Identifying a denial-of-service attack in a cloud-based proxy service
Abstract
A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.
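The scatter, identify and isolate steps described in the abstract and claims, as an added Python sketch (not code from the patent or from any proxy service). The function names, the sample domains, IPs and data-center labels, and the "10x baseline" threshold for abnormal traffic are all assumptions made for illustration.

```python
# Constructed sample data; domains, IPs and data-center labels are illustrative.
DNS = {"a.example": "192.0.2.10", "b.example": "192.0.2.10", "c.example": "192.0.2.10"}
SPARE_IPS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
PLACEMENT = {d: {"dc1", "dc2", "dc3"} for d in DNS}

def scatter(dns, attacked_ip, spare_ips):
    """Re-point every domain on attacked_ip to its own distinct spare IP."""
    shared = sorted(d for d, ip in dns.items() if ip == attacked_ip)
    if len(shared) < 2:
        return dict(dns), shared            # one domain on the IP: nothing to disambiguate
    if len(set(spare_ips)) < len(shared):
        raise ValueError("not enough distinct spare IPs to scatter")
    scattered = dict(dns)
    scattered.update(zip(shared, dict.fromkeys(spare_ips)))  # de-duplicated, order kept
    return scattered, shared

def identify_target(dns, candidates, pps_by_ip, baseline_pps, factor=10):
    """Return the one candidate whose new IP draws abnormal traffic, else None."""
    # Assumption: "abnormal" means more than factor x the normal packet rate.
    hot = [d for d in candidates if pps_by_ip.get(dns[d], 0) > factor * baseline_pps]
    return hot[0] if len(hot) == 1 else None   # zero or several hot IPs: not conclusive

def isolate(placement, target, attack_dcs, clean_dcs):
    """Pin the target to attack_dcs; move other domains served there to clean_dcs."""
    attack_dcs, clean_dcs = set(attack_dcs), set(clean_dcs)
    moved = {}
    for domain, dcs in placement.items():
        if domain == target:
            moved[domain] = set(attack_dcs)
        elif dcs & attack_dcs:
            moved[domain] = set(clean_dcs)
        else:
            moved[domain] = set(dcs)
    return moved

def run_example():
    dns, candidates = scatter(DNS, "192.0.2.10", SPARE_IPS)
    # Constructed per-IP packet rates measured after the scatter.
    pps = {"198.51.100.1": 900, "198.51.100.2": 250_000, "198.51.100.3": 1_100}
    target = identify_target(dns, candidates, pps, baseline_pps=1_000)
    placement = isolate(PLACEMENT, target, {"dc1"}, {"dc2", "dc3"})
    return dns, target, placement

if __name__ == "__main__":
    print(run_example())
```

`identify_target` returns `None` when no scattered IP, or more than one, shows abnormal traffic, so the isolation step is only driven by an unambiguous result.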
18 Claims
1. A method in a cloud-based proxy service for identifying a target of a denial-of-service (DoS) attack, the method comprising:
- determining that there is traffic indicative of the DoS attack directed to an IP address of the cloud-based proxy service;
- responsive to determining that there are a plurality of domains that resolve to that same IP address, identifying the one of the plurality of domains that is the target of the DoS attack, wherein the step of identifying includes performing the following;
  - causing each of the plurality of domains to resolve to a respectively different IP address,
  - determining that the traffic indicative of the DoS attack is directed to a single one of the different IP addresses, and
  - identifying the target of the DoS attack as the one of the plurality of domains that resolves to the single one of the different IP addresses in which the traffic indicative of the DoS attack is directed; and
- after identifying the target of the DoS attack, isolating the target of the DoS attack to a set of one or more data centers, wherein a set of one or more other domains that are not the target of the DoS attack initially belong to the set of data centers; and
- moving that set of other domains to a different set of one or more data centers after identifying the target of the DoS attack.
Dependent claims: 2, 3, 4, 5, 6
7. A non-transitory computer-readable storage medium that provides instructions that, when executed by a processor of a proxy server, will cause said processor to perform operations comprising:
- determining that there is traffic indicative of a DoS attack directed to an IP address;
- responsive to determining that there are a plurality of domains that resolve to that same IP address, identifying the one of the plurality of domains that is a target of the DoS attack, wherein the step of identifying includes performing the following;
  - causing each of the plurality of domains to resolve to a respectively different IP address,
  - determining that the traffic indicative of the DoS attack is directed to a single one of the different IP addresses, and
  - identifying the target of the DoS attack as the one of the plurality of domains that resolves to the single one of the different IP addresses in which the traffic indicative of the DoS attack is directed; and
- after identifying the target of the DoS attack, isolating the target of the DoS attack to a set of one or more data centers, wherein a set of one or more other domains that are not the target of the DoS attack initially belong to the set of data centers; and
- moving that set of other domains to a different set of one or more data centers after identifying the target of the DoS attack.
Dependent claims: 8, 9, 10, 11, 12
13. An apparatus to identify a target of a denial-of-service (DoS) attack in a cloud-based proxy service, comprising:
- a cloud-based proxy service node that includes a processor and a non-transitory machine-readable medium, the cloud-based proxy service node embodied in a single device or multiple devices and configured to perform the following;
  - determine that there is traffic indicative of the DoS attack directed to an IP address of the cloud-based proxy service;
  - responsive to a determination that there are a plurality of domains that resolve to that same IP address, identify the one of the plurality of domains that is the target of the DoS attack by performing the following;
    - cause each of the plurality of domains to resolve to a respectively different IP address,
    - determine that the traffic indicative of the DoS attack is directed to a single one of the different IP addresses, and
    - identify the target of the DoS attack as the one of the plurality of domains that resolves to the single one of the different IP addresses in which the traffic indicative of the DoS attack is directed; and
  - after identifying the target of the DoS attack, isolate the target of the DoS attack to a set of one or more data centers, wherein a set of one or more other domains that are not the target of the DoS attack initially belong to the set of data centers; and
  - move that set of other domains to a different set of one or more data centers after identifying the target of the DoS attack.
Dependent claims: 14, 15, 16, 17, 18
Specification