Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
2000-06-26
2004-09-07
Smithers, Matthew (Department: 2137)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C709S223000, C370S229000
Reexamination Certificate
active
06789203
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates in general to client/server data communication systems and more particularly, the present invention is directed towards a method and apparatus that automatically provides protection against a potential DoS attack.
BACKGROUND OF THE INVENTION
Computer systems are well known in the art and have become a business staple and are also found in many homes. One feature available to the business world is that of using electronic mail (e-mail) to send and receive messages and other information to and from one another in a business setting. Similarly, home computers, such as desktops or laptops, and other information devices, such as personal digital assistants (PDAs), allow telecommuting such that a user can connect to the user's work server and download and upload messages.
The e-mail system allows clients of a network system, which is maintained by a server system, to send messages or data from one user to another. In order to minimize disk space and requirements as well as to maximize functionality and consistency of the electronic mailing engine used in the network system, the engine is typically located on the server and is merely accessed by a client in order to send messages or retrieve messages to or from another user or client on the server system. In this way, the client system typically allows the user to perform such operations as composing, updating, and sending messages while the server in such a system provides, in part, a server based message repository as well as providing message transmission and reception functions for the user at the client level.
One such email system is described with reference to FIG. 1 showing a messaging system 100 suitable for large, distributed networks such as the Internet or large scale intranet systems. The system 100 typically includes a central server 102 resident in a computer system 104 that can take the form of a mainframe system as well as a distributed type computing system. When the system 100 is a messaging system, such as an email system, the central server 102, as the central email server, is coupled to an interface, such as a firewall 106, that mediates the flow of information between the mail server 102 and its n clients represented as client 108, client 110, and client 112. Typically, when the client 108, for example, desires to establish a channel to the server 102, the client 108 will generate a request to open a connection to the mail server 102 by any one of a variety of transports and protocols that are submitted directly by the requesting client 108, via, for example, TCP/IP as an SMTP message from an Internet system. Such a connection request can be submitted by using a dial-up modem using the PhoneNet protocol, DECnet as a MAIL-11 message, DECnet as an SMTP message, UUCP, an X.400 transport, SNA, and so on. For instance, at sites with an Internet connection, Internet addresses are normally routed through an SMTP over TCP/IP channel; at sites with only a UUCP connection, however, Internet addresses would instead be routed through a UUCP channel.
Once the connection request has been accepted, a channel is open between the requesting client 108 and the server computer 102 allowing for the transfer of data. In some cases, however, the requesting client 108 can, either intentionally or unintentionally, disrupt the operations of the server 102 by generating a large number of connection requests within a relatively short length of time (i.e., a high connection request rate). A denial of service (DoS) attack has been defined as those situations where a high connection request rate has been intentionally initiated by, what would be in this case, an attacker having the intent to disrupt, or even halt, the operations of the server 102 by forcing the server 102 to allocate resources to the processing of the multitude of requests.
More specifically, a denial of service attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation. A denial of service attack can also destroy programming and files in a computer system.
A conventional approach to defending against such DoS attacks is to identify a potential attacker by monitoring the connection request rate of each requesting client. A requesting client whose connection request rate exceeds a pre-determined threshold is identified as an attacker and is blocked accordingly.
Unfortunately, even though the conventional DoS defense strategy has the potential to thwart the DoS attack, there are several problems with this approach. One such problem is that the attacker has now been notified that the attack has been discovered, and all that is required to resume the attack is for the attacker to change locations (for example, the source address the requests arrive from). This cycle of identifying, blocking, and changing location can be repeated indefinitely, and still consumes a substantial amount of server processing resources. Another problem with this approach is that in some cases a legitimate requesting client can have a short-term burst of connection requests that is not an attack at all. Cutting off these legitimate "burst" clients can incur substantial economic costs, not the least of which is loss of revenue due to lost sales.
Therefore, it would be desirable to have an improved method and apparatus for preventing a DoS attack.
SUMMARY OF THE INVENTION
To achieve the foregoing, and in accordance with the purpose of the present invention, a method, apparatus, and computer readable medium for preventing a DoS attack without notifying the DoS attacker are disclosed. In one embodiment, in a client/server environment, a method for preventing a denial of service (DoS) attack by a requesting client on a server computer is described. A connection request at a time t_n in a throttling interval m is received and, if the time t_n is not at a beginning of the throttling interval m, an interval m connection request count is incremented. If the interval m connection request count is determined to be greater than a rejection threshold associated with the requesting client, the connection request is rejected. If, however, it is determined that the interval m connection request count is not greater than the rejection threshold, the server computer waits an interval m wait time before accepting the request.
In another embodiment of the invention an apparatus for defending against a DoS attack is described. The apparatus includes a connection request receiver unit for receiving a connection request at a time t_n in a throttling interval m from the requesting client, and an incrementing unit coupled to the connection request receiver unit for incrementing an interval m connection request count when the time t_n is not at a beginning of the throttling interval m. The apparatus also includes a processor unit coupled to the interval m connection request count buffer arranged to determine if the interval m connection request count is greater than a rejection threshold associated with the requesting client, and a request throttler unit coupled to the processor unit arranged to reject the connection request when it is determined that the interval m connection request count is greater than the rejection threshold, and to wait an interval m wait time when it is determined that the interval m connection request count is not greater than the rejection threshold before the request is accepted by the server computer.
In another embodiment of the invention, computer readable media including computer program code for preventing a denial of service (DoS) attack by a requesting client on a server compute
Beyer Weaver & Thomas LLP
Nguyen Minh
Smithers Matthew
Sun Microsystems Inc.
Profile ID: LFUS-PAI-O-3264801