Perfect forward secrecy distributed denial of service attack detection

US 9,848,013 B1
Filed: 02/05/2015
Issued: 12/19/2017
Est. Priority Date: 02/05/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a Denial of Service (DoS) attack when initiating a secure session, the method comprising:

receiving, by a processor, a request from a client to initiate the secure session between the client and a server;

determining, by the processor, whether the client is on a whitelist;

based on a determination that the client is absent from the whitelist, sending, by the processor, a pre-generated key to the client, the pre-generated key being generated prior to receiving the request and being generated without a communication from the client using a method for securely exchanging cryptographic keys over a public channel the pre-generated key being disassociated from one or more secure sessions between the client and the server; and

based on further actions associated with the client, wherein further actions include the client failure to finish a handshake procedure within a predetermined time frame, and the further actions performed by the client after the pre-generated key is sent to the client and prior to initiating the secure session, andbased on a determination that the established secure session is invalid;

identifying the request from the client as taking part in a denial of service attack; and

based on the identification, denying initiation of the secure session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are methods and systems for detecting a DoS attack when initiating a secure session. A method for detecting a DoS attack may commence with receiving, from a client, a request to initiate a secure session between the client and a server. The method may continue with sending a pre-generated key to the client. The method may further include establishing that the request from the client is suspected of the DoS attack. The establishment may be performed based on further actions associated with the client.

Citations

17 Claims

1. A method for detecting a Denial of Service (DoS) attack when initiating a secure session, the method comprising:
- receiving, by a processor, a request from a client to initiate the secure session between the client and a server;
  
  determining, by the processor, whether the client is on a whitelist;
  
  based on a determination that the client is absent from the whitelist, sending, by the processor, a pre-generated key to the client, the pre-generated key being generated prior to receiving the request and being generated without a communication from the client using a method for securely exchanging cryptographic keys over a public channel the pre-generated key being disassociated from one or more secure sessions between the client and the server; and
  
  based on further actions associated with the client, wherein further actions include the client failure to finish a handshake procedure within a predetermined time frame, and the further actions performed by the client after the pre-generated key is sent to the client and prior to initiating the secure session, andbased on a determination that the established secure session is invalid;
  
  identifying the request from the client as taking part in a denial of service attack; and
  
  based on the identification, denying initiation of the secure session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the further actions by the client include opening and closing connections by the client.
  - 3. The method of claim 1, wherein the further actions associated with the client includes determining that the client is providing data without calculating a pre-master key.
  - 4. The method of claim 1, wherein the further actions associated with the client include using, by the client, a pre-loaded private key.
  - 5. The method of claim 1, wherein the secure session includes a Perfect Forward Secrecy (PFS) cypher.
  - 6. The method of claim 1, further comprising, based on the further actions associated with the client, monitoring the client.
  - 7. The method of claim 1, further comprising, based on the further actions associated with the client, analyzing the client.
  - 8. The method of claim 1, wherein the method for securely exchanging cryptographic keys over a public channel includes one or more of the following:
    - an ephemeral Diffie-Hellman (DHE) Key Exchange and an ephemeral Elliptic Curve Diffie-Hellman (ECDHE) Key Exchange.

9. A system for detecting a DoS attack when initiating a secure session, the system comprising:
- a hardware processor configured to;
  
  receive a request from a client to initiate the secure session between the client and a server;
  
  determining, by the processor, whether the client is on a whitelist;
  
  based on a determination that the client is absent from the whitelist, send a pre-generated key to the client, the pre-generated key being generated prior to receiving the request and being generated without a communication from the client using a method for securely exchanging cryptographic keys over a public channel the pre-generated key being disassociated from one or more secure sessions between the client and the server; and
  
  based on further actions associated with the client, wherein further actions include the client failure to finish a handshake procedure within a predetermined time frame, the further actions performed by the client after the pre-generated key is sent to the client and prior to initiating the secure session and,based on a determination that the established secure session is invalid;
  
  identifying the request from the client as taking part in a denial of service attack; and
  
  based on the identification, denying initiation of the secure session; and
  
  a database in communication with the hardware processor, the database comprising computer-readable instructions for execution by the hardware processor.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the further actions by the client include opening and closing connections by the client.
  - 11. The system of claim 9, wherein the further actions associated with the client include determining that the client is providing data without calculating a pre-master key.
  - 12. The system of claim 9, wherein the further actions associated with the client include using, by the client, a pre-loaded private key.
  - 13. The system of claim 9, wherein the secure session includes a PFS cypher.
  - 14. The system of claim 9, wherein the hardware processor is further configured to monitor the client based on the further actions associated with the client.
  - 15. The system of claim 9, wherein the hardware processor is further configured to analyze the client based on the further actions associated with the client.
  - 16. The system of claim 9, wherein the method for securely exchanging cryptographic keys over a public channel includes one or more of the following:
    - a DHE Key Exchange and an ECDHE Key Exchange.

17. A non-transitory processor-readable medium having embodied thereon a program being executable by at least one processor to perform a method for detecting a DoS attack when initiating a secure session, the method comprising:
- receiving a request from a client to initiate the secure session between the client and a server;
  
  determining, by the processor, whether the client is on a whitelist;
  
  based on a determination that the client is absent from the whitelist, sending a pre-generated key to the client, the pre-generated key being generated prior to receiving the request and being generated without a communication from the client using a method for securely exchanging cryptographic keys over a public channel the pre-generated key being disassociated from one or more secure sessions between the client and the server; and
  
  based on further actions associated with the client, wherein further actions include the client failure to finish a handshake procedure within a predetermined time frame, and the further actions performed by the client after the pre-generated key is sent to the client and prior to initiating the secure session, andbased on a determination that the established secure session is invalid;
  
  identifying the request from the client as taking part in a denial of service attack; and
  
  based on the identification, denying initiation of the secure session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Yang, Yang, Golshan, Ali
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Jackson, Jenise

Application Number

US14/615,345
Time in Patent Office

1,048 Days
Field of Search

726 22
US Class Current
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 63/168   above the transport layer

H04L 67/01   Protocols

H04L 67/141   Setup of application sessio...

H04L 67/535   Tracking the activity of th...

Perfect forward secrecy distributed denial of service attack detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Perfect forward secrecy distributed denial of service attack detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links