Active validation for DDoS and SSL DDoS attacks

A technology of active validation against DDoS, applied in the areas of protection against unauthorized activity, instrumentation and digital transmission, addresses the problems of malicious clients, of servers that become slow or unable to respond under attack, and of servers vulnerable to cyber attacks, thereby improving the accuracy with which legitimate requests are identified.

Status: Inactive
Publication Date: 2012-07-05
VERISIGN
Cites: 14; Cited by: 381

AI Technical Summary

Problems solved by technology

Although this characteristic of many communications protocols provides many benefits in terms of readily available network services, it may also leave servers vulnerable to cyber attacks.
Because web servers are configured by default to accept requests from all clients, and because the HTTP protocol provides little information about the requesting client that would enable the server to determine the nature of the client's intentions in making the request, the attacked web server may be slow or unable to respond to other, legitimate requests due to the burdens imposed on the server when servicing the flood of requests from the single malicious client.
In a DDoS attack, because the flood of requests may be spread over a large number of disparate clients, each with a different IP address, it may be difficult to detect which requests originate from legitimate clients and which requests originate from malicious clients, such as compromised “zombie” machines in a botnet.
Thus, a server may not be able to determine which requests it should ignore and which requests it should service, because all requests may appear substantially identical over the larger pool of IP addresses.
Conventional client challenge mechanisms, however, suffer from a number of drawbacks.
This drawback may be fatal for mitigating against another variation on the DDoS attack known as an SSL DDoS attack.




Embodiment Construction

[0021]The following detailed description refers to the accompanying drawings. Wherever possible, the same reference numbers are used in the drawings and the following description to refer to the same or similar parts. While several exemplary embodiments and features of the invention are described herein, modifications, adaptations, and other implementations are possible, without departing from the spirit and scope of the invention. Accordingly, the following detailed description does not limit the invention. Instead, the proper scope of the invention is defined by the appended claims.

[0022]FIG. 1 is a diagram illustrating communications between one or more exemplary application servers and one or more clients consistent with certain disclosed embodiments. As shown in FIG. 1, one or more application servers 135 provide services to one or more clients or end users 110. Application servers 135 may comprise commercial web servers that service HTTP requests from clients 110 for web pages...


Abstract

Methods and systems for detecting and responding to Denial of Service (“DoS”) attacks comprise: detecting a DoS attack or potential DoS attack against a first server system comprising one or more servers; receiving, at a second server system comprising one or more servers, network traffic directed to the first server system; subjecting requesting clients to one or more challenge mechanisms, the challenge mechanisms including one or more of challenging requesting clients to follow through HTTP redirect responses, challenging requesting clients to request Secure Sockets Layer (SSL) session resumption, or challenging requesting clients to store and transmit HTTP cookies; identifying one or more non-suspect clients, the one or more non-suspect clients corresponding to requesting clients that successfully complete the one or more challenge mechanisms; identifying one or more suspect clients, the one or more suspect clients corresponding to requesting clients that do not successfully complete the one or more challenge mechanisms; and forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system. Once a client has been validated, it may communicate directly with the application servers in a secure manner by transparently passing through one or more intermediary proxy servers.
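The following is an added example, not code from the patent or from Verisign, that models two of the challenge mechanisms named in the abstract (following an HTTP redirect, and storing and transmitting an HTTP cookie) as they would run on the "second server system", a validating proxy placed in front of the protected origin. The class and field names (`Proxy`, `Request`, `Response`), the `_cv` query parameter, the `cv` cookie, the failure threshold and the two simulated clients are all assumptions made for illustration; the SSL session-resumption challenge is not modelled. A well-behaved client completes the redirect-then-cookie round trip and is forwarded; a flood client that merely repeats its request never completes the challenge, is counted as suspect after a few attempts, and is dropped before it reaches the origin.

```python
"""Added example (not the patent's own code): redirect + cookie challenge
proxy. All names are illustrative assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    client_ip: str
    path: str                       # path, with query string if any
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    forwarded: bool = False         # True when passed on to the origin server


class Proxy:
    """Second server system: challenges clients, forwards only non-suspect traffic."""

    def __init__(self, key: bytes, max_failures: int = 3):
        self.key = key
        self.max_failures = max_failures
        self.failures = {}          # client_ip -> unanswered challenges so far
        self.forwarded = []         # requests actually passed to the origin

    def _token(self, client_ip: str) -> str:
        # The token is an HMAC over the client IP, so it cannot be minted or
        # replayed from another address without the proxy's key.
        return hmac.new(self.key, client_ip.encode(), hashlib.sha256).hexdigest()[:32]

    def _valid(self, client_ip: str, token) -> bool:
        return hmac.compare_digest(self._token(client_ip), token or "")

    def handle(self, req: Request) -> Response:
        # 1. Validated client (correct cookie): forward transparently.
        if self._valid(req.client_ip, req.cookies.get("cv")):
            self.forwarded.append(req)
            return Response(200, forwarded=True)
        # 2. Client followed the redirect and carries the token: issue the cookie
        #    and send it back to the original resource.
        path, _, query = req.path.partition("?")
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if self._valid(req.client_ip, params.get("_cv")):
            self.failures.pop(req.client_ip, None)
            return Response(302, headers={"Location": path,
                                          "Set-Cookie": f"cv={self._token(req.client_ip)}"})
        # 3. Unvalidated client: count the outstanding challenge and redirect it.
        self.failures[req.client_ip] = self.failures.get(req.client_ip, 0) + 1
        if self.failures[req.client_ip] > self.max_failures:
            return Response(403)    # suspect: never reaches the origin
        sep = "&" if "?" in req.path else "?"
        return Response(302, headers={"Location": f"{req.path}{sep}_cv={self._token(req.client_ip)}"})

    def is_suspect(self, client_ip: str) -> bool:
        return self.failures.get(client_ip, 0) > self.max_failures


def simulate_legitimate(proxy: Proxy, ip: str = "198.51.100.7") -> Response:
    """Constructed browser-like client: follows redirects and stores cookies."""
    cookies = {}
    resp = proxy.handle(Request(ip, "/index.html", dict(cookies)))
    while resp.status == 302:
        if "Set-Cookie" in resp.headers:
            name, value = resp.headers["Set-Cookie"].split("=", 1)
            cookies[name] = value
        resp = proxy.handle(Request(ip, resp.headers["Location"], dict(cookies)))
    return resp


def simulate_bot(proxy: Proxy, ip: str = "203.0.113.9", n: int = 6) -> list:
    """Constructed flood client: repeats the raw request, ignores redirects and cookies."""
    return [proxy.handle(Request(ip, "/index.html")).status for _ in range(n)]


if __name__ == "__main__":
    proxy = Proxy(secrets.token_bytes(32))
    print("legitimate client:", simulate_legitimate(proxy).status,
          "suspect?", proxy.is_suspect("198.51.100.7"))
    print("flood client:", simulate_bot(proxy),
          "suspect?", proxy.is_suspect("203.0.113.9"))
    print("requests forwarded to origin:", len(proxy.forwarded))
```

The point of the two-step exchange is that a client must execute two behaviours a minimal flood tool usually does not (follow a `Location` header, then return a `Set-Cookie` value) before any of its traffic costs the origin server a single request; the HMAC binding keeps a token obtained by one address from being reused by the rest of a botnet.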

Description

TECHNICAL FIELD

[0001]The present disclosure relates generally to methods and systems for detecting and responding to Denial of Service and other cyber attacks against servers and web servers.

BACKGROUND

[0002]A server is a computer or other electronic device that is configured to provide services or resources to other requesting devices. The server typically provides one or more communication links for receiving communications from other networked devices, known as “clients,” and executes one or more processes whose function it is to continually monitor those communication links for incoming messages from clients. In order to service a client request, the server typically must expend system resources, such as memory, processor cycles, or bandwidth. Although the server may elect not to service some clients or client requests, the server must nonetheless devote at least some system resources to receive a client communication and determine whether or not to service it.

[0003]In some commu...


Application Information

Patent Type & Authority: Applications (United States)
IPC(8): H04L9/32, G06F21/00
CPC: H04L63/1458, H04L2463/144, H04L2463/141, H04L9/0825, H04L63/0428, H04L63/1416, H04L67/02
Inventors: BHOGAVILLI, SURESH; GUIMARAES, ROBERTO; PANDRANGI, RAMAKANT; SCALZO, FRANK
Owner: VERISIGN