US20160234230A1 - System and method for preventing dos attacks utilizing invalid transaction statistics - Google Patents


Info

Publication number
US20160234230A1
Authority
US (United States)
Prior art keywords
value, network traffic, management device, traffic management, average
Legal status
Abandoned
Application number
US14/875,045
Inventor
Dmitry Rovniaguin
Current assignee
F5 Inc
Original assignee
F5 Networks Inc
Events
Application filed by F5 Networks Inc
Priority to US14/875,045
Publication of US20160234230A1
Assigned to F5 Networks, Inc. (assignment of assignors' interest; assignor: Rovniaguin, Dmitry)

Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1458 Denial of Service
    • H04L43/00 Arrangements for monitoring or testing data switching networks
        • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
            • H04L43/0852 Delays
        • H04L43/16 Threshold monitoring
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/01 Protocols
            • H04L67/42
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
        • H04L2463/141 Denial of service attacks against endpoints in a network
        • H04L2463/142 Denial of service attacks against network infrastructure

Definitions

  • the technology generally relates to network communication security and, more particularly, to a system and method for preventing DoS attacks utilizing invalid transaction statistics.
  • a denial-of-service attack (DoS attack) and distributed denial-of-service attack (DDoS attack) are attempts to make a computer server unavailable to its intended users.
  • a denial of service attack is generally a concerted, malevolent effort to prevent an Internet site or service from functioning.
  • DoS and DDoS attacks typically target sites or services hosted on high-profile Web servers such as banks, credit card payment gateways and root servers.
  • One common method of attack involves saturating the target machine with external communication connection requests such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
  • DoS attacks are implemented by forcing the targeted server computer to reset or consume its resources to the point of interrupting communications between the intended users and servers.
  • Network firewalls may be used to intercept traffic to a networked server and attempt to filter out malicious packets. Unfortunately, many current firewalls typically cannot distinguish between legitimate requests that are originated by legitimate users and transactions that are originated by attackers.
  • a method for a network traffic management device to protect a network from network based attacks comprises receiving, at a network traffic management device, a plurality of requests from a plurality of client devices for one or more resources from one or more servers.
  • the method comprises monitoring a number of server responses including an invalid transaction message for a particular client device or a particular requested resource.
  • the method comprises comparing a ratio of invalid transactions to valid transactions for the particular client device or requested resource to a preestablished ratio threshold value.
  • the method comprises marking the particular client device or requested resource as suspicious when the ratio exceeds the ratio threshold value.
  • the method comprises preventing the suspicious particular client device or requested resource from being transmitted to the one or more servers when the network traffic management device detects a network attack.
  • a computer-readable medium having stored thereon computer-executable instructions for a network traffic management device to protect a network from network based attacks.
  • the computer-executable instructions when executed, cause the network traffic management device to receive a plurality of requests from a plurality of client devices for one or more resources from one or more servers.
  • the network traffic management device will monitor a number of server responses including an invalid transaction message for a particular client device or a particular requested resource.
  • the network traffic management device will compare a ratio of invalid transactions to valid transactions for the particular client device or requested resource to a preestablished ratio threshold value.
  • the network traffic management device will mark the particular client device or requested resource as suspicious when the ratio exceeds the ratio threshold value.
  • the network traffic management device will prevent the suspicious particular client device or requested resource from being transmitted to the one or more servers when the network traffic management device detects a network attack.
  • a network traffic management device comprises a network interface capable of receiving and transmitting network data packets over a network.
  • the network traffic management device comprises a memory having stored thereon code embodying processor executable programmable instructions.
  • the network traffic management device includes a processor configured to execute the stored programming instructions in the memory.
  • the instructions cause the processor to receive a plurality of requests from a plurality of client devices for one or more resources from one or more servers.
  • the instructions cause the processor to monitor a number of server responses including an invalid transaction message for a particular client device or a particular requested resource.
  • the instructions cause the processor to compare a ratio of invalid transactions to valid transactions for the particular client device or requested resource to a preestablished ratio threshold value.
  • the instructions cause the processor to mark the particular client device or requested resource as suspicious when the ratio exceeds the ratio threshold value.
  • the instructions cause the processor to prevent the suspicious particular client device or requested resource from being transmitted to the one or more servers when the network traffic management device detects a network attack.
  • the network traffic management device enters into prevention mode upon detecting the network attack.
  • the network traffic management device is further configured to monitor current transactions per second for connections handled by the network traffic management device, and to compare the current average transactions per second value over a short set period of time with the average transactions per second value over a long set period of time, wherein the network traffic management device enters the prevention mode when the short average transactions per second value exceeds the long average transactions per second value by a preset ratio, or when the short average transactions per second value exceeds a preset threshold value.
  • the set period of time is approximately 1 minute or 1 hour.
  • the network traffic management device is further configured to monitor current latency values for connections handled by the network traffic management device, and to compare the current average latency value over a short set period of time with the average latency value over a long set period of time, wherein the network traffic management device enters the prevention mode when the short average latency value exceeds the long average latency value by a specified ratio, or when it exceeds a preset threshold value.
  • the set period of time is approximately 1 minute or 1 hour.
  • FIG. 1 is a diagram of an example system environment that includes a network traffic manager configured to identify and defuse network attacks in accordance with an aspect of the present disclosure.
  • FIG. 2 is a block diagram of the network traffic manager shown in FIG. 1 in accordance with an aspect of the present disclosure.
  • FIG. 3A is a flow diagram of a process implemented by the security module for handling client requests in accordance with an aspect of the present disclosure.
  • FIG. 3B is a flow diagram of a process implemented by the security module for handling server responses in accordance with an aspect of the present disclosure.
  • FIG. 3C is a flow diagram of a process implemented by the security module for determining whether to enter prevention mode in accordance with an aspect of the present disclosure.
  • FIG. 3D is a flow diagram of a process implemented by the security module for determining whether to exit the prevention mode in accordance with an aspect of the present disclosure.
  • FIG. 1 is a diagram of an example system environment that includes a network traffic management device configured to identify and defuse network attacks in accordance with an aspect of the present disclosure.
  • an example system environment 100 employs one or more network traffic management devices 110 that are capable of identifying and thwarting or defusing these types of network attacks in an effective manner.
  • the example system environment 100 also includes one or more Web application servers 102 , and one or more client devices 106 , although the environment 100 could include other numbers and types of devices in other arrangements.
  • the traffic management device 110 is coupled to the web application servers 102 via local area network (LAN) 104 and client devices 106 via network 108 .
  • requests sent over the network 108 from client devices 106 towards Web application servers 102 are received by network traffic management device 110 .
  • responses sent from the servers 102 to the client devices 106 are received by the network traffic management device 110 .
  • Client devices 106 comprise computing devices capable of connecting to other computing devices, such as network traffic management device 110 and Web application servers 102 , over wired and/or wireless networks, such as network 108 , to send and receive data, such as for Web-based requests, receiving responses to requests and/or for performing other tasks in accordance with the processes described below.
  • non-limiting and non-exhaustive examples of such devices include personal computers (e.g., desktops, laptops), mobile and/or smart phones, tablets, smart TVs and media players and the like.
  • client devices 106 run Web browsers that may provide an interface for operators, such as human users, to interact with for making requests for resources to different web server-based applications or Web pages served by servers 102 via the network 108 .
  • One or more Web-based applications may run on the web application server 102 that provide the requested data back to one or more exterior network devices, such as client devices 106 .
  • Network 108 comprises a publicly accessible network, such as the Internet, although the network 108 may comprise other types of private and public networks that include other devices. Communications, such as requests from clients 106 and responses from servers 102 , take place over the network 108 according to standard network protocols, such as the HTTP and TCP/IP protocols, although other protocols are contemplated. Further, it should be appreciated that network 108 may include local area networks (LANs), wide area networks (WANs), direct connections and any combination thereof, and other types and numbers of network types.
  • routers, switches, hubs, gateways, bridges, and other intermediate network devices may act as links within and between LANs and other networks to enable messages and other data to be sent from and to network devices.
  • communication links within and between LANs and other networks typically include twisted wire pair (e.g., Ethernet), coaxial cable, analog telephone lines, full or fractional dedicated digital lines including T1, T2, T3, and T4, Integrated Services Digital Networks (ISDNs), Digital Subscriber Lines (DSLs), wireless links including satellite links and other communications links known to those skilled in the relevant arts.
  • LAN 104 comprises a private local area network that includes the network traffic management device 110 coupled to the one or more servers 102 , although the LAN 104 may comprise other types of private and public networks with other devices.
  • Web application server 102 (referred to herein as “server”) comprises one or more server computing machines capable of operating one or more Web-based applications that may be accessed by one or more client devices 106 via the network traffic management device 110 .
  • the server 102 may provide other data representing requested resources, including but not limited to Web page(s), image(s) of physical objects, and any other web or non-web objects. It should be noted that while only two Web application servers 102 are shown in the environment 100 depicted in FIG. 1 , other numbers and types of servers may be coupled to the network traffic management device 110 . It is also contemplated that one or more of the Web application servers 102 may be a cluster of servers managed by the network traffic management device 110 .
  • the Web-based applications may be handled in an on-demand fashion, such as in a cloud computing architecture.
  • the one or more Web application servers 102 may be hardware and/or software, and/or may represent a system with multiple servers that may include internal or external networks.
  • the Web application servers 102 may be any version of Microsoft® IIS servers or Apache® servers, although other types of servers may be used.
  • additional servers may be coupled to the network 108 and many different types of applications may be available on servers coupled to the network 108 .
  • the network traffic management device 110 manages network communications, which may include one or more client requests and server responses, over the network 108 between the client devices 106 and the servers 102 .
  • the network traffic management device 110 may perform several network traffic related functions involving the communications, such as load balancing, access control, and validating HTTP requests.
  • the network traffic management device 110 includes a security module (FIG. 2) which detects and prevents a DoS attack based on invalid transaction statistics as described further below.
  • an example network traffic management device 110 includes a device processor 200 , device I/O interfaces 202 , network interface 204 and device memory 206 , which are coupled together by bus 208 , although the device 110 could include other types and numbers of components.
  • Device processor 200 comprises one or more microprocessors configured to execute computer/machine readable and executable instructions stored in device memory 206 to implement the functions that the security module 210 performs, as discussed in FIGS. 3A-3D .
  • the processor 200 may comprise other types and/or combinations of processors, such as digital signal processors, micro-controllers, application specific integrated circuits (“ASICs”), programmable logic devices (“PLDs”), field programmable logic devices (“FPLDs”), field programmable gate arrays (“FPGAs”), and the like.
  • Device I/O interfaces 202 comprise one or more user input and output device interface mechanisms, such as a computer keyboard, mouse, display device, and the corresponding physical ports and underlying supporting hardware and software to enable the network traffic management device 110 to communicate with the outside environment.
  • the network traffic management device 110 may communicate with the outside environment for certain types of operations (e.g., configuration) via a network management port, for example.
  • Network interface 204 comprises one or more mechanisms that enable network traffic management device 110 to engage in TCP/IP communications over LAN 104 and network 108 , although the network interface 204 may be constructed for use with other communication protocols and types of networks.
  • Network interface 204 is sometimes referred to as a transceiver, transceiving device, or network interface card (NIC), which transmits and receives network data packets over a network connection.
  • where the network traffic management device 110 includes more than one device processor 200 (or a processor 200 has more than one core), each processor 200 (and/or core) may use the same single network interface 204 or a plurality of network interfaces 204.
  • the network interface 204 may include one or more physical ports, such as Ethernet ports, to couple the network traffic management device 110 with other network devices, such as Web application servers 102 .
  • the interface 204 may include certain physical ports dedicated to receiving and/or transmitting certain types of network data, such as device management related data for configuring the network traffic management device 110 .
  • the bus 208 enables the various components of the network traffic management device 110 , such as the processor 200 , device I/O interfaces 202 , network interface 204 , device memory 206 and other hardware components, to communicate with one another.
  • Bus 208 may comprise one or more internal device component communication buses, links, bridges and supporting components, such as bus controllers and/or arbiters.
  • example buses include HyperTransport, PCI, PCI Express, InfiniBand, USB, Firewire, Serial ATA (SATA), SCSI, IDE and AGP buses and the like.
  • Device memory 206 comprises computer readable media, namely computer readable or processor readable storage media, which are examples of machine-readable storage media.
  • Computer readable storage/machine-readable storage media may include volatile, nonvolatile, removable, and non-removable media implemented in any method or technology for storage of information, such as computer readable/machine-executable instructions, data structures, program modules, or other data.
  • the computer readable media may be obtained and/or executed by one or more processors 200 to perform actions such as implementing an operating system for controlling the general operation of network traffic management device 110 . Other actions include implementing security module 210 to perform one or more portions of the processes illustrated in FIGS. 3A-3D .
  • Examples of computer readable storage media include RAM, BIOS, ROM, EEPROM, flash/firmware memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information, including data and/or computer/machine-executable instructions, and which can be accessed by a computing or specially programmed device, such as network traffic management device 110 .
  • the network traffic management device 110 implements the functions handled by the security module 210 and performs at least a portion of the processes in FIGS. 3A-3D .
  • the security module 210 is depicted as being within the memory 206. However, it should be appreciated that the security module 210 may alternatively be located elsewhere within or exterior to the network traffic management device 110. Generally, when instructions embodying the security module 210 are executed by the processor 200, the network traffic management device 110 is able to perform the processes described in detail below.
  • the security module 210 of the network traffic management device 110 is configured to detect and prevent distributed DoS attacks from occurring against one or more servers 102.
  • the security module 210 detects and prevents such DoS attacks using criteria or parameters such as transactions per second (TPS) and/or network related latency values for client devices 106 and/or requested resources (e.g. web objects).
  • the security module 210 monitors the number of invalid transactions which occur within a certain amount of time and compares that number (or its ratio to valid transactions) with a threshold value. If the threshold value is exceeded, the security module 210 marks the particular client device 106 and/or requested resource as being suspicious.
  • the security module 210 will automatically deny all requests which are marked as being suspicious. It should be noted that the processes performed by the security module 210 of the network traffic management device 110 can be implemented in conjunction with existing detection and prevention techniques already employed by the network traffic management device 110 .
  • the security module 210 may detect and prevent network attacks, or at least suspected network attacks, by analyzing collected short average and/or long average TPS and latency data regarding particular client devices 106, client requests destined for one or more particular servers 102, particular resources (e.g. requested web objects) and the like. In an aspect, the security module 210 will monitor, for each client device 106, a history of access statistics based on one or more response codes returned by server 102.
  • the security module 210 monitors responses from servers 102 and, in particular, makes note of HTTP based server response codes in the server responses.
  • the security module 210 will flag server response codes that indicate an invalid policy based transaction, such as 400 series response codes (e.g. 403, 404) or other series of response codes which may indicate suspicious activity.
  • for each client (identified by IP address), the security module 210 computes a ‘miss’ ratio: the number of responses with a 4XX response code divided by all responses (or requests) for that client. If the ‘miss’ ratio passes a predefined threshold, the client device 106 and/or requested resource is marked or identified as being suspicious.
  • the security module 210 also keeps track of server responses that return valid response codes.
  • the network traffic management device 110 of the present disclosure monitors average historical analytic data including, but not limited to, average data for TPS and latency values, over time.
  • the security module 210 monitors short average historical data as well as long average historical data of TPS and latency values while it operates in the detection mode. For example, the security module 210 can monitor the average number of transactions which occur in a minute when monitoring the short average transaction data.
  • the security module 210 monitors short average latency data by monitoring the round trip time (RTT) or other time measurement data between the client device and server for a requested web object.
  • the security module 210 accordingly uses additional information obtained by further analyzing collected data to identify latencies associated with particular servers, server applications or other server resources, page traversal rates, client device fingerprints and access statistics, which the security module 210 may analyze to identify anomalies indicating to the module 210 that there may be an attack.
  • the security module 210 also analyzes collected data to obtain information the security module 210 may use to identify particular servers and/or server applications and resources on particular servers, such as Web application server 102 , being targeted in network attacks, so the module 210 can handle the attack in the manner described in greater detail below.
  • the security module 210 may utilize overall TPS and latency values in determining whether a network attack has occurred (such as when the length of time during which the network traffic management device 110 has been operational is relatively short).
  • the short average data of the TPS and latency values are defined as being taken over a relatively small amount of time, such as one to a plurality of minutes.
  • the long average data of the TPS and latency values are defined as being taken over a relatively longer amount of time, such as one to a plurality of hours.
  • the security module 210 can monitor the number of transactions which occur in an hour when monitoring the long average transaction data.
  • the security module 210 compares the average TPS value over a time duration with a predefined TPS threshold value to determine whether a particular client device 106 is to be deemed suspicious. For example, the security module 210 may compare the TPS average (short or long) of a particular client device 106 with the predefined threshold value, and will designate that client device 106 as suspicious if it determines that the client device 106 has a ‘miss’ ratio that exceeds the predefined threshold value. With regard to latency, the security module 210 compares the average latency value over a time duration with a predefined latency threshold value to determine whether a DoS attack has begun.
  • if the security module 210 detects a DoS attack based on TPS and/or web object latency values, it changes its operating status from detection mode to prevention mode. Once in prevention mode, the security module 210 implements one or more appropriate prevention methods to prevent suspicious network activity from being sent from the network traffic management device 110 to the server 102.
  • when the security module 210 is in prevention mode, it prevents requests from client devices 106 marked suspicious from being passed to the server 102 for a set amount of time. Additionally, in prevention mode, module 210 will only pass requests to web objects that resulted in a valid transaction prior to the prevention period, blocking all other requests on the assumption that they target violated or non-accessible resources. Once the prevention mode time expires, the security module 210 may again initiate the prevention mode or return to detection mode.
  • while in prevention mode, the security module 210 monitors the short historical average TPS and latency data to determine whether the DoS attack is continuing or has ended. For example, if the short average TPS data indicates that the number of transactions per second has dramatically decreased after the security module 210 began operating in the prevention mode and preventing suspicious client requests from passing to the server 102, the security module 210 can conclude that the attack has ended. In this example, the security module 210 will no longer operate in prevention mode and will return to detection mode. In contrast, if the security module 210 determines from the short average data that the network attack has not been thwarted (or that a new network attack has begun), it will remain in prevention mode until it concludes that the attack has ended.
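The detection and prevention logic of the preceding bullets, modelled in Python as an added example (not code from the patent or from F5): a per-client ‘miss’ ratio over the short window, short versus long average TPS and latency comparisons that move the module into prevention mode, the list of objects that were valid before prevention gating requests while in that mode, and the return to detection mode once the short average drops. The window lengths, thresholds, ratios and every traffic record below are constructed assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Transaction:
    ts: float        # completion time in seconds
    client: str      # client device identity (IP address)
    resource: str    # requested web object
    status: int      # HTTP response code returned by the server
    latency: float   # round trip time of the transaction in seconds

class SecurityModule:
    """Per-client 'miss' ratio marking, short/long average detection and prevention mode."""

    def __init__(self, miss_ratio_threshold=0.5, tps_ratio=3.0, tps_abs=100.0, latency_ratio=3.0,
                 latency_abs=2.0, short_window=60.0, long_window=3600.0, prevention_period=300.0):
        self.miss_ratio_threshold = miss_ratio_threshold    # 4XX share above which a client is suspicious
        self.tps_ratio, self.tps_abs = tps_ratio, tps_abs   # short/long TPS ratio and absolute TPS ceiling
        self.latency_ratio, self.latency_abs = latency_ratio, latency_abs
        self.short_window, self.long_window = short_window, long_window   # ~1 minute and ~1 hour
        self.prevention_period = prevention_period
        self.history = deque()       # transactions inside the long window, oldest first
        self.valid_objects = set()   # resources that completed validly before prevention began
        self.mode, self.prevention_until = "detection", 0.0

    def record_response(self, tx):
        """FIG. 3B: account for a server response and prune history beyond the long window."""
        self.history.append(tx)
        while tx.ts - self.history[0].ts > self.long_window:
            self.history.popleft()
        if self.mode == "detection" and 200 <= tx.status < 400:   # learned only in detection mode
            self.valid_objects.add(tx.resource)

    def _recent(self, window, now):
        return [t for t in self.history if now - t.ts <= window]

    def miss_ratio(self, client, now):
        """Responses with a 4XX code divided by all responses for this client in the short window."""
        txs = [t for t in self._recent(self.short_window, now) if t.client == client]
        return sum(1 for t in txs if 400 <= t.status < 500) / len(txs) if txs else 0.0

    def _avg_tps(self, window, now):
        # divide by the observed span so a device up for less than the window is not under-reported
        span = max(1.0, min(window, now - self.history[0].ts)) if self.history else 1.0
        return len(self._recent(window, now)) / span

    def _avg_latency(self, window, now):
        lat = [t.latency for t in self._recent(window, now)]
        return sum(lat) / len(lat) if lat else 0.0

    def attack_detected(self, now):
        """FIG. 3C: short average exceeds the long average by a ratio, or an absolute threshold."""
        short_tps, long_tps = self._avg_tps(self.short_window, now), self._avg_tps(self.long_window, now)
        short_lat, long_lat = self._avg_latency(self.short_window, now), self._avg_latency(self.long_window, now)
        tps_alarm = short_tps > self.tps_abs or (long_tps > 0 and short_tps > self.tps_ratio * long_tps)
        lat_alarm = short_lat > self.latency_abs or (long_lat > 0 and short_lat > self.latency_ratio * long_lat)
        return tps_alarm or lat_alarm

    def update_mode(self, now):
        if self.mode == "detection":               # FIG. 3C: enter prevention on detection
            if self.attack_detected(now):
                self.mode, self.prevention_until = "prevention", now + self.prevention_period
        elif now >= self.prevention_until:         # FIG. 3D: period over, re-arm or exit
            if self.attack_detected(now):          # short average still high: stay in prevention
                self.prevention_until = now + self.prevention_period
            else:                                  # short average dropped: return to detection
                self.mode = "detection"
        return self.mode

    def handle_request(self, client, resource, now):
        """FIG. 3A: decide whether a client request may be forwarded to the server."""
        self.update_mode(now)
        if self.mode == "detection":
            return "pass"
        if self.miss_ratio(client, now) > self.miss_ratio_threshold:   # marked suspicious
            return "block"
        if resource not in self.valid_objects:   # only objects valid before prevention pass
            return "block"
        return "pass"

def simulate():
    """Constructed traffic: ten minutes of one legitimate client, then a 12-second 404 flood."""
    sm = SecurityModule()
    for i in range(600):   # constructed baseline: one valid request per second
        sm.record_response(Transaction(float(i), "10.0.0.5", "/index.html", 200, 0.05))
    mode_before = sm.update_mode(599.0)
    for i in range(600):   # constructed flood: 600 requests for objects that do not exist
        sm.record_response(Transaction(600.0 + i * 0.02, "203.0.113.9", f"/missing-{i}", 404, 0.3))
    now = 612.0
    result = {
        "mode_before_attack": mode_before,
        "attacker_miss_ratio": sm.miss_ratio("203.0.113.9", now),
        "legit_miss_ratio": sm.miss_ratio("10.0.0.5", now),
        "mode": sm.update_mode(now),
        "attacker_request": sm.handle_request("203.0.113.9", "/index.html", now),
        "legit_known_object": sm.handle_request("10.0.0.5", "/index.html", now),
        "legit_unknown_object": sm.handle_request("10.0.0.5", "/never-seen.html", now),
    }
    result["mode_after_period"] = sm.update_mode(now + sm.prevention_period)   # flood over: detection resumes
    return result
```

Running `simulate()` shows the steady baseline never trips detection, the flood does, the flooding client is blocked while the legitimate client still reaches objects that were valid before prevention, and the module returns to detection once the period expires with no further flood.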
  • Such prevention methods include, but are not limited to, executing challenges based on client device IP and/or requested web objects, implementing rate limiting techniques to client device IP and/or web objects and the like.
  • one technique that can be employed by the security module 210 upon detecting a suspected network attack involves initially preventing the client requests from reaching the server 102, to allow the security module 210 to determine whether the requests are indeed a network attack or are legitimate requests.
  • the security module 210 sends a “modified” response back to the potential suspected client device 106 on behalf of the potential target, whereby the modified response does not embody the requested object or resource, but instead includes a challenge.
  • the challenge comprises information representing instructions (e.g., JavaScript code) to be executed by the suspected client device to execute the challenge, which may or may not yield an expected result.
  • the client device's answer to the challenge may generate an HTTP cookie for storing any result(s) obtained from answering the challenge, whereby the HTTP cookie is included in the client's answer to the challenge.
  • the challenge comprises Javascript code to be executed by the suspected client device, although other types of challenges could be employed and the code could be expressed in other programming, markup or script languages.
  • If the attacker does not execute the challenge (e.g., JavaScript code) included in the modified response received back from the security module 210, or executes the challenge but does not generate the correct result, the security module 210 determines that it is a confirmed attack and will prevent the target of the attack (e.g., server 102) from being subjected to the request and expending its resources in responding to it. If the potential attacker is indeed a legitimate requestor and not mounting an attack, it will execute the challenge (e.g., JavaScript code) included in the modified response, which will cause it to resend its initial request and include any results obtained by executing the challenge in the HTTP cookie.
  • the security module 210 has access to a list of allowable challenge answers stored in one or more memories 206 .
  • The security module 210, upon receiving the client's answer, analyzes the HTTP cookie and determines whether the answer in the cookie matches the list of allowable answers stored in memory. If the security module 210 confirms that one or more of the included challenge answers are correct, it will determine that the suspected client device is indeed a legitimate requestor. The security module 210 then forwards the request on to the server 102.
  • The security module 210, when in prevention mode, will prevent client requests from identified or marked suspicious client devices 106 from passing on to the server 102.
  • the security module 210 will prevent such client requests from passing on to the server 102 for a predefined time duration.
  • the time duration can be defined by a network administrator or other authority.
  • If the security module 210 determines that the prevention was not effective and that the DOS attack is still present even after the time limit has expired, the security module 210 will allow access only to those client devices 106 that respond with a valid response code that is present in a collected history of valid objects stored in the network traffic management device 110. For all other client requests that do not provide a valid response code, the security module 210 sends a blocking message back to the requesting client device 106.
  • The ‘miss’ criteria might be correlated with requests blocked by ASM enforcing policy, for example by counting valid transactions (a request with a response) and invalid transactions (blocked by policy or returning a 4XX response code).
  • FIG. 3A is a flow diagram of a process implemented by the security module for handling client requests in accordance with an aspect of the present disclosure.
  • The process 300 is described from a point when the network traffic management device 110 receives a request from a client device 106 to request a resource, such as a web object, from a server 102 (Block 302). It should be noted, for purposes of describing the processes only, that the network traffic management device 110 is at least operating in a detection mode at the commencement of the process 300 (for example, before or during Block A in FIG. 3A).
  • the security module 210 of the network traffic management device 110 analyzes the request and identifies the client device 106 by client ID or other identifying matter as well as the particular resource that is being requested from the server 102 (Block 304 ). The network traffic management device 110 then determines whether the analysis evidences that the client device 106 and/or requested resource has been marked or identified as suspicious (Block 306 ). In an aspect, the security module 210 accesses one or more databases which contain information of all client devices and resources which have been previously marked or blacklisted as being suspicious.
  • At Block 312, the security module 210 forwards the client request to the server 102 and stores the transaction data in memory 206.
  • the security module 210 thereafter receives the server response from the server 102 (Block 314 ), wherein the process proceeds to Block B.
  • If the security module 210 determines from the marked database that either or both of the client device 106 and the requested resource is/are deemed suspicious, the process continues to Block 308.
  • If the security module 210 is currently operating in the prevention mode, the security module 210 blocks the request from being sent to the server 102 and also sends a block page to the requesting client device 106 (Block 310). In contrast, if the security module 210 is not operating in the prevention mode, the process proceeds to Block 312, described above.
  • FIG. 3B is a flow diagram of a process implemented by the security module for handling server responses in accordance with an aspect of the present disclosure.
  • the security module 210 analyzes the received response from the server 102 , whereby the received response includes a response code indicating an invalid transaction (Block 318 ).
  • the security module 210 stores this information for the client device 106 and requested resource in a memory 206 (Block 320 ).
  • the security module 210 thereafter determines a ratio of error for the client device as well as the requested resource and compares the ratio of error with a predefined threshold value (Block 324 ). If the security module 210 determines that the ratio of error has not exceeded the predefined threshold, the security module 210 passes the server response to the client device 106 (Block 326 ).
  • If the security module 210 determines that the ratio of error has exceeded the predefined threshold, the security module 210 marks the client device 106 and/or the requested resource as suspicious and stores that information in the memory 206 (Block 328).
  • If the security module 210 is in the prevention mode (Block 330), the security module 210 does not forward the server response to the client device 106, as either or both of the client device 106 and the requested resource is considered by the security module 210 to be suspicious. Instead, the security module 210 sends a blocking message to the client device 106 (Block 332).
  • the security module 210 forwards the server response on to the requesting client device 106 , even though the activity is marked as suspicious (Block 326 ).
  • FIG. 3C is a flow diagram of a process implemented by the security module for determining whether to enter prevention mode in accordance with an aspect of the present disclosure.
  • The security module 210 stores and analyzes current TPS and latency data for the distributed connections handled by the network traffic management device 110 (Block 334).
  • The security module 210 determines whether the current TPS values exceed the short and/or long TPS averages at any particular time (Block 336). If so, the security module 210 enters prevention mode (Block 338). If not, the security module 210 determines whether the currently monitored latency values exceed the short and/or long latency averages at any particular time (Block 340), after which the process proceeds to Block C. It should be noted that although steps 336 and 340 are shown in a certain order, the security module 210 can perform both of these steps simultaneously. If the security module 210 determines that the current latency values exceed the threshold average, the security module 210 enters prevention mode (Block 342). The process then proceeds to Block C.
  • FIG. 3D is a flow diagram of a process implemented by the security module for determining whether to exit the prevention mode in accordance with an aspect of the present disclosure. As shown in FIG. 3D , the process continues from Block C in which the security module 210 remains in prevention mode and performs the prevention techniques described above (Block 344 ). The security module 210 monitors the current TPS and latency values and compares them with the corresponding TPS/latency short averages (Block 346 ).
  • At Block 348, the security module 210 determines whether either or both of the current TPS and latency values are below the threshold average. If so, the security module 210 terminates the prevention mode (Block 350).
  • the security module 210 determines whether the predefined prevention time limit has expired (Block 352 ). If not, the security module 210 continues to remain in the prevention mode and the process proceeds back to Block 344 . If the time limit has expired, the security module terminates the prevention mode and starts another prevention mode, wherein the timer for measuring the prevention mode duration is reset (Block 354 ).
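
The challenge/response exchange described in the challenge bullets above, as an added Python example (not F5's code and not taken from the patent): the gate returns a modified response carrying a script instead of the requested object, keeps the allowable answer in memory, and checks the answer the client brings back in an HTTP cookie. The cookie name, the arithmetic form of the challenge, the TTL and the single-use handling are assumptions.

```python
"""Challenge/response gate modelled on the JavaScript challenge the text
describes (added example, not F5's code). The cookie name, challenge form
and TTL are assumptions."""
import re
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "dos_challenge"   # assumed cookie name
CHALLENGE_TTL = 30              # seconds an issued challenge stays answerable


class ChallengeGate:
    """Sends a 'modified response' that carries a challenge instead of the
    requested object, and checks the answer the client returns in an HTTP
    cookie against the allowable answers kept in memory."""

    def __init__(self, ttl=CHALLENGE_TTL, now=time.monotonic):
        self._now = now          # injectable clock so expiry can be tested
        self._ttl = ttl
        self._allowed = {}       # challenge id -> (client id, expected answer, expiry)

    def issue(self, client_id):
        """Build the modified response for a suspected client: a small script
        the browser must run, whose result it stores in a cookie before
        resending the original request."""
        cid = secrets.token_hex(8)
        a = secrets.randbelow(900) + 100
        b = secrets.randbelow(900) + 100
        expected = str(a * b + len(cid))
        self._allowed[cid] = (client_id, expected, self._now() + self._ttl)
        script = (f"document.cookie='{COOKIE_NAME}={cid}:'+({a}*{b}+'{cid}'.length)"
                  "+';path=/';location.reload();")
        return {"status": 200, "headers": {"Content-Type": "text/html"},
                "body": f"<script>{script}</script>"}

    def verify(self, client_id, cookie_header):
        """True only if the resent request carries a fresh, unused answer that
        matches the challenge issued to this client."""
        if not cookie_header:
            return False
        jar = SimpleCookie()
        try:
            jar.load(cookie_header)
        except Exception:             # malformed Cookie header
            return False
        morsel = jar.get(COOKIE_NAME)
        if morsel is None or ":" not in morsel.value:
            return False
        cid, answer = morsel.value.split(":", 1)
        entry = self._allowed.pop(cid, None)   # each challenge is single-use
        if entry is None:
            return False
        owner, expected, expiry = entry
        if owner != client_id or self._now() > expiry:
            return False
        return answer.isascii() and secrets.compare_digest(answer, expected)


def browser_answer(modified_response):
    """Simulated legitimate browser: runs the arithmetic the script asks for
    and returns the Cookie header it would send with the resent request.
    A client that never runs the script (the case the text treats as a
    confirmed attack) sends no such cookie and is refused by verify()."""
    m = re.search(r"(\w+)=([0-9a-f]+):'\+\((\d+)\*(\d+)\+'[0-9a-f]+'\.length\)",
                  modified_response["body"])
    name, cid, a, b = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
    return f"{name}={cid}:{a * b + len(cid)}"
```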

Abstract

A method and network traffic management device to protect a network from network based attacks is disclosed. The method comprises receiving, at a network traffic management device, a plurality of requests from a plurality of client devices for one or more resources from one or more servers. The method comprises monitoring a number of server responses including an invalid transaction message for a particular client device or a particular requested resource. The method comprises comparing a ratio of invalid transactions to valid transactions for the particular client device or requested resource to a preestablished ratio threshold value. The method comprises marking the particular client device or requested resource as suspicious when the ratio exceeds the ratio threshold value. The method comprises preventing the suspicious particular client device or requested resource from being transmitted to the one or more servers when the network traffic management device detects a network attack.

Description

  • This application is a continuation of U.S. patent application Ser. No. 14/030,685, filed Sep. 18, 2013, which claims the benefit of U.S. Provisional Patent Application Ser. No. 61/706,724, filed on Sep. 27, 2012, which are hereby incorporated by reference in their entireties.
  • FIELD
  • The technology generally relates to network communication security, and more particularly, to a system and method for preventing DOS attacks utilizing invalid transaction statistics.
  • BACKGROUND
  • With the widespread use of Web based applications and the Internet in general, concerns have been raised with the availability of servers in view of malicious attacks from client devices requesting access to servers. Such attacks may include brute force attempts to access the server or so-called denial of service attacks. A denial-of-service attack (DoS attack) and distributed denial-of-service attack (DDoS attack) are attempts to make a computer server unavailable to its intended users. A denial of service attack is generally a concerted, malevolent effort to prevent an Internet site or service from functioning.
  • DoS and DDoS attacks typically target sites or services hosted on high-profile Web servers such as banks, credit card payment gateways and root servers. One common method of attack involves saturating the target machine with external communication connection requests such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by forcing the targeted server computer to reset or consume its resources to the point of interrupting communications between the intended users and servers.
  • Denial of service attacks and brute force attacks depend on client devices mimicking legitimate requests to tie up server resources. In order to prevent such attacks, network firewalls may be used to intercept traffic to a networked server and attempt to filter out malicious packets. Unfortunately, many current firewalls typically cannot distinguish between legitimate requests that are originated by legitimate users and transactions that are originated by attackers.
  • There are many known types of DDOS and DOS attacks that target servers, wherein each type of attack has different parameters and requires different methods of detection and prevention to be employed by network security devices in order to be effective. Existing network security devices are not able to distinguish valid client requests from attacks when executing a prevention technique, such as rate limiting for example.
  • SUMMARY
  • In an aspect, a method for a network traffic management device to protect a network from network based attacks is disclosed. The method comprises receiving, at a network traffic management device, a plurality of requests from a plurality of client devices for one or more resources from one or more servers. The method comprises monitoring a number of server responses including an invalid transaction message for a particular client device or a particular requested resource. The method comprises comparing a ratio of invalid transactions to valid transactions for the particular client device or requested resource to a preestablished ratio threshold value. The method comprises marking the particular client device or requested resource as suspicious when the ratio exceeds the ratio threshold value. The method comprises preventing the suspicious particular client device or requested resource from being transmitted to the one or more servers when the network traffic management device detects a network attack.
  • In an aspect, a computer-readable medium having stored thereon computer-executable instructions for a network traffic management device to protect a network from network based attacks is disclosed. The computer-executable instructions, when executed, cause the network traffic management device to receive a plurality of requests from a plurality of client devices for one or more resources from one or more servers. The network traffic management device will monitor a number of server responses including an invalid transaction message for a particular client device or a particular requested resource. The network traffic management device will compare a ratio of invalid transactions to valid transactions for the particular client device or requested resource to a preestablished ratio threshold value. The network traffic management device will mark the particular client device or requested resource as suspicious when the ratio exceeds the ratio threshold value. The network traffic management device will prevent the suspicious particular client device or requested resource from being transmitted to the one or more servers when the network traffic management device detects a network attack.
  • In an aspect, a network traffic management device comprises a network interface capable of receiving and transmitting network data packets over a network. The network traffic management device comprises a memory having stored thereon code embodying processor executable programmable instructions. The network traffic management device includes a processor configured to execute the stored programming instructions in the memory. The instructions cause the processor to receive a plurality of requests from a plurality of client devices for one or more resources from one or more servers. The instructions cause the processor to monitor a number of server responses including an invalid transaction message for a particular client device or a particular requested resource. The instructions cause the processor to compare a ratio of invalid transactions to valid transactions for the particular client device or requested resource to a preestablished ratio threshold value. The instructions cause the processor to mark the particular client device or requested resource as suspicious when the ratio exceeds the ratio threshold value. The instructions cause the processor to prevent the suspicious particular client device or requested resource from being transmitted to the one or more servers when the network traffic management device detects a network attack.
  • In one or more of the above aspects, the network traffic management device enters into prevention mode upon detecting the network attack.
  • In one or more of the above aspects, the network traffic management device is further configured to monitor current transactions per second for connections handled by the network traffic management device; and compare the current average transactions per second value over a short set period of time with an average transactions per second value over a long set period of time, wherein the network traffic management device enters the prevention mode when the short average transactions per second value exceeds the long average transactions per second value by a preset ratio or the short average transactions per second value exceeds a preset threshold value. In one or more aspects, the set period of time is approximately 1 minute or 1 hour.
  • In one or more of the above aspects, the network traffic management device is further configured to monitor current latency values for connections handled by the network traffic management device; and compare the current average latency value over a short set period of time with an average latency value over a long set period of time, wherein the network traffic management device enters the prevention mode when the short average latency value exceeds the long average latency value by a specified ratio or exceeds a preset threshold value. In one or more aspects, the set period of time is approximately 1 minute or 1 hour.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram of an example system environment that includes a network traffic manager configured to identify and defuse network attacks in accordance with an aspect of the present disclosure;
  • FIG. 2 is a block diagram of the network traffic manager shown in FIG. 1 in accordance with an aspect of the present disclosure;
  • FIG. 3A is a flow diagram of a process implemented by the security module for handling client requests in accordance with an aspect of the present disclosure;
  • FIG. 3B is a flow diagram of a process implemented by the security module for handling server responses in accordance with an aspect of the present disclosure;
  • FIG. 3C is a flow diagram of a process implemented by the security module for determining whether to enter prevention mode in accordance with an aspect of the present disclosure; and
  • FIG. 3D is a flow diagram of a process implemented by the security module for determining whether to exit the prevention mode in accordance with an aspect of the present disclosure.
  • While these examples are susceptible in many different forms, there is shown in the drawings and will herein be described in detail several examples with the understanding that the present disclosure is to be considered as an exemplification and is not intended to limit the broad aspect to the embodiments illustrated.
  • DETAILED DESCRIPTION
  • FIG. 1 is a diagram of an example system environment that includes a network traffic management device configured to identify and defuse network attacks in accordance with an aspect of the present disclosure. As shown in FIG. 1, an example system environment 100 employs one or more network traffic management devices 110 that are capable of identifying and thwarting or defusing these types of network attacks in an effective manner. The example system environment 100 also includes one or more Web application servers 102, and one or more client devices 106, although the environment 100 could include other numbers and types of devices in other arrangements. The traffic management device 110 is coupled to the web application servers 102 via local area network (LAN) 104 and client devices 106 via network 108. Generally, requests sent over the network 108 from client devices 106 towards Web application servers 102 are received by network traffic management device 110. Similarly, responses sent from the servers 102 to the client devices 106 are received by the network traffic management device 110.
  • Client devices 106 comprise computing devices capable of connecting to other computing devices, such as network traffic management device 110 and Web application servers 102, over wired and/or wireless networks, such as network 108, to send and receive data, such as for Web-based requests, receiving responses to requests and/or for performing other tasks in accordance with the processes described below. Non-limiting and non-exhaustive examples of such devices include personal computers (e.g., desktops, laptops), mobile and/or smart phones, tablets, smart TVs and media players and the like. In this example, client devices 106 run Web browsers that may provide an interface for operators, such as human users, to interact with when making requests for resources to different web server-based applications or Web pages served by servers 102 via the network 108. One or more Web-based applications may run on the web application server 102 that provide the requested data back to one or more exterior network devices, such as client devices 106.
  • Network 108 comprises a publicly accessible network, such as the Internet, although the network 108 may comprise other types of private and public networks that include other devices. Communications, such as requests from clients 106 and responses from servers 102, take place over the network 108 according to standard network protocols, such as the HTTP and TCP/IP protocols, although other protocols are contemplated. Further, it should be appreciated that network 108 may include local area networks (LANs), wide area networks (WANs), direct connections and any combination thereof, and other types and numbers of network types. On an interconnected set of LANs or other networks, including those based on differing architectures and protocols, routers, switches, hubs, gateways, bridges, and other intermediate network devices may act as links within and between LANs and other networks to enable messages and other data to be sent from and to network devices. Also, communication links within and between LANs and other networks typically include twisted wire pair (e.g., Ethernet), coaxial cable, analog telephone lines, full or fractional dedicated digital lines including T1, T2, T3, and T4, Integrated Services Digital Networks (ISDNs), Digital Subscriber Lines (DSLs), wireless links including satellite links and other communications links known to those skilled in the relevant arts.
  • LAN 104 comprises a private local area network that includes the network traffic management device 110 coupled to the one or more servers 102, although the LAN 104 may comprise other types of private and public networks with other devices. Networks, including local area networks, besides being understood by those skilled in the relevant arts, have already been generally described above in connection with network 108, and thus will not be described further.
  • Web application server 102 (referred to herein as “server”) comprises one or more server computing machines capable of operating one or more Web-based applications that may be accessed by one or more client devices 106 via the network traffic management device 110. The server 102 may provide other data representing requested resources, including but not limited to Web page(s), image(s) of physical objects, and any other web or non-web objects. It should be noted that while only two Web application servers 102 are shown in the environment 100 depicted in FIG. 1, other numbers and types of servers may be coupled to the network traffic management device 110. It is also contemplated that one or more of the Web application servers 102 may be a cluster of servers managed by the network traffic management device 110. It should also be noted that the Web-based applications may be handled in an on-demand fashion, such as in a cloud computing architecture. It is to be understood that the one or more Web application servers 102 may be hardware and/or software, and/or may represent a system with multiple servers that may include internal or external networks. In this example, the Web application servers 102 may be any version of Microsoft® IIS servers or Apache® servers, although other types of servers may be used. Further, additional servers may be coupled to the network 108 and many different types of applications may be available on servers coupled to the network 108.
  • Generally, the network traffic management device 110 manages network communications, which may include one or more client requests and server responses, over the network 108 between the client devices 106 and the servers 102. For instance, the network traffic management device 110 may perform several network traffic related functions involving the communications, such as load balancing, access control, and validating HTTP requests. The network traffic management device 110 includes a security module (FIG. 2) which detects and prevents a DOS attack based on invalid transaction statistics as described further below.
  • Referring now to FIG. 2, an example network traffic management device 110 includes a device processor 200, device I/O interfaces 202, network interface 204 and device memory 206, which are coupled together by bus 208, although the device 110 could include other types and numbers of components.
  • Device processor 200 comprises one or more microprocessors configured to execute computer/machine readable and executable instructions stored in device memory 206 to implement the functions that the security module 210 performs, as discussed in FIGS. 3A-3D. The processor 200 may comprise other types and/or combinations of processors, such as digital signal processors, micro-controllers, application specific integrated circuits (“ASICs”), programmable logic devices (“PLDs”), field programmable logic devices (“FPLDs”), field programmable gate arrays (“FPGAs”), and the like.
  • Device I/O interfaces 202 comprise one or more user input and output device interface mechanisms, such as a computer keyboard, mouse, display device, and the corresponding physical ports and underlying supporting hardware and software to enable the network traffic management device 110 to communicate with the outside environment. Alternatively or in addition, as will be described in connection with network interface 204 below, the network traffic management device 110 may communicate with the outside environment for certain types of operations (e.g., configuration) via a network management port, for example.
  • Network interface 204 comprises one or more mechanisms that enable network traffic management device 110 to engage in TCP/IP communications over LAN 104 and network 108, although the network interface 204 may be constructed for use with other communication protocols and types of networks. Network interface 204 is sometimes referred to as a transceiver, transceiving device, or network interface card (NIC), which transmits and receives network data packets over a network connection. In an aspect where the network traffic management device 110 includes more than one device processor 200 (or a processor 200 has more than one core), each processor 200 (and/or core) may use the same single network interface 204 or a plurality of network interfaces 204. Further, the network interface 204 may include one or more physical ports, such as Ethernet ports, to couple the network traffic management device 110 with other network devices, such as Web application servers 102. Moreover, the interface 204 may include certain physical ports dedicated to receiving and/or transmitting certain types of network data, such as device management related data for configuring the network traffic management device 110.
  • The bus 208 enables the various components of the network traffic management device 110, such as the processor 200, device I/O interfaces 202, network interface 204, device memory 206 and other hardware components, to communicate with one another. Bus 208 may comprise one or more internal device component communication buses, links, bridges and supporting components, such as bus controllers and/or arbiters. By way of example only, example buses include HyperTransport, PCI, PCI Express, InfiniBand, USB, Firewire, Serial ATA (SATA), SCSI, IDE and AGP buses and the like.
  • Device memory 206 comprises computer readable media, namely computer readable or processor readable storage media, which are examples of machine-readable storage media. Computer readable storage/machine-readable storage media may include volatile, nonvolatile, removable, and non-removable media implemented in any method or technology for storage of information, such as computer readable/machine-executable instructions, data structures, program modules, or other data. The computer readable media may be obtained and/or executed by one or more processors 200 to perform actions such as implementing an operating system for controlling the general operation of network traffic management device 110. Other actions include implementing security module 210 to perform one or more portions of the processes illustrated in FIGS. 3A-3D.
  • Examples of computer readable storage media include RAM, BIOS, ROM, EEPROM, flash/firmware memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information, including data and/or computer/machine-executable instructions, and which can be accessed by a computing or specially programmed device, such as network traffic management device 110. When the instructions stored in device memory 206 are run by the device processor 200, the network traffic management device 110 implements the functions handled by the security module 210 and performs at least a portion of the processes in FIGS. 3A-3D.
  • As shown in FIG. 2, the security module 210 is depicted as being within the memory 206. However, it should be appreciated that the security module 210 may alternatively be located elsewhere within or exterior to the network traffic management device 110. Generally, when instructions embodying the security module 210 are executed by the processor 200, the network traffic management device 110 is able to perform the processes described in detail below.
  • In general, the security module 210 of the network traffic management device 110 is configured to detect and prevent distributed DOS attacks from occurring against one or more servers 102. In particular, the security module 210 detects and prevents such DOS attacks using criteria or parameters such as transactions per second (TPS) and/or network related latency values for client devices 106 and/or requested resources (e.g. web objects). In accordance with the present disclosure, the security module 210 monitors the number of invalid transactions which occur within a certain amount of time and compares that number (or its ratio to valid transactions) with a threshold value. If the threshold value is exceeded, the security module 210 marks the particular client device 106 and/or requested resource as being suspicious. In the event that a DOS attack is detected, the security module 210 will automatically deny all requests which are marked as being suspicious. It should be noted that the processes performed by the security module 210 of the network traffic management device 110 can be implemented in conjunction with existing detection and prevention techniques already employed by the network traffic management device 110.
  • The security module 210 may detect and prevent network attacks, or at least suspected network attacks, by analyzing collected short average and/or long average TPS and latency data regarding particular client devices 106, client requests destined for one or more particular servers 102, particular resources (e.g. requested web objects) and the like. In an aspect, the security module 210 will monitor, for each client device 106, a history of access statistics based on one or more response codes returned by the server 102.
  • In an aspect, the security module 210 monitors responses from servers 102 and, in particular, makes note of the HTTP server response codes in those responses. The security module 210 will flag server response codes that indicate an invalid policy based transaction, such as 400 series response codes (e.g. 403, 404) or other series of response codes which may indicate suspicious activity. Each client (identified by IP) is assigned a ‘miss’ ratio: the number of responses with a 4XX response code divided by all responses (or requests) for that client. If the ‘miss’ ratio passes a predefined threshold, the client device 106 and/or requested resource is marked or identified as being suspicious. In addition, the security module 210 keeps track of server responses that return valid response codes.
  • The network traffic management device 110 of the present disclosure monitors average historical analytic data including, but not limited to, average data for TPS and latency values, over time. In an aspect, the security module 210 monitors short average historical data as well as long average historical data of TPS and latency values while it operates in the detection mode. For example, the security module 210 can monitor the average number of transactions which occur in a minute when monitoring the short average transaction data.
  • In another example, the security module 210 monitors short average latency data by monitoring the round trip time (RTT) or other time measurement data between the client device and server for a requested web object. The security module 210 accordingly uses additional information obtained by further analyzing collected data to identify latencies associated with particular servers, server applications or other server resources, page traversal rates, client device fingerprints and access statistics that the security module 210 may analyze to identify anomalies indicative to the module 210 that there may be an attack. The security module 210 also analyzes collected data to obtain information the security module 210 may use to identify particular servers and/or server applications and resources on particular servers, such as Web application server 102, being targeted in network attacks, so the module 210 can handle the attack in the manner described in greater detail below.
  • In an aspect, the security module 210 may utilize overall TPS and latency values in determining whether a network attack has occurred (such as when the length of time during which the network traffic management device 110 has been operational is relatively short).
  • In an aspect, the short average data of the TPS and latency values are defined as being taken over a relatively small amount of time, such as one to a plurality of minutes. In comparison, the long average data of the TPS and latency values are defined as being taken over a relatively longer amount of time, such as one to a plurality of hours. For example, the security module 210 can monitor the number of transactions which occur in an hour when monitoring the long average transaction data.
  • The security module 210 compares the average TPS value over a time duration with a predefined TPS threshold value to determine whether a particular client device 106 is to be deemed suspicious. For example, the security module 210 may compare the TPS average (short or long) of a particular client device 106 with the predefined threshold value, whereby the security module 210 will designate that client device 106 as suspicious if it determines that the client device 106 has a ‘miss’ ratio that exceeds the predefined threshold value. With regard to latency, the security module 210 compares the average latency value over a time duration with a predefined latency threshold value to determine whether a DOS attack has been initiated.
  • If the security module 210 detects a DOS attack, based on TPS and/or web object latency values, the security module 210 will change its operating status from the detection mode to the prevention mode. The security module 210, once in prevention mode, will implement one or more appropriate prevention methods to prevent suspicious network activity from being sent from the network traffic management device 110 to the server 102.
  • When the security module 210 is in prevention mode, the security module 210 prevents requests from client devices 106 marked suspicious from being passed to the server 102 for a set amount of time. Additionally, in prevention mode the module 210 will only pass requests to web objects that resulted in a valid transaction prior to the prevention period, blocking all other requests on the assumption that they target violated or non-accessible resources. Once the prevention mode time expires, the security module 210 may again initiate the prevention mode or return to detection mode.
  • While in prevention mode, the security module 210 monitors the short historical average TPS and latency data to determine whether the DOS attack is continuing or whether it has ended. In an example, if the short average TPS data indicates that the number of transactions per second has dramatically decreased after the security module 210 began operating in the prevention mode and prevented suspicious client requests from passing on to the server 102, the security module 210 can conclude that the attack has ended. In this example, the security module 210 will no longer operate in prevention mode and will thus return to detection mode. In contrast, if the security module 210 determines from the short average data that the network attack has not been thwarted (or a new network attack has been initiated), the security module 210 will remain in the prevention mode until it concludes that the attack has ended.
  • Such prevention methods include, but are not limited to, executing challenges based on client device IP and/or requested web objects, implementing rate limiting techniques for client device IP and/or web objects, and the like. In an aspect, one technique that can be employed by the security module 210 upon detecting a suspected network attack involves initially preventing the client requests from reaching the server 102 to allow the security module 210 to determine whether the requests are indeed a network attack or are legitimate requests. In this aspect, the security module 210 sends a “modified” response back to the potentially suspected client device 106 on behalf of the potential target, whereby the modified response does not embody the requested object or resource, but instead includes a challenge. In particular to this aspect, the challenge comprises information representing instructions (e.g., JavaScript code) to be executed by the suspected client device to execute the challenge, which may or may not yield an expected result. The client device's answer to the challenge may generate an HTTP cookie for storing any result(s) obtained from answering the challenge, whereby the HTTP cookie is included in the client's answer to the challenge. In an aspect, the challenge comprises JavaScript code to be executed by the suspected client device, although other types of challenges could be employed and the code could be expressed in other programming, markup or script languages.
If the potential attacker is indeed an actual attacker conducting an automated attack, then the attacker may not execute the challenge (e.g., JavaScript code) included in the modified response received back from the security module 210, or the attacker may execute the challenge but not generate the correct result, and the security module 210 determines it is a confirmed attack and will prevent the target of the attack (e.g., server 102) from being subjected to the request and expending its resources in responding to it. If the potential attacker is indeed a legitimate requestor and not mounting an attack, it will execute the challenge (e.g., JavaScript code) included in the modified response, which will cause it to resend its initial request and include any results obtained by executing the challenge in the HTTP cookie. In an aspect, the security module 210 has access to a list of allowable challenge answers stored in one or more memories 206. The security module 210, upon receiving the client's answer, analyzes the HTTP cookie and determines whether the answer in the cookie matches the list of allowable answers stored in memory. If the security module 210 confirms that one or more of the included challenge answers are correct, it will determine that the suspected client device is indeed a legitimate requestor. The security module 210 then forwards the request on to the server 102.
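The server side of the challenge exchange described above, as an added Python example that is not code from the patent or from F5. The security module's "list of allowable answers" is modelled as a table of issued nonces; the cookie name `dos_chal`, the trivial char-code sum that the returned script computes, the 30 s lifetime and the one-time-use rule are all assumptions of this example. The point a defender should take from it is that the answer must be bound to the client it was issued to and must expire, otherwise one harvested cookie would pass every later request.

```python
import secrets


class ChallengeVerifier:
    """Server-side half of a JavaScript challenge (added example, not the patent's code).

    The mechanism's value is that the answer is only produced by a client that
    actually runs the returned script; the arithmetic itself is deliberately trivial.
    Answers are bound to the issuing client IP, expire, and are accepted once.
    """

    def __init__(self, ttl_s: float = 30.0) -> None:
        self.ttl_s = ttl_s
        self._issued: dict = {}  # nonce -> (client_ip, expires_at, expected_answer)

    @staticmethod
    def expected_answer(nonce: str) -> int:
        # Must match what the JavaScript emitted by issue() computes in the browser.
        return sum(ord(c) for c in nonce) % 65536

    def issue(self, client_ip: str, now: float):
        """Build the 'modified response' body: a script that answers the challenge,
        stores the answer in the dos_chal cookie and resends the original request."""
        nonce = secrets.token_hex(8)
        self._issued[nonce] = (client_ip, now + self.ttl_s, self.expected_answer(nonce))
        script = (
            "<script>"
            f"var n='{nonce}',a=0;for(var i=0;i<n.length;i++)a+=n.charCodeAt(i);"
            "document.cookie='dos_chal='+n+':'+(a%65536)+';path=/';location.reload();"
            "</script>"
        )
        return nonce, script

    def verify(self, client_ip: str, cookie_value: str, now: float) -> bool:
        """Check the dos_chal cookie on the resent request; True means forward to the server."""
        try:
            nonce, answer_text = cookie_value.split(":", 1)
            answer = int(answer_text)
        except (AttributeError, ValueError):
            return False
        entry = self._issued.pop(nonce, None)  # one-time use: a replayed cookie fails
        if entry is None:
            return False
        issued_to, expires_at, expected = entry
        return issued_to == client_ip and now <= expires_at and answer == expected
```

In deployment `issue()` would be called for the first request of a client the ratio statistics have marked suspicious, and `verify()` on the request that comes back carrying the cookie; a client with no JavaScript engine never produces the cookie and is simply never forwarded, which is the outcome the passage describes for automated traffic.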
  • In an additional aspect, the security module 210, when in prevention mode, will prevent client requests from identified or marked suspicious client devices 106 from passing on to the server 102. In this aspect, the security module 210 will prevent such client requests from passing on to the server 102 for a predefined time duration. The time duration can be defined by a network administrator or other authority. In this aspect, if the security module 210 determines that the prevention was not effective and that the DOS attack is still present, even after the time limit has expired, the security module 210 will allow access only to those client devices 106 that respond with a valid response code that is present in a collected history of valid objects that is stored in the network traffic management device 110. For all other client requests that do not provide a valid response code, the security module 210 sends a blocking message back to the requesting client device 106.
  • In addition, the ‘miss’ criteria may be correlated with requests blocked by the ASM enforcing policy, for example by counting valid transactions (a request with a response) and invalid transactions (a request blocked by policy or answered with a 4XX response code).
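The per-client and per-resource ‘miss’ ratio described above, including the policy-block correlation just mentioned, as an added Python example that is not code from the patent or from F5. The 60 s window, the 0.5 threshold, the minimum sample count (so a single 404 from a new client cannot mark it) and the sticky marking are assumptions of this example, as is the sample traffic, which is constructed; the ratio itself follows the description (4XX or policy-blocked transactions over all transactions for the key).

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class _Window:
    """Sliding window of (timestamp, is_valid) outcomes for one client or resource."""
    events: deque = field(default_factory=deque)
    valid: int = 0
    invalid: int = 0

    def add(self, ts: float, is_valid: bool, horizon_s: float) -> None:
        self.events.append((ts, is_valid))
        if is_valid:
            self.valid += 1
        else:
            self.invalid += 1
        self.expire(ts - horizon_s)

    def expire(self, cutoff: float) -> None:
        """Drop outcomes older than the window so the ratio tracks recent behaviour."""
        while self.events and self.events[0][0] < cutoff:
            _, was_valid = self.events.popleft()
            if was_valid:
                self.valid -= 1
            else:
                self.invalid -= 1

    @property
    def total(self) -> int:
        return self.valid + self.invalid


class InvalidTransactionTracker:
    """Per-client and per-resource 'miss' ratio over a time window.

    A transaction is a miss when the server answered 4XX or when the enforcing
    policy blocked the request before it reached the server. Marking is sticky:
    once a key is suspicious it stays so until cleared (assumption of this example).
    """

    def __init__(self, horizon_s: float = 60.0, threshold: float = 0.5,
                 min_samples: int = 10) -> None:
        self.horizon_s = horizon_s
        self.threshold = threshold
        # Assumption not in the patent: a minimum sample count, so that a single
        # 404 from a new client (ratio 1/1) cannot mark it suspicious.
        self.min_samples = min_samples
        self._windows: dict = {}
        self.suspicious: set = set()

    def record_response(self, ts, client_ip, resource, status_code: int) -> None:
        self._record(ts, client_ip, resource, is_valid=not 400 <= status_code <= 499)

    def record_policy_block(self, ts, client_ip, resource) -> None:
        self._record(ts, client_ip, resource, is_valid=False)

    def _record(self, ts, client_ip, resource, is_valid: bool) -> None:
        # The same outcome is booked against both the client and the resource key.
        for key in (("client", client_ip), ("resource", resource)):
            window = self._windows.setdefault(key, _Window())
            window.add(ts, is_valid, self.horizon_s)
            if (window.total >= self.min_samples
                    and window.invalid / window.total > self.threshold):
                self.suspicious.add(key)

    def miss_ratio(self, kind, ident, now=None) -> float:
        window = self._windows.get((kind, ident))
        if window is None:
            return 0.0
        if now is not None:
            window.expire(now - self.horizon_s)
        return window.invalid / window.total if window.total else 0.0

    def is_suspicious(self, kind, ident) -> bool:
        return (kind, ident) in self.suspicious


def run_sample() -> InvalidTransactionTracker:
    """Constructed traffic, not from the patent: one ordinary client and one client
    whose requests mostly end in 404s or policy blocks, over about 12 seconds."""
    tracker = InvalidTransactionTracker(horizon_s=60.0, threshold=0.5, min_samples=10)
    for i in range(11):
        tracker.record_response(1000.0 + i, "203.0.113.5", "/index.html", 200)
    tracker.record_response(1011.0, "203.0.113.5", "/old-link", 404)
    for i in range(9):
        tracker.record_response(1000.5 + i, "198.51.100.7", f"/report-{i}.pdf", 404)
    for i in range(2):
        tracker.record_policy_block(1010.0 + i, "198.51.100.7", f"/report-{9 + i}.pdf")
    tracker.record_response(1012.0, "198.51.100.7", "/index.html", 200)
    return tracker
```

Note that the shared resource `/index.html` is never marked even though a suspicious client fetched it, because its own ratio stays at zero; keying the statistics by resource as well as by client is what lets the module later distinguish a hammered missing object from a client that is merely unlucky.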
  • FIG. 3A is a flow diagram of a process implemented by the security module for handling client requests in accordance with an aspect of the present disclosure.
  • As shown in FIG. 3A, the process 300 is described from the point when the network traffic management device 110 receives a request from a client device 106 for a resource, such as a web object, from a server 102 (Block 302). It should be noted, for purposes of describing the processes only, that the network traffic management device 110 is at least operating in a detection mode at the commencement of the process 300 (for example, before or during the A block in FIG. 3A).
  • The security module 210 of the network traffic management device 110 analyzes the request and identifies the client device 106 by client ID or other identifying matter as well as the particular resource that is being requested from the server 102 (Block 304). The network traffic management device 110 then determines whether the analysis evidences that the client device 106 and/or requested resource has been marked or identified as suspicious (Block 306). In an aspect, the security module 210 accesses one or more databases which contain information of all client devices and resources which have been previously marked or blacklisted as being suspicious.
  • If the security module 210 determines that neither the client device 106 nor the requested resource is deemed suspicious, the process continues to Block 312, wherein the security module 210 forwards the client request to the server 102 and stores the transaction data in memory 206 (Block 312). The security module 210 thereafter receives the server response from the server 102 (Block 314), wherein the process proceeds to Block B.
  • In contrast, if the security module 210 determines from the database of marked entries that either or both of the client device 106 and the requested resource is/are deemed suspicious, the process continues to Block 308. As shown in FIG. 3A, if the security module 210 is currently operating in the prevention mode, the security module 210 blocks the request from being sent to the server 102 and also sends a block page to the requesting client device 106 (Block 310). In contrast, if the security module 210 is not operating in the prevention mode, the process proceeds to Block 312, described above.
  • FIG. 3B is a flow diagram of a process implemented by the security module for handling server responses in accordance with an aspect of the present disclosure. As shown in FIG. 3B, the security module 210 analyzes the received response from the server 102, whereby the received response includes a response code indicating an invalid transaction (Block 318). The security module 210 stores this information for the client device 106 and requested resource in a memory 206 (Block 320).
  • The security module 210 thereafter determines a ratio of error for the client device as well as the requested resource and compares the ratio of error with a predefined threshold value (Block 324). If the security module 210 determines that the ratio of error has not exceeded the predefined threshold, the security module 210 passes the server response to the client device 106 (Block 326).
  • In contrast, if the security module 210 determines that the ratio of error has exceeded the predefined threshold, the security module 210 marks the client device 106 and/or requested resource as suspicious and stores that information in the memory 206 (Block 328).
  • As shown in FIG. 3B, if the security module 210 is in the prevention mode (Block 330), the security module 210 does not forward the server response to the client device 106, as either or both of the client device 106 and the requested resource is considered by the security module 210 as being suspicious. Instead, the security module 210 sends a blocking message to the client device 106 (Block 332).
  • Referring back to Block 330, if the security module 210 is not currently operating in the prevention mode, the security module 210 forwards the server response on to the requesting client device 106, even though the activity is marked as suspicious (Block 326).
  • FIG. 3C is a flow diagram of a process implemented by the security module for determining whether to enter prevention mode in accordance with an aspect of the present disclosure. As shown in FIG. 3C, the security module 210 stores and analyzes current TPS and latency data for the distributed connections handled by the network traffic management device 110 (Block 334).
  • The security module 210 determines whether the current TPS values exceed the short and/or long TPS averages at any particular time (Block 336). If so, the security module 210 enters prevention mode (Block 338). If not, the security module 210 determines whether the currently monitored latency values exceed the short and/or long latency averages at any particular time (Block 340); if they do not, the process proceeds to Block C. It should be noted that although steps 336 and 340 are shown in a certain order, the security module 210 can perform both of these steps simultaneously. If the security module 210 determines that the current latency values exceed the threshold average, the security module 210 enters prevention mode (Block 342). The process then proceeds to Block C.
  • FIG. 3D is a flow diagram of a process implemented by the security module for determining whether to exit the prevention mode in accordance with an aspect of the present disclosure. As shown in FIG. 3D, the process continues from Block C in which the security module 210 remains in prevention mode and performs the prevention techniques described above (Block 344). The security module 210 monitors the current TPS and latency values and compares them with the corresponding TPS/latency short averages (Block 346).
  • As shown in FIG. 3D, if the security module 210 determines that either or both of the current TPS and latency values are below the threshold average (Block 348), the security module 210 terminates the prevention mode (Block 350).
  • In contrast, if the security module 210 determines that either or both of the current TPS and latency values are not below the threshold average (Block 348), the security module 210 determines whether the predefined prevention time limit has expired (Block 352). If not, the security module 210 continues to remain in the prevention mode and the process proceeds back to Block 344. If the time limit has expired, the security module terminates the prevention mode and starts another prevention mode, wherein the timer for measuring the prevention mode duration is reset (Block 354).
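The four flows of FIGS. 3A through 3D tied together, as an added Python example that is not code from the patent or from F5. Short and long averages are plain moving averages over a configurable number of sampling intervals; the `margin` factor above the average (the patent compares against the bare average), the decision to freeze the baseline while in prevention mode so the surge is not averaged into it, and the optional `known_good` set implementing the "valid transaction prior to the prevention period" rule are assumptions of this example. The per-minute samples are constructed; suspicious keys are taken as given, since their computation is the ratio statistics covered earlier.

```python
from collections import deque
from enum import Enum
from statistics import mean


class Mode(Enum):
    DETECTION = "detection"
    PREVENTION = "prevention"


class Decision(Enum):
    FORWARD = "forward"
    BLOCK = "block"


class Averages:
    """Short and long moving averages of one per-interval metric (TPS or latency)."""

    def __init__(self, short_n: int, long_n: int) -> None:
        self.short = deque(maxlen=short_n)  # e.g. the last few minutes
        self.long = deque(maxlen=long_n)    # e.g. the last few hours

    def push(self, value: float) -> None:
        self.short.append(value)
        self.long.append(value)

    def short_avg(self):
        return mean(self.short) if self.short else None

    def long_avg(self):
        return mean(self.long) if self.long else None


class DosGuard:
    def __init__(self, short_n=5, long_n=60, prevention_s=300.0, margin=1.5) -> None:
        self.tps = Averages(short_n, long_n)
        self.latency = Averages(short_n, long_n)
        self.prevention_s = prevention_s
        # Assumption not in the patent: require a margin above the average rather
        # than a bare "exceeds", so ordinary jitter does not trigger prevention.
        self.margin = margin
        self.mode = Mode.DETECTION
        self.prevention_started = None
        self.prevention_rounds = 0

    def _exceeds(self, value: float, avgs: Averages) -> bool:
        return any(avg is not None and value > self.margin * avg
                   for avg in (avgs.short_avg(), avgs.long_avg()))

    def _below_short(self, value: float, avgs: Averages) -> bool:
        avg = avgs.short_avg()
        return avg is not None and value < avg

    def observe(self, now: float, tps: float, latency: float) -> None:
        """Feed one sampling interval's TPS and latency (FIG. 3C in detection, 3D in prevention)."""
        if self.mode is Mode.DETECTION:
            if self._exceeds(tps, self.tps) or self._exceeds(latency, self.latency):
                self.mode = Mode.PREVENTION          # Blocks 338/342
                self.prevention_started = now
                self.prevention_rounds += 1
                return                               # do not fold the surge into the baseline
            self.tps.push(tps)
            self.latency.push(latency)
            return
        # Prevention mode: baseline frozen (assumption); compare post-mitigation values.
        if self._below_short(tps, self.tps) or self._below_short(latency, self.latency):
            self.mode = Mode.DETECTION               # Block 350: attack has ended
            self.prevention_started = None
        elif now - self.prevention_started >= self.prevention_s:
            self.prevention_started = now            # Block 354: new round, timer reset
            self.prevention_rounds += 1

    def handle_request(self, client_key, resource_key, suspicious, known_good=None) -> Decision:
        """FIG. 3A: marked entries are only blocked while in prevention mode."""
        if self.mode is Mode.DETECTION:
            return Decision.FORWARD
        if client_key in suspicious or resource_key in suspicious:
            return Decision.BLOCK
        if known_good is not None and resource_key not in known_good:
            return Decision.BLOCK                    # only objects valid before prevention pass
        return Decision.FORWARD


def run_sample():
    """Constructed per-minute samples, not from the patent: ten calm minutes, then a
    surge that outlasts the first prevention period and dies down in the second."""
    guard = DosGuard(short_n=3, long_n=10, prevention_s=120.0, margin=1.5)
    modes = []
    for i in range(10):                                  # baseline: ~100 TPS, ~40 ms
        guard.observe(60.0 * i, 100.0 + i % 3, 40.0 + i % 2)
        modes.append(guard.mode)
    for now, tps, latency in ((600.0, 900.0, 250.0),     # surge -> prevention
                              (660.0, 400.0, 120.0),     # still hot, timer running
                              (720.0, 500.0, 100.0),     # timer expired -> new round
                              (780.0, 80.0, 35.0)):      # calm -> back to detection
        guard.observe(now, tps, latency)
        modes.append(guard.mode)
    return guard, modes
```

Freezing the baseline during prevention matters more than it looks: if the surge were pushed into the short average, the "current below short average" exit test would be measured against the attack itself and the module could leave prevention while the attack was still running.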
  • Having thus described the basic concepts, it will be rather apparent to those skilled in the art that the foregoing detailed disclosure is intended to be presented by way of example only, and is not limiting. Various alterations, improvements, and modifications will occur and are intended to those skilled in the art, though not expressly stated herein. These alterations, improvements, and modifications are intended to be suggested hereby, and are within the spirit and scope of the examples. Additionally, the recited order of processing elements or sequences, or the use of numbers, letters, or other designations therefore, is not intended to limit the claimed processes to any order except as may be specified in the claims. Accordingly, the disclosed technology is limited only by the following claims and equivalents thereto.

Claims (15)

What is claimed is:
1. A method for protecting a network from network based attacks, the method comprising:
receiving, by a network traffic management device, a plurality of requests from a plurality of client devices for one or more resources from one or more servers;
monitoring, by the network traffic management device, response codes in a number of server responses for at least one of the client devices or at least one of the requested resources;
comparing, by the network traffic management device, a ratio of invalid ones of the server responses to valid ones of the server responses for the client device or requested resource to a preestablished ratio threshold value, wherein the invalid ones of the server responses each comprise an invalid one of the response codes;
marking, by the network traffic management device, the client device or requested resource as suspicious when the ratio exceeds the ratio threshold value and without restricting any network traffic when not in a prevention mode; and
preventing, by the network traffic management device, the suspicious client device from transmitting at least one additional request to one or more of the servers, or the suspicious requested resource from being transmitted to one or more of the client devices, when in the prevention mode.
2. The method of claim 1, further comprising entering, by the network traffic management device, into the prevention mode upon detecting a network attack.
3. The method of claim 2, further comprising:
monitoring, by the network traffic management device, an average transactions per second value or an average latency value over a short set period of time; and
determining, by the network traffic management device, that the network attack has ended based on the monitoring; and
returning, by the network traffic management device, to a detection mode when the determining indicates that the network attack has ended.
4. The method of claim 1, further comprising:
monitoring, by the network traffic management device, current transactions per second for one or more established connections with one or more of the client devices and generating a current average transactions per second value based on the monitoring;
comparing, by the network traffic management device, the current average transactions per second value to an average transactions per second value over a short set period of time or an average transactions per second value over a long set period of time; and
entering, by the network traffic management device, the prevention mode when the current average transactions per second value exceeds the average transactions per second value for the short set period of time or the average transactions per second value for the long set period of time.
5. The method of claim 1, further comprising:
monitoring, by the network traffic management device, current latency values for one or more established connections with one or more of the client devices and generating a current average latency value based on the monitoring;
comparing, by the network traffic management device, the current average latency value to an average latency value over a short set period of time or an average latency value over a long set period of time; and
entering, by the network traffic management device, the prevention mode when the current average latency value exceeds the average latency value for the short set period of time or the average latency value for the long set period of time.
6. A non-transitory computer-readable medium having stored thereon executable instructions for protecting a network from network based attacks, which when executed by at least one processor, cause the processor to perform steps comprising:
receiving a plurality of requests from a plurality of client devices for one or more resources from one or more servers;
monitoring response codes in a number of server responses for at least one of the client devices or at least one of the requested resources;
comparing a ratio of invalid ones of the server responses to valid ones of the server responses for the client device or requested resource to a preestablished ratio threshold value, wherein the invalid ones of the server responses each comprise an invalid one of the response codes;
marking the client device or requested resource as suspicious when the ratio exceeds the ratio threshold value without restricting any network traffic when not in a prevention mode; and
preventing the suspicious client device from transmitting at least one additional request to one or more of the servers, or the suspicious requested resource from being transmitted to one or more of the client devices, when in the prevention mode.
7. The non-transitory computer-readable medium of claim 6, further having stored thereon executable instructions which when executed by the processor further cause the processor to perform at least one additional step comprising entering into the prevention mode upon detecting a network attack.
8. The non-transitory computer-readable medium of claim 7, further having stored thereon executable instructions which when executed by the processor further cause the processor to perform at least one additional step comprising:
monitoring an average transactions per second value or an average latency value over a short set period of time; and
determining that the network attack has ended based on the monitoring; and
returning to a detection mode when the determining indicates that the network attack has ended.
9. The non-transitory computer-readable medium of claim 6, further having stored thereon executable instructions which when executed by the processor further cause the processor to perform at least one additional step comprising:
monitoring current transactions per second for one or more established connections with one or more of the client devices and generating a current average transactions per second value based on the monitoring;
comparing the current average transactions per second value to an average transactions per second value over a short set period of time or an average transactions per second value over a long set period of time; and
entering the prevention mode when the current average transactions per second value exceeds the average transactions per second value for the short set period of time or the average transactions per second value for the long set period of time.
10. The non-transitory computer-readable medium of claim 6, further having stored thereon executable instructions which when executed by the processor further cause the processor to perform at least one additional step comprising:
monitoring current latency values for one or more established connections with one or more of the client devices and generating a current average latency value based on the monitoring;
comparing the current average latency value to an average latency value over a short set period of time or an average latency value over a long set period of time; and
entering the prevention mode when the current average latency value exceeds the average latency value for the short set period of time or the average latency value for the long set period of time.
11. A network traffic management device comprising at least one processor and a memory coupled to the processor which is configured to be capable of executing programmed instructions comprising and stored in the memory to:
receive a plurality of requests from a plurality of client devices for one or more resources from one or more servers;
monitor response codes in a number of server responses for at least one of the client devices or at least one of the requested resources;
compare a ratio of invalid ones of the server responses to valid ones of the server responses for the client device or requested resource to a preestablished ratio threshold value, wherein the invalid ones of the server responses each comprise an invalid one of the response codes;
mark the client device or requested resource as suspicious when the ratio exceeds the ratio threshold value without restricting any network traffic when not in a prevention mode; and
prevent the suspicious client device from transmitting at least one additional request to one or more of the servers, or the suspicious requested resource from being transmitted to one or more of the client devices, when in the prevention mode.
12. The network traffic management device of claim 11, wherein the processor coupled to the memory is further configured to be capable of executing at least one additional programmed instruction to enter into the prevention mode upon detecting a network attack.
13. The network traffic management device of claim 12, wherein the processor coupled to the memory is further configured to be capable of executing at least one additional programmed instruction to:
monitor an average transactions per second value or an average latency value over a short set period of time; and
determine that the network attack has ended based on the monitoring; and
return to a detection mode when the determining indicates that the network attack has ended.
14. The network traffic management device of claim 11, wherein the processor coupled to the memory is further configured to be capable of executing at least one additional programmed instruction to:
monitor current transactions per second for one or more established connections with one or more of the client devices and generate a current average transactions per second value based on the monitoring;
compare the current average transactions per second value to an average transactions per second value over a short set period of time or an average transactions per second value over a long set period of time; and
enter the prevention mode when the current average transactions per second value exceeds the average transactions per second value for the short set period of time or the average transactions per second value for the long set period of time.
15. The network traffic management device of claim 11, wherein the processor coupled to the memory is further configured to be capable of executing at least one additional programmed instruction to:
monitor current latency values for one or more established connections with one or more of the client devices and generate a current average latency value based on the monitoring;
compare the current average latency value to an average latency value over a short set period of time or an average latency value over a long set period of time; and
enter the prevention mode when the current average latency value exceeds the average latency value for the short set period of time or the average latency value for the long set period of time.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/875,045 US20160234230A1 (en) 2012-09-27 2015-10-05 System and method for preventing dos attacks utilizing invalid transaction statistics

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201261706724P 2012-09-27 2012-09-27
US14/030,685 US9282116B1 (en) 2012-09-27 2013-09-18 System and method for preventing DOS attacks utilizing invalid transaction statistics
US14/875,045 US20160234230A1 (en) 2012-09-27 2015-10-05 System and method for preventing dos attacks utilizing invalid transaction statistics

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US14/030,685 Continuation US9282116B1 (en) 2012-09-27 2013-09-18 System and method for preventing DOS attacks utilizing invalid transaction statistics

Publications (1)

Publication Number Publication Date
US20160234230A1 true US20160234230A1 (en) 2016-08-11

Family

ID=55410573

Family Applications (2)

Application Number Title Priority Date Filing Date
US14/030,685 Active US9282116B1 (en) 2012-09-27 2013-09-18 System and method for preventing DOS attacks utilizing invalid transaction statistics
US14/875,045 Abandoned US20160234230A1 (en) 2012-09-27 2015-10-05 System and method for preventing dos attacks utilizing invalid transaction statistics

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US14/030,685 Active US9282116B1 (en) 2012-09-27 2013-09-18 System and method for preventing DOS attacks utilizing invalid transaction statistics

Country Status (1)

Country Link
US (2) US9282116B1 (en)


Family Cites Families (60)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5958053A (en) * 1997-01-30 1999-09-28 At&T Corp. Communications protocol with improved security
US6119234A (en) 1997-06-27 2000-09-12 Sun Microsystems, Inc. Method and apparatus for client-host communication over a computer network
US7418504B2 (en) 1998-10-30 2008-08-26 Virnetx, Inc. Agile network protocol for secure communications using secure domain names
US7028182B1 (en) 1999-02-19 2006-04-11 Nexsys Electronics, Inc. Secure network system and method for transfer of medical information
US6839850B1 (en) 1999-03-04 2005-01-04 Prc, Inc. Method and system for detecting intrusion into and misuse of a data processing system
US7398317B2 (en) * 2000-09-07 2008-07-08 Mazu Networks, Inc. Thwarting connection-based denial of service attacks
US20030074434A1 (en) * 2001-10-11 2003-04-17 Jason James L. Determination of message source in network communications
NZ516346A (en) * 2001-12-21 2004-09-24 Esphion Ltd A device for evaluating traffic on a computer network to detect traffic abnormalities such as a denial of service attack
US20030221000A1 (en) * 2002-05-16 2003-11-27 Ludmila Cherkasova System and method for measuring web service performance using captured network packets
US7299491B2 (en) 2003-04-30 2007-11-20 Microsoft Corporation Authenticated domain name resolution
US20050028010A1 (en) * 2003-07-29 2005-02-03 International Business Machines Corporation System and method for addressing denial of service virus attacks
US7680955B2 (en) 2004-12-01 2010-03-16 George Mason Intellectual Properties, Inc. SCIT-DNS: critical infrastructure protection through secure DNS server dynamic updates
GB2423448B (en) 2005-02-18 2007-01-10 Ericsson Telefon Ab L M Host identity protocol method and apparatus
US7620733B1 (en) 2005-03-30 2009-11-17 Cisco Technology, Inc. DNS anti-spoofing using UDP
JP4545647B2 (en) * 2005-06-17 2010-09-15 富士通株式会社 Attack detection / protection system
CN101336535B (en) 2005-12-27 2011-10-12 法国电信公司 Server and method for managing DNSSEC requests
US8024804B2 (en) * 2006-03-08 2011-09-20 Imperva, Inc. Correlation engine for detecting network attacks and detection method
US7441429B1 (en) * 2006-09-28 2008-10-28 Narus, Inc. SIP-based VoIP traffic behavior profiling
US8281383B2 (en) 2006-12-11 2012-10-02 Cisco Technology, Inc. Secured IPv6 traffic preemption
US20080205415A1 (en) 2007-02-28 2008-08-28 Morales Henry N Jerez Access, Connectivity and Interoperability for Devices and Services
US8266427B2 (en) 2007-06-08 2012-09-11 Cisco Technology, Inc. Secure mobile IPv6 registration
CN101150502A (en) 2007-10-22 2008-03-26 中兴通讯股份有限公司 A NAT-PT device and its load share method
CN101267313B (en) * 2008-04-23 2010-10-27 成都市华为赛门铁克科技有限公司 Flooding attack detection method and detection device
US8429715B2 (en) 2008-08-08 2013-04-23 Microsoft Corporation Secure resource name resolution using a cache
US8005098B2 (en) 2008-09-05 2011-08-23 Cisco Technology, Inc. Load balancing across multiple network address translation (NAT) instances and/or processors
US9172713B2 (en) 2008-09-24 2015-10-27 Neustar, Inc. Secure domain name system
US8526306B2 (en) * 2008-12-05 2013-09-03 Cloudshield Technologies, Inc. Identification of patterns in stateful transactions
US8156249B2 (en) 2009-02-20 2012-04-10 Microsoft Corporation Using server type to obtain network address
JP5387061B2 (en) 2009-03-05 2014-01-15 沖電気工業株式会社 Information conversion apparatus, information conversion method, information conversion program, and relay apparatus
US8073952B2 (en) 2009-04-22 2011-12-06 Microsoft Corporation Proactive load balancing
KR101338282B1 (en) * 2009-04-24 2014-01-02 레벨 3 커뮤니케이션즈 엘엘씨 Media resource storage and management
WO2010139194A1 (en) 2009-06-03 2010-12-09 中国移动通信集团公司 Method and device of host with ipv4 application for performing communication
EP2443803B1 (en) 2009-06-15 2013-03-27 Nokia Siemens Networks OY Gateway certificate creation and validation
US8509244B2 (en) 2009-08-14 2013-08-13 Telefonaktiebolaget L M Ericsson (Publ) Method and apparatus for providing host node awareness for multiple NAT64 environments
EP2465247B1 (en) 2009-08-14 2019-08-14 Akamai Technologies, Inc. Method for correlating nameserver ipv6 and ipv4 addresses
US8789173B2 (en) * 2009-09-03 2014-07-22 Juniper Networks, Inc. Protecting against distributed network flood attacks
US9264321B2 (en) * 2009-12-23 2016-02-16 Juniper Networks, Inc. Methods and apparatus for tracking data flow based on flow state values
US8509185B2 (en) 2010-02-26 2013-08-13 Telefonaktiebolaget Lm Ericsson Enabling IPV6 mobility with NAT64
US9369437B2 (en) * 2010-04-01 2016-06-14 Cloudflare, Inc. Internet-based proxy service to modify internet responses
US10079917B2 (en) 2010-04-26 2018-09-18 Nokia Technologies Oy Method and apparatus for synthesized address detection
US8665873B2 (en) 2010-05-27 2014-03-04 Futurewei Technologies, Inc. Network address translator 64 for dual stack mobile internet protocol version six
US8504722B2 (en) 2010-06-14 2013-08-06 Telefonaktiebolaget Lm Ericsson Enhancing DS-lite with private IPV4 reachability
US9210735B2 (en) 2010-07-02 2015-12-08 Futurewei Technologies, Inc. Network address translation six to four for proxy mobile internet protocol version six
CN102347993B (en) 2010-07-28 2014-03-26 中国移动通信集团公司 Network communication method and equipment
US20120047571A1 (en) 2010-08-17 2012-02-23 Richard Jeremy Duncan Systems and methods for detecting preselected query type within a dns query
US9037712B2 (en) 2010-09-08 2015-05-19 Citrix Systems, Inc. Systems and methods for self-loading balancing access gateways
CN102404416B (en) 2010-09-16 2016-06-15 中兴通讯股份有限公司 A kind of method obtaining DNS and tunnel gateway equipment
US20120071131A1 (en) * 2010-09-21 2012-03-22 Radware, Ltd. Method and system for profiling data communication activity of users of mobile devices
US8289968B1 (en) 2010-10-27 2012-10-16 Juniper Networks, Inc. Distributed network address translation in computer networks
US9106699B2 (en) 2010-11-04 2015-08-11 F5 Networks, Inc. Methods for handling requests between different resource record types and systems thereof
US8984627B2 (en) * 2010-12-30 2015-03-17 Verizon Patent And Licensing Inc. Network security management
US20120259998A1 (en) 2011-04-11 2012-10-11 Matthew Kaufman System and method for translating network addresses
US8458210B2 (en) 2011-05-06 2013-06-04 Verizon Patent And Licensing Inc. Database load balancing through dynamic database routing
US20130007870A1 (en) 2011-06-28 2013-01-03 The Go Daddy Group, Inc. Systems for bi-directional network traffic malware detection and removal
US9680791B2 (en) 2011-07-29 2017-06-13 Fortinet, Inc. Facilitating content accessibility via different communication formats
US9811622B2 (en) 2011-10-19 2017-11-07 Verizon Patent And Licensing Inc. Optimized network node selection
US20130151725A1 (en) 2011-12-13 2013-06-13 B Method and System for Handling a Domain Name Service Request
US9231908B2 (en) 2012-02-08 2016-01-05 Microsoft Technology Licensing, Llc Ensuring symmetric routing to private network
US9130982B2 (en) * 2012-06-14 2015-09-08 Vencore Labs, Inc. System and method for real-time reporting of anomalous internet protocol attacks
TWM453285U (en) * 2012-06-19 2013-05-11 Nuvoton Technology Corp Connector and control chip

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9762610B1 (en) * 2015-10-30 2017-09-12 Palo Alto Networks, Inc. Latency-based policy activation
US10135864B2 (en) 2015-10-30 2018-11-20 Palo Alto Networks, Inc. Latency-based policy activation
US20180183829A1 (en) * 2016-12-28 2018-06-28 Verisign, Inc. Systems, devices, and methods for improved rdap traffic analysis and mitigation
US10599725B2 (en) * 2016-12-28 2020-03-24 Verisign, Inc. Systems, devices, and methods for improved RDAP traffic analysis and mitigation
CN111226426A (en) * 2017-10-18 2020-06-02 国际商业机器公司 Identification of attack flows in a multi-layer network topology
US20220019669A1 (en) * 2018-12-28 2022-01-20 Hitachi Astemo, Ltd. Information processing device
US20210377294A1 (en) * 2020-05-28 2021-12-02 Citrix Systems, Inc. Constraining resource allocation rate for stateful multi-tenant http proxies and denial-of-service attack prevention
CN112667425A (en) * 2020-12-30 2021-04-16 锐捷网络股份有限公司 Method and device for processing port oscillation

Also Published As

Publication number Publication date
US9282116B1 (en) 2016-03-08

Similar Documents

Publication Publication Date Title
US9282116B1 (en) System and method for preventing DOS attacks utilizing invalid transaction statistics
US9420049B1 (en) Client side human user indicator
US11539739B2 (en) Detection and mitigation of flood type DDoS attacks against cloud-hosted applications
CN107211016B (en) Session security partitioning and application profiler
US9325725B2 (en) Automated deployment of protection agents to devices connected to a distributed computer network
CN108353079B (en) Detection of cyber threats against cloud-based applications
US20210194903A1 (en) Baselining techniques for detecting anomalous https traffic behavior
EP3544250B1 (en) Method and device for detecting dos/ddos attack, server, and storage medium
US8302180B1 (en) System and method for detection of network attacks
US10270792B1 (en) Methods for detecting malicious smart bots to improve network security and devices thereof
US20130212658A1 (en) System for automated prevention of fraud
CN110071941B (en) Network attack detection method, equipment, storage medium and computer equipment
US11108815B1 (en) Methods and system for returning requests with javascript for clients before passing a request to a server
CN107645478B (en) Network attack defense system, method and device
US20160359904A1 (en) Method and system for detection of headless browser bots
US20160344765A1 (en) Unobtrusive and Dynamic DDoS Mitigation
US20220294814A1 (en) Method and system for detecting and mitigating https flood attacks
WO2013070769A2 (en) Prevention of cross site request forgery attacks by conditional use cookies
US11140178B1 (en) Methods and system for client side analysis of responses for server purposes
US20220407858A1 (en) Methods and systems for ip-based network intrusion detection and prevention
CN108234516B (en) Method and device for detecting network flooding attack
Shah et al. A method to secure IoT devices against botnet attacks
US11777972B2 (en) Network security techniques comparing observed distributions to baseline distributions
US20150128247A1 (en) Centralized device reputation center
CN115883170A (en) Network flow data monitoring and analyzing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
AS Assignment

Owner name: F5 NETWORKS, INC., WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ROVNIAGUIN, DMITRY;REEL/FRAME:040984/0134

Effective date: 20130916

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION