Title of invention |
Method for thwarting application layer hypertext transport protocol flood attacks focused on consecutively similar application-specific data packets |
Abstract |
The present invention provides a methodology to thwart attacks that use consecutive hypertext transport protocol packets with similar structures, arriving from a plurality of computer systems on a network, such as the Internet, destined for one or more computer systems on a secondary network, at such a rate and with sufficient complexity as to produce an effect on the target computer system or systems such that legitimate clients are denied access to requested services, thus creating a “denial of service” situation. The methodology focuses on the dynamic and proactive reassessment of data packet payload content to maintain a running value of similarity or dissimilarity, thus permitting intermediary apparatuses that perform this computation to distinguish between legitimate clients and illegitimate clients. |
Publication number |
US9043912(B2) |
Publication date |
2015.05.26 |
Application number |
US201414217320 |
Filing date |
2014.03.17 |
Applicant |
|
Inventor |
Mahvi Mehdi |
Classification |
H04L29/06 |
Main classification |
H04L29/06 |
Agency |
San Diego IP Law Group LLP |
Agent |
San Diego IP Law Group LLP |
Principal claim |
1. A method to thwart hypertext transport protocol (HTTP) attacks, the method implemented on a processor and comprising the steps of:
receiving a plurality of HTTP packets, the plurality of HTTP packets comprising a first HTTP packet and a second HTTP packet, wherein the second HTTP packet was received prior to the first HTTP packet;
creating a hash of the first HTTP packet using a hash function, wherein the first HTTP packet is a GET request or POST request;
determining if the hash is in a list of previously known hashes, wherein each previously known hash in the list of previously known hashes is associated with a state, wherein the state is either blacklist or other;
if the hash is a previously known hash and the state is blacklist, then blocking a request associated with the first HTTP packet, or if the hash is a previously known hash and the state is other, or the hash is not in the list of previously known hashes, then calculating a difference between a payload of the first HTTP packet and a payload of the second HTTP packet, and calculating a length of the payload of the first HTTP packet;
incrementing a counter of total payload length by the calculated length of the payload of the first HTTP packet, and incrementing a counter of total difference by the calculated difference;
calculating a payload similarity percentage based on the total payload difference and total payload length; and
when the calculated payload similarity percentage is outside a predetermined acceptable range of acceptable percentages, then setting the state to blacklist if the hash is a previously known hash, or storing the hash in the list of previously known hashes with its associated state set to blacklist. |
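An added illustration of the running-similarity logic in claim 1 (this is not the patent's own code); it assumes SHA-256 as the hash function, a byte-offset difference measure, and an acceptable range of 0 to 75 percent, none of which the claim specifies:

```python
import hashlib


class HttpFloodFilter:
    """Running-similarity filter over consecutive HTTP request payloads.

    Assumed choices (the claim leaves them open): SHA-256 as the hash,
    the difference measure in payload_difference(), and the acceptable
    similarity range given as percentages (low, high).
    """

    def __init__(self, acceptable_range=(0.0, 75.0)):
        self.known = {}            # hash -> state, "blacklist" or "other"
        self.prev_payload = b""    # payload of the packet received prior
        self.total_length = 0      # counter of total payload length
        self.total_difference = 0  # counter of total difference
        self.acceptable_range = acceptable_range

    @staticmethod
    def payload_difference(current, previous):
        # Assumed measure: bytes of `current` that do not match `previous`
        # at the same offset (offsets past the end of `previous` count as
        # differences), so the result never exceeds len(current).
        return sum(1 for i, b in enumerate(current)
                   if i >= len(previous) or previous[i] != b)

    def similarity_percentage(self):
        if self.total_length == 0:
            return 0.0
        return 100.0 * (self.total_length - self.total_difference) / self.total_length

    def process(self, payload):
        """Apply claim 1 to one request payload; return 'block' or 'allow'."""
        if not (payload.startswith(b"GET ") or payload.startswith(b"POST ")):
            return "allow"                      # claim covers GET/POST only
        digest = hashlib.sha256(payload).hexdigest()
        state = self.known.get(digest)
        if state == "blacklist":
            return "block"                      # previously known, blacklisted
        # Known-but-other or unknown hash: update the running counters.
        self.total_difference += self.payload_difference(payload, self.prev_payload)
        self.total_length += len(payload)
        self.prev_payload = payload
        low, high = self.acceptable_range
        if not low <= self.similarity_percentage() <= high:
            self.known[digest] = "blacklist"    # set or store the state
        return "allow"
```

With these assumptions, the fifth identical request pushes the similarity above 75 percent and is blacklisted, so the sixth copy is blocked; a request with a different hash is still allowed until the counters implicate it.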
Address |
|