Identifying a denial-of-service attack in a cloud-based proxy service

US 8,613,089 B1
Filed: 10/31/2012
Issued: 12/17/2013
Est. Priority Date: 08/07/2012
Status: Active Grant

First Claim

Patent Images

1. A method in a cloud-based proxy service for identifying a target of a denial-of-service (DoS) attack, the method comprising:

determining that there is an abnormal flow of traffic being directed to an IP address of the cloud-based proxy service that is indicative of the DoS attack;

responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack, wherein the step of identifying includes performing the following;

scattering the plurality of domains to resolve to different IP addresses, wherein a result of the scattering is that each of those domains resolves to a different IP address, andidentifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.

Citations

24 Claims

1. A method in a cloud-based proxy service for identifying a target of a denial-of-service (DoS) attack, the method comprising:
- determining that there is an abnormal flow of traffic being directed to an IP address of the cloud-based proxy service that is indicative of the DoS attack;
  
  responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack, wherein the step of identifying includes performing the following;
  
  scattering the plurality of domains to resolve to different IP addresses, wherein a result of the scattering is that each of those domains resolves to a different IP address, andidentifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the step of scattering the plurality of domains to resolve to different IP addresses includes causing one or more Domain Name System (DNS) records for the plurality of domains to resolve to the different IP addresses.
  - 3. The method of claim 1, wherein the step of scattering the plurality of domains to resolve to different IP addresses is performed iteratively;
    - wherein in an initial iteration, at least two of the plurality of domains resolve to the same IP address of the cloud-based proxy service and one of the plurality of domains resolves to a different IP address of the cloud-based proxy service; and
      
      wherein in a final iteration, each of the plurality of domains resolves to a different IP address of the cloud-based proxy service.
  - 4. The method of claim 1, wherein the step of determining that there is the abnormal flow of traffic being directed to the IP address includes determining that there is an abnormally high amount of traffic being directed to the IP address.
  - 5. The method of claim 1, further comprising:
    - after identifying the targeted domain, grouping at least some of those other ones of the plurality of domains to resolve to a same IP address of the cloud-based proxy service, wherein the step of grouping includes causing one or more Domain Name System (DNS) records for those domains to resolve to that same IP address.
  - 6. The method of claim 1, further comprising:
    - after identifying the targeted domain, performing one or more mitigation actions for the targeted domain, including one or more of the following;
      
      rate limiting traffic destined to the targeted domain;
      
      null routing the IP address in which the targeted domain resolves;
      
      installing filtering rules in network equipment of the cloud-based proxy service;
      
      causing traffic destined to the targeted domain to be directed to a dedicated DoS device of the cloud-based proxy service; and
      
      presenting one or more challenges to visitors attempting to connect to the targeted domain.
  - 7. The method of claim 1, further comprising:
    - after identifying the targeted domain, isolating the targeted domain to a set of one or more data centers.
  - 8. The method of claim 7, wherein a set of one or more other domains that are not the targeted domain initially belong to the set of data centers;
    - and moving that set of domains to a different set of one or more data centers after isolating the targeted domain.

9. A non-transitory computer-readable storage medium that provides instructions that, when executed by a processor of a proxy server, will cause said processor to perform operations comprising:
- determining that there is an abnormal flow of traffic being directed to an IP address that is indicative of a Denial of Service (DoS) attack;
  
  responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is a target of the DoS attack, wherein the step of identifying includes performing the following;
  
  scattering the plurality of domains to resolve to different IP addresses, wherein a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The non-transitory computer-readable storage medium of claim 9, wherein the step of scattering the plurality of domains to resolve to different IP addresses includes a proxy server causing one or more Domain Name System (DNS) records for the plurality of domains to resolve to the different IP addresses.
  - 11. The non-transitory computer-readable storage medium of claim 9, wherein the step of scattering the plurality of domains to resolve to different IP addresses is performed iteratively;
    - wherein in an initial iteration, at least two of the plurality of domains resolve to the same IP address and one of the plurality of domains resolves to a different IP address; and
      
      wherein in a final iteration, each of the plurality of domains resolves to a different IP address.
  - 12. The non-transitory computer-readable storage medium of claim 9, wherein the step of determining that there is the abnormal flow of traffic being directed to the IP address includes determining that there is an abnormally high amount of traffic being directed to the IP address.
  - 13. The non-transitory computer-readable storage medium of claim 9, further comprising instructions that, when executed by the processor, cause said processor to perform the following operation:
    - after identifying the targeted domain, grouping at least some of those other ones of the plurality of domains to resolve to a same IP address, wherein the step of grouping includes a proxy server causing one or more Domain Name System (DNS) records for those domains to resolve to that same IP address.
  - 14. The non-transitory computer-readable storage medium of claim 9, further comprising instructions that, when executed by the processor, cause said processor to perform the following operation:
    - after identifying the targeted domain, performing one or more mitigation actions for the targeted domain, including one or more of the following;
      
      rate limiting traffic destined to the targeted domain;
      
      null routing the IP address in which the targeted domain resolves;
      
      broadcasting filtering rules to network equipment downstream from a proxy server;
      
      causing traffic destined to the targeted domain to be directed to a dedicated DoS device; and
      
      presenting one or more challenges to visitors attempting to connect to the targeted domain.
  - 15. The non-transitory computer-readable storage medium of claim 9, further comprising instructions that, when executed by the processor, cause said processor to perform the following operation:
    - after identifying the targeted domain, isolating the targeted domain to a set of one or more data centers.
  - 16. The non-transitory computer-readable storage medium of claim 15, further comprising instructions that, when executed by the processor, cause said processor to perform the following operation:
    - wherein a set of one or more other domains that are not the targeted domain initially belong to the set of data centers; and
      
      moving that set of domains to a different set of one or more data centers after isolating the targeted domain.

17. An apparatus to identify a target of a denial-of-service (DoS) attack in a cloud-based proxy service, comprising:
- a cloud-based proxy service node that is configured to perform the following;
  
  determine that there is an abnormal flow of traffic being directed to an IP address of the cloud-based proxy service that is indicative of the DoS attack;
  
  responsive to a determination that there are a plurality of domains that resolve to that IP address, identify the one of the plurality of domains that is the target of the DoS attack by performing the following;
  
  scatter the plurality of domains to resolve to different IP addresses, wherein a result of the scattering is that each of those domains resolves to a different IP address, and identify one of those plurality of domains as the target of the DoS attack by a determination that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The apparatus of claim 17, wherein the cloud-based proxy service node is configured to scatter the plurality of domains to resolve to different IP addresses by causing one or more Domain Name System (DNS) records for the plurality of domains to resolve to the different IP addresses.
  - 19. The apparatus of claim 17, wherein the cloud-based proxy service node is configured to scatter the plurality of domains to resolve to different IP addresses iteratively;
    - wherein in an initial iteration, at least two of the plurality of domains resolve to the same IP address of the cloud-based proxy service and one of the plurality of domains resolves to a different IP address of the cloud-based proxy service; and
      
      wherein in a final iteration, each of the plurality of domains resolves to a different IP address of the cloud-based proxy service.
  - 20. The apparatus of claim 17, wherein the cloud-based proxy service node is configured to determine that there is the abnormal flow of traffic being directed to the IP address includes determining that there is an abnormally high amount of traffic being directed to the IP address.
  - 21. The apparatus of claim 17, further comprising:
    - after identifying the targeted domain, the cloud-based proxy service node is configured to group at least some of those other ones of the plurality of domains to resolve to a same IP address of the cloud-based proxy service, wherein the cloud-based proxy service node is configured to group the at least some of those other ones of the plurality of domains by causing one or more Domain Name System (DNS) records for those domains to resolve to that same IP address.
  - 22. The apparatus of claim 17, further comprising:
    - after identifying the targeted domain, the cloud-based proxy service node is configured to perform one or more mitigation actions for the targeted domain, including one or more of the following;
      
      rate limiting traffic destined to the targeted domain;
      
      null routing the IP address in which the targeted domain resolves;
      
      install filtering rules in network equipment of the cloud-based proxy service;
      
      cause traffic destined to the targeted domain to be directed to a dedicated DoS device of the cloud-based proxy service; and
      
      present one or more challenges to visitors attempting to connect to the targeted domain.
  - 23. The apparatus of claim 17, further comprising:
    - after identifying the targeted domain, the cloud-based proxy service node is configured to isolate the targeted domain to asset of one or more data centers.
  - 24. The apparatus of claim 23, wherein a set of one or more other domains that are not the targeted domain initially belong to the set of data centers;
    - and wherein the cloud-based proxy service node is further configured to move that set of domains to a different set of one or more data centers after isolating the targeted domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
CloudFlare Incorporated
Inventors
Holloway, Lee Hahn, Rao, Srikanth N., Prince, Matthew Browning, Tourne, Matthieu Philippe Franois, Pye, Ian Gerald, Bejjani, Ray Raymond, Rodery, Terry Paul Jr.
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
Baum, Ronald

Application Number

US13/665,802
Time in Patent Office

412 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

Identifying a denial-of-service attack in a cloud-based proxy service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying a denial-of-service attack in a cloud-based proxy service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links