Server with mechanism for changing treatment of client connections determined to be related to attacks

US 9,525,701 B2
Filed: 10/22/2014
Issued: 12/20/2016
Est. Priority Date: 10/04/2012
Status: Active Grant

First Claim

Patent Images

1. A method executed by a server machine interacting with a client over one or more computer communications networks, the method comprising:

establishing a transport control protocol (TCP) connection with a client over one or more computer communications networks;

receiving at least one application layer message over the TCP connection from the client with a first program executing in the server machine, the first program comprising an HTTP server application;

during the time the connection is open, determining that any of the client and the TCP connection exhibits one or more attack characteristics;

as a result of the determination, the server machine;

(a) transitioning responsibility for handling application layer messages arriving via the TCP connection from the first program to a second program, while keeping the TCP connection open, the second program being a user-space application that consumes fewer server machine resources than the first program in handling the application layer messages, and (b) changing its treatment of the TCP connection such that the server machine thereafter;

(i) sends at least one transport-layer message to the client to keep the TCP connection open, and(ii) sends responses to application layer messages from the client with the second program.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended with a mechanism for identifying connections with clients that have exhibited attack characteristics (for example, characteristics indicating a DoS attack), and for transitioning internal ownership of those connections such that server resources consumed by the connection are reduced, while keeping the connection open. The connection thus moves from a state of relatively high resource use to a state of relatively low server resource use. According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended by enabling the server to determine that any of a client and a connection exhibits one or more attack characteristics (e.g., based on at least one of client attributes, connection attributes, and client behavior during the connection, or otherwise). As a result of the determination, the server changes its treatment of the connection.

55 Citations

View as Search Results

10 Claims

1. A method executed by a server machine interacting with a client over one or more computer communications networks, the method comprising:
- establishing a transport control protocol (TCP) connection with a client over one or more computer communications networks;
  
  receiving at least one application layer message over the TCP connection from the client with a first program executing in the server machine, the first program comprising an HTTP server application;
  
  during the time the connection is open, determining that any of the client and the TCP connection exhibits one or more attack characteristics;
  
  as a result of the determination, the server machine;
  
  (a) transitioning responsibility for handling application layer messages arriving via the TCP connection from the first program to a second program, while keeping the TCP connection open, the second program being a user-space application that consumes fewer server machine resources than the first program in handling the application layer messages, and (b) changing its treatment of the TCP connection such that the server machine thereafter;
  
  (i) sends at least one transport-layer message to the client to keep the TCP connection open, and(ii) sends responses to application layer messages from the client with the second program.
- View Dependent Claims (2, 3, 7, 9)
- - 2. The method of claim 1, wherein subsequently any of (i) the server machine closes the TCP connection and (ii) the server machine receives a message from the client that closes the TCP connection.
  - 3. The method of claim 1, wherein the determination is based on at least one of client attributes, connection attributes, and client behavior during the TCP connection.
  - 7. The method of claim 1, wherein the at least one transport layer message comprises any of:
    - acknowledgement, keep-alive, sequence number update.
  - 9. The method of claim 1, wherein the first program determines that the any of client and TCP connection exhibits one or more attack characteristics, and in response the first program passes a connection identifier to a kernel in the service machine, to identify the TCP connection to be transferred to the second program.

4. A server machine, comprising:
- circuitry forming one or more processors that execute computer-readable instructions;
  
  memory holding computer-readable instructions for execution by the one or more processors;
  
  the computer-readable instructions, when executed by the one or more processors, causing the server machine to;
  
  establish a transport control protocol (TCP) connection with a client over one or more computer communications networks;
  
  receive at least one application layer message over the TCP connection from the client with a with a first program executing in the server machine, the first program comprising an HTTP server application;
  
  during the time the TCP connection is open, (a) transition responsibility for handling application layer messages arriving via the TCP connection from the first program to a second program, while keeping the TCP connection open, the second program being a user-space application that consumes fewer server machine resources than the first program in handling the application layer messages, and (b) determine that any of the client and the TCP connection exhibits one or more attack characteristics;
  
  as a result of the determination, the server machine changing its treatment of the TCP connection such that the server machine thereafter;
  
  (i) sends at least one transport-layer message to the client over the connection to keep the TCP connection open, and(ii) sends responses to application layer messages from the client with the second program.
- View Dependent Claims (5, 6, 8, 10)
- - 5. The server machine of claim 4, wherein subsequently any of (i) the server machine closes the TCP connection and (ii) the server machine receives a message from the client that closes the TCP connection.
  - 6. The server machine of claim 4, wherein the determination is based on at least one of client attributes, connection attributes, and client behavior during the connection.
  - 8. The server machine of claim 4, wherein the at least one transport layer message comprises any of:
    - acknowledgement, keep-alive, sequence number update.
  - 10. The server machine of claim 4, wherein the first program determines that the any of client and TCP connection exhibits one or more attack characteristics, and in response the first program passes a connection identifier to a kernel in the service machine, to identify the TCP connection to be transferred to the second program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies, Inc.
Original Assignee
Akamai Technologies, Inc.
Inventors
Mishra, Sudhin, Ludin, Stephen L., Lisiecki, Philip A., Nygren, Erik, Dilley, John A., Hallin, Karl-Eliv J., Hunt, Joshua
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Cribbs, Malcolm

Application Number

US14/521,370
Publication Number

US 20150040221A1
Time in Patent Office

790 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 47/22   Traffic shaping

H04L 47/70   Admission control; Resource...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

Server with mechanism for changing treatment of client connections determined to be related to attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

55 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Server with mechanism for changing treatment of client connections determined to be related to attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links