Virtual server and method for identifying zombie, and sinkhole server and method for integratedly managing zombie information
First Claim
1. A virtual server for identifying a zombie, the virtual server executed by at least one computer processor and comprising:
- a cookie checking module loaded on said at least one computer processor configured to check whether a cookie is present in a web server access request message received from a host;
- an authentication processing module loaded on said at least one computer processor configured to authenticate the host using a completely automated public Turing test to tell computers and humans apart (CAPTCHA) test and provide a cookie to the authenticated host when the web server access request message received from the host does not include a cookie;
- a defense mechanism trigger module loaded on said at least one computer processor configured to trigger a defense mechanism (a cookie value verification, a web page inducement, a zombie identification) when a current traffic statistics value (TCP SYN packet count, UDP packet count, ICMP packet count) is greater than a predefined threshold value and bypass a request traffic to the web server when the current traffic statistics value is less than the threshold value;
- a CAPTCHA generation module loaded on said at least one computer processor configured to generate a different CAPTCHA value whenever the host requests to access;
- a cookie value verification module loaded on said at least one computer processor configured to extract a cookie value from the web server access request message and verify the extracted cookie value when the web server access request message includes a cookie;
- a web page access inducement module loaded on said at least one computer processor configured to induce the host to access a web server when the cookie value is verified; and
- a zombie identification module loaded on said at least one computer processor configured to block access of the host when the cookie value is not verified, and identify the host as a zombie when a number of blocking operations exceeds a threshold value,
- wherein when the host does not submit a correct answer to the CAPTCHA test, the authentication processing module provides as many opportunities to submit the correct answer as a threshold value, and
- wherein when the host does not submit the correct answer in the as many opportunities as the threshold value, the authentication processing module identifies the host as a zombie, blocks access of the host, and transfers an access request message or an Internet protocol (IP) address of the host to a sinkhole server.
Abstract
Provided are a virtual server and method for identifying a zombie, and a sinkhole server and method for integratedly managing zombie information. The virtual server includes an authentication processing module authenticating a host using a CAPTCHA test and providing a cookie to the authenticated host when a web server access request message received from the host does not include a cookie, a cookie value verification module for extracting a cookie value from the web server access request message and verifying the extracted cookie value when the web server access request message includes a cookie, a web page access inducement module for inducing the host to access a web server when the cookie value is verified, and a zombie identification module for blocking access of the host when the cookie value is not verified, and identifying the host as a zombie when the number of blocking operations exceeds a threshold value.
6 Claims
5. A method of identifying a zombie, comprising:
- determining whether a web server access request message received from a host includes a cookie;
- transmitting a completely automated public Turing test to tell computers and humans apart (CAPTCHA) page to the host when the access request message does not include a cookie;
- transmitting a cookie corresponding to an Internet protocol (IP) address of the host when a correct answer to the CAPTCHA page is received from the host;
- triggering a defense mechanism (a cookie value verification, a web page inducement, a zombie identification) when a current traffic statistics value (TCP SYN packet count, UDP packet count, ICMP packet count) is greater than a predefined threshold value and bypassing a request traffic to the web server when the current traffic statistics value is less than the threshold value;
- generating a different CAPTCHA value whenever the host requests to access;
- extracting a cookie value from the access request message and checking whether the extracted cookie value corresponds to the IP address of the host when the access request message includes a cookie;
- blocking access to a web server when the cookie value does not correspond to the IP address of the host, and identifying the host as a zombie when a number of blocking operations exceeds a threshold value,
- repeatedly transmitting the CAPTCHA page to the host to provide as many opportunities to submit a correct answer as a threshold value when the correct answer to the CAPTCHA page is not received from the host,
- identifying the host as a zombie when a number of times that the host fails to submit the correct answer exceeds the threshold value, and
- retransferring an access request message received from the host identified as a zombie or the IP address of the host to a sinkhole server.
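The decision flow of claim 5, sketched as an added example (not code from the patent or its assignee). The claims do not say how a cookie "corresponds to" an IP address; the HMAC-SHA256 construction, the threshold values, the `VirtualServer` class and its return labels are all assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

SECRET = b"constructed-demo-key"   # assumption: server-side secret, not from the patent
TRAFFIC_THRESHOLD = 1000           # assumed packet count that triggers the defense
BLOCK_THRESHOLD = 3                # assumed limit on blocking operations
CAPTCHA_THRESHOLD = 3              # assumed number of CAPTCHA opportunities


def issue_cookie(ip):
    """Cookie value bound to the host IP (assumed construction: HMAC-SHA256)."""
    return hmac.new(SECRET, ip.encode(), hashlib.sha256).hexdigest()


class VirtualServer:
    def __init__(self):
        self.blocks = defaultdict(int)            # blocking operations per IP
        self.captcha_failures = defaultdict(int)  # wrong CAPTCHA answers per IP
        self.sinkhole = []                        # IPs transferred to the sinkhole server

    def _zombie(self, ip):
        if ip not in self.sinkhole:
            self.sinkhole.append(ip)
        return "zombie"

    def handle(self, ip, traffic_stat, cookie=None, captcha_ok=None):
        if ip in self.sinkhole:
            return "zombie"                       # already identified: stays blocked
        if traffic_stat <= TRAFFIC_THRESHOLD:
            return "bypass"                       # defense not triggered (equality is our choice)
        if cookie is None:
            if captcha_ok is None:
                return "captcha"                  # no cookie yet: send CAPTCHA page
            if captcha_ok:
                return "cookie:" + issue_cookie(ip)
            self.captcha_failures[ip] += 1
            if self.captcha_failures[ip] > CAPTCHA_THRESHOLD:
                return self._zombie(ip)
            return "captcha"                      # another opportunity
        if hmac.compare_digest(cookie.encode(), issue_cookie(ip).encode()):
            return "redirect"                     # verified: induce access to web server
        self.blocks[ip] += 1                      # cookie does not match this IP
        if self.blocks[ip] > BLOCK_THRESHOLD:
            return self._zombie(ip)
        return "blocked"
```

Binding the cookie to the source address means a cookie replayed from a different host fails verification and is counted as a blocking operation; hosts behind a shared NAT address will share one cookie value under this construction.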
Specification