Method and apparatus for improving the resilience of content distribution networks to distributed denial of service attacks

US 7,836,295 B2
Filed: 07/29/2002
Issued: 11/16/2010
Est. Priority Date: 07/29/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for improving the resilience of a content distribution network (CDN) to distributed denial of service (DDoS) attacks, comprising:

sending, from a client to a router, a request to access a web site that is hosted by at least one of a plurality of servers in the CDN, the request including a source address of the client and a site address of the web site;

hashing, at the router, the source address and the site address with a hash function that is shared between the router and the servers to obtain an address of one of the servers that hosts the web site;

sending, from the router to the client, the address of one of the servers that hosts the web site;

sending, from the client to the server with the address, a request for content of the web site, the request including the source address and the site address;

hashing, at the server, the source address and the site address with the shared hash function to obtain a hash value, wherein the request is inserted into a normal queue in response to the hash value matching the address of the server, and the request is inserted into a low priority queue in response to the hash value not matching the address of the server; and

sending, from the server to the client, the requested content in response to the request being inserted into the normal queue.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Several deterrence mechanisms suitable for content distribution networks (CDN) are provided. These include a hash-based request routing scheme and a site allocation scheme. The hash-based request routing scheme provides a way to distinguish legitimate requests from bogus requests. Using this mechanism, an attacker is required to generate O(n²)amount of traffic to victimize a CDN-hosted site when the site content is served from n CDN caches. Without these modifications, the attacker must generate only O(n) traffic to bring down the site. The site allocation scheme provides sufficient isolation among CDN-hosted Web sites to prevent an attack on one Web site from making other sites unavailable. Using an allocation strategy based on binary codes, it can be guaranteed that a successful attack on any individual Web site that disables its assigned servers, does not also bring down other Web sites hosted by the CDN.

58 Citations

View as Search Results

13 Claims

1. A method for improving the resilience of a content distribution network (CDN) to distributed denial of service (DDoS) attacks, comprising:
- sending, from a client to a router, a request to access a web site that is hosted by at least one of a plurality of servers in the CDN, the request including a source address of the client and a site address of the web site;
  
  hashing, at the router, the source address and the site address with a hash function that is shared between the router and the servers to obtain an address of one of the servers that hosts the web site;
  
  sending, from the router to the client, the address of one of the servers that hosts the web site;
  
  sending, from the client to the server with the address, a request for content of the web site, the request including the source address and the site address;
  
  hashing, at the server, the source address and the site address with the shared hash function to obtain a hash value, wherein the request is inserted into a normal queue in response to the hash value matching the address of the server, and the request is inserted into a low priority queue in response to the hash value not matching the address of the server; and
  
  sending, from the server to the client, the requested content in response to the request being inserted into the normal queue.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the requested content in the low priority queue is sent from the server to the client in response to the normal queue being empty.
  - 3. The method of claim 1, wherein further incoming requests are dropped in response to the low priority queue being full.
  - 4. The method of claim 1, wherein the request, which is inserted into the normal queue, is inserted into an i^thlevel of a multi-level priority queue, wherein i is a priority level of the client at the server.
  - 5. The method of claim 1, wherein the hash function is periodically updated.
  - 6. The method of claim 5, wherein during a predetermined period of time both old and new hash functions are honored.
  - 7. The method of claim 1, wherein the router and the server are two separate devices found in two separate locations.

8. A program storage device readable by a machine, tangibly embodying a program of instructions executable on the machine to perform a method for improving the resilience of a content distribution network (CDN) to distributed denial of service (DDoS) attacks, the method comprising:
- sending, from a client to a router, a request to access a web site that is hosted by at least one of a plurality of servers in the CDN, the request including a source address of the client and a site address of the web site;
  
  hashing, at the router, the source address and the site address with a hash function that is shared between the router and the servers to obtain an address of one of the servers that hosts the web site;
  
  sending, from the router to the client, the address of one of the servers that hosts the web site;
  
  sending, from the client to the server with the address, a request for content of the web site, the request including the source address and the site address;
  
  hashing, at the server, the source address and the site address with the shared hash function to obtain a hash value, wherein the request is inserted into a normal queue in response to the hash value matching the address of the server, and the request is inserted into a low priority queue in response to the hash value not matching the address of the server; and
  
  sending, from the server to the client, the requested content in response to the request being inserted into the normal queue.

9. A method for distinguishing legitimate requests from attack requests to increase the amount of attack traffic necessary to bring down a content distribution network (CDN) server, comprising:
- sending, from a client to a request router, a hypertext transfer protocol (HTTP) request to discover an address of a CDN server to contact, the request including a source address of the client and a site address of a web site that the client wants to access;
  
  selecting, at the request router, a CDN server by hashing the site address and the source address with a hash function that is shared between the request router and CDN servers into a server address;
  
  sending, from the request router to the client, the address of the CDN server to contact;
  
  sending, from the client an HTTP request to the CDN server with the address;
  
  hashing, at the CDN server, the source address and the site address in the received HTTP request with the shared hash function to obtain a hash value, wherein the HTTP request is determined to be a legitimate request in response to the hash value matching the address of the CDN server, and the HTTP request is determined to be an attack request in response to the hash value not matching the address of the CDN server; and
  
  sending, from the server to the client, the web site in response to the HTTP request being legitimate.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein the legitimate requests are inserted into a normal queue and the attack requests are inserted into a low priority queue.
  - 11. The method of claim 10, wherein the legitimate requests in the normal queue get served before the attack requests in the low priority queue.
  - 12. The method of claim 11, wherein the low priority queue includes a small amount of buffer that rapidly fills when the CDN server is flooded with attack requests so that subsequent attack requests are dropped.
  - 13. The method of claim 12, wherein the legitimate requests in the normal queue continue to get served by the CDN server when the CDN server is flooded with attack requests.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chari, Suresh N., Shaikh, Anees A., Sahu, Sambit, Lee, Kang-Won, Cheng, Pau-Chen
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
Teslovich; Tamara

Application Number

US10/207,695
Publication Number

US 20040019781A1
Time in Patent Office

3,032 Days
Field of Search

None
US Class Current

713/154
CPC Class Codes

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

H04L 67/1001   for accessing one among a p...

Method and apparatus for improving the resilience of content distribution networks to distributed denial of service attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

58 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for improving the resilience of content distribution networks to distributed denial of service attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links