DNS flood protection platform for a network

US 8,886,930 B1
Filed: 08/06/2012
Issued: 11/11/2014
Est. Priority Date: 01/22/2008
Status: Active Grant

First Claim

Patent Images

1. A network device for managing a resource record request over a network, comprising:

a memory arranged to store data and instructions; and

a processor arranged to enable actions embodied by at least a portion of the stored instructions, the actions comprising;

receiving, from a requestor, a resource record query to resolve a first resource record;

determining whether to perform a double-query challenge on the first resource record based on at least a load of the processor being above a threshold;

if the double-query challenge is performed;

determining a mapping of the first resource record to a second resource record that includes an embedded cookie within the second resource record, the cookie further includes a time to live (TTL) within which a response record query is to be received;

providing a response that includes the mapping to the second resource record without resolving the first resource record;

receiving the resource record query to resolve the second resource record; and

if the request to resolve the second resource record is valid based in part on evaluating an address associated with the requestor that is embedded in the second resource record with another address associated with a source of the query to resolve the second resource record, and further determining that the request is valid based on being received within the TTL, providing a resource record resolution response based on resolution of the first resource record; and

otherwise, providing a resolution response of the first resource record.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards providing protection to DNS servers against DNS flood attacks by causing a requesting device to perform multiple DNS lookup requests for resolving a resource record. A request from a network device for a resolution of a domain name may be received by a device interposed between the requesting network device and a DNS server. Upon receiving the request to resolve the domain name, the interposed device may respond with a CNAME that includes a cookie. The requesting device may then send another request that includes the cookie preceded CNAME. The interposed device may then validate the returned cookie returned in the CNAME and if valid, forward the domain name resolution request on to a DNS server. The response may then be forwarded to the requesting device.

Citations

15 Claims

1. A network device for managing a resource record request over a network, comprising:
- a memory arranged to store data and instructions; and
  
  a processor arranged to enable actions embodied by at least a portion of the stored instructions, the actions comprising;
  
  receiving, from a requestor, a resource record query to resolve a first resource record;
  
  determining whether to perform a double-query challenge on the first resource record based on at least a load of the processor being above a threshold;
  
  if the double-query challenge is performed;
  
  determining a mapping of the first resource record to a second resource record that includes an embedded cookie within the second resource record, the cookie further includes a time to live (TTL) within which a response record query is to be received;
  
  providing a response that includes the mapping to the second resource record without resolving the first resource record;
  
  receiving the resource record query to resolve the second resource record; and
  
  if the request to resolve the second resource record is valid based in part on evaluating an address associated with the requestor that is embedded in the second resource record with another address associated with a source of the query to resolve the second resource record, and further determining that the request is valid based on being received within the TTL, providing a resource record resolution response based on resolution of the first resource record; and
  
  otherwise, providing a resolution response of the first resource record.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The network device of claim 1, wherein providing the response that includes the mapping further comprises, providing the response using a canonical name (CNAME) record mapping the first resource record to the second resource record.
  - 3. The network device of claim 1, wherein providing a resource record resolution response further comprises:
    - sending a request to a domain name system (DNS) server to resolve the first resource record query;
      
      receiving from the DNS server in response, a resource record response associated with the first resource record request;
      
      mapping the resource record into a response for the second resource record resolution; and
      
      providing the mapped resource record response to the requester.
  - 4. The network device of claim 1, wherein the second resource response to the query includes at least one of a random value, or a sub-domain name.
  - 5. The network device of claim 1, wherein the resource record query is to resolve a domain name associated with the first resource record.

6. A physical apparatus having machine-executable instructions stored thereon, which when executed by at least one processor within a network device, causes the at least one processor to perform actions, comprising:
- receiving, from a requestor, a resource record query to resolve a first resource record;
  
  determining whether to perform a double-query challenge on the first resource record based on at least a load of the at least one processor being above a threshold;
  
  if the double-query challenge is performed;
  
  determining a mapping of the first resource record to a second resource record;
  
  providing a response that includes a mapping to the second resource record without resolving the first resource record, wherein the second resource record includes an embedded cookie within the second resource record, the cookie further includes a time to live (TTL) within which a response record query is to be received;
  
  receiving the resource record query to resolve the second resource record; and
  
  if the request to resolve the second resource record is valid based in part on evaluating an address associated with the requestor that is embedded in the second resource record with another address associated with a source of the query to resolve the second resource record, and further determining that the request is valid based on being received within the TTL, providing a resource record resolution response based on resolution of the first resource record,otherwise, providing a resolution response of the first resource record; and
  
  wherein the actions above are performed by the at least one processor operating within the network device.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The apparatus of claim 6, wherein providing the response that includes the mapping results in providing at least a three-query challenge to the resolution of the first resource record.
  - 8. The apparatus of claim 6, wherein the mapping includes a canonical name (CNAME) record with the mapping based in part on a random value.
  - 9. The apparatus of claim 6, wherein at least a part of the second resource record is encrypted.
  - 10. The apparatus of claim 6, wherein the second resource record includes the cookie that includes at least one of a random value, an encrypted value, or a sub-domain name.
  - 11. The apparatus of claim 6, wherein providing a resource record resolution response further comprises:
    - sending a request to a domain name system (DNS) server to resolve the first resource record query;
      
      receiving from the DNS server in response, a resource record response associated with the first resource record request;
      
      mapping the resource record into a response for the second resource record resolution; and
      
      providing the mapped resource record response to the requestor.

12. A system, comprising:
- a domain name system server configured to enable resolution of records; and
  
  a network device having a processor that performs actions, including;
  
  receiving, from a requestor, a resource record query to resolve a first resource record;
  
  determining whether to perform a double-query challenge on the first resource record based on at least a load of the processor being above a threshold;
  
  if the double-query challenge is performed;
  
  determining a mapping of the first resource record to a second resource record, wherein the first resource record and the second resource record are at a same protocol layer, wherein the second resource record includes an embedded cookie within the second resource record, the cookie further includes a time to live (TTL) within which a response record query is to be received;
  
  providing a response that includes the mapping to the second resource record;
  
  receiving the resource record query to resolve the second resource record; and
  
  if the request to resolve the second resource record is valid based in part on evaluating an address associated with the requestor that is embedded in the second resource record with another address associated with a source of the query to resolve the second resource record, and further determining that the request is valid based on being received within the TTL, providing a resource record resolution response based on resolution of the first resource record; and
  
  otherwise, providing a resolution response of the first resource record.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein providing the response that includes the mapping further comprises, providing the response using a canonical name (CNAME) record mapping the first resource record to the second resource record.
  - 14. The system of claim 12, wherein the second resource response to the query includes at least one of a random value, or a sub-domain name.
  - 15. The system of claim 12, wherein providing the response that includes the mapping results in providing at least a three-query challenge to the resolution of the first resource record.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Thornewell, Peter M., Golden, Lisa M.
Primary Examiner(s)
MOORTHY, ARAVIND K

Application Number

US13/567,938
Time in Patent Office

827 Days
Field of Search

726/23, 726/5, 726/27, 713/162, 713/165, 713/168, 713/170, 709/225, 709/245
US Class Current

713/162
CPC Class Codes

H04L 61/4511 using domain name system [DNS]

H04L 63/1458 Denial of Service

DNS flood protection platform for a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

DNS flood protection platform for a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links