Systems and methods to detect and respond to distributed denial of service (DDoS) attacks
First Claim

1. A computer-implemented method for mitigating a distributed denial of service (DDoS) attack, comprising:
- receiving, by a server, a response message from an application server;
- determining a source internet protocol (IP) address corresponding to a source client based on a request message received from the source client, wherein the request message received from the source client corresponds to the response message received from the application server;
- identifying, by the server, a plurality of counters corresponding to the source IP address, wherein the plurality of counters includes a consecutive bad request counter (CBRC) that is used to track a number of consecutive bad requests received from the source IP address;
- identifying, by the server, a response type of the response message; and
- causing a value of at least one of the plurality of counters to change based on the response message and the response type.
Abstract
Embodiments relate to systems, devices, and computer-implemented methods for mitigating Distributed Denial of Service (“DDoS”) attacks. The method can include receiving, by a server, a response message from an application server. The method can further include determining a source internet protocol (IP) address associated with the source client based on a request message received from a source client. The request message received from the source client corresponds to the response message received from the application server. In addition, the method can include identifying, by the server, a plurality of counters associated with the source IP address, and identifying, by the server, a response type of the response message. Further, the method can include causing a value of at least one of the plurality of counters to change based on the response message and the response type.
21 Claims
1. A computer-implemented method for mitigating a distributed denial of service (DDoS) attack, comprising:
- receiving, by a server, a response message from an application server;
- determining a source internet protocol (IP) address corresponding to a source client based on a request message received from the source client, wherein the request message received from the source client corresponds to the response message received from the application server;
- identifying, by the server, a plurality of counters corresponding to the source IP address, wherein the plurality of counters includes a consecutive bad request counter (CBRC) that is used to track a number of consecutive bad requests received from the source IP address;
- identifying, by the server, a response type of the response message; and
- causing a value of at least one of the plurality of counters to change based on the response message and the response type.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 21

11. A computer-implemented method for mitigating a distributed denial of service (DDoS) attack, comprising:
- receiving, by a server, a response message from an application server;
- determining, from a request message corresponding to the response message, a source internet protocol (IP) address corresponding to a source client;
- locating, by the server, a plurality of counters corresponding to the source IP address, including a rolling window counter (RWC) that is used to track a number of total requests received from the source IP address, a discrete bad request counter (DBRC) that is used to track a number of bad requests received from the source IP address, and a consecutive bad request counter (CBRC) that is used to track a number of consecutive bad requests received from the source IP address;
- identifying, by the server, a response type of the response message;
- determining, by the server, if the response message corresponds to a malicious request based on the response type and the source IP address; and
- causing a value of at least one of the plurality of counters to change based on the determining if the response message corresponds to the malicious request.

Dependent claims: 12, 13, 14, 15, 16, 17

18. A computer-implemented method for mitigating a distributed denial of service (DDoS) attack, comprising:
- receiving, by a server, a response message corresponding to a source client, wherein the response message is one of a hypertext transfer protocol (HTTP) message or a hypertext transfer protocol secure (HTTPS) message;
- determining, from a request message corresponding to the response message, a source internet protocol (IP) address corresponding to the source client;
- locating, by the server, a plurality of counters corresponding to the source IP address, the plurality of counters including a discrete bad request counter (DBRC) that is used to track a number of bad requests received from the source IP address, and a consecutive bad request counter (CBRC) that is used to track a number of consecutive bad requests received from the source IP address;
- identifying, by the server, a status of the response message;
- determining, by the server, if the response message corresponds to a malicious request based on the status of the response message and the source IP address;
- causing a value of at least one of the plurality of counters to change based on the determining if the response message corresponds to the malicious request; and
- performing a mitigating action in connection with the source IP address based on the determining if the response message corresponds to the malicious request and at least one of a value of the DBRC and a value of the CBRC.

Dependent claims: 19, 20
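The counter scheme claimed in claims 11 and 18 (RWC, DBRC and CBRC per source IP, updated from the application server's response status, with a mitigating action driven by the DBRC and CBRC), shown as an added Python example that is not the patent's own code. The window length, the set of statuses treated as "bad", the thresholds, and the rule for combining the counters are constructed assumptions; the patent does not specify them.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed thresholds (assumptions for this example, not values from the patent).
WINDOW_SECONDS = 60             # age limit for entries counted by the RWC/DBRC
BAD_STATUSES = range(400, 500)  # response statuses that mark a request as "bad"
CBRC_LIMIT = 5                  # consecutive bad requests that trigger mitigation
MIN_REQUESTS = 10               # RWC floor before the DBRC/RWC ratio is considered
BAD_RATIO = 0.5                 # DBRC / RWC ratio that triggers mitigation

@dataclass
class SourceCounters:
    events: deque = field(default_factory=deque)  # (timestamp, is_bad) per request
    cbrc: int = 0                                  # consecutive bad request counter

    def trim(self, now):
        # Drop entries that have aged out of the rolling window.
        while self.events and now - self.events[0][0] > WINDOW_SECONDS:
            self.events.popleft()

    def rwc(self):   # rolling window counter: total requests in the window
        return len(self.events)

    def dbrc(self):  # discrete bad request counter: bad requests in the window
        return sum(1 for _, bad in self.events if bad)

class ResponseTracker:
    """Server-side tracker that updates per-source-IP counters from responses."""
    def __init__(self):
        self.sources = defaultdict(SourceCounters)
        self.blocked = set()

    def observe(self, src_ip, status, now):
        """Account one (request, response) pair; return the verdict for src_ip."""
        c = self.sources[src_ip]
        c.trim(now)
        is_bad = status in BAD_STATUSES
        c.events.append((now, is_bad))
        c.cbrc = c.cbrc + 1 if is_bad else 0   # a good response resets the CBRC
        ratio_hit = c.rwc() >= MIN_REQUESTS and c.dbrc() / c.rwc() >= BAD_RATIO
        if c.cbrc >= CBRC_LIMIT or ratio_hit:
            self.blocked.add(src_ip)           # mitigating action: block the source IP
        return "block" if src_ip in self.blocked else "allow"

def run_sample():
    """Constructed traffic: one client drawing repeated 404s, one well-behaved client."""
    tracker = ResponseTracker()
    scanner = [tracker.observe("203.0.113.7", 404, now=i) for i in range(6)]
    normal = [tracker.observe("198.51.100.2", s, now=i) for i, s in enumerate([200, 404, 200, 304])]
    return scanner, normal, tracker

if __name__ == "__main__":
    print(run_sample()[:2])
```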