Systems and methods to detect and respond to distributed denial of service (DDoS) attacks

US 8,869,275 B2
Filed: 11/28/2012
Issued: 10/21/2014
Est. Priority Date: 11/28/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for mitigating a distributed denial of service (DDoS) attack, comprising:

receiving, by a server, a response message from an application server;

determining a source internet protocol (IP) address corresponding to a source client based on a request message received from the source client, wherein the request message received from the source client corresponds to the response message received from the application server;

identifying, by the server, a plurality of counters corresponding to the source IP address, wherein the plurality of counters includes a consecutive bad request counter (CBRC) that is used to track a number of consecutive bad requests received from the source IP address;

identifying, by the server, a response type of the response message; and

causing a value of at least one of the plurality of counters to change based on the response message and the response type.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments relate to systems, devices, and computer-implemented methods for mitigating Distributed Denial of Service (“DDoS”) attacks. The method can include receiving, by a server, a response message from an application server. The method can further include determining a source internet protocol (IP) address associated with the source client based on a request message received from a source client. The request message received from the source client corresponds to the response message received from the application server. In addition, the method can include identifying, by the server, a plurality of counters associated with the source IP address, and identifying, by the server, a response type of the response message. Further, the method can include causing a value of at least one of the plurality of counters to change based on the response message and the response type.

Citations

21 Claims

1. A computer-implemented method for mitigating a distributed denial of service (DDoS) attack, comprising:
- receiving, by a server, a response message from an application server;
  
  determining a source internet protocol (IP) address corresponding to a source client based on a request message received from the source client, wherein the request message received from the source client corresponds to the response message received from the application server;
  
  identifying, by the server, a plurality of counters corresponding to the source IP address, wherein the plurality of counters includes a consecutive bad request counter (CBRC) that is used to track a number of consecutive bad requests received from the source IP address;
  
  identifying, by the server, a response type of the response message; and
  
  causing a value of at least one of the plurality of counters to change based on the response message and the response type.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 21)
- - 2. The computer-implemented method of claim 1, wherein the response type is a status code of the response message, and the plurality of counters includes a discrete bad request counter (DBRC) that is used to track a number of bad requests received from the source IP address.
  - 3. The computer-implemented method of claim 2, further including:
    - determining, by the server, if the status code of the response message is a 4xx status code of interest;
      
      upon determining that the status code is the 4xx status code of interest, incrementing the CBRC and the DBRC;
      
      comparing, by the server, the CBRC that has been incremented against a CBRC threshold;
      
      comparing, by the server, the DBRC that has been incremented against a DBRC threshold; and
      
      adding, by the server, the source IP address corresponding to the source client to a blacklist based on at least one of the comparing the CBRC that has been incremented against the CBRC threshold and the comparing the DBRC that has been incremented against the DBRC threshold.
  - 4. The computer-implemented method of claim 2, further including:
    - determining, by the server, if the status code of the response message is a 3xx status code of interest;
      
      upon determining that the status code is the 3xx status code of interest, evaluating header data of the response message; and
      
      determining, by the server, if a location data in the header data matches a predetermined location pattern.
  - 5. The computer-implemented method of claim 4, further including:
    - upon determining that the location data does not match the predetermined location pattern, resetting the CBRC to zero.
  - 6. The computer-implemented method of claim 4, further including:
    - upon determining that the location data matches the predetermined location pattern, incrementing the CBRC and the DBRC;
      
      comparing, by the server, the CBRC that has been incremented against a CBRC threshold;
      
      comparing, by the server, the DBRC that has been incremented against a DBRC threshold; and
      
      performing, by the server, a mitigating action in connection with the source client based on at least one of the comparing the CBRC that has been incremented against the CBRC threshold and the comparing the DBRC that has been incremented against the DBRC threshold.
  - 7. The computer-implemented method of claim 2, further including:
    - determining, by the server, if the status code of the response message is a 2xx status code of interest;
      
      upon determining that the status code is the 2xx status code of interest, evaluating payload data of the response message; and
      
      determining, by the server, if the payload data matches a predetermined payload data pattern.
  - 8. The computer-implemented method of claim 7, further including:
    - upon determining that the payload data does not match the predetermined payload data pattern, resetting the CBRC to zero.
  - 9. The computer-implemented method of claim 7, further including:
    - upon determining that the payload data matches the predetermined payload data pattern, incrementing the CBRC and the DBRC;
      
      comparing, by the server, the CBRC that has been incremented against a CBRC threshold;
      
      comparing, by the server, the DBRC that has been incremented against a DBRC threshold; and
      
      performing, by the server, a mitigating action in connection with the source client based on at least one of the comparing the CBRC that has been incremented against the CBRC threshold and the comparing the DBRC that has been incremented against the DBRC threshold.
  - 10. The computer-implemented method of claim 1, wherein the response message is one of a hypertext transfer protocol (HTTP) message or a hypertext transfer protocol secure (HTTPS) message, and the response type is one of an HTTP status code or an HTTPS status code.
  - 21. The computer-implemented method of claim 2, wherein the plurality of counters further includes a rolling window counter (RWC) that is used to track a number of total requests received from the source IP address.

11. A computer-implemented method for mitigating a distributed denial of service (DDoS) attack, comprising:
- receiving, by a server, a response message from an application server;
  
  determining, from a request message corresponding to the response message, a source internet protocol (IP) address corresponding to a source client;
  
  locating, by the server, a plurality of counters corresponding to the source IP address, including a rolling window counter (RWC) that is used to track a number of total requests received from the source IP address, a discrete bad request counter (DBRC) that is used to track a number of bad requests received from the source IP address, and a consecutive bad request counter (CBRC) that is used to track a number of consecutive bad requests received from the source IP address;
  
  identifying, by the server, a response type of the response message;
  
  determining, by the server, if the response message corresponds to a malicious request based on the response type and the source IP address; and
  
  causing a value of at least one of the plurality of counters to change based on the determining if the response message corresponds to the malicious request.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computer-implemented method of claim 11, wherein the response type is a status code, further including:
    - determining, by the server, if the status code of the response message is a status code of interest; and
      
      upon determining that the status code is not a status code of interest, resetting the CBRC to zero.
  - 13. The computer-implemented method of claim 12, wherein determining if the status code of the response message is the status code of interest, further includes:
    - determining, by the server, if the status code of the response message is one of a 4xx status code of interest, a 3xx status code of interest, or a 2xx status code of interest.
  - 14. The computer-implemented method of claim 13, further including:
    - upon determining that the status code is the 4xx status code of interest, incrementing the CBRC and the DBRC;
      
      comparing, by the server, the CBRC that has been incremented against a CBRC threshold;
      
      comparing, by the server, the DBRC that has been incremented against a DBRC threshold; and
      
      performing, by the server, a mitigating action in connection with the source client based on at least one of the comparing the CBRC that has been incremented against the CBRC threshold and the comparing the DBRC that has been incremented against the DBRC threshold.
  - 15. The computer-implemented method of claim 13, further including:
    - upon determining that the status code is the 3xx status code of interest, evaluating header data of the response message;
      
      determining, by the server, if a location data in the header data matches a predetermined location pattern;
      
      upon determining that the location data matches the predetermined location pattern, incrementing the CBRC and the DBRC;
      
      comparing, by the server, the CBRC that has been incremented against a CBRC threshold;
      
      comparing, by the server, the DBRC that has been incremented against a DBRC threshold; and
      
      performing, by the server, a mitigating action in connection with the source client based on at least one of the comparing the CBRC that has been incremented against the CBRC threshold and the comparing the DBRC that has been incremented against the DBRC threshold.
  - 16. The computer-implemented method of claim 13, further including:
    - upon determining that the status code is the 2xx status code of interest, evaluating payload data of the response message;
      
      determining, by the server, if the payload data matches a predetermined payload data pattern;
      
      upon determining that the payload data matches the predetermined payload data pattern, incrementing the CBRC and the DBRC;
      
      comparing, by the server, the CBRC that has been incremented against a CBRC threshold;
      
      comparing, by the server, the DBRC that has been incremented against a DBRC threshold; and
      
      performing, by the server, a mitigating action in connection with the source client based on at least one of the comparing the CBRC that has been incremented against the CBRC threshold and the comparing the DBRC that has been incremented against the DBRC threshold.
  - 17. The computer-implemented method of claim 11, wherein the response message is one of a hypertext transfer protocol (HTTP) message or a hypertext transfer protocol secure (HTTPS) message, and the status code is one of an HTTP status code or an HTTPS status code.

18. A computer-implemented method for mitigating a distributed denial of service (DDoS) attack, comprising:
- receiving, by a server, a response message corresponding to a source client, wherein the response message is one of a hypertext transfer protocol (HTTP) message or a hypertext transfer protocol secure (HTTPS) message;
  
  determining, from a request message corresponding to the response message, a source internet protocol (IP) address corresponding to the source client;
  
  locating, by the server, a plurality of counters corresponding to the source IP address, the plurality of counters including a discrete bad request counter (DBRC) that is used to track a number of bad requests received from the source IP address, and a consecutive bad request counter (CBRC) that is used to track a number of consecutive bad requests received from the source IP address;
  
  identifying, by the server, a status of the response message;
  
  determining, by the server, if the response message corresponds to a malicious request based on the status of the response message and the source IP address;
  
  causing a value of at least one of the plurality of counters to change based on the determining if the response message corresponds to the malicious request; and
  
  performing a mitigating action in connection with the source IP address based on the determining if the response message corresponds to the malicious request and at least one of a value of the DBRC and a value of the CBRC.
- View Dependent Claims (19, 20)
- - 19. The computer-implemented method of claim 18, wherein the status is one of an HTTP status code or an HTTPS status code, further including:
    - determining, by the server, if the status code of the response message is one of a 4xx status code of interest, a 3xx status code of interest, or a 2xx status code of interest; and
      
      upon determining that the status code is not a status code of interest, resetting the CBRC to zero.
  - 20. The computer-implemented method of claim 19, further including:
    - upon determining that the status code is the 4xx status code of interest;
      
      incrementing the CBRC and the DBRC;
      
      upon determining that the status code is the 3xx status code of interest;
      
      evaluating header data of the response message,determining, by the server, if a location data in the header data matches a predetermined location pattern, andincrementing the CBRC and the DBRC when the location data matches the predetermined location pattern;
      
      upon determining that the status code is the 2xx status code of interest;
      
      evaluating payload data of the response message,determining, by the server, if the payload data matches a predetermined payload data pattern, andincrementing the CBRC and the DBRC when the payload data matches the predetermined payload data pattern;
      
      comparing, by the server, the CBRC that has been incremented against a CBRC threshold;
      
      comparing, by the server, the DBRC that has been incremented against a DBRC threshold; and
      
      adding, by the server, the source IP address corresponding to the source client to a blacklist based on at least one of the comparing the CBRC that has been incremented against the CBRC threshold and the comparing the DBRC that has been incremented against the DBRC threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Zhao, Yujie, Bhogavilli, Suresh, Guimaraes, Roberto
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Nipa, Wasika

Application Number

US13/688,069
Publication Number

US 20140150095A1
Time in Patent Office

692 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/1458   Denial of Service

H04L 9/40   Network security protocols

Systems and methods to detect and respond to distributed denial of service (DDoS) attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods to detect and respond to distributed denial of service (DDoS) attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links