Title of invention: Protecting against denial of service attacks using guard tables
Abstract: Guard tables including absence information are used in a security system to protect a network service from a denial of service attack. A login key corresponding to a login request is hashed and the output of the hash is a bit position in a guard table. The bit value at the bit position in the guard table can be checked to determine if login information corresponding to the key is present. Further processing of the login request can be based on the indicated presence or absence of the information.
Publication number: US8887249(B1)  Publication date: 2014.11.11
Application number: US200812128481  Filing date: 2008.05.28
Applicant: Zscaler, Inc.  Inventors: Schekochikhin Arcady V.;Devarajan Srikanth;Paul Narinder;Kailash Kailash
Classification: H04L29/06  Main classification: H04L29/06
Agency: Clements Bernard PLLC  Agent: Clements Bernard PLLC ;Baratta, Jr. Lawrence A.;Bernard Christopher L.
Principal claim: 1. A computer implemented method comprising: receiving a login request at a first processing node, the login request is for network resources located on a server external from the first processing node, the first processing node comprises an intermediate device between a user associated with the login request and the network resources that is part of a distributed network security system from the user and the external network resources, wherein the login request comprises addressing information for the external network resources, wherein the first processing node is external from the user associated with the login request and is configured to perform login processing ensuring proper user credentials, virus scanning and traffic monitoring; deriving a login key from the login request; hashing the login key with a hash function, wherein the output of the hash function is a candidate bit position; determining a value at the candidate bit position in a guard table in a first stage of an information look up procedure by the first processing node; in a second stage of the information look up procedure, querying user credential data to authenticate the login request for the network resources only if the value at the candidate bit position in the guard table indicates that the login request corresponds to information included in the user credential data thereby reducing failure queries to the network resources, wherein the second stage is performed by the server with the network resources; receiving new user credential information for a new user by the first processing node; deriving a new credential key from the new user credential information by the first processing node; hashing the new credential key with the hashing function by the first processing node, wherein the output of the hashing function is a new credential bit position; setting a bit at the new credential bit position in the guard table to generate an updated guard table by the first processing node; sending the updated guard table to a central authority server by the first processing node; receiving the updated guard table by the central authority server; sending the updated guard table to a second processing node by the central authority server; and storing the updated guard table by the second processing node.
Address: San Jose CA US
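
The two-stage lookup and the table propagation described in the abstract and claim 1, as an added Python sketch that is not code from the patent or from Zscaler. It assumes the login key is the username, SHA-256 as the hash function, and a 65,536-bit table; the class names, sample user and flood of unknown keys are constructed for illustration.

```python
import hashlib, hmac

class GuardTable:
    """Bit table of absence information: a 0 bit means the key was never enrolled."""
    def __init__(self, n_bits=1 << 16, bits=None):
        self.n_bits = n_bits
        self.bits = bytearray(bits) if bits is not None else bytearray(n_bits // 8)

    def position(self, login_key):
        # Hash output reduced to a candidate bit position.
        digest = hashlib.sha256(login_key.encode()).digest()
        return int.from_bytes(digest[:8], "big") % self.n_bits

    def set(self, login_key):
        p = self.position(login_key)
        self.bits[p >> 3] |= 1 << (p & 7)

    def present(self, login_key):
        p = self.position(login_key)
        return bool(self.bits[p >> 3] & (1 << (p & 7)))

class ProcessingNode:
    def __init__(self, guard, credentials):
        self.guard, self.credentials, self.stage2_queries = guard, credentials, 0

    def login(self, user, password):
        if not self.guard.present(user):      # stage 1: 0 bit, reject without a query
            return False
        self.stage2_queries += 1              # stage 2: credential data is queried
        stored = self.credentials.get(user, "")
        return hmac.compare_digest(stored.encode(), password.encode())

    def enroll(self, user, password):
        self.credentials[user] = password
        self.guard.set(user)
        return bytes(self.guard.bits)         # updated table, sent to the central authority

def demo():
    credentials = {}   # constructed stand-in for the credential server (plaintext only for brevity)
    node1 = ProcessingNode(GuardTable(), credentials)
    node2 = ProcessingNode(GuardTable(), credentials)
    updated = node1.enroll("alice", "correct horse")   # constructed sample user
    node2.guard = GuardTable(bits=updated)    # central authority relays the table to node 2
    for i in range(10_000):                   # constructed flood of unknown login keys
        node2.login(f"bot-{i}", "guess")
    flood_queries = node2.stage2_queries
    return flood_queries, node2.login("alice", "correct horse"), node2.login("alice", "wrong")
```

A set bit only means the key may be present, since unrelated keys can hash to the same position, so stage 2 still decides the login; a clear bit is the definitive answer that lets the node drop the request without touching the credential data.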