Dynamic defense of network attacks
First Claim
1. An intermediate network element comprising a processor programmed to control network traffic to a target network element from a plurality of sources, and further programmed to:
in response to determining that the target network element is under network attack, reserve a portion of bandwidth to the target resource for serving only trusted ones of the sources;
in response to receiving messages from untrusted ones of the sources, administering respective challenges to the untrusted ones of the sources, wherein each challenge comprises a Turing test that requires a source-specific sentient response, wherein the challenges use stateless cookies such that the challenges are administered without recording associations between the challenges and answers to the challenges, wherein responses to the challenges are verified according to a function of a secret known to the intermediate network element and of respective network addresses of the sources; and
in response to receiving a correct sentient response to one of the administered challenges from one of the untrusted sources, designating the one of the untrusted sources as trusted.
2 Assignments
0 Petitions
Abstract
A distributed denial of service attack can be defended against by challenging requests at a machine upstream from the target of the attack. The upstream machine limits access to the victim machine in response to indication of the victim machine being attacked. The upstream machine begins trapping protocol data units destined for the victim machine and challenging requests to access the victim machine with tests that require sentient responses, such as Turing tests. The upstream machine then updates a set of rules governing access to the victim machine based, at least in part, on responses to the challenges or administered tests.
74 Citations
10 Claims
1. An intermediate network element comprising a processor programmed to control network traffic to a target network element from a plurality of sources, and further programmed to:
in response to determining that the target network element is under network attack, reserve a portion of bandwidth to the target resource for serving only trusted ones of the sources;
in response to receiving messages from untrusted ones of the sources, administering respective challenges to the untrusted ones of the sources, wherein each challenge comprises a Turing test that requires a source-specific sentient response, wherein the challenges use stateless cookies such that the challenges are administered without recording associations between the challenges and answers to the challenges, wherein responses to the challenges are verified according to a function of a secret known to the intermediate network element and of respective network addresses of the sources; and
in response to receiving a correct sentient response to one of the administered challenges from one of the untrusted sources, designating the one of the untrusted sources as trusted.
- View Dependent Claims (2, 3)

4. A method of defending against a network attack, comprising:
an intermediate network element comprising a processor controlling access to a target network element from a plurality of network sources, the intermediate network element determining that the target network element is under network attack;
in response to determining that the target network element is under attack, the intermediate network element reserving a portion of bandwidth to the target resource for serving only trusted ones of the plurality of sources;
generating a set of permissions for the target network element responsive to indication of a network attack, wherein the set of permissions includes either a default set of permissions or a null set of permissions;
in response to receiving messages from untrusted ones of the plurality of sources, the intermediate network element administering respective challenges to the untrusted ones of the sources, wherein each challenge requires a correct source-specific sentient response, wherein the challenges use stateless cookies such that the challenges are administered without recording associations between the challenges and answers to the challenges, wherein responses to the challenges are verified according to a function of a secret known to the intermediate network element and of respective network addresses of the sources; and
in response to receiving a correct sentient response to one of the administered challenges from one of the untrusted sources, the intermediate network element designating the one of the untrusted sources as trusted.
- View Dependent Claims (5)

6. An apparatus, comprising:
a plurality of network interfaces at least partially implemented in hardware;
a processor; and
a memory coupled to the processor, wherein the memory stores program instructions executable for:
dynamically generating a set of rules governing access to a target network element based, at least in part, on administration of Turing tests to network elements attempting to communicate with the target network element, wherein a plurality of messages sent to the target element by a given one of the network elements are delivered to the target element in response to determining that the network element has provided a correct source-specific sentient response to a Turing test administered to it by the apparatus, wherein each Turing test uses a stateless cookie such that each Turing test is administered without recording an association between the Turing test and answers to the Turing test, wherein responses to the Turing tests are verified according to a function of a secret known to the apparatus and of respective network addresses of the network elements; and
allocating, to the network element attempting communication, bandwidth to the target network element based, at least in part, on the set of rules governing access.
- View Dependent Claims (7, 8)

9. A non-transitory machine-readable storage medium, storing:
a first sequence of instructions executable to administer challenges requiring correct source-specific sentient responses to sources attempting to access a target network element, wherein the challenges are one or more Turing tests administered by a network element that hosts the non-transitory machine-readable storage medium, and wherein the challenges are administered without recording associations between the challenges and answers to the challenges, wherein the first sequence of instructions is further executable to employ a stateless cookie mechanism to verify the responses, wherein the stateless cookie mechanism comprises computing a value that is a function of a secret key known to a network element that hosts the non-transitory machine-readable storage medium and of a network address of a source;
a second sequence of instructions executable to update access permissions to the target network element based, at least in part, on responses to the administered challenges; and
a third sequence of instructions executable to reserve a portion of bandwidth to the target network element for serving only trusted ones of the sources.
- View Dependent Claims (10)
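Added example (not code from the patent or from any product it covers) showing the stateless cookie mechanism the claims describe: the challenge cookie is an HMAC, under a secret held only by the intermediate element, over the source address, an expiry and the expected answer, so no challenge-to-answer association is stored, a solved cookie cannot be reused from another address, and a correct response moves the source onto the reserved bandwidth share. The arithmetic puzzle, the addresses and the bandwidth figures are constructed stand-ins for a real Turing test and real rule sets.

```python
import hmac
import hashlib
import random


def _tag(secret: bytes, src_ip: str, expiry: int, answer: str) -> bytes:
    # Bind source address, expiry and expected answer to the element's secret;
    # the element keeps no per-challenge state, it just recomputes this later.
    msg = f"{src_ip}|{expiry}|{answer.strip().lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def issue_challenge(secret: bytes, src_ip: str, now: int, ttl: int = 60):
    """Return (question, cookie) for an untrusted source. The constructed
    arithmetic puzzle stands in for a real Turing test (e.g. an image CAPTCHA)."""
    a, b = random.randint(10, 99), random.randint(10, 99)
    expiry = int(now) + ttl
    cookie = f"{expiry}:{_tag(secret, src_ip, expiry, str(a + b)).hex()}"
    return f"What is {a} plus {b}?", cookie


def verify_response(secret: bytes, src_ip: str, cookie: str, answer: str, now: int) -> bool:
    """Recompute the tag from the secret, the observed source address and the
    submitted answer; accept only an unexpired cookie whose tag matches."""
    try:
        expiry_s, tag_hex = cookie.split(":", 1)
        expiry, tag = int(expiry_s), bytes.fromhex(tag_hex)
    except ValueError:          # malformed or tampered cookie
        return False
    if now > expiry:            # stale cookie: replay window closed
        return False
    return hmac.compare_digest(_tag(secret, src_ip, expiry, answer), tag)


class AccessRules:
    """Rules for one target under attack: a reserved share of its bandwidth is
    served only to sources that passed a challenge; the rest is shared."""

    def __init__(self, total_bw: float, reserved_fraction: float = 0.5):
        self.reserved = total_bw * reserved_fraction
        self.shared = total_bw - self.reserved
        self.trusted: set[str] = set()      # starts as a null set of permissions

    def on_message(self, secret: bytes, src_ip: str, cookie: str, answer: str, now: int) -> bool:
        """Update the rules from a challenge response; True once the source is trusted."""
        if verify_response(secret, src_ip, cookie, answer, now):
            self.trusted.add(src_ip)
            return True
        return False

    def bandwidth_for(self, src_ip: str, untrusted_count: int) -> float:
        """Trusted sources split the reserved share; untrusted ones only the shared share."""
        if src_ip in self.trusted:
            return self.reserved / max(len(self.trusted), 1)
        return self.shared / max(untrusted_count, 1)
```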
Specification