Method and apparatus for trust-based, fine-grained rate limiting of network requests
First Claim
1. A method of limiting unauthorized network requests, comprising the steps of:
identifying entities legitimately entitled to service, wherein an entity comprises a user id-client pair, said user id-client pair comprising an individual user-machine combination;
establishing said identified entities as trusted entities by, during a first session, issuing a trust token for each entity successfully authenticating to said network service, said trust token comprising a data object that includes a client identifier, said client identifier comprising at least one client-originated item of data that uniquely identifies the client machine, wherein said user ID-client pair represents a unique entity;
storing said issued trust token on said client machine;
in sessions subsequent to said first session, transmitting with a network request from a trusted entity said stored issued trust token along with said user ID, authentication credentials, and client identifier from said client machine to said network service;
processing said request from said trusted entity according to a first policy; and
responsive to a determination that a request is from an untrusted entity, said untrusted entity comprising an entity lacking a valid trust token;
processing said request from said untrusted entity according to at least a second policy;
wherein processing a request according to at least a second policy comprises adding a specified amount of incremental response latency when processing requests from untrusted entities.
Abstract
A method and apparatus for fine-grained, trust-based rate limiting of network requests distinguishes trusted network traffic from untrusted network traffic at the granularity of an individual user/machine combination, so that network traffic policing measures can be applied to untrusted and potentially hostile traffic without compromising service to trusted users. A server establishes a user/client pair as trusted by issuing a trust token to the client when that pair successfully authenticates to the server for the first time. In subsequent sessions, the client presents the trust token at login. At the server, rate policies apportion bandwidth according to the type of traffic: network requests that include a valid trust token are granted the highest priority, and the rate policies further specify the bandwidth restrictions imposed on untrusted network traffic. This scheme lets the server throttle untrusted password-guessing requests from crackers without penalizing most friendly logins, and only slightly penalizing the relatively few friendly logins that are untrusted (for example, a legitimate user logging in from a new machine).
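The following is an added example, not code from the patent or its assignee, modelling the scheme the abstract describes: a server issues an HMAC-signed trust token bound to a user ID and a client identifier on the first successful authentication, the client presents it on later logins, and requests carrying a valid token are served under the first policy (no added latency) while requests without one fall under the second policy (a fixed latency plus an increment for each consecutive failure from the same user/client pair). The class and method names, the latency constants, the token lifetime, the JSON token layout and the sample users are assumptions chosen for illustration; a simulated clock (`now`) replaces real sleeping so the behaviour is deterministic.

```python
# Added example (not the patent's own code): a minimal server-side model of the
# trust-token rate-limiting scheme. Names, constants and sample users are assumed.
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Outcome:
    authenticated: bool      # did the user ID + credentials check out
    trusted: bool            # did the request carry a valid trust token
    added_latency_ms: int    # incremental latency imposed by the second (untrusted) policy
    token: Optional[str]     # trust token issued on a first successful authentication, else None


class TrustRateLimiter:
    """Issues trust tokens to user/client pairs and applies one of two policies."""

    UNTRUSTED_BASE_LATENCY_MS = 500   # assumed: latency paid by every untrusted request
    UNTRUSTED_STEP_MS = 500           # assumed: extra latency per consecutive failure from one pair
    TOKEN_TTL_S = 30 * 24 * 3600      # assumed: trust token lifetime

    def __init__(self, signing_key: bytes, passwords: Dict[str, str]) -> None:
        self._key = signing_key
        # constructed sample credential store; holds digests rather than plaintext
        self._users = {u: hashlib.sha256(p.encode()).digest() for u, p in passwords.items()}
        self._failures: Dict[Tuple[str, str], int] = {}   # (user_id, client_id) -> consecutive failures

    # --- trust token: HMAC-signed, bound to the user ID and the client identifier ---
    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def issue_token(self, user_id: str, client_id: str, now: int) -> str:
        payload = json.dumps({"u": user_id, "c": client_id, "iat": now}).encode()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(self._sign(payload)).decode())

    def verify_token(self, token: str, user_id: str, client_id: str, now: int) -> bool:
        try:
            payload_b64, sig_b64 = token.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:          # malformed token (binascii.Error is a ValueError)
            return False
        if not hmac.compare_digest(sig, self._sign(payload)):
            return False            # forged or tampered token
        claims = json.loads(payload)
        # the token only counts for the same user ID on the same client machine, while unexpired
        return (claims["u"] == user_id and claims["c"] == client_id
                and 0 <= now - claims["iat"] <= self.TOKEN_TTL_S)

    def _credentials_ok(self, user_id: str, password: str) -> bool:
        stored = self._users.get(user_id)
        return stored is not None and hmac.compare_digest(
            stored, hashlib.sha256(password.encode()).digest())

    # --- request processing: first policy for trusted pairs, second policy otherwise ---
    def login(self, user_id: str, password: str, client_id: str,
              token: Optional[str], now: int) -> Outcome:
        trusted = token is not None and self.verify_token(token, user_id, client_id, now)
        ok = self._credentials_ok(user_id, password)
        if trusted:
            return Outcome(ok, True, 0, None)           # first policy: full-speed service
        pair = (user_id, client_id)
        n = self._failures.get(pair, 0)
        latency = self.UNTRUSTED_BASE_LATENCY_MS + n * self.UNTRUSTED_STEP_MS
        if ok:
            self._failures.pop(pair, None)
            # the pair is now established as trusted; the client stores this token for later sessions
            return Outcome(True, False, latency, self.issue_token(user_id, client_id, now))
        self._failures[pair] = n + 1                    # each failed guess raises the next delay
        return Outcome(False, False, latency, None)


def demo() -> Tuple[Outcome, Outcome, List[Outcome]]:
    """Constructed scenario: one legitimate user on a new machine, one password-guessing client."""
    server = TrustRateLimiter(secrets.token_bytes(32), {"alice": "correct horse battery"})
    t = 1_700_000_000
    # first session from a new machine: untrusted, pays the base latency once, receives a token
    first = server.login("alice", "correct horse battery", "laptop-A", None, t)
    # later session presenting the stored token: trusted, no added latency
    later = server.login("alice", "correct horse battery", "laptop-A", first.token, t + 3600)
    # guessing client without a token: every attempt is slower than the last
    guesses = [server.login("alice", "guess%d" % i, "bot-7", None, t + i) for i in range(4)]
    return first, later, guesses


if __name__ == "__main__":
    first, later, guesses = demo()
    print("new machine:", first.added_latency_ms, "ms; trusted session:", later.added_latency_ms, "ms")
    print("guessing client:", [g.added_latency_ms for g in guesses], "ms")
```

Because the token is bound to both the user ID and the client identifier, a token lifted from one machine does not make requests from another machine trusted, and a spliced token (one user's payload with another's signature) fails the HMAC check; the guessing client therefore stays under the second policy for every attempt while the trusted user's session is served without delay.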
56 Claims
1. A method of limiting unauthorized network requests, comprising the steps set out above under First Claim. Dependent claims: 2 through 28.
29. A computer program product comprising computer readable code means embodied on a tangible medium, said computer readable code means comprising code for performing a method of limiting unauthorized network requests, said method comprising the steps of:
identifying entities legitimately entitled to service, wherein an entity comprises a user id-client pair, said user id-client pair comprising an individual user-machine combination;
establishing said identified entities as trusted entities by, during a first session, issuing a trust token for each entity successfully authenticating to said network service, said trust token comprising a data object that includes a client identifier, said client identifier comprising at least one client-originated item of data that uniquely identifies the client machine, wherein said user ID-client pair represents a unique entity;
storing said issued trust token on said client machine;
in sessions subsequent to said first session, transmitting with a network request from a trusted entity said stored issued trust token along with said user ID, authentication credentials, and client identifier from said client machine to said network service;
processing said request from said trusted entity according to a first policy; and
responsive to a determination that a request is from an untrusted entity, said untrusted entity comprising an entity lacking a valid trust token;
processing said request from said untrusted entity according to at least a second policy;
wherein processing a request according to at least a second policy comprises adding a specified amount of incremental response latency when processing requests from untrusted entities.
Dependent claims: 30 through 56.
Specification