Mitigating a denial-of-service attack in a cloud-based proxy service
First Claim
1. A method in a proxy server in a cloud-based proxy service, wherein the proxy server is situated between client computing devices that request network resources and origin servers that serve network resources, the method comprising:
- receiving a first message that indicates that a domain, whose traffic passes through the proxy server, is suspected to be under a denial-of-service (DoS) attack;
in response to receiving the first message, enabling a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges;
while the rule is enabled and responsive to receiving a first request for a resource of that domain from a first visitor, automatically presenting the set of challenges based on the enabled rule that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a second message to the proxy server with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser.
1 Assignment
0 Petitions
Accused Products
Abstract
A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that that the visitor is part of the DoS attack. If the set of challenges are passed, the request may be processed. If the set of challenges are not passed, the request may be dropped.
64 Citations
27 Claims
-
1. A method in a proxy server in a cloud-based proxy service, wherein the proxy server is situated between client computing devices that request network resources and origin servers that serve network resources, the method comprising:
-
receiving a first message that indicates that a domain, whose traffic passes through the proxy server, is suspected to be under a denial-of-service (DoS) attack; in response to receiving the first message, enabling a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges; while the rule is enabled and responsive to receiving a first request for a resource of that domain from a first visitor, automatically presenting the set of challenges based on the enabled rule that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a second message to the proxy server with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A non-transitory computer-readable storage medium that provides instructions that, when executed by a processor, will cause said processor to perform operations comprising:
-
receiving a first message that indicates that a domain, whose traffic passes through a proxy server of a cloud-based proxy service, is suspected to be under a denial-of-service (DoS) attack; in response to receiving the first message, enabling a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges; while the rule is enabled and responsive to receiving a first request for a resource of that domain from a first visitor, automatically presenting the set of challenges based on the enabled rule that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a second message to the proxy server with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
-
-
23. An apparatus, comprising:
-
a set of one or more processors; a set of one or more non-transitory computer-readable storage mediums storing instructions, that when executed by the set of processors, cause the set of processors to perform the following operations; receive a first message that indicates that a domain, whose traffic passes through a proxy server of a cloud-based proxy service, is suspected to be under a denial-of-service (DoS) attack; in response to receipt of the first message, enable a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges; while the rule is enabled and responsive to receipt of a first request for a resource of that domain from a first visitor, automatically present the set of challenges based on the enabled rule that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a second message to the proxy server with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser. - View Dependent Claims (24, 25, 26, 27)
-
Specification