Mitigating a denial-of-service attack in a cloud-based proxy service

US 8,856,924 B2
Filed: 10/31/2012
Issued: 10/07/2014
Est. Priority Date: 08/07/2012
Status: Active Grant

First Claim

Patent Images

1. A method in a proxy server in a cloud-based proxy service, wherein the proxy server is situated between client computing devices that request network resources and origin servers that serve network resources, the method comprising:

receiving a first message that indicates that a domain, whose traffic passes through the proxy server, is suspected to be under a denial-of-service (DoS) attack;

in response to receiving the first message, enabling a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges;

while the rule is enabled and responsive to receiving a first request for a resource of that domain from a first visitor, automatically presenting the set of challenges based on the enabled rule that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a second message to the proxy server with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that that the visitor is part of the DoS attack. If the set of challenges are passed, the request may be processed. If the set of challenges are not passed, the request may be dropped.

64 Citations

View as Search Results

27 Claims

1. A method in a proxy server in a cloud-based proxy service, wherein the proxy server is situated between client computing devices that request network resources and origin servers that serve network resources, the method comprising:
- receiving a first message that indicates that a domain, whose traffic passes through the proxy server, is suspected to be under a denial-of-service (DoS) attack;
  
  in response to receiving the first message, enabling a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges;
  
  while the rule is enabled and responsive to receiving a first request for a resource of that domain from a first visitor, automatically presenting the set of challenges based on the enabled rule that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a second message to the proxy server with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - responsive to not receiving the second message in a certain period of time from the client-side script embedded into the page transmitted to the first visitor, determining that the first request did not originate from a web browser, anddropping the first request without transmitting a corresponding request to an origin server corresponding to the domain.
  - 3. The method of claim 1, further comprising:
    - responsive to receiving the second message from the client-side script embedded into the page transmitted to the first visitor, determining whether that second message has an expected value;
      
      responsive to the determination that the second message has the expected value, setting a cookie that indicates that the first visitor has passed the client-side script challenge; and
      
      causing the requested resource to be transmitted to the first visitor.
  - 4. The method of claim 3, wherein causing the requested resource to be transmitted to the first visitor includes performing the following:
    - transmitting a response to the first visitor that includes the cookie and causes the first visitor to re-submit the first request;
      
      receiving the resubmitted request from the first visitor, the resubmitted request including the cookie;
      
      retrieving the requested resource; and
      
      transmitting the requested resource to the first visitor.
  - 5. The method of claim 4, wherein retrieving the requested resource includes the following:
    - transmitting a request for the resource to an origin server corresponding to the domain; and
      
      receiving a response from the origin server that includes the requested resource.
  - 6. The method of claim 4, wherein retrieving the requested resource includes accessing a local cache on the proxy server for the requested resource.
  - 7. The method of claim 1, wherein traffic for the domain is received at the proxy server as a result of the domain resolving to the proxy server, wherein the domain is one of a plurality of different domains owned by different entities that each resolve to the proxy server.
  - 8. The method of claim 1, wherein prior to presenting the set of challenges, the proxy server performs the following responsive to receiving the first request for the resource of that domain:
    - determining that the first request does not include a cookie that indicates that the first visitor has passed the set of challenges.
  - 9. The method of claim 1, further comprising:
    - receiving a second request for a resource of the domain from a second visitor, wherein the second request includes a cookie that indicates that the second visitor has passed the one or more challenges;
      
      retrieving the requested resource; and
      
      transmitting the requested resource to the second visitor without presenting the one or more challenges to the second visitor.
  - 10. The method of claim 1, wherein the set of challenges further includes one or more challenges that require input, wherein the one or more challenges that require input are selected from the group consisting of an image Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), an audio CAPTCHA, a math question, and a trivia question.
  - 11. The method of claim 1, wherein the page transmitted to the first visitor does not have a same style as the requested resource.

12. A non-transitory computer-readable storage medium that provides instructions that, when executed by a processor, will cause said processor to perform operations comprising:
- receiving a first message that indicates that a domain, whose traffic passes through a proxy server of a cloud-based proxy service, is suspected to be under a denial-of-service (DoS) attack;
  
  in response to receiving the first message, enabling a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges;
  
  while the rule is enabled and responsive to receiving a first request for a resource of that domain from a first visitor, automatically presenting the set of challenges based on the enabled rule that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a second message to the proxy server with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The non-transitory computer-readable storage medium of claim 12, wherein the operations further comprise:
    - responsive to not receiving the second message in a certain period of time from the client-side script embedded into the page transmitted to the first visitor, determining that the first request did not originate from a web browser, anddropping the first request without transmitting a corresponding request to an origin server corresponding to the domain.
  - 14. The non-transitory computer-readable storage medium of claim 12, wherein the operations further comprise:
    - responsive to receiving the second message from the client-side script embedded into the page transmitted to the first visitor, determining whether that second message has an expected value;
      
      responsive to the determination that the second message has the expected value, setting a cookie that indicates that the first visitor has passed the client-side script challenge; and
      
      causing the requested resource to be transmitted to the first visitor.
  - 15. The non-transitory computer-readable storage medium of claim 14, wherein causing the requested resource to be transmitted to the first visitor includes performing the following:
    - transmitting a response to the first visitor that includes the cookie and causes the first visitor to re-submit the first request;
      
      receiving the resubmitted request from the first visitor, the resubmitted request including the cookie;
      
      retrieving the requested resource; and
      
      transmitting the requested resource to the first visitor.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein retrieving the requested resource includes the following:
    - transmitting a request for the resource to an origin server corresponding to the domain; and
      
      receiving a response from the origin server that includes the requested resource.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein retrieving the requested resource includes accessing a local cache on the proxy server for the requested resource.
  - 18. The non-transitory computer-readable storage medium of claim 12, wherein traffic for the domain is received at the proxy server as a result of the domain resolving to the proxy server, wherein the domain is one of a plurality of different domains owned by different entities that each resolve to the proxy server.
  - 19. The non-transitory computer-readable storage medium of claim 12, wherein prior to presenting the set of challenges, the proxy server performs the following responsive to receiving the first request for the resource of that domain:
    - determining that the first request does not include a cookie that indicates that the first visitor has passed the set of challenges.
  - 20. The non-transitory computer-readable storage medium of claim 12, further comprising:
    - receiving a second request for a resource of the domain from a second visitor, wherein the second request includes a cookie that indicates that the second visitor has passed the one or more challenges;
      
      retrieving the requested resource; and
      
      transmitting the requested resource to the second visitor without presenting the one or more challenges to the second visitor.
  - 21. The non-transitory computer-readable storage medium of claim 12, wherein the set of challenges includes one or more challenges that require input, wherein the one or more challenges that require input are selected from the group consisting of an image Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), an audio CAPTCHA, a math question, and a trivia question.
  - 22. The non-transitory computer-readable storage medium of claim 12, wherein the page transmitted to the first visitor does not have a same style as the requested resource.

23. An apparatus, comprising:
- a set of one or more processors;
  
  a set of one or more non-transitory computer-readable storage mediums storing instructions, that when executed by the set of processors, cause the set of processors to perform the following operations;
  
  receive a first message that indicates that a domain, whose traffic passes through a proxy server of a cloud-based proxy service, is suspected to be under a denial-of-service (DoS) attack;
  
  in response to receipt of the first message, enable a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges;
  
  while the rule is enabled and responsive to receipt of a first request for a resource of that domain from a first visitor, automatically present the set of challenges based on the enabled rule that if not passed are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and transmits a second message to the proxy server with the solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The apparatus of claim 23, wherein the operations further compriseresponsive to not receiving the second message in a certain period of time from the client-side script embedded into the page transmitted to the first visitor, determine that the first request did not originate from a web browser, anddrop the first request without transmitting a corresponding request to an origin server corresponding to the domain.
  - 25. The apparatus of claim 23, wherein the operations further compriseresponsive to receiving the second message from the client-side script, determine whether that second message has an expected value;
    - responsive to the determination that the second message has the expected value, set a cookie that indicates that the first visitor has passed the client-side script challenge; and
      
      cause the requested resource to be transmitted to the first visitor.
  - 26. The apparatus of claim 23, wherein traffic for the domain is received at the proxy server as a result of the domain resolving to the proxy server, wherein the domain is one of a plurality of different domains owned by different entities that each resolve to the proxy server.
  - 27. The apparatus of claim 23, wherein the page transmitted to the first visitor does not have a same style as the requested resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
CloudFlare Incorporated
Inventors
Holloway, Lee Hahn, Rao, Srikanth N., Prince, Matthew Browning, Tourne, Matthieu Philippe Franois, Pye, Ian Gerald, Bejjani, Ray Raymond, Rodery, Terry Paul Jr.
Primary Examiner(s)
Schwartz, Darren B

Application Number

US13/665,811
Publication Number

US 20140047542A1
Time in Patent Office

706 Days
Field of Search

726 1- 5, 726/8, 726/10, 726 22- 23
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

Mitigating a denial-of-service attack in a cloud-based proxy service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

64 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigating a denial-of-service attack in a cloud-based proxy service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links