Peer-to-peer name resolution protocol (PNRP) security infrastructure and method
First Claim
1. A method of inhibiting denial of service attacks based on consumption of processor capacity at a node in a peer-to-peer network, comprising:
- receiving a potentially malicious message at the node in the peer-to-peer network;
wherein the potentially malicious message comprises a RESOLVE message, the RESOLVE message comprising at least one message field;
examining processor capacity at the node; and
rejecting processing of the potentially malicious RESOLVE message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is above a predetermined level, wherein rejecting processing of the potentially malicious RESOLVE message comprises sending an AUTHORITY message, the AUTHORITY message containing an indication that the potentially malicious RESOLVE message will not be processed because the consumption of processor capacity at the node is above the predetermined level; and
accepting processing of the RESOLVE message when examining the node processor capacity indicates that the consumption of processor capacity at the node is below the predetermined level, and processing the RESOLVE message at the node.
1 Assignment
0 Petitions
Accused Products
Abstract
A security infrastructure and methods are presented that inhibit the ability of a malicious node from disrupting the normal operations of a peer-to-peer network. The methods of the invention allow both secure and insecure identities to be used by nodes by making them self-verifying. When necessary or opportunistic, ID ownership is validated by piggybacking the validation on existing messages. The probability of connecting initially to a malicious node is reduced by randomly selecting to which node to connect. Further, information from malicious nodes is identified and can be disregarded by maintaining information about prior communications that will require a future response. Denial of service attacks are inhibited by allowing the node to disregard requests when its resource utilization exceeds a predetermined limit. The ability for a malicious node to remove a valid node is reduced by requiring that revocation certificates be signed by the node to be removed.
-
Citations
12 Claims
-
1. A method of inhibiting denial of service attacks based on consumption of processor capacity at a node in a peer-to-peer network, comprising:
-
receiving a potentially malicious message at the node in the peer-to-peer network; wherein the potentially malicious message comprises a RESOLVE message, the RESOLVE message comprising at least one message field; examining processor capacity at the node; and rejecting processing of the potentially malicious RESOLVE message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is above a predetermined level, wherein rejecting processing of the potentially malicious RESOLVE message comprises sending an AUTHORITY message, the AUTHORITY message containing an indication that the potentially malicious RESOLVE message will not be processed because the consumption of processor capacity at the node is above the predetermined level; and accepting processing of the RESOLVE message when examining the node processor capacity indicates that the consumption of processor capacity at the node is below the predetermined level, and processing the RESOLVE message at the node. - View Dependent Claims (2, 3)
-
-
4. A computer-readable storage medium having computer-executable instructions for inhibiting denial of service attacks based on consumption of processor capacity at a node in a peer-to-peer network, the computer-executable instructions comprising instructions for:
-
receiving a potentially malicious message at the node in the peer-to-peer network; wherein the potentially malicious message comprises a RESOLVE message, the RESOLVE message comprising at least one message field;
examining processor capacity at the node;
rejecting processing of the potentially malicious message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is above a predetermined level, wherein rejecting processing of the potentially malicious message comprises sending an AUTHORITY message, the AUTHORITY message containing an indication that the potentially malicious message will not be processed because the consumption of processor capacity at the node is above the predetermined level; andaccepting processing of the RESOLVE message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is below the predetermined level. - View Dependent Claims (5, 6, 7, 8)
-
-
9. A method of inhibiting denial of service attacks based on consumption of processor capacity at a node in a peer-to-peer network, comprising:
-
receiving a potentially malicious message at the node in the peer-to-peer network; wherein the message is a FLOOD message, the FLOOD message containing a peer address certificate (PAC); determining that the PAC should be stored in a cache at the node;
examining processor capacity at the node; and
rejecting processing of the potentially malicious message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is above a predetermined level, wherein rejecting processing of the potentially malicious message comprises sending an AUTHORITY message, the AUTHORITY message containing an indication that the potentially malicious message will not be processed because the consumption of processor capacity at the node is above the predetermined level. - View Dependent Claims (10, 11, 12)
-
Specification