Method and apparatus for improving the resilience of content distribution networks to distributed denial of service attacks
Abstract
Several deterrence mechanisms suitable for content distribution networks (CDN) are provided. These include a hash-based request routing scheme and a site allocation scheme. The hash-based request routing scheme provides a way to distinguish legitimate requests from bogus requests. Using this mechanism, an attacker is required to generate O(n^2) traffic to victimize a CDN-hosted site when the site content is served from n CDN caches. Without these modifications, the attacker must generate only O(n) traffic to bring down the site. The site allocation scheme provides sufficient isolation among CDN-hosted Web sites to prevent an attack on one Web site from making other sites unavailable. Using an allocation strategy based on binary codes, it can be guaranteed that a successful attack on any individual Web site that disables its assigned servers does not also bring down other Web sites hosted by the CDN.
58 Citations
13 Claims
1. A method for improving the resilience of a content distribution network (CDN) to distributed denial of service (DDoS) attacks, comprising:
sending, from a client to a router, a request to access a web site that is hosted by at least one of a plurality of servers in the CDN, the request including a source address of the client and a site address of the web site;
hashing, at the router, the source address and the site address with a hash function that is shared between the router and the servers to obtain an address of one of the servers that hosts the web site;
sending, from the router to the client, the address of one of the servers that hosts the web site;
sending, from the client to the server with the address, a request for content of the web site, the request including the source address and the site address;
hashing, at the server, the source address and the site address with the shared hash function to obtain a hash value, wherein the request is inserted into a normal queue in response to the hash value matching the address of the server, and the request is inserted into a low priority queue in response to the hash value not matching the address of the server; and
sending, from the server to the client, the requested content in response to the request being inserted into the normal queue.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A program storage device readable by a machine, tangibly embodying a program of instructions executable on the machine to perform a method for improving the resilience of a content distribution network (CDN) to distributed denial of service (DDoS) attacks, the method comprising:
sending, from a client to a router, a request to access a web site that is hosted by at least one of a plurality of servers in the CDN, the request including a source address of the client and a site address of the web site;
hashing, at the router, the source address and the site address with a hash function that is shared between the router and the servers to obtain an address of one of the servers that hosts the web site;
sending, from the router to the client, the address of one of the servers that hosts the web site;
sending, from the client to the server with the address, a request for content of the web site, the request including the source address and the site address;
hashing, at the server, the source address and the site address with the shared hash function to obtain a hash value, wherein the request is inserted into a normal queue in response to the hash value matching the address of the server, and the request is inserted into a low priority queue in response to the hash value not matching the address of the server; and
sending, from the server to the client, the requested content in response to the request being inserted into the normal queue.
9. A method for distinguishing legitimate requests from attack requests to increase the amount of attack traffic necessary to bring down a content distribution network (CDN) server, comprising:
sending, from a client to a request router, a hypertext transfer protocol (HTTP) request to discover an address of a CDN server to contact, the request including a source address of the client and a site address of a web site that the client wants to access;
selecting, at the request router, a CDN server by hashing the site address and the source address with a hash function that is shared between the request router and CDN servers into a server address;
sending, from the request router to the client, the address of the CDN server to contact;
sending, from the client, an HTTP request to the CDN server with the address;
hashing, at the CDN server, the source address and the site address in the received HTTP request with the shared hash function to obtain a hash value, wherein the HTTP request is determined to be a legitimate request in response to the hash value matching the address of the CDN server, and the HTTP request is determined to be an attack request in response to the hash value not matching the address of the CDN server; and
sending, from the server to the client, the web site in response to the HTTP request being legitimate.
Dependent claims: 10, 11, 12, 13.
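The following is an added illustration of the hash-based request routing scheme described in the abstract and in claims 1 and 9; it is example code written for this page, not the patent's own implementation. It assumes SHA-256 as the shared hash function, integer server addresses 0..n-1, and that every cache in the pool serves the site.

```python
import hashlib
from collections import deque

# Constructed model: n CDN caches, addressed 0..n-1, all hosting the site (assumption).
N_SERVERS = 8


def shared_hash(source_addr: str, site_addr: str, n: int = N_SERVERS) -> int:
    """Hash function shared between the request router and every CDN server.
    Maps (client source address, site address) to one server address."""
    digest = hashlib.sha256(f"{source_addr}|{site_addr}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % n


def router_select_server(source_addr: str, site_addr: str) -> int:
    """Request router: returns the address of the server the client should contact."""
    return shared_hash(source_addr, site_addr)


class CdnServer:
    def __init__(self, address: int):
        self.address = address
        self.normal_queue = deque()
        self.low_priority_queue = deque()

    def accept(self, source_addr: str, site_addr: str) -> str:
        """Recompute the shared hash over the received request. A request whose
        hash value matches this server's address is legitimate and goes to the
        normal queue; anything else is treated as attack traffic and deprioritized."""
        request = (source_addr, site_addr)
        if shared_hash(source_addr, site_addr) == self.address:
            self.normal_queue.append(request)
            return "normal"
        self.low_priority_queue.append(request)
        return "low_priority"


def legitimate_client(servers, source_addr: str, site_addr: str) -> str:
    """Well-behaved client: asks the router first, then contacts the server it named."""
    addr = router_select_server(source_addr, site_addr)
    return servers[addr].accept(source_addr, site_addr)


def misdirected_request(servers, source_addr: str, site_addr: str, target: int) -> str:
    """Request sent straight to an arbitrary server without consulting the router,
    the pattern the scheme is designed to push into the low priority queue."""
    return servers[target].accept(source_addr, site_addr)
```

Run against the whole pool, a request that skips the router reaches the normal queue at only one of the n caches, which is the gap behind the abstract's O(n) versus O(n^2) comparison.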
Specification