Identifying sources of network attacks
First Claim
1. A system comprising:
a name resolution server including a physical processor configured with specific computer-executable instructions to:
receive, from a first computing device, a request to resolve an identifier of a set of content on a content delivery system;
determine a first combination of network addresses for the set of content based at least in part on an identifier of the first computing device, wherein the first combination of network addresses is selected from a set of network addresses at which the set of content is made available by the content delivery system;
transmit the first combination of network addresses to the first computing device;
receive a request to resolve the identifier of the set of content from a second computing device;
determine a second combination of network addresses for the set of content based at least in part on an identifier of the second computing device, wherein the second combination of network addresses is different from the first combination of network addresses;
transmit the second combination of network addresses to the second computing device;
a network attack source identification server including a physical processor configured with specific computer-executable instructions to:
detect a network attack on the content delivery system, the network attack directed to a plurality of network addresses;
determine that the plurality of network addresses to which the network attack is directed is included in the first combination of network addresses transmitted to the first computing device;
derive the identifier of the first computing device from at least the first combination of network addresses transmitted to the first computing device; and
identify the first computing device as associated with the network attack.
1 Assignment
0 Petitions
Abstract
Systems and methods are described to enable identification of computing devices associated with network attacks, such as denial of service attacks. Data packets used to execute a network attack often include forged source address information, such that the address of an attacker is difficult or impossible to determine based on those data packets. However, attackers generally provide legitimate address information when resolving an identifier, such as a universal resource identifier (URI), of an attack target into corresponding destination addresses. The application enables individual client computing devices to be provided with different combinations of destination addresses, such that when an attack is detected on a given combination of destination addresses, the client computing device to which that combination of destination addresses was provided can be identified as a source of the attack.
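The mechanism the abstract describes can be shown end to end in a few dozen lines: a resolver hands every client a distinct combination drawn from the pool of addresses at which the content is served, keeps the combination-to-client mapping, and the attack-identification step walks that mapping backwards from the set of attacked addresses. The following Python is an added example written for this page, not code from the patent or its assignee. It assumes an eight-address pool in the RFC 5737 documentation range, three addresses per answer, clients identified by the source address of their resolution request, and an in-memory mapping; all of those are illustrative choices, and the sample client addresses are constructed.

```python
"""Added example: per-client address combinations and attack-source lookup.

Assumptions (not from the patent): 8-address pool, 3 addresses per answer,
client identified by the address its resolution request came from, and the
mapping kept in memory. All sample addresses are constructed.
"""
from itertools import combinations
import random

# Constructed sample pool: TEST-NET-1 (RFC 5737) addresses standing in for the
# CDN's real edge addresses at which the content is made available.
POOL = [f"192.0.2.{i}" for i in range(1, 9)]
COMBO_SIZE = 3  # addresses handed out per resolution answer


class NameResolver:
    """Hands each client a distinct combination of pool addresses and records
    which combination went to which client (the claim's 'mapping')."""

    def __init__(self, pool, k, seed):
        if k > len(pool):
            raise ValueError("combination size exceeds pool size")
        combos = [frozenset(c) for c in combinations(pool, k)]
        # Keyed shuffle so the order of assignment does not reveal which
        # client arrived first; 'seed' would be a secret in a real deployment.
        random.Random(seed).shuffle(combos)
        self._free = iter(combos)
        self.capacity = len(combos)        # distinct clients we can label
        self._by_client = {}               # client identifier -> combination
        self._by_combo = {}                # combination -> client identifier

    def resolve(self, client_id):
        """Answer a resolution request; a repeat request from the same client
        gets the same combination, so its label stays stable."""
        combo = self._by_client.get(client_id)
        if combo is None:
            try:
                combo = next(self._free)
            except StopIteration:
                raise RuntimeError("no unused address combination left")
            self._by_client[client_id] = combo
            self._by_combo[combo] = client_id
        return sorted(combo)

    def mapping(self):
        """Snapshot of combination -> client, as consumed by the detector."""
        return dict(self._by_combo)


def identify_attack_sources(mapping, attacked):
    """Return the client identifiers implicated by an attack on 'attacked'.

    The attack packets carry forged sources, so only the targeted addresses
    are known. Three cases:
      1. attacked addresses fit inside exactly one combination: unique client;
      2. they fit inside several (only part of a combination hit so far):
         every such client is returned as a candidate;
      3. they fit inside none (attack spans combinations, i.e. more than one
         attacking client): every client whose whole combination is under
         attack is returned.
    """
    attacked = frozenset(attacked)
    if not attacked:
        return []
    within = [cid for combo, cid in mapping.items() if attacked <= combo]
    if within:
        return sorted(within)
    covered = [cid for combo, cid in mapping.items() if combo <= attacked]
    return sorted(covered)


def demo():
    """Three constructed clients resolve the name; one of them attacks."""
    resolver = NameResolver(POOL, COMBO_SIZE, seed=2024)
    clients = ["198.51.100.10", "198.51.100.11", "203.0.113.5"]
    answers = {c: resolver.resolve(c) for c in clients}
    # Flood traffic arrives against exactly the addresses the second client
    # was given; its packets' source fields tell us nothing, the targets do.
    attacked = set(answers["198.51.100.11"])
    return identify_attack_sources(resolver.mapping(), attacked)


if __name__ == "__main__":
    print(demo())
```

Two practical points the code makes visible. Capacity is C(n, k) combinations (56 here), so the pool size and answer size bound how many clients can be labelled distinctly before combinations must be reused or rotated. And the identifier recovered is that of whatever sent the resolution request; in ordinary DNS that is usually a recursive resolver rather than the end host, so the label pins down the resolver (or, with a per-client resolver path, the client) and is only as specific as the requesting side of that exchange.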
1236 Citations
21 Claims
1. A system comprising: (claim text as set out under First Claim above). Dependent claims: 2, 3, 4, 5.
6. A computer-implemented method comprising:
receiving a request from a first computing device to resolve an identifier for a set of content on a content delivery system;
determining a first combination of addressing information sets for the set of content based at least in part on an identifier of the first computing device, wherein the first combination of addressing information sets is distinct from a second combination of addressing information sets determined for a second computing device, and wherein the first combination of addressing information sets is selected from a group of addressing information sets at which the set of content is made available by the content delivery system;
transmitting the first combination of addressing information sets to the first computing device;
detecting a network attack, on the content delivery system, directed to a plurality of addressing information sets;
determining that the plurality of addressing information sets is included within the first combination of addressing information sets;
deriving the identifier of the first computing device from at least the first combination of network addresses transmitted to the first computing device; and
identifying the first computing device as associated with the network attack.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15.
16. A system comprising:
a computing device in communication with a content delivery system enabling a plurality of client computing devices to access a set of content, the computing device configured with specific computer-executable instructions to:
detect a network attack on the content delivery system, the network attack directed to a plurality of addressing information sets at which a set of content may be accessed on the content delivery system;
determine a mapping between individual client computing devices, of the plurality of client computing devices, and combinations of addressing information sets distributed to the individual client computing devices in response to requests to access the set of content, the combinations of addressing information sets selected from a group of addressing information sets at which the set of content is made available by the content delivery system;
compare the plurality of addressing information sets to the mapping to derive an identifier of a first client computing device from at least the mapping and the plurality of addressing information sets; and
identify the first client computing device as associated with the network attack.
Dependent claims: 17, 18, 19, 20, 21.
Specification