventing denial of service attacks against a subscribing site, the method comprising:

at or near a point of ingress of a packet into the Internet, determining whether a packet'"'"'s destination is the subscribing site or the packet belongs to a connection to the subscribing site, the subscribing site being a site whose connections the point of ingress has agreed to monitor for conformance to congestion avoidance rules that limit a packet sender'"'"'s transmission rate according to dynamic route properties;

verifying whether the packet belongs to a connection that conforms to such congestion avoidance rules; and

when the packet'"'"'s destination is determined to be the subscribing site or is determined to belong to a connection to the subscribing site, and the packet is verified as belonging to a connection that conforms to such congestion avoidance rules and that the number of connections between the packet'"'"'s source and destination is below a maximum allowed by the subscribing site, marking the packet for forwarding in a first of service that is distinct from any other class of service used for forwarding other packets; and

when the packet does not qualify for the first class of service, marking the packet for forwarding in one of one or more classes of service that are different than the first class of service.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An Internet Service Provider (ISP), in consideration of being remunerated in some manner by a site, determines whether packets destined to that site conform to a profile provided to the ISP by that site. The profile, indicates, for example, what protocols are allowed by the server, and, for each such protocol, what destination port numbers or message types are allowed, a maximum transmission rate, the maximum number of allowed connections a client may have, and whether to enforce congestion-avoidance. This server profile enforcement (SPE) automatically thwarts denial of service attacks from attackers that send packets to the subscribing server from that ISP using connections or having packet characteristics that do not conform to the acceptable characteristics specified in the profile. SPE is generally performed by an SPE unit, which can be incorporated in the access gateways of an ISP that supports the service. Packets may also be forwarded in multiple classes of service depending upon the type of traffic from which they originate. Multiple classes of service allow the method to be effective even if deployed only by select ISPs.

Citations

7 Claims

1. A method of preventing denial of service attacks against a subscribing site, the method comprising:
- at or near a point of ingress of a packet into the Internet, determining whether a packet'"'"'s destination is the subscribing site or the packet belongs to a connection to the subscribing site, the subscribing site being a site whose connections the point of ingress has agreed to monitor for conformance to congestion avoidance rules that limit a packet sender'"'"'s transmission rate according to dynamic route properties;
  
  verifying whether the packet belongs to a connection that conforms to such congestion avoidance rules; and
  
  when the packet'"'"'s destination is determined to be the subscribing site or is determined to belong to a connection to the subscribing site, and the packet is verified as belonging to a connection that conforms to such congestion avoidance rules and that the number of connections between the packet'"'"'s source and destination is below a maximum allowed by the subscribing site, marking the packet for forwarding in a first of service that is distinct from any other class of service used for forwarding other packets; and
  
  when the packet does not qualify for the first class of service, marking the packet for forwarding in one of one or more classes of service that are different than the first class of service.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the method is performed by an Internet Service Provider (ISP) and the subscribing site remunerates the ISP for performing the method on packets destined to it.
  - 3. The method of claim 1 further comprising:
    - marking for forwarding a packet in a second class of service when the packet does not qualify for the first class of service but is destined to the subscribing site and is verified as conforming to such congestion avoidance rules; and
      
      marking for forwarding a packet in a third class of service when the packet does not qualify for the first or second classes of service.
  - 4. The method of claim 3 wherein the first, second, and third classes of service are ranked from highest to lowest in this order such that load on a given class of service has limited effect on the performance of packets sent in higher ranked classes of service.
  - 5. The method of claim 4 wherein a higher ranked class of service has a higher priority for use of network resources than does a lower ranked class of service.
  - 6. The method of claim 4 wherein each of class of service has a proportional share of network resources.

7. A computer readable media tangibly embodying a program of instructions executable by a computer to perform a method at or near a point of ingress of a packet into the Internet that protects against denial of service attacks against a subscribing site, the method comprising the steps of:
- determining whether the packet'"'"'s destination is the subscribing site or the packet belongs to a connection to the subscribing site, the subscribing site being a site whose connections the point of ingress has agreed to monitor for conformance to congestion avoidance rules that limit a packet sender'"'"'s transmission rate according to dynamic route properties;
  
  verifying whether the packet belongs to a connection that conforms to such congestion avoidance rules; and
  
  when the packet'"'"'s destination is determined to be the subscribing site or is determined to belong to a connection to the subscribing site, and the packet is verified as belonging to a connection that conforms to such congestion avoidance rules and that the number of connections between the packet'"'"'s source and destination is below a maximum allowed by the subscribing site, marking the packet for forwarding in first class of service that is distinct from any other class of service used for forwarding other packets; and
  
  when the packet does not qualify for the first class of service, marking the packet for forwarding in one of one or more classes of service that are different than the first class of service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS France SAS (Thales SA)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Brustoloni, Jose' C
Primary Examiner(s)
Sheikh; Avaz
Assistant Examiner(s)
Chai; Longbit

Application Number

US10/175,458
Publication Number

US 20030035370A1
Time in Patent Office

1,763 Days
Field of Search

726 11- 13, 713151-154, 709220-223, 370229-232
US Class Current

726/13
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/12   Avoiding congestion; Recove...

H04L 47/20   Traffic policing

H04L 47/31   by tagging of packets, e.g....

H04L 47/32   by discarding or delaying d...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

H04L 67/61   taking into account QoS or ...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Method and apparatus for protecting web sites from distributed denial-of-service attacks

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for protecting web sites from distributed denial-of-service attacks

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links