Mitigating a denial-of-service attack in a cloud-based proxy service
First Claim
1. A method in a proxy server in a cloud-based proxy service, wherein the proxy server is situated between client computing devices that request network resources and origin servers that serve network resources, the method comprising:
    receiving a first message that indicates that a domain, whose traffic passes through the proxy server, is suspected to be under a denial-of-service (DoS) attack;
    in response to receiving the first message, enabling a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges; and
    while the rule is enabled:
        receiving a first request for a first resource of the domain from a first visitor;
        responsive to determining that the first request does not include a cookie that indicates that the first visitor has passed the set of challenges, automatically presenting the set of challenges based on the enabled rule that, if not passed, are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested first resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and causes a second message to be transmitted to the proxy server with a solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser;
        receiving a second request for a second resource of the domain from a second visitor; and
        responsive to determining that the second request includes a cookie that indicates that the second visitor has passed the set of challenges, retrieving the requested second resource and transmitting the requested second resource to the second visitor.
Abstract
A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that the visitor is part of the DoS attack. If the set of challenges is passed, the request may be processed. If the set of challenges is not passed, the request may be dropped.
Claims (20)
1. Independent method claim, reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A non-transitory computer-readable storage medium that provides instructions that, if executed by a processor of a proxy server, will cause said processor to perform operations comprising:
    receiving a first message that indicates that a domain, whose traffic passes through a proxy server of a cloud-based proxy service, is suspected to be under a denial-of-service (DoS) attack;
    in response to receiving the first message, enabling a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges; and
    while the rule is enabled:
        receiving a first request for a first resource of the domain from a first visitor;
        responsive to determining that the first request does not include a cookie that indicates that the first visitor has passed the set of challenges, automatically presenting the set of challenges based on the enabled rule that, if not passed, are an indication that the first visitor is part of the DoS attack, wherein automatically presenting the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested first resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and causes a second message to be transmitted to the proxy server with a solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser;
        receiving a second request for a second resource of the domain from a second visitor; and
        responsive to determining that the second request includes a cookie that indicates that the second visitor has passed the set of challenges, retrieving the requested second resource and transmitting the requested second resource to the second visitor.
    Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. An apparatus, comprising:
    a proxy server that includes a set of one or more processors and a set of one or more non-transitory computer-readable storage mediums storing instructions that, when executed by the set of processors, cause the set of processors to perform the following operations:
        receive a first message that indicates that a domain, whose traffic passes through a proxy server of a cloud-based proxy service, is suspected to be under a denial-of-service (DoS) attack;
        in response to receipt of the first message, enable a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges; and
        while the rule is enabled:
            receive a first request for a first resource of the domain from a first visitor;
            responsive to a determination that the first request does not include a cookie that indicates that the first visitor has passed the set of challenges, automatically present the set of challenges based on the enabled rule that, if not passed, are an indication that the first visitor is part of the DoS attack, wherein automatic presentation of the set of challenges includes automatically embedding a client-side script into a page and transmitting the page to the first visitor, wherein the page is not the requested first resource, and wherein the client-side script, when executed by a client network application that supports client-side script execution, solves a math or other computationally expensive problem and causes a second message to be transmitted to the proxy server with a solution to the math or other computationally expensive problem to allow the proxy server to determine a likelihood of whether the first request originated from a web browser;
            receive a second request for a second resource of the domain from a second visitor; and
            responsive to a determination that the second request includes a cookie that indicates that the second visitor has passed the set of challenges, retrieve the requested second resource and transmit the requested second resource to the second visitor.
    Dependent claims: 18, 19, 20.
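The proxy-side flow the claims describe, written out as an added illustration that is not code from the patent or its assignee. The hash-based puzzle, the HMAC-signed pass cookie, the difficulty level and all names are assumptions; the patent only specifies "a math or other computationally expensive problem" and a cookie that records a passed challenge.

```python
import hashlib, hmac, os, secrets, time

KEY = os.urandom(32)   # per-proxy secret for puzzle tags and pass cookies (assumption)
RULES = {}             # domain -> True while the "suspected DoS" rule is enabled
DIFFICULTY = 12        # leading zero bits a solution must produce (constructed value)
COOKIE = "challenge_pass"  # placeholder cookie name, not from the patent

def enable_rule(domain):
    """First message received: domain is suspected to be under DoS attack."""
    RULES[domain] = True

def issue_puzzle(domain):
    """Build the puzzle the embedded client-side script must solve.
    The tag binds the nonce to this domain so a solution cannot be reused elsewhere."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(KEY, f"{domain}|{nonce}".encode(), "sha256").hexdigest()
    return nonce, tag

def _meets_difficulty(nonce, answer):
    h = hashlib.sha256(f"{nonce}:{answer}".encode()).digest()
    return int.from_bytes(h[:4], "big") >> (32 - DIFFICULTY) == 0

def solve_puzzle(nonce):
    """What the client-side script does: brute-force until the hash has enough zero bits."""
    answer = 0
    while not _meets_difficulty(nonce, answer):
        answer += 1
    return answer

def verify_solution(domain, nonce, tag, answer):
    """Second message received: check tag and solution; return a pass cookie or None."""
    expected = hmac.new(KEY, f"{domain}|{nonce}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag) or not _meets_difficulty(nonce, answer):
        return None
    exp = int(time.time()) + 3600   # one-hour validity (assumption)
    mac = hmac.new(KEY, f"{domain}|{exp}".encode(), "sha256").hexdigest()
    return f"{exp}.{mac}"

def cookie_valid(domain, value):
    """True only for an unexpired cookie signed for this domain."""
    try:
        exp, mac = value.split(".", 1)
        good = hmac.new(KEY, f"{domain}|{exp}".encode(), "sha256").hexdigest()
        return hmac.compare_digest(good, mac) and int(exp) > time.time()
    except (ValueError, AttributeError):
        return False

def handle_request(domain, path, cookies, fetch_origin):
    """Rule enabled and no valid cookie: serve the challenge page, not the resource."""
    if RULES.get(domain) and not cookie_valid(domain, cookies.get(COOKIE)):
        nonce, tag = issue_puzzle(domain)
        return "challenge", {"nonce": nonce, "tag": tag}
    return "resource", fetch_origin(domain, path)
```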