Method of validating requests for sender reputation information

US 7,877,493 B2
Filed: 05/05/2006
Issued: 01/25/2011
Est. Priority Date: 05/05/2005
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus, comprising:

a network interface that is coupled to a data network for receiving one or more packet flows therefrom;

a processor;

one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform;

storing in the apparatus a secret string;

wherein the secret string and a message authentication code algorithm identifier are distributed to a first host computer;

receiving, from the first host computer, a DNS format query to obtain a reputation score associated with a second host computer,wherein the query includes a first authentication code that has been computed at the first host computer by executing the message authentication code algorithm over the secret string;

wherein the DNS format query comprises an inverted Internet Protocol (IP) address of the second host computer concatenated with the first authentication code of the first host computer;

in response to determining that the first host computer has a valid customer license to use services from the apparatus and that the customer license has not expired, validating the first authentication code by;

computing, at the apparatus, a second authentication code by executing the message authentication code algorithm over the secret string, both stored in the apparatus, anddetermining that the validation is successful if the first authentication code and the second authentication code match;

only when the first host computer has the valid customer license to use services from the apparatus, the customer license has not expired, and validating the first authentication code is successful, performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer;

wherein the DNS lookup comprises determining which of paranoid, cautious, moderate and aggressive characteristics describes the second host computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of validating queries for reputation scores of message senders comprises receiving, from a first host computer, a DNS format query to obtain a reputation score associated with a second host computer, wherein the query includes an authentication code; validating the authentication code; and only when validating the authentication code is successful, performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer.

Citations

28 Claims

1. An apparatus, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to perform;
  
  storing in the apparatus a secret string;
  
  wherein the secret string and a message authentication code algorithm identifier are distributed to a first host computer;
  
  receiving, from the first host computer, a DNS format query to obtain a reputation score associated with a second host computer,wherein the query includes a first authentication code that has been computed at the first host computer by executing the message authentication code algorithm over the secret string;
  
  wherein the DNS format query comprises an inverted Internet Protocol (IP) address of the second host computer concatenated with the first authentication code of the first host computer;
  
  in response to determining that the first host computer has a valid customer license to use services from the apparatus and that the customer license has not expired, validating the first authentication code by;
  
  computing, at the apparatus, a second authentication code by executing the message authentication code algorithm over the secret string, both stored in the apparatus, anddetermining that the validation is successful if the first authentication code and the second authentication code match;
  
  only when the first host computer has the valid customer license to use services from the apparatus, the customer license has not expired, and validating the first authentication code is successful, performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer;
  
  wherein the DNS lookup comprises determining which of paranoid, cautious, moderate and aggressive characteristics describes the second host computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform sending an NXDOMAIN record to the first host computer when validating the first authentication code is unsuccessful.
  - 3. The apparatus of claim 1, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform determining whether the first host computer is listed in a blacklist, and sending an NXDOMAIN record to the first host computer without validating the authentication code when the first host computer is listed in the blacklist.
  - 4. The apparatus of claim 1, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
    - establishing a master domain and a plurality of subdomains, wherein each of the subdomains is associated with a respective customer group;
      
      receiving the DNS format query from the first host computer at a particular subdomain that is associated with a particular customer group, wherein the first host computer is associated with the particular customer group, wherein the DNS format query includes an identifier of the particular customer group.
  - 5. The apparatus of claim 4, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
    - retrieving configuration information associated with the particular customer group, wherein the configuration information for the particular customer group maps one or more discrete sets of reputation values to respective responsive actions;
      
      determining, by mapping the reputation score for the second host computer to one of the discrete sets in the configuration information, a particular responsive action; and
      
      performing the particular responsive action.
  - 6. The apparatus of claim 1, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
    - creating and storing, in a log file, a log entry that identifies the first host computer and whether validation of the DNS format query was successful;
      
      periodically reading the log file, determining whether the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer, and adding the first host computer to a blacklist when the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer.
  - 7. The apparatus of claim 1, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
    - retrieving configuration information associated with the first host computer, wherein the configuration information identifies a time in which the first host computer is allowed to send queries;
      
      determining whether the time has expired;
      
      adding the first host computer to a blacklist when the time has expired.

8. An apparatus, comprising:
- one or more processors;
  
  a non-transitory computer-readable storage medium storing one or more sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;
  
  storing in the apparatus a secret string;
  
  wherein the secret string and a message authentication code algorithm identifier are distributed to a first host computer;
  
  receiving, from the first host computer, a DNS format query to obtain a reputation score associated with a second host computer,wherein the query includes a first authentication code that has been computed at the first host computer by executing the message authentication code algorithm over the secret string,wherein the DNS format query comprises an inverted Internet Protocol (IP) address of the second host computer concatenated with the first authentication code of the first host computer;
  
  determining whether the first host computer is allowed to use services from the apparatus;
  
  validating the first authentication code in response to the determining that the first host computer has a valid customer license to use services from the apparatus and that the customer license has not expired, by;
  
  computing, at the apparatus, a second authentication code by executing the message authentication code algorithm over the secret string, both stored in the apparatus, anddetermining that the validation is successful if the first authentication code and the second authentication code match; and
  
  performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer only when the first host computer has the valid customer license to use services from the apparatus, the customer license has not expired, and validating the first authentication code is successful;
  
  wherein the DNS lookup comprises determining which of paranoid, cautious, moderate and aggressive characteristics describes the second host computer.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed, cause the one or more processors to perform sending an NXDOMAIN record to the first host computer when validating the first authentication code is unsuccessful.
  - 10. The apparatus of claim 8, wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed, cause the one or more processors to perform determining whether the first host computer is listed in a blacklist, and sending an NXDOMAIN record to the first host computer without validating the authentication code when the first host computer is listed in the blacklist.
  - 11. The apparatus of claim 8, wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed, cause the one or more processors to perform:
    - establishing a master domain and a plurality of subdomains, wherein each of the subdomains is associated with a respective customer group;
      
      receiving the DNS format query from the first host computer at a particular subdomain that is associated with a particular customer group, wherein the first host computer is associated with the particular customer group, wherein the DNS format query includes an identifier of the particular customer group.
  - 12. The apparatus of claim 11, wherein the non-transitory computer-readable storage medium further comprise instructions which, when executed, cause the one or more processors to perform:
    - retrieving configuration information associated with the particular customer group, wherein the configuration information for the particular customer group maps one or more discrete sets of reputation values to respective responsive actions;
      
      determining, by mapping the reputation score for the second host computer to one of the discrete sets in the configuration information, a particular responsive action; and
      
      performing the particular responsive action.
  - 13. The apparatus of claim 8, wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed, cause the one or more processors to perform:
    - creating and storing, in a log file, a log entry that identifies the first host computer and whether validation of the DNS format query was successful;
      
      periodically reading the log file, determining whether the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer, and for adding the first host computer to a blacklist when the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer.
  - 14. The apparatus of claim 8, wherein the non-transitory computer-readable storage medium further comprises instructions, which when executed, cause the one or more processors to perform:
    - retrieving configuration information associated with the first host computer, wherein the configuration information identifies a time in which the first host computer is allowed to send queries;
      
      determining whether the time has expired;
      
      adding the first host computer to a blacklist when the time has expired.

15. A machine-implemented method comprising:
- storing in an apparatus a secret string;
  
  wherein the secret string and a message authentication code algorithm identifier are distributed to a first host computer;
  
  receiving, from the first host computer, a DNS format query to obtain a reputation score associated with a second host computer,wherein the query includes a first authentication code that has been computed at the first host computer by executing the message authentication code algorithm over the secret string;
  
  wherein the DNS format query comprises an inverted Internet Protocol (IP) address of the second host computer concatenated with the first authentication code of the first host computer;
  
  in response to determining that the first host computer has a valid customer license to use services from the apparatus and that the customer license has not expired, validating the first authentication code by;
  
  computing, at the apparatus, a second authentication code by executing the message authentication code algorithm over the secret string, both stored in the apparatus, anddetermining that the validation is successful if the first authentication code and the second authentication code match;
  
  only when the first host computer has the valid customer license to use services from the apparatus, the customer license has not expired, and validating the first authentication code is successful, performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer;
  
  wherein the DNS lookup comprises determining which of paranoid, cautious, moderate and aggressive characteristics describes the second host computer;
  
  wherein the method is performed by one or more processors.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method of claim 15, further comprising sending an NXDOMAIN record to the first host computer when validating the first authentication code is unsuccessful.
  - 17. The method of claim 15, further comprising determining whether the first host computer is listed in a blacklist, and sending an NXDOMAIN record to the first host computer without validating the authentication code when the first host computer is listed in the blacklist.
  - 18. The method of claim 15, further comprising:
    - establishing a master domain and a plurality of subdomains, wherein each of the subdomains is associated with a respective customer group;
      
      receiving the DNS format query from the first host computer at a particular subdomain that is associated with a particular customer group, wherein the first host computer is associated with the particular customer group, wherein the DNS format query includes an identifier of the particular customer group.
  - 19. The method of claim 18, further comprising:
    - retrieving configuration information associated with the particular customer group, wherein the configuration information for the particular customer group maps one or more discrete sets of reputation values to respective responsive actions;
      
      determining, by mapping the reputation score for the second host computer to one of the discrete sets in the configuration information, a particular responsive action; and
      
      performing the particular responsive action.
  - 20. The method of claim 15, further comprising:
    - creating and storing, in a log file, a log entry that identifies the first host computer and whether validation of the DNS format query was successful;
      
      periodically reading the log file, determining whether the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer, and adding the first host computer to a blacklist when the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer.
  - 21. The method of claim 15, further comprising:
    - retrieving configuration information associated with the first host computer, wherein the configuration information identifies a time in which the first host computer is allowed to send queries;
      
      determining whether the time has expired;
      
      adding the first host computer to a blacklist when the time has expired.

22. A non-transitory computer-readable volatile or non-volatile storage medium storing one or more sequences of instructions, which when executed by one or more processors, cause the one or more processors to carry out the steps of:
- storing in an apparatus a secret string;
  
  wherein the secret string and a message authentication code algorithm identifier are distributed to a first host computer;
  
  receiving, from the first host computer, a DNS format query to obtain a reputation score associated with a second host computer,wherein the query includes a first authentication code that has been computed at the first host computer by executing the message authentication code algorithm over the secret string;
  
  wherein the DNS format query comprises an inverted Internet Protocol (IP) address of the second host computer concatenated with the first authentication code of the first host computer;
  
  in response to determining that the first host computer has a valid customer license to use services from the apparatus and that the customer license has not expired, validating the first authentication code by;
  
  computing, at the apparatus, a second authentication code by executing the message authentication code algorithm over the secret string, both stored in the apparatus, anddetermining that the validation is successful if the first authentication code and the second authentication code match;
  
  only when the first host computer has the valid customer license to use services from the apparatus, the customer license has not expired, and validating the first authentication code is successful, performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer;
  
  wherein the DNS lookup comprises determining which of paranoid, cautious, moderate and aggressive characteristics describes the second host computer.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The computer-readable medium of claim 22, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform sending an NXDOMAIN record to the first host computer when validating the first authentication code is unsuccessful.
  - 24. The computer-readable medium of claim 22, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform determining whether the first host computer is listed in a blacklist, and sending an NXDOMAIN record to the first host computer without validating the authentication code when the first host computer is listed in the blacklist.
  - 25. The computer-readable medium of claim 22, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
    - establishing a master domain and a plurality of subdomains, wherein each of the subdomains is associated with a respective customer group;
      
      receiving the DNS format query from the first host computer at a particular subdomain that is associated with a particular customer group, wherein the first host computer is associated with the particular customer group, wherein the DNS format query includes an identifier of the particular customer group.
  - 26. The computer-readable medium of claim 25, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
    - retrieving configuration information associated with the particular customer group, wherein the configuration information for the particular customer group maps one or more discrete sets of reputation values to respective responsive actions;
      
      determining, by mapping the reputation score for the second host computer to one of the discrete sets in the configuration information, a particular responsive action; and
      
      performing the particular responsive action.
  - 27. The computer-readable medium of claim 22, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
    - creating and storing, in a log file, a log entry that identifies the first host computer and whether validation of the DNS format query was successful;
      
      periodically reading the log file, determining whether the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer, and adding the first host computer to a blacklist when the first host computer has issued a number of queries that exceeds an invalidation threshold for the first host computer.
  - 28. The computer-readable medium of claim 22, further comprising sequences of instructions which, when executed by the processor, cause the processor to perform:
    - retrieving configuration information associated with the first host computer, wherein the configuration information identifies a time in which the first host computer is allowed to send queries;
      
      determining whether the time has expired.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
IronPort Systems Inc (Cisco Systems, Inc.)
Original Assignee
IronPort Systems Inc (Cisco Systems, Inc.)
Inventors
Quinlan, Daniel
Primary Examiner(s)
Nawaz; Asad M
Assistant Examiner(s)
Biagini; Christopher D

Application Number

US11/429,393
Publication Number

US 20070073660A1
Time in Patent Office

1,726 Days
Field of Search

709/229
US Class Current

709/229
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 51/234   for tracking messages

H04L 61/4511   using domain name system [DNS]

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/145   the attack involving the pr...

Method of validating requests for sender reputation information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method of validating requests for sender reputation information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links