Perfect forward secrecy distributed denial of service attack defense
Abstract
Provided are methods and systems for mitigating a DoS attack. A method for mitigating a DoS attack may commence with receiving, from a client, a request to initiate a secure session between the client and a server. The method may continue with determining whether the client is on a whitelist. Based on a determination that the client is absent from the whitelist, a pre-generated key may be sent to the client. The method may include determining the validity of the established secure session. The determination may be performed based on further actions associated with the client. Based on the determination that the secure session is valid, a renegotiation of the secure session may be forced. The method may further include generating a new key using a method for securely exchanging cryptographic keys over a public channel. The new key is then sent to the client.
18 Claims
1. A method for mitigating a denial of service attack, the method comprising:
- receiving, by a processor, from a client, a request to initiate a secure session between the client and a server;
- determining, by the processor, whether the client is on a whitelist;
- based on a determination that the client is absent from the whitelist, sending, by the processor, a pre-generated key to the client to establish the secure session, the pre-generated key being stored in a database associated with the server before receiving the request to initiate a secure session;
- determining, by the processor, whether the secure session is valid by monitoring further actions associated with the client for at least one suspicious activity;
- based on a determination that the secure session is valid when suspicious activity is absent, forcing, by the processor, a renegotiation of the secure session, wherein a determination that the suspicious activity is absent is based at least on receiving, from the client, a pre-master key encrypted by the client using the pre-generated key;
- generating, by the processor, a new key using a method for securely exchanging cryptographic keys over a public channel; and
- sending, by the processor, the new key to the client; and
- based on the determination that the secure session is invalid, identifying the client as taking part in a denial of service attack; and
- based on the identification, denying to initiate the secure session.

(Dependent claims 2 to 9 are not shown.)

10. A system for mitigating a denial of service attack, the system comprising:
- a hardware processor configured to:
  - receive, from a client, a request to initiate a secure session between the client and a server;
  - determine whether the client is on a whitelist;
  - based on a determination that the client is absent from the whitelist, send a pre-generated key to the client to establish the secure session, the pre-generated key being stored in a database associated with the server before receiving the request to initiate a secure session;
  - determine whether the secure session is valid by monitoring further actions associated with the client for at least one suspicious activity;
  - based on a determination that the secure session is valid when suspicious activity is absent, force a renegotiation of the secure session, wherein a determination that the suspicious activity is absent is based at least on receiving, from the client, a pre-master key encrypted by the client using the pre-generated key;
  - generate a new key using a method for securely exchanging cryptographic keys over a public channel; and
  - send the new key to the client; and
  - based on the determination that the secure session is invalid, identify the client as taking part in a denial of service attack; and
  - based on the identification, deny to initiate the secure session; and
- a database in communication with the processor, the database comprising computer-readable instructions for execution by the processor.

(Dependent claims 11 to 17 are not shown.)

18. A non-transitory processor-readable medium having embodied thereon a program being executable by at least one processor to perform a method for mitigating a denial of service attack, the method comprising:
- receiving, from a client, a request to initiate a secure session between the client and a server;
- determining whether the client is on a whitelist;
- based on a determination that the client is absent from the whitelist, sending a pre-generated key to the client to establish the secure session, the pre-generated key being stored in a database associated with the server before receiving the request to initiate a secure session;
- determining whether the secure session is valid by monitoring further actions associated with the client for at least one suspicious activity;
- based on a determination that the secure session is valid when suspicious activity is absent, forcing a renegotiation of the secure session, wherein a determination that the suspicious activity is absent is based at least on receiving, from the client, a pre-master key encrypted by the client using the pre-generated key;
- generating a new key using a method for securely exchanging cryptographic keys over a public channel; and
- sending the new key to the client; and
- based on the determination that the secure session is invalid, identifying the client as taking part in a denial of service attack; and
- based on the identification, denying to initiate the secure session.
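An added illustration, not code from the patent or from any implementation of it: a toy Python model of the server-side gating the claims describe. Clients absent from the whitelist receive a key that was generated before any request arrived and costs nothing per handshake; only a client that returns a pre-master key sealed under that key is judged valid and forced into a fresh, forward-secret exchange, so a flood of handshakes that are never completed, or that carry a pre-master not encrypted under the pre-generated key, never triggers the expensive per-session key generation. The group parameters, the XOR cipher, the message names, the `ephemeral_keygens` cost counter and the `MAX_HELLOS` threshold are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group (2**64 - 59 is prime) and XOR "cipher", for
# illustration only; real servers use standard groups/ECDHE and AEAD.
P, G = 0xFFFFFFFFFFFFFFC5, 2
DENIED = ("denied", None)

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def kdf(shared):
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()

def seal(key, premaster):
    # Client side: pre-master encrypted under the key derived from the server's
    # pre-generated public value, plus a MAC proving the exchange was completed.
    ct = bytes(a ^ b for a, b in zip(premaster, key))
    return ct, hmac.new(key, ct, "sha256").digest()

class Server:
    MAX_HELLOS = 3  # assumed threshold: hellos from one client that never finish
    def __init__(self, whitelist=()):
        self.whitelist, self.sessions, self.blocked = set(whitelist), {}, set()
        self.pregen_priv, self.pregen_pub = dh_keypair()  # stored before any request
        self.ephemeral_keygens = 0  # counts the costly PFS keygens actually paid for
    def hello(self, client):
        if client in self.blocked:
            return DENIED
        if client in self.whitelist:  # trusted: fresh key immediately
            return self._renegotiate(client)
        s = self.sessions.setdefault(client, {"hellos": 0})
        s["hellos"] += 1
        if s["hellos"] > self.MAX_HELLOS:  # suspicious: block, no keygen spent
            self.blocked.add(client); return DENIED
        return ("pregen", self.pregen_pub)  # cheap path for unknown clients
    def key_exchange(self, client, client_pub, ct, tag):
        if client in self.blocked or client not in self.sessions:
            return DENIED
        key = kdf(pow(client_pub, self.pregen_priv, P))
        if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
            self.blocked.add(client); return DENIED  # not sealed under our key
        return self._renegotiate(client)  # valid session: force PFS renegotiation
    def _renegotiate(self, client):
        priv, pub = dh_keypair()
        self.ephemeral_keygens += 1
        self.sessions[client] = {"hellos": 0, "eph_priv": priv}
        return ("ephemeral", pub)
```

Running the legitimate path and the two rejection paths side by side shows `ephemeral_keygens` rising only for the whitelisted client and for the client that completed the pre-generated-key handshake.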