Perfect forward secrecy distributed denial of service attack defense

US 9,838,423 B2
Filed: 01/27/2017
Issued: 12/05/2017
Est. Priority Date: 12/30/2014
Status: Active Grant

First Claim

Patent Images

1. A method for mitigating a denial of service attack, the method comprising:

receiving, by a processor, from a client, a request to initiate a secure session between the client and a server;

determining, by the processor, whether the client is on a whitelist;

based on a determination that client is absent from the whitelist, sending, by the processor, a pre-generated key to the client to establish the secure session, the pre-generated key being stored in a database associated with the server before receiving the request to initiate a secure session;

determining, by the processor, whether the secure session is valid by monitoring further actions associated with the client for at least one suspicious activity;

based on a determination that the secure session is valid when suspicious activity is absent, forcing, by the processor, a renegotiation of the secure session, wherein a determination that the suspicious activity is absent is based at least on receiving, from the client, a pre-master key encrypted by the client using the pre-generated key;

generating, by the processor, a new key using a method for securely exchanging cryptographic keys over a public channel; and

sending, by the processor, the new key to the client; and

based on the determination that the secure session is invalid, identifying the client as taking part in a denial of service attack; and

based on the identification, denying to initiate the secure session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are methods and systems for mitigating a DoS attack. A method for mitigating a DoS attack may commence with receiving, from a client, a request to initiate a secure session between the client and a server. The method may continue with determining whether the client is on a whitelist. Based on a determination that client is absent from the whitelist, a pre-generated key may be sent to the client. The method may include determining validity of the established secure session. The determination may be performed based on further actions associated with the client. Based on the determination that the secure session is valid, a renegotiation of the secure session may be forced. The method may further include generating a new key using a method for securely exchanging cryptographic keys over a public channel. The new key is then sent to the client.

Citations

18 Claims

1. A method for mitigating a denial of service attack, the method comprising:
- receiving, by a processor, from a client, a request to initiate a secure session between the client and a server;
  
  determining, by the processor, whether the client is on a whitelist;
  
  based on a determination that client is absent from the whitelist, sending, by the processor, a pre-generated key to the client to establish the secure session, the pre-generated key being stored in a database associated with the server before receiving the request to initiate a secure session;
  
  determining, by the processor, whether the secure session is valid by monitoring further actions associated with the client for at least one suspicious activity;
  
  based on a determination that the secure session is valid when suspicious activity is absent, forcing, by the processor, a renegotiation of the secure session, wherein a determination that the suspicious activity is absent is based at least on receiving, from the client, a pre-master key encrypted by the client using the pre-generated key;
  
  generating, by the processor, a new key using a method for securely exchanging cryptographic keys over a public channel; and
  
  sending, by the processor, the new key to the client; and
  
  based on the determination that the secure session is invalid, identifying the client as taking part in a denial of service attack; and
  
  based on the identification, denying to initiate the secure session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the receiving of the request initiates a handshake phase, the handshake phase being performed before initiating the secure session.
  - 3. The method of claim 1, wherein the secure session includes a Perfect Forward Secrecy (PFS) cipher.
  - 4. The method of claim 1, further comprising adding the client to the whitelist.
  - 5. The method of claim 1, wherein the method for securely exchanging cryptographic keys over a public channel includes one or more of the following:
    - an ephemeral Diffie-Hellman (DHE) Key Exchange and an ephemeral Elliptic Curve Diffie-Hellman (ECDHE) Key Exchange.
  - 6. The method of claim 1, wherein the further actions of suspicious activity associated with the client include at least one of the following:
    - closing a connection by the client after receiving the pre-generated key from the server, absence of further data from the client after receiving the pre-generated key, a failure to finish a handshake phase within a predetermined time frame, and providing, by the client, data without calculating the pre-master key, the calculation including encrypting the pre-master key with the pre-generated key.
  - 7. The method of claim 1, further comprising, in response to a determination that the client is on the whitelist, determining that the established secure session is valid.
  - 8. The method of claim 1, further comprising, based on the monitoring further actions associated with the client, determining that the established secure session is invalid when at least one suspicious activity is detected.
  - 9. The method of claim 1, further comprising adding the client to a blacklist.

10. A system for mitigating a denial of service attack, the system comprising:
- a hardware processor configured to;
  
  receive, from a client, a request to initiate a secure session between the client and a server;
  
  determine whether the client is on a whitelist;
  
  based on a determination that client is absent from the whitelist, send a pre-generated key to the client to establish the secure session, the pre-generated key being stored in a database associated with the server before receiving the request to initiate a secure session;
  
  determine whether the secure session is valid by monitoring further actions associated with the client for at least one suspicious activity;
  
  based on a determination that the secure session is valid when suspicious activity is absent, force a renegotiation of the secure session, wherein a determination that the suspicious activity is absent is based at least on receiving, from the client, a pre-master key encrypted by the client using the pre-generated key;
  
  generate a new key using a method for securely exchanging cryptographic keys over a public channel; and
  
  send the new key to the client, andbased on the determination that the secure session is invalid, identifying the client as taking part in a denial of service attack; and
  
  based on the identification, denying to initiate the secure session; and
  
  a database in communication with the processor, the database comprising computer-readable instructions for execution by the processor.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the secure session includes a PFS cipher.
  - 12. The system of claim 10, wherein the processor is further configured to add the client to the whitelist.
  - 13. The system of claim 10, wherein the method for securely exchanging cryptographic keys over a public channel includes at least one of the following:
    - DHE Key Exchange and ECDHE Key Exchange.
  - 14. The system of claim 10, wherein the further actions of suspicious activity associated with the client include at least one of the following:
    - closing the connection by the client after receiving the pre-generated key from the server, absence of further data from the client after receiving the pre-generated key, a failure to complete the handshake phase within a predetermined time frame, and providing, by the client, data without calculating the pre-master key, the calculation including encrypting the pre-master key with the pre-generated key.
  - 15. The system of claim 10, wherein the processor is further configured to, based on a determination that the client is on the whitelist, determine that the established secure session is valid.
  - 16. The system of claim 10, wherein the processor is further configured to, based on the monitoring further actions associated with the client, determine that the established secure session is invalid when at least one suspicious activity is detected.
  - 17. The system of claim 10, wherein the processor is further configured to add the client to a blacklist.

18. A non-transitory processor-readable medium having embodied thereon a program being executable by at least one processor to perform a method for mitigating a denial of service attack, the method comprising:
- receiving, from a client, a request to initiate a secure session between the client and a server;
  
  determining whether the client is on a whitelist;
  
  based on a determination that client is absent from the whitelist, sending a pre-generated key to the client to establish the secure session, the pre-generated key being stored in a database associated with the server before receiving the request to initiate a secure session;
  
  determining whether the secure session is valid by monitoring further actions associated with the client for at least one suspicious activity;
  
  based on a determination that the secure session is valid when suspicious activity is absent, forcing a renegotiation of the secure session, wherein a determination that thesuspicious activity is absent is based at least on receiving, from the client, a pre-master key encrypted by the client using the pre-generated key;
  
  generating a new key using a method for securely exchanging cryptographic keys over a public channel; and
  
  sending the new key to the client; and
  
  based on the determination that the secure session is invalid, identifying the client as taking part in a denial of service attack; and
  
  based on the identification, denying to initiate the secure session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Yang, Yang, Golshan, Ali
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
JACKSON, JENISE E

Application Number

US15/418,628
Publication Number

US 20170142153A1
Time in Patent Office

312 Days
Field of Search

713171
US Class Current
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/0272   Virtual private networks

H04L 63/061   for key exchange, e.g. in p...

H04L 63/101   Access control lists [ACL]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 63/166   at the transport layer

H04L 9/002   Countermeasures against att...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0861   Generation of secret inform...

Perfect forward secrecy distributed denial of service attack defense

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Perfect forward secrecy distributed denial of service attack defense

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links