Application rate limiting without overhead
First Claim
1. A system for managing application service requests, comprising:
a memory;
a first processor;
a second processor;
an operating system that receives a total number of service requests within a predefined time interval, wherein the total number of service requests comprises a plurality of Internet protocol addresses, copies the total number of service requests from a network capturing tool to the memory, and derives a subset of service requests from the total number of service requests by purging service requests among the total number of service requests that comprise a black listed Internet protocol address;
a domain name service server application stored in the memory that, when executed by the first processor, receives the subset of service requests from the operating system, and processes the subset of service requests; and
a service request monitor application stored in the memory of the system that, when executed by the second processor,
reads the total number of service requests from the memory,
counts the total number of service requests,
determines a rate of the total number of service requests associated with the plurality of Internet protocol addresses based on the counts,
determines when the rate of the total number of service requests associated with the plurality of Internet protocol addresses exceeds a first threshold, wherein a rate of at least 5,000 is the first threshold for the total number of service requests associated with the plurality of Internet protocol addresses over a five minute interval,
responsive to the rate of the total number of service requests associated with the plurality of Internet protocol addresses exceeding the first threshold, analyzes a rate of service requests associated with each Internet protocol address of the plurality of Internet protocol addresses,
determines when the rate of service requests associated with an Internet protocol address of the plurality of Internet protocol addresses exceeds a second threshold, and
sends a message to the operating system to black list the Internet protocol address responsive to the rate of service requests associated with the Internet protocol address exceeding the second threshold,
whereby the service request monitor application limits the rate of service requests associated with a single Internet protocol address.
Abstract
A system for managing application service requests. The system processes requests using a first processor, stores a record of the requests in memory using a second processor, and counts the total number of requests received over a time interval using the second processor. If the total number of requests is less than a first threshold, the stored records are dropped. Otherwise, the stored records are analyzed to determine whether requests from a single source Internet protocol address exceed a second threshold. If the number of requests from a single source Internet protocol address exceeds the second threshold, that Internet protocol address is blacklisted at a firewall through which the service requests pass before reaching the first processor. The requests are visible to the second processor before they are processed by the firewall.
18 Claims
1. (Independent claim 1, reproduced in full under First Claim above. Dependent claims 2, 3, 4 and 5 depend from it.)
6. A method of managing application service requests, comprising:
receiving a plurality of application service requests, wherein the plurality of application service requests comprises a plurality of Internet protocol addresses of a plurality of remote hosts;
copying the plurality of application service requests to a memory;
purging, by a firewall application, application service requests among the plurality of application service requests comprising an Internet protocol address that is black listed by the firewall application;
processing, by a processor of a server computer, the application service requests that were not purged by the firewall application;
counting, by a service request monitor application executed by a processor of a server computer, the total number of application service requests copied to the memory;
determining a total number of the total number of application service requests associated with the plurality of Internet protocol addresses received in a predefined time interval;
determining when the total number of the total number of application service requests associated with the plurality of Internet protocol addresses exceeds a first threshold, wherein a rate of at least 5,000 is the first threshold for the total number of application service requests associated with the plurality of Internet protocol addresses over a five minute interval;
responsive to the total number of the plurality of application service requests associated with the plurality of Internet protocol addresses exceeding the first threshold, determining a rate of application service requests associated with each Internet protocol address of the plurality of Internet protocol addresses;
determining when the rate of application service requests associated with an Internet protocol address of the plurality of Internet protocol addresses exceeds a second threshold, wherein at least 300 is the second threshold for the rate of application service requests associated with the Internet protocol address per second; and
taking proactive action responsive to the rate of application service requests associated with the Internet protocol address exceeding the second threshold, whereby the rate of service requests of remote hosts is limited.
(Dependent claims: 7, 8, 9, 10, 11)
12. A method of parrying a domain name service amplification denial of service attack, comprising:
receiving a plurality of domain name service requests, wherein the plurality of domain name service requests comprises a plurality of Internet protocol addresses of a plurality of remote hosts;
copying the plurality of domain name service requests to a memory;
purging, by a firewall application, domain name service requests among the plurality of domain name service requests comprising an Internet protocol address that is black listed by the firewall application;
processing, by a processor of a server computer, the domain name service requests that were not purged by the firewall application;
counting, by a service request monitor application executed by a processor of a server computer, the plurality of domain name service requests;
determining a total number of the plurality of domain name service requests associated with the plurality of Internet protocol addresses received in a predefined time interval;
determining when the total number of the plurality of domain name service requests associated with the plurality of Internet protocol addresses exceeds a first threshold, wherein a rate of at least 5,000 is the first threshold for the total number of the plurality of domain name service requests associated with the plurality of Internet protocol addresses over a five minute interval;
responsive to the total number of the plurality of domain name service requests associated with the plurality of Internet protocol addresses exceeding the first threshold, determining a rate of domain name service requests associated with each Internet protocol address of the plurality of Internet protocol addresses;
determining when the rate of domain name service requests associated with an Internet protocol address of the plurality of Internet protocol addresses exceeds a second threshold, wherein at least 300 is the second threshold for the rate of domain name service requests associated with the Internet protocol address per second; and
sending a message to the firewall application to black list the Internet protocol address responsive to the rate of domain name service requests associated with the Internet protocol address exceeding the second threshold, whereby the rate of domain name service requests of remote hosts is limited.
(Dependent claims: 13, 14, 15, 16, 17, 18)
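The two-stage check that the abstract and independent claims 1, 6 and 12 describe, worked through as an added example in Python. This is not code from the patent or from its assignee. The thresholds are the ones the claims recite (a total of 5,000 requests over a five-minute interval switches on per-source analysis; 300 requests per second from one source gets that source blacklisted); reading "exceeds a threshold of at least N" as count >= N is an assumption. The capture data is constructed, and the iptables command used to render the "message to the firewall application" is one possible firewall, not something the claims specify.

```python
"""Two-threshold request-rate monitor modelled on the claims above.

Stage 1 counts every captured request in a fixed window; only when the
window total reaches the first threshold does stage 2 compute per-source
rates and nominate sources for the firewall blacklist.  Added example, not
the patent's code; the capture data below is constructed.
"""
import ipaddress
from collections import Counter, defaultdict

WINDOW_SECONDS = 300    # the five-minute interval recited in the claims
FIRST_THRESHOLD = 5000  # total requests per window that switch on per-IP analysis
SECOND_THRESHOLD = 300  # requests per second from one source that get it blacklisted


def per_ip_peak_rates(requests):
    """Map each source IP to its busiest one-second count in the capture.

    `requests` is an iterable of (timestamp_seconds, source_ip) pairs, the
    shape a network capture tool would hand to the monitor.  Whole-second
    buckets match the "per second" rate the claims use.
    """
    buckets = defaultdict(Counter)  # ip -> Counter(second -> request count)
    for ts, ip in requests:
        buckets[ip][int(ts)] += 1
    return {ip: max(counts.values()) for ip, counts in buckets.items()}


def analyze_window(requests, first_threshold=FIRST_THRESHOLD,
                   second_threshold=SECOND_THRESHOLD):
    """Return (total, offenders) for one window of captured requests.

    Below the first threshold the records are dropped unexamined and
    offenders is empty: the per-source work only runs when aggregate load
    already looks abnormal, which is what keeps the monitor cheap.
    "Exceeds a threshold of at least N" is read here as count >= N
    (assumption).
    """
    requests = list(requests)
    total = len(requests)
    if total < first_threshold:
        return total, []
    peaks = per_ip_peak_rates(requests)
    offenders = sorted(ip for ip, peak in peaks.items() if peak >= second_threshold)
    return total, offenders


def firewall_blacklist_command(ip):
    """Render the "black list this IP" message as an iptables argv list.

    iptables is an assumption standing in for whatever firewall application
    receives the message.  The address came off the wire, so it is parsed
    before being used, and an argv list is returned so the caller can pass
    it to subprocess without a shell.
    """
    addr = ipaddress.ip_address(ip)  # ValueError on anything that is not an IP
    tool = "iptables" if addr.version == 4 else "ip6tables"
    return [tool, "-I", "INPUT", "-s", str(addr), "-p", "udp", "--dport", "53", "-j", "DROP"]


def _background_clients():
    """Constructed: 20 ordinary clients, one query every 3 s for the window."""
    return [(float(t), f"198.51.100.{host}")
            for host in range(1, 21) for t in range(0, WINDOW_SECONDS, 3)]


def build_flood_capture():
    """Constructed capture: background plus one source at 400 q/s for 15 s."""
    flood = [(t + i / 400.0, "203.0.113.7")
             for t in range(100, 115) for i in range(400)]
    return _background_clients() + flood


def build_quiet_capture():
    """Constructed capture: background plus a single-second burst of 350 queries.

    The burst alone would trip the second threshold, but the window total
    stays under the first threshold, so it is never examined.
    """
    burst = [(50.0 + i / 350.0, "192.0.2.9") for i in range(350)]
    return _background_clients() + burst


if __name__ == "__main__":
    for name, capture in (("flood", build_flood_capture()),
                          ("quiet", build_quiet_capture())):
        total, offenders = analyze_window(capture)
        print(f"{name}: {total} requests in {WINDOW_SECONDS} s, blacklist {offenders}")
        for ip in offenders:
            print("  ", " ".join(firewall_blacklist_command(ip)))
```

Two points a practitioner would check before deploying something like this. First, the source addresses come from packet capture and are attacker-controlled, so they are parsed as IP addresses before being placed in a firewall command, and the command is built as an argv list rather than a shell string. Second, in a DNS amplification attack the source address on the request is the spoofed address of the victim, so the blacklist entry stops this server from reflecting traffic at the victim but also drops the victim's own legitimate queries to it; the entry therefore needs an expiry, which the independent claims reproduced here do not cover.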