Protecting against denial of service attacks using guard tables

US 8,887,249 B1
Filed: 05/28/2008
Issued: 11/11/2014
Est. Priority Date: 05/28/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method comprising:

receiving a login request at a first processing node, the login request is for network resources located on a server external from the first processing node, the first processing node comprises an intermediate device between a user associated with the login request and the network resources that is part of a distributed network security system from the user and the external network resources, wherein the login request comprises addressing information for the external network resources, wherein the first processing node is external from the user associated with the login request and is configured to perform login processing ensuring proper user credentials, virus scanning and traffic monitoring;

deriving a login key from the login request;

hashing the login key with a hash function, wherein the output of the hash function is a candidate bit position;

determining a value at the candidate bit position in a guard table in a first stage of an information look up procedure by the first processing node;

in a second stage of the information look up procedure, querying user credential data to authenticate the login request for the network resources only if the value at the candidate bit position in the guard table indicates that the login request corresponds to information included in the user credential data thereby reducing failure queries to the network resources, wherein the second stage is performed by the server with the network resources;

receiving new user credential information for a new user by the first processing node;

deriving a new credential key from the new user credential information by the first processing node;

hashing the new credential key with the hashing function by the first processing node, wherein the output of the hashing function is a new credential bit position;

setting a bit at the new credential bit position in the guard table to generate an updated guard table by the first processing node;

sending the updated guard table to a central authority server by the first processing node;

receiving the updated guard table by the central authority server;

sending the updated guard table to a second processing node by the central authority server; and

storing the updated guard table by the second processing node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Guard tables including absence information are used in a security system to protect a network service from a denial of service attack. A login key corresponding to a login request is hashed and the output of the hash is a bit position in a guard table. The bit value at the bit position in the guard table can be checked to determine if login information corresponding to the key is present. Further processing of the login request can be based on the indicated presence or absence of the information.

Citations

29 Claims

1. A computer implemented method comprising:
- receiving a login request at a first processing node, the login request is for network resources located on a server external from the first processing node, the first processing node comprises an intermediate device between a user associated with the login request and the network resources that is part of a distributed network security system from the user and the external network resources, wherein the login request comprises addressing information for the external network resources, wherein the first processing node is external from the user associated with the login request and is configured to perform login processing ensuring proper user credentials, virus scanning and traffic monitoring;
  
  deriving a login key from the login request;
  
  hashing the login key with a hash function, wherein the output of the hash function is a candidate bit position;
  
  determining a value at the candidate bit position in a guard table in a first stage of an information look up procedure by the first processing node;
  
  in a second stage of the information look up procedure, querying user credential data to authenticate the login request for the network resources only if the value at the candidate bit position in the guard table indicates that the login request corresponds to information included in the user credential data thereby reducing failure queries to the network resources, wherein the second stage is performed by the server with the network resources;
  
  receiving new user credential information for a new user by the first processing node;
  
  deriving a new credential key from the new user credential information by the first processing node;
  
  hashing the new credential key with the hashing function by the first processing node, wherein the output of the hashing function is a new credential bit position;
  
  setting a bit at the new credential bit position in the guard table to generate an updated guard table by the first processing node;
  
  sending the updated guard table to a central authority server by the first processing node;
  
  receiving the updated guard table by the central authority server;
  
  sending the updated guard table to a second processing node by the central authority server; and
  
  storing the updated guard table by the second processing node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the login request comprises a user identifier and a password.
  - 3. The method of claim 2, wherein the login key is the user identifier.
  - 4. The method of claim 2, wherein the login key is a combination of the user identifier and the password.
  - 5. The method of claim 1, further comprising:
    - generating a guard table indicating the absence of information in the user credential data, the user credential data including a plurality of entries, wherein each entry includes a user identifier and associated password data, generating the guard table comprising;
      
      deriving a credential key from each entry;
      
      hashing the credential key with the hashing function, wherein the output of the hashing function is a credential bit position;
      
      setting a bit at the credential bit position in the guard table,storing the guard table at the processing node.
  - 6. The method of claim 5, further comprising:
    - sending the guard table to a plurality of processing nodes; and
      
      storing the guard table at the plurality of processing nodes.
  - 7. The method of claim 1, further comprising:
    - recording an internet protocol address that sends a threshold of login requests for which a value at the candidate bit position in the guard table indicates that the login requests do not correspond to information included in the user credential data.
  - 8. The method of claim 7, further comprising:
    - ignoring login requests from the recorded internet protocol address.
  - 9. The method of claim 7, wherein the threshold is a rate of login requests.
  - 10. The method of claim 7, wherein the threshold is a number of login requests.
  - 11. The method of claim 7, further comprising:
    - sending the recorded internet protocol address to a central authority server.
  - 12. The method of claim 11, further comprising:
    - sending the recorded internet protocol address from the central authority server to a plurality of processing nodes;
      
      receiving the recorded internet protocol address at the plurality of processing nodes;
      
      ignoring, at the plurality of processing nodes, login requests from the recorded internet protocol address.
  - 13. The method of claim 1, further comprising:
    - receiving new user credential information for a new user;
      
      deriving a new credential key from the new user credential information;
      
      hashing the new credential key with a hashing function, wherein the output of the hashing function is a new credential bit position;
      
      setting a bit at the new credential bit position in the guard table to generate an updated guard table.
  - 14. The method of claim 13, further comprising:
    - sending the updated guard table to a central authority server;
      
      receiving the updated guard table at the central authority server;
      
      sending the updated guard table to a plurality of processing nodes;
      
      storing the updated guard table at the plurality of processing nodes.
  - 15. The method of claim 1, wherein the user credential information is stored in disk based memory.

16. A system comprising:
- a central authority server configured to communicate at least one security policy to a plurality of processing nodes; and
  
  a plurality of processing nodes comprising server computer devices and configured to;
  
  receive a login request for network resources located on a server external from the plurality of processing nodes, the plurality of processing nodes comprise intermediate devices between a user associated with the login request and the network resources that are part of a distributed network security system external from the user and the network resources, wherein the login request comprises addressing information for the network resources, wherein the first processing node is external from the user associated with the login request and is configured to perform login processing ensuring proper user credentials, virus scanning and traffic monitoring;
  
  derive a login key from the login request;
  
  hash the login key with a hash function, wherein the output of the hash function is a candidate bit position;
  
  determine a value at the candidate bit position in a guard table in a first stage of an information look up procedure; and
  
  in a second stage of the information look up procedure, send the login request to the network resources only if the value at the candidate bit position in the guard table indicates that the login request corresponds to information included in the user credential data thereby reducing failure queries to the external network resources, wherein the server with the network resources is configured to query user credential data to authorize the login request;
  
  wherein the first processing node is further configured to;
  
  receive new user credential information for a new user;
  
  derive a new credential key from the new user credential information;
  
  hash the new credential key with the hashing function, wherein the output of the hashing function is a new credential bit position; and
  
  set a bit at the new credential bit position in the guard table to generate an updated guard table;
  
  wherein the first processing node is further configured to send the updated guard table to a central authority server, and wherein the central authority server is configured to;
  
  receive the updated guard table; and
  
  send the updated guard table to a second processing node of the plurality of processing nodes; and
  
  wherein the second processing node is configured to store the updated guard table.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The system of claim 16, wherein:
    - the plurality of processing nodes include transistor-based random access memory and disk-based memory, and wherein the guard table is stored in the random access memory.
  - 18. The system of claim 17, wherein:
    - the user credential data is stored in the disk-based memory.
  - 19. The system of claim 18, wherein the user credential data comprises user credential data for a plurality of security system customers.
  - 20. The system of claim 19, wherein the login request includes a security system customer indication.
  - 21. The system of claim 16, wherein the login request comprises a user identifier and a password.
  - 22. The system of claim 21, wherein the login key is the user identifier.
  - 23. The system of claim 21, wherein the login key is a combination of the user identifier and the password.
  - 24. The system of claim 16, wherein a first processing node of the plurality of processing nodes is further configured to record an internet protocol address that sends a threshold of login requests for which a value at the candidate bit position in the guard table indicates that the login requests do not correspond to information included in the user credential data.
  - 25. The system of claim 24, wherein the first processing node is further configured to ignore login requests from the recorded internet protocol address.
  - 26. The system of claim 24, wherein the threshold is a rate of login requests.
  - 27. The system of claim 24, wherein the threshold is a number of login requests.
  - 28. The system of claim 24, wherein the first processing node is further configured to send the recorded internet protocol address to the central authority server.
  - 29. The system of claim 28, wherein the central authority server is configured to send the recorded internet protocol address a second processing node of the plurality of processing nodes, and wherein the second processing node is configured to:
    - receive the recorded internet protocol address; and
      
      ignore login requests from the recorded internet protocol address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Schekochikhin, Arcady V., Devarajan, Srikanth, Paul, Narinder, Kailash, Kailash
Primary Examiner(s)
Holder, Bradley
Assistant Examiner(s)
TURCHEN, JAMES R

Application Number

US12/128,481
Time in Patent Office

2,358 Days
Field of Search

726/5
US Class Current

726/5
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

Protecting against denial of service attacks using guard tables

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting against denial of service attacks using guard tables

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links