System and method for identification and blocking of malicious use of servers

US 8,191,137 B2
Filed: 07/30/2008
Issued: 05/29/2012
Est. Priority Date: 07/30/2008
Status: Active Grant

First Claim

Patent Images

1. A computer system for detecting a fraudulent domain name service (DNS) server, the computer system comprising:

a central processing unit;

a computer-readable tangible storage device; and

program instructions to detect a frequency at which requests sent by the computer system to a first DNS server are redirected to another DNS server; and

program instructions to compare the frequency to a predetermined threshold, and determine that the first DNS server is fraudulent based in part on the frequency exceeding the predetermined threshold; and

wherein the program instructions to detect and the program instructions to determine are stored on the computer-readable tangible storage device for execution by the central processing unit.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to protect web applications from malicious attacks and, in particular, a system and method for identification and blocking of malicious DNS servers. The system includes a central processing unit and first program instructions. The first program instructions identify a rogue Domain Name Service (DNS) by identifying that a DNS metric is outside a historical limit. The first program instructions are stored on the computer system for execution by the central processing unit.

9 Citations

View as Search Results

7 Claims

1. A computer system for detecting a fraudulent domain name service (DNS) server, the computer system comprising:
- a central processing unit;
  
  a computer-readable tangible storage device; and
  
  program instructions to detect a frequency at which requests sent by the computer system to a first DNS server are redirected to another DNS server; and
  
  program instructions to compare the frequency to a predetermined threshold, and determine that the first DNS server is fraudulent based in part on the frequency exceeding the predetermined threshold; and
  
  wherein the program instructions to detect and the program instructions to determine are stored on the computer-readable tangible storage device for execution by the central processing unit.
- View Dependent Claims (2)
- - 2. The computer system of claim 1, further comprising:
    - program instructions to determine if the first DNS server is different than a prior DNS server to which the computer system previously sent requests for the domain name service; and
      
      whereinthe program instructions to determine that the first DNS server is fraudulent also bases the determination that the first DNS server is fraudulent on whether the first DNS server is different than the prior DNS server to which the computer system previously sent requests for the domain name service; and
      
      the program instructions to determine if the first DNS server is different than a prior DNS server is stored on the computer-readable tangible storage device for execution by the central processing unit.

3. A computer system comprising:
- a central processing unit;
  
  one or more computer-readable tangible storage devices;
  
  program instructions to identify a rogue Domain Name Service (DNS) server in part by determining that a response time metric is outside a historical range by;
  
  sending requests to peer nodes of the DNS server and measuring response times to the requests to the peer nodes,sending data to and receiving data from network devices on a same network as the DNS server and measuring response times to the data which was sent to the network devices, andcomparing current instances of the response times to the requests to the peer nodes and to the data which was sent to the network devices to respective historical ranges of the response times to the requests to the peer nodes and the data which was sent to the network devices; and
  
  wherein the program instructions are stored on the one or more computer-readable tangible storage devices for execution by the central processing unit.
- View Dependent Claims (4, 5)
- - 4. The method of claim 3, wherein the requests to the peer nodes are pings.
  - 5. The method of claim 3, wherein the response times to the requests to the peer nodes are calculated from at least one of:
    - an answer to a request with an IP address from cache;
      
      a contact with another server in an attempt to find the IP address;
      
      an answer with an IP address for a name server that may know the IP address; and
      
      a return of an error message because a requested domain name is invalid or does not exist.

6. A computer program product for detecting a fraudulent domain name service (DNS) server, the computer program product comprising:
- one or more computer-readable tangible storage devices and program instructions stored on at least one of the one or more storage devices, the program instructions comprising;
  
  program instructions to detect a frequency at which requests sent by the computer system to a first DNS server are redirected to another DNS server; and
  
  program instructions to compare the frequency to a predetermined threshold, and determine that the first DNS server is fraudulent based in part on the frequency exceeding the predetermined threshold.
- View Dependent Claims (7)
- - 7. The computer program product of claim 6, further comprising:
    - program instructions, stored on at least one of the one or more storage devices, to determine if the first DNS server is different than a prior DNS server to which the computer system previously sent requests for the domain name service; and
      
      wherein the program instructions to determine that the first DNS server is fraudulent also bases the determination that the first DNS server is fraudulent on whether the first DNS server is different than a prior DNS server to which the computer system previously sent requests for the domain name service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Himberger, Kevin D., Parees, Benjamin M.
Primary Examiner(s)
Song, Hosuk

Application Number

US12/182,633
Publication Number

US 20100031362A1
Time in Patent Office

1,399 Days
Field of Search

726 22- 26, 726 11- 12, 713/150, 713153-154, 713/188, 709223-225
US Class Current

726/22
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/168   above the transport layer

System and method for identification and blocking of malicious use of servers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identification and blocking of malicious use of servers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links