Algorithmic packet-based defense against distributed denial of service
Abstract
A middlebox includes at least one processor and a memory storing one or more executable instructions that, when executed by the least one processor, cause the at least one processor to receive, from a server, a middlebox key that includes an indication of a lifetime of the middlebox key, receive, from a client device, one or more data packets including encrypted header data and a client device identifier, and determine whether to permit a transmission of the one or more data packets to the server or prevent a transmission of the one or more data packets to the server based on the middlebox key, the encrypted header data, and the client device identifier.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A middlebox comprising:
at least one processor; and a memory storing one or more executable instructions that, when executed by the least one processor, cause the at least one processor to:
receive, from a server, a middlebox key that includes an indication of a lifetime of the middlebox key,
receive, from a client device, one or more data packets including encrypted header data and a client device identifier, and
determine whether to permit a transmission of the one or more data packets to the server or prevent a transmission of the one or more data packets to the server based on the middlebox key, the encrypted header data, and the client device identifier.
2 . The middlebox of claim 1 , wherein the one or more executable instructions, when executed by the at least one processor, further cause the at least one processor to prevent the transmission of the one or more data packets to the server after:
determining that the encrypted header data was encrypted using the middlebox key; and determining that the encrypted header data, after decryption, does not match the client device identifier.
3 . The middlebox of claim 1 , wherein the one or more executable instructions, when executed by the at least one processor, further cause the at least one processor to prevent the transmission the one or more data packets to the server after:
determining that the encrypted header data was not encrypted using the middlebox key; and determining that the one or more data packets are indicative of a distributed denial of service (DDOS) attack.
4 . The middlebox of claim 1 , wherein the one or more executable instructions, when executed by the at least one processor, further cause the at least one processor to permit the transmission the one or more data packets to the server after:
determining that the encrypted header data was encrypted using the middlebox key; and determining that the encrypted header data, after decryption, does match the client device identifier.
5 . The middlebox of claim 1 , wherein the one or more executable instructions, when executed by the at least one processor, further cause the at least one processor to permit the transmission of the one or more data packets to the server after:
determining that the encrypted header data was not encrypted using the middlebox key; and determining that the one or more data packets are not indicative of a distributed denial of service (DDOS) attack.
6 . The middlebox of claim 1 , wherein the middlebox key is a first middlebox key, wherein the indication is a first indication of the lifetime of the first middlebox key, and wherein the one or more executable instructions, when executed by the at least one processor, further cause the at least one processor to:
receive, from the server, a second middlebox key that includes a second indication of a lifetime of the second middlebox key before the lifetime of the first indication reaches an expiration time; determine whether to permit a transmission of the one or more data packets to the server or to prevent a transmission of the one or more data packets to the server based on the second middlebox key, the encrypted header data, and the client device identifier; and in response to determining whether to permit a transmission of the one or more data packets to the server or to prevent a transmission of the one or more data packets to the server:
permit the transmission of the one or more data packets to the server during the lifetime of the second indication, or
prevent the transmission of the one or more data packets to the server during the lifetime of the second indication.
7 . The middlebox of claim 1 , wherein the server and the middlebox communicate using at least one of a User Datagram Protocol (UDP)-based byte stream protocol or a Quick UDP Internet Connection (QUIC).
8 . A method implemented by at least one processor of a middlebox, the method comprising:
receiving, by the at least one processor and from a server, a middlebox key that includes an indication of a lifetime of the middlebox key; receiving, by the at least one processor and from a client device, one or more data packets including encrypted header data and a client device identifier; and determining, by the at least one processor, whether to permit a transmission of the one or more data packets to the server or prevent a transmission of the one or more data packets to the server based on the middlebox key, the encrypted header data, and the client device identifier.
9 . The method of claim 8 , wherein the method further comprises preventing, by the at least one processor, the transmission of the one or more data packets to the server after:
determining, by the at least one processor, that the encrypted header data was encrypted using the middlebox key; and determining, by the at least one processor, that the encrypted header data, after decryption, does not match the client device identifier.
10 . The method of claim 8 , wherein method further comprises preventing, by the at least one processor, the transmission the one or more data packets to the server after:
determining, by the at least one processor, that the encrypted header data was not encrypted using the middlebox key; and determining, by the at least one processor, that the one or more data packets are indicative of a distributed denial of service (DDOS) attack.
11 . The method of claim 8 , wherein the method further comprises permitting, by the at least one processor, the transmission the one or more data packets to the server after:
determining, by the at least one processor, that the encrypted header data was encrypted using the middlebox key; and determining, by the at least one processor, that the encrypted header data, after decryption, does match the client device identifier.
12 . The method of claim 8 , wherein the method further comprises permitting, by the at least one processor, the transmission of the one or more data packets to the server after:
determining, by the at least one processor, that the encrypted header data was not encrypted using the middlebox key; and determining, by the at least one processor, that the one or more data packets are not indicative of a distributed denial of service (DDOS) attack.
13 . The method of claim 8 , wherein the middlebox key is a first middlebox key, wherein the indication is a first indication of the lifetime of the first middlebox key, and wherein the method further comprises:
receiving, by the at least one processor and from the server, a second middlebox key that includes a second indication of a lifetime of the second middlebox key before the lifetime of the first indication reaches an expiration time; determining, by the at least one processor, whether to permit a transmission of the one or more data packets to the server or to prevent a transmission of the one or more data packets to the server based on the second middlebox key, the encrypted header data, and the client device identifier; and in response to determining whether permit a transmission of the one or more data packets to the server or to prevent a transmission of the one or more data packets to the server:
permitting, by the at least one processor, the transmission of the one or more data packets to the server during the lifetime of the second indication, or
preventing, by the at least one processor, the transmission of the one or more data packets to the server during the lifetime of the second indication.
14 . The method of claim 8 , wherein the encrypted header data includes a forensic key, and wherein the method further comprises retrieving, by the at least one processor, the forensic key from the encrypted header data after determining to prevent the transmission of the one or more data packets to the server.
15 . The method of claim 8 , wherein the server and the middlebox communicate using at least one of a User Datagram Protocol (UDP)-based byte stream protocol or a Quick UDP Internet Connection (QUIC).
16 . A server comprising:
at least one processor; a memory storing one or more executable instructions that, when executed by the least one processor, cause the at least one processor to:
generate an encryption key and a middlebox key, wherein the middlebox key includes an indication of a lifetime of the middlebox key,
transmit the middlebox key including the indication to a middlebox,
transmit the encryption key, the middlebox key, and the indication to a client device, and
receive one or more data packets from the client device when the one or more data packets include encrypted header data that is encrypted using the middlebox key.
17 . The server of claim 16 , wherein the one or more executable instructions, when executed by the at least one processor, further cause the at least one processor to:
generate a forensic key; and transmit the forensic key to the client device.
18 . The server of claim 17 , wherein the forensic key is used to determine an identity of the client device when at least one data packet of the one or more data packets received from the client device is indicative of a DDOS attack.
19 . The server of claim 16 , wherein the middlebox key is a first middlebox key, wherein the indication is a first indication, and wherein the one or more executable instructions, when executed by the at least one processor, further cause the at least one processor to transmit, to the middlebox, a second middlebox key including a second indication of a lifetime of the second middlebox key when the lifetime of the first indication nears an expiration time.
20 . The server of claim 16 , wherein the server and the middlebox communicate using at least one of a User Datagram Protocol (UDP)-based byte stream protocol or a Quick UDP Internet Connection (QUIC).Join the waitlist — get patent alerts
Track US2021352101A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.