Server with mechanism for changing treatment of client connections determined to be related to attacks
Abstract
According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended with a mechanism for identifying connections with clients that have exhibited attack characteristics (for example, characteristics indicating a DoS attack), and for transitioning internal ownership of those connections such that server resources consumed by the connection are reduced, while keeping the connection open. The connection thus moves from a state of relatively high resource use to a state of relatively low server resource use. According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended by enabling the server to determine that any of a client and a connection exhibits one or more attack characteristics (e.g., based on at least one of client attributes, connection attributes, and client behavior during the connection, or otherwise). As a result of the determination, the server changes its treatment of the connection.
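The following is an added example, not code from the patent or its assignee: a small in-process model of the mechanism the abstract describes. A server tracks per-connection state, decides from client attributes (a constructed reputation list), connection attributes (request rate) and client behaviour (a connection held open with no completed request) whether attack characteristics are present, and on a positive determination hands the still-open connection from the full HTTP handler (the "first program") to a lightweight responder (the "second program") that sends a transport-layer keepalive and minimal responses while reserving far less memory. All thresholds, addresses and per-handler resource figures are assumptions chosen for illustration.

```python
# Added example modelling the connection-handoff mechanism; not the patent's implementation.
from collections import deque
from dataclasses import dataclass, field

RATE_WINDOW = 10.0               # seconds of request history examined (assumed)
RATE_LIMIT = 50                  # requests per window before the connection is flagged (assumed)
SLOW_AFTER = 30.0                # seconds open with no completed request before flagging (assumed)
FULL_HANDLER_BYTES = 64 * 1024   # buffer the full HTTP parser reserves per connection (assumed)
LIGHT_HANDLER_BYTES = 256        # buffer the lightweight responder reserves (assumed)
BAD_REPUTATION = {"203.0.113.7"} # constructed client attribute (documentation-range address)


@dataclass
class Connection:
    """State the server keeps for one open TCP connection."""
    client_ip: str
    opened_at: float
    owner: str = "http_server"           # the "first program" owns the connection initially
    buffer_bytes: int = FULL_HANDLER_BYTES
    request_times: deque = field(default_factory=deque)
    completed_requests: int = 0
    keepalives_sent: int = 0
    responses: list = field(default_factory=list)


def attack_characteristics(conn, now):
    """Reasons the client or connection looks attack-like; empty list means none."""
    reasons = []
    if conn.client_ip in BAD_REPUTATION:                       # client attribute
        reasons.append("client reputation")
    while conn.request_times and now - conn.request_times[0] > RATE_WINDOW:
        conn.request_times.popleft()                           # drop requests outside the window
    if len(conn.request_times) > RATE_LIMIT:                   # connection attribute
        reasons.append("request rate")
    if conn.completed_requests == 0 and now - conn.opened_at > SLOW_AFTER:  # client behaviour
        reasons.append("slow request")
    return reasons


def send_transport_keepalive(conn):
    """Stand-in for the transport-layer message (e.g. a TCP keepalive probe) that keeps the socket open."""
    conn.keepalives_sent += 1


def transition_ownership(conn):
    """Move the open connection from the full handler to the lightweight responder."""
    conn.owner = "lightweight_responder"
    conn.buffer_bytes = LIGHT_HANDLER_BYTES                    # resources drop, connection stays open
    send_transport_keepalive(conn)


def check_connection(conn, now):
    """The determination step; may run on message arrival or from an idle timer."""
    if conn.owner == "http_server" and attack_characteristics(conn, now):
        transition_ownership(conn)
    return conn.owner


def full_http_response(message):
    """First program: parse the request line and build an ordinary response (stand-in)."""
    method, target, _ = message.split(b"\r\n", 1)[0].split(b" ", 2)
    body = b"served " + method + b" " + target
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)


def lightweight_response(message):
    """Second program: no parsing, a fixed minimal response that keeps the connection alive."""
    return b"HTTP/1.1 503 Service Unavailable\r\nContent-Length: 0\r\nConnection: keep-alive\r\n\r\n"


def handle_message(conn, message, now):
    """Handle one application-layer message arriving on an open connection."""
    conn.request_times.append(now)
    if check_connection(conn, now) == "lightweight_responder":
        send_transport_keepalive(conn)
        response = lightweight_response(message)
    else:
        response = full_http_response(message)
        conn.completed_requests += 1
    conn.responses.append(response)
    return response


def simulate_flood(n_requests, spacing):
    """Constructed scenario: one client sends n_requests GETs `spacing` seconds apart."""
    conn = Connection(client_ip="198.51.100.10", opened_at=0.0)
    for i in range(n_requests):
        handle_message(conn, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n", now=i * spacing)
    return conn


if __name__ == "__main__":
    c = simulate_flood(60, 0.1)
    print(c.owner, c.completed_requests, c.keepalives_sent, c.buffer_bytes)
```

In the flood scenario the first fifty requests are served by the full handler; the fifty-first pushes the window count over the limit, ownership moves to the lightweight responder without the connection being closed, and every later message is answered with a fixed minimal response plus a keepalive while the per-connection buffer shrinks from 64 KiB to 256 bytes. A connection whose client is on the constructed reputation list is handed off on its first message, and `check_connection` run from an idle timer catches a connection held open past `SLOW_AFTER` with no completed request.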
10 Claims

1. A method executed by a server machine interacting with a client over one or more computer communications networks, the method comprising:

establishing a transport control protocol (TCP) connection with a client over one or more computer communications networks;

receiving at least one application layer message over the TCP connection from the client with a first program executing in the server machine, the first program comprising an HTTP server application;

during the time the connection is open, determining that any of the client and the TCP connection exhibits one or more attack characteristics;

as a result of the determination, the server machine:

(a) transitioning responsibility for handling application layer messages arriving via the TCP connection from the first program to a second program, while keeping the TCP connection open, the second program being a user-space application that consumes fewer server machine resources than the first program in handling the application layer messages, and (b) changing its treatment of the TCP connection such that the server machine thereafter:

(i) sends at least one transport-layer message to the client to keep the TCP connection open, and (ii) sends responses to application layer messages from the client with the second program.

Dependent claims: 2, 3, 7, 9

4. A server machine, comprising:

circuitry forming one or more processors that execute computer-readable instructions;

memory holding computer-readable instructions for execution by the one or more processors;

the computer-readable instructions, when executed by the one or more processors, causing the server machine to:

establish a transport control protocol (TCP) connection with a client over one or more computer communications networks;

receive at least one application layer message over the TCP connection from the client with a first program executing in the server machine, the first program comprising an HTTP server application;

during the time the TCP connection is open, (a) transition responsibility for handling application layer messages arriving via the TCP connection from the first program to a second program, while keeping the TCP connection open, the second program being a user-space application that consumes fewer server machine resources than the first program in handling the application layer messages, and (b) determine that any of the client and the TCP connection exhibits one or more attack characteristics;

as a result of the determination, the server machine changing its treatment of the TCP connection such that the server machine thereafter:

(i) sends at least one transport-layer message to the client over the connection to keep the TCP connection open, and (ii) sends responses to application layer messages from the client with the second program.

Dependent claims: 5, 6, 8, 10