Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates

US 9,313,205 B2
Filed: 04/24/2012
Issued: 04/12/2016
Est. Priority Date: 04/24/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method executed by one or more processors, the method comprising:

receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding address;

determining that secure requests from the client directed to the domain name cannot be distinguished by the domain name server from secure requests from the client directed to at least one other domain name based on the corresponding address being shared between the domain name and the at least one other domain name;

in response to receiving the request to resolve the domain name and in response to determining that secure requests from the client directed to the domain name cannot be distinguished, associating, by the domain name server, a spoofed address with the domain name, wherein the spoofed address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed address is different than the corresponding address;

in response to associating the spoofed address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name, the response including the spoofed address;

receiving, at the particular server, a secure request for a resource, the secure request directed to the spoofed address;

determining, by the particular server, that the secure request is directed to the domain name based on the association between the spoofed address and the domain name, wherein the determination is made without decrypting the secure request; and

selectively allowing the secure request based at least in part on determining that the secure request is directed to the domain name.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus prevents communication by a client device to a domain that cannot be uniquely identified by relocating the DNS mapping of the domain to a destination IP Address that is uniquely identifiable and that represents a location of an apparatus that provides a data path to the domain.

Citations

21 Claims

1. A computer-implemented method executed by one or more processors, the method comprising:
- receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding address;
  
  determining that secure requests from the client directed to the domain name cannot be distinguished by the domain name server from secure requests from the client directed to at least one other domain name based on the corresponding address being shared between the domain name and the at least one other domain name;
  
  in response to receiving the request to resolve the domain name and in response to determining that secure requests from the client directed to the domain name cannot be distinguished, associating, by the domain name server, a spoofed address with the domain name, wherein the spoofed address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed address is different than the corresponding address;
  
  in response to associating the spoofed address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name, the response including the spoofed address;
  
  receiving, at the particular server, a secure request for a resource, the secure request directed to the spoofed address;
  
  determining, by the particular server, that the secure request is directed to the domain name based on the association between the spoofed address and the domain name, wherein the determination is made without decrypting the secure request; and
  
  selectively allowing the secure request based at least in part on determining that the secure request is directed to the domain name.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein:
    - the spoofed address includes an internet protocol (IP) address,receiving the request to resolve the domain name includes receiving a Domain Name System (DNS) request, andsending the response to the request to resolve the domain name includes sending a DNS response.
  - 3. The method of claim 1, wherein the domain name is a first domain name, the method further comprising:
    - receiving a request to resolve a second domain name different than the first domain name;
      
      determining that secure requests from the client directed to the second domain name can be distinguished by the domain name server; and
      
      sending a response to the request to resolve the second domain name, the response including an address associated with the second domain name.
  - 4. The method of claim 1, further comprising:
    - receiving a second request to resolve the domain name;
      
      determining that the domain name is associated with the spoofed address; and
      
      sending a response to the second request to resolve the domain name, the response including the spoofed address.
  - 5. The method of claim 1, wherein the spoofed address includes an internet protocol (IP) address and an IP port.
  - 6. The method of claim 1, wherein selectively allowing the secure request includes:
    - determining that the secure request should be blocked based at least in part on a rule associated with the domain name; and
      
      blocking the secure request.
  - 7. The method of claim 1, wherein selectively allowing the secure request includes:
    - determining that the secure request should not be blocked based at least in part on a rule associated with the domain name; and
      
      forwarding the secure request to an address associated with the domain name and different than the spoofed address.
  - 8. The method of claim 1, wherein receiving the secure request for the resource includes receiving a request according to Hypertext Transfer Protocol Secure (HTTPS).
  - 9. The method of claim 1, wherein determining that secure requests directed to the domain name cannot be distinguished from secure requests directed to at least one other domain name includes determining that the domain name is included in a predetermined set of remapped domain names.

10. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one processor to perform operations comprising:
- receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding address;
  
  determining that secure requests from the client directed to the domain name cannot be distinguished by the domain name server from secure requests from the client directed to at least one other domain name based on the corresponding address being shared between the domain name and the at least one other domain name;
  
  in response to receiving the request to resolve the domain name and in response to determining that secure requests from the client directed to the domain name cannot be distinguished, associating, by the domain name server, a spoofed address with the domain name, wherein the spoofed address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed address is different than the corresponding address;
  
  in response to associating the spoofed address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name, the response including the spoofed address;
  
  receiving, at the particular server, a secure request for a resource, the secure request directed to the spoofed address;
  
  determining, by the particular server, that the secure request is directed to the domain name based on the association between the spoofed address and the domain name, wherein the determination is made without decrypting the secure request; and
  
  selectively allowing the secure request based at least in part on determining that the secure request is directed to the domain name.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The computer-readable medium of claim 10, wherein:
    - the spoofed address includes an internet protocol (IP) address,receiving the request to resolve the domain name includes receiving a Domain Name System (DNS) request, andsending the response to the request to resolve the domain name includes sending a DNS response.
  - 12. The computer-readable medium of claim 10, wherein the domain name is a first domain name, the operations further comprising:
    - receiving a request to resolve a second domain name different than the first domain name;
      
      determining that secure requests from the client directed to the second domain name can be distinguished by the domain name server; and
      
      sending a response to the request to resolve the second domain name, the response including an address associated with the second domain name.
  - 13. The computer-readable medium of claim 10, the operations further comprising:
    - receiving a second request to resolve the domain name;
      
      determining that the domain name is associated with the spoofed address; and
      
      sending a response to the second request to resolve the domain name, the response including the spoofed address.
  - 14. The computer-readable medium of claim 10, wherein the spoofed address includes an internet protocol (IP) address and an IP port.
  - 15. The computer-readable medium of claim 10, wherein selectively allowing the secure request includes:
    - determining that the secure request should be blocked based at least in part on a rule associated with the domain name; and
      
      blocking the secure request.
  - 16. The computer-readable medium of claim 10, wherein selectively allowing the secure request includes:
    - determining that the secure request should not be blocked based at least in part on a rule associated with the domain name; and
      
      forwarding the secure request to an address associated with the domain name and different than the spoofed address.
  - 17. The computer-readable medium of claim 10, wherein receiving the secure request for the resource includes receiving a request according to Hypertext Transfer Protocol Secure (HTTPS).

18. A system comprising:
- memory for storing data; and
  
  one or more processors operable to perform operations comprising;
  
  receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding address;
  
  determining that secure requests from the client directed to the domain name cannot be distinguished by the domain name server from secure requests from the client directed to at least one other domain name based on the corresponding address being shared between the domain name and the at least one other domain name;
  
  in response to receiving the request to resolve the domain name and in response to determining that secure requests from the client directed to the domain name cannot be distinguished, associating, by the domain name server, a spoofed address with the domain name, wherein the spoofed address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed address is different than the corresponding address;
  
  in response to associating the spoofed address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name, the response including the spoofed address;
  
  receiving, at the particular server, a secure request for a resource, the secure request directed to the spoofed address;
  
  determining, by the particular server, that the secure request is directed to the domain name based on the association between the spoofed address and the domain name, wherein the determination is made without decrypting the secure request; and
  
  selectively allowing the secure request based at least in part on determining that the secure request is directed to the domain name.
- View Dependent Claims (19, 20, 21)
- - 19. The system of claim 18, wherein:
    - the spoofed address includes an internet protocol (IP) address,receiving the request to resolve the domain name includes receiving a Domain Name System (DNS) request, andsending the response to the request to resolve the domain name includes sending a DNS response.
  - 20. The system of claim 18, wherein the domain name is a first domain name, the operations further comprising:
    - receiving a request to resolve a second domain name different than the first domain name;
      
      determining that secure requests from the client directed to the second domain name can be distinguished by the domain name server; and
      
      sending a response to the request to resolve the second domain name, the response including an address associated with the second domain name.
  - 21. The system of claim 18, the operations further comprising:
    - receiving a second request to resolve the domain name;
      
      determining that the domain name is associated with the spoofed address; and
      
      sending a response to the second request to resolve the domain name, the response including the spoofed address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
iBoss
Original Assignee
iBoss
Inventors
Martini, Paul Michael
Primary Examiner(s)
SHAW, BRIAN F

Application Number

US13/455,116
Publication Number

US 20130283385A1
Time in Patent Office

1,449 Days
Field of Search

726/26, 709/225
US Class Current

1/1
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/166   at the transport layer

H04L 67/02   based on web technology, e....

Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links