Hostname validation and policy evasion prevention

US 10,505,985 B1
Filed: 04/12/2017
Issued: 12/10/2019
Est. Priority Date: 04/13/2016
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive, from a client device, a request to establish a session with a first server, wherein the first server is associated with a first hostname, and wherein the request includes information identifying a second hostname purported to correspond to the first server;

perform a Domain Name System (DNS) lookup using the second hostname, and determine that the second hostname was spoofed by the client device based on a response to the DNS lookup, wherein the response indicates that the first server is not associated with the second hostname; and

in response to the determining that the request received from the client device includes the spoofed second hostname, determine that the client device has injected or overridden at least one of an HTTP Host header and a Server Name Indicator in the request in an attempt to circumvent a policy enforceable against communications between the client device and the first server, and determine an action to take with respect to the client device; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request to access a network resource is received from a client device. The request includes a purported hostname of the network resource. A Domain Name System (DNS) lookup of the purported hostname is performed. A result of the lookup is used in making a determination that the request received from the client device is invalid. In response to the determination being made that the request received from the client device is invalid, an action to take with respect to the client device is determined.

48 Citations

View as Search Results

24 Claims

1. A system, comprising:
- a processor configured to;
  
  receive, from a client device, a request to establish a session with a first server, wherein the first server is associated with a first hostname, and wherein the request includes information identifying a second hostname purported to correspond to the first server;
  
  perform a Domain Name System (DNS) lookup using the second hostname, and determine that the second hostname was spoofed by the client device based on a response to the DNS lookup, wherein the response indicates that the first server is not associated with the second hostname; and
  
  in response to the determining that the request received from the client device includes the spoofed second hostname, determine that the client device has injected or overridden at least one of an HTTP Host header and a Server Name Indicator in the request in an attempt to circumvent a policy enforceable against communications between the client device and the first server, and determine an action to take with respect to the client device; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1 wherein the second hostname is included by the client device in the HTTP Host header in a client GET request.
  - 3. The system of claim 1 wherein the second hostname is included by the client device in the Server Name Indicator in a TLS client hello.
  - 4. The system of claim 1 wherein the performing the DNS lookup includes querying a cache.
  - 5. The system of claim 1 wherein the determining that the second hostname was spoofed by the client device includes comparing a result of the DNS lookup to a destination IP address of a session between the client device and the first server.
  - 6. The system of claim 1 wherein the DNS lookup is performed out of band from the client device establishing the session with the first server.
  - 7. The system of claim 1 wherein, in response to the determining that the request received from the client device includes the spoofed second hostname, the client device is prevented from accessing the first server.
  - 8. The system of claim 7 wherein the client device is prevented from accessing the first server by resetting an established session between the client device and the first server.
  - 9. The system of claim 1 wherein, in response to the determining that the request received from the client device includes the spoofed second hostname, an alert is generated.
  - 10. The system of claim 1 wherein, in response to the determining that the request received from the client device includes the spoofed second hostname, a log entry is generated.
  - 11. The system of claim 1 wherein the processor is further configured to cache a result of the DNS lookup.
  - 12. The system of claim 1 wherein the first hostname and the second hostname have respective first and second categorizations, and wherein the processor is configured to block access by the client device to resources associated with the first categorization and allow access by the client device to resources associated with the second categorization.

13. A method, comprising:
- receiving, from a client device, a request to establish a session with a first server, wherein the first server is associated with a first hostname, and wherein the request includes information identifying a second hostname purported to correspond to the first server;
  
  performing a Domain Name System (DNS) lookup using the second hostname, and determining that the second hostname was spoofed by the client device based on a response to the DNS lookup, wherein the response indicates that the first server is not associated with the second hostname; and
  
  in response to the determining that the request received from the client device includes the spoofed second hostname, determining that the client device has injected or overridden at least one of an HTTP Host header and a Server Name Indicator in the request in an attempt to circumvent a policy enforceable against communications between the client device and the first server, and determining an action to take with respect to the client device.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The method of claim 13 wherein the second hostname is included by the client device in the HTTP Host header in a client GET request.
  - 15. The method of claim 13 wherein the second hostname is included by the client device in the Server Name Indicator in a TLS client hello.
  - 16. The method of claim 13 wherein the performing the DNS lookup includes querying a cache.
  - 17. The method of claim 13 wherein the determining that the second hostname was spoofed by the client device includes comparing a result of the DNS lookup to a destination IP address of a session between the client device and the first server.
  - 18. The method of claim 13 wherein the DNS lookup is performed out of band from the client device establishing the session with the first server.
  - 19. The method of claim 13 wherein, in response to the determining that the request received from the client device includes the spoofed second hostname, the client device is prevented from accessing the first server.
  - 20. The method of claim 19 wherein the client device is prevented from accessing the first server by resetting an established session between the client device and the first server.
  - 21. The method of claim 13 wherein, in response to the determining that the request received from the client device includes the spoofed second hostname, an alert is generated.
  - 22. The method of claim 13 wherein, in response to the determining that the request received from the client device includes the spoofed second hostname, a log entry is generated.
  - 23. The method of claim 13 wherein the first hostname and the second hostname have respective first and second categorizations, and further comprises blocking access by the client device to resources associated with the first categorization and allowing access by the client device to resources associated with the second categorization.

24. A computer program product embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
- receiving, from a client device, a request to establish a session with a first server, wherein the first server is associated with a first hostname, and wherein the request includes information identifying a second hostname purported to correspond to the first server;
  
  performing a Domain Name System (DNS) lookup using the second hostname, and determining that the second hostname was spoofed by the client device based on a response to the DNS lookup, wherein the response indicates that the first server is not associated with the second hostname; and
  
  in response to the determining that the request received from the client device includes the spoofed second hostname, determining that the client device has injected or overridden at least one of an HTTP Host header and a Server Name Indicator in the request in an attempt to circumvent a policy enforceable against communications between the client device and the first server, and determining an action to take with respect to the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Walter, Martin, Bransi, Charles, Deng, Suiqiang
Primary Examiner(s)
Nguyen, Trong H

Application Number

US15/486,204
Time in Patent Office

972 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/24539   using cached or materialise...

H04L 61/4511   using domain name system [DNS]

H04L 61/58   Caching of addresses or names

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 63/1466   Active attacks involving in...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/14   Session management for real...

H04L 67/141   Setup of application sessio...

H04L 67/568   Storing data temporarily at...

H04L 69/22   Parsing or analysis of headers

Hostname validation and policy evasion prevention

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Hostname validation and policy evasion prevention

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others