Patents by Inventor Suresh Bhogavilli

Suresh Bhogavilli has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10855719
    Abstract: Various embodiments of the invention disclosed herein provide techniques for mitigating a distributed denial of service (DDoS) attack on a targeted computer system. A border gateway protocol (BGP) controller receives, via a first router, a BGP message that includes an indicator indicating that a computer system associated with the first router is under a DDoS attack. In response to receiving the BGP message, the BGP controller performs one or more operations to mitigate the DDoS attack. As a result, the time between detection of a DDoS attack and mitigating the attack is reduced relative to prior approaches. After receiving the BGP message indicating a DDoS attack is in progress, the DDoS attack mitigation platform automatically takes steps to mitigate the DDoS attack without further manual intervention. Consequently, the targeted computer system recovers more quickly and begins to respond to legitimate network requests sooner relative to prior approaches.
    Type: Grant
    Filed: September 22, 2016
    Date of Patent: December 1, 2020
    Assignee: VERISIGN, INC.
    Inventors: Ramin Ali Dousti, Frank Scalzo, Suresh Bhogavilli
  • Patent number: 10250618
    Abstract: Methods and systems for detecting and responding to Denial of Service (“DoS”) attacks comprise: detecting a DoS attack or potential DoS attack against a first server system comprising one or more servers; receiving, at a second server system comprising one or more servers, network traffic directed to the first server system; subjecting requesting clients to one or more challenge mechanisms, the challenge mechanisms including one or more of challenging requesting clients to follow through HTTP redirect responses, challenging requesting clients to request Secure Sockets Layer (SSL) session resumption, or challenging requesting clients to store and transmit HTTP cookies; identifying one or more non-suspect clients; and forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system.
    Type: Grant
    Filed: April 6, 2016
    Date of Patent: April 2, 2019
    Assignee: VERISIGN, INC.
    Inventors: Suresh Bhogavilli, Roberto Guimaraes, Ramakant Pandrangi, Frank Scalzo
  • Patent number: 10193911
    Abstract: A method for mitigating a denial of service attack includes determining, for a client, a number of requests being transmitted to a server and determining, for the client, that the number of requests for a time period is greater than a top talker threshold. The method includes classifying the client as a top talker based on the number of requests being greater than the top talker threshold and identifying, for the client, additional requests being transmitted to the server. The method also includes determining whether a number of the additional requests matches one or more attack patterns and preventing one or more of the additional requests from being transmitted to the server if the number of additional requests that matches one or more attack patterns is greater than a first threshold.
    Type: Grant
    Filed: March 6, 2018
    Date of Patent: January 29, 2019
    Assignee: VERISIGN, INC.
    Inventors: Yujie Zhao, Suresh Bhogavilli, Anupam Kulkarni, Sivasankar Subramanian
  • Patent number: 10075467
    Abstract: Embodiments relate to systems, devices, and computing-implemented methods for providing DoS mitigation using a list of persistent clients generated using network flow data. Daily flow counts can be incremented once per date for unique flow combinations in the network flow data that are associated with at least one network interaction that occurred on that date. A candidate list of persistent clients can be created based on the daily flow counts, and the candidate list of persistent clients can be filtered and ranked, and the list of persistent clients can be selected based on the rankings.
    Type: Grant
    Filed: November 25, 2015
    Date of Patent: September 11, 2018
    Assignee: VERISIGN, INC.
    Inventors: Yannis Labrou, Suresh Bhogavilli, Mark Teodoro, Han Zhang
  • Patent number: 10063519
    Abstract: In one embodiment, a rule optimization application optimizes a rule set that a firewall applies to protect web applications from on-line attacks. The rule optimization application identifies a completed filtering operation that is associated with applying a rule to a request to access a web application received from a client. The rule optimization application then estimates a quality score for the rule based on the completed filtering operation and a reputation value for the client that indicates a likelihood that the client is legitimate. Subsequently, the rule optimization application determines that the quality score does not satisfy a predetermined quality criterion and disables the rule in the rule set to generate an updated, optimized rule set for the web application. Advantageously, the quality criterion may configure the rule optimization application to automatically update the rule set to reduce the number of legitimate requests that are blocked by the rule set.
    Type: Grant
    Filed: March 28, 2017
    Date of Patent: August 28, 2018
    Assignee: VERISIGN, INC.
    Inventors: Yujie Zhao, Steven Bowers, Sivasankar Subramanian, Suresh Bhogavilli
  • Publication number: 20180198808
    Abstract: A method for mitigating a denial of service attack includes determining, for a client, a number of requests being transmitted to a server and determining, for the client, that the number of requests for a time period is greater than a top talker threshold. The method includes classifying the client as a top talker based on the number of requests being greater than the top talker threshold and identifying, for the client, additional requests being transmitted to the server. The method also includes determining whether a number of the additional requests matches one or more attack patterns and preventing one or more of the additional requests from being transmitted to the server if the number of additional requests that matches one or more attack patterns is greater than a first threshold.
    Type: Application
    Filed: March 6, 2018
    Publication date: July 12, 2018
    Inventors: Yujie Zhao, Suresh Bhogavilli, Anupam Kulkarni, Sivasankar Subramanian
  • Publication number: 20180084005
    Abstract: Various embodiments of the invention disclosed herein provide techniques for mitigating a distributed denial of service (DDoS) attack on a targeted computer system. A border gateway protocol (BGP) controller receives, via a first router, a BGP message that includes an indicator indicating that a computer system associated with the first router is under a DDoS attack. In response to receiving the BGP message, the BGP controller performs one or more operations to mitigate the DDoS attack. As a result, the time between detection of a DDoS attack and mitigating the attack is reduced relative to prior approaches. After receiving the BGP message indicating a DDoS attack is in progress, the DDoS attack mitigation platform automatically takes steps to mitigate the DDoS attack without further manual intervention. Consequently, the targeted computer system recovers more quickly and begins to respond to legitimate network requests sooner relative to prior approaches.
    Type: Application
    Filed: September 22, 2016
    Publication date: March 22, 2018
    Inventors: Ramin Ali DOUSTI, Frank SCALZO, Suresh BHOGAVILLI
  • Patent number: 9912678
    Abstract: A method for mitigating a denial of service attack includes determining, for a client, a number of requests being transmitted to a server and determining, for the client, that the number of requests for a time period is greater than a top talker threshold. The method includes classifying the client as a top talker based on the number of requests being greater than the top talker threshold and identifying, for the client, additional requests being transmitted to the server. The method also includes determining whether a number of the additional requests matches one or more attack patterns and preventing one or more of the additional requests from being transmitted to the server if the number of additional requests that matches one or more attack patterns is greater than a first threshold.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: March 6, 2018
    Assignee: VERISIGN, INC.
    Inventors: Yujie Zhao, Suresh Bhogavilli, Anupam Kulkarni, Sivasankar Subramanian
  • Patent number: 9742799
    Abstract: Methods and systems for mitigating denial-of-service attacks include a proxy server that monitors a set of application servers configured to receive and service requests from clients. The proxy server intercepts the requests, and in response, provides the clients with customized client-side scripts embedded in markup language. The client-side scripts may include random strings to generate follow-through random uniform resource identifier redirection requests expected by the proxy server. The client-side scripts, upon execution, may challenge the clients by demanding user interaction within a specified period of time, requesting a delay before responding, and/or attempting to set a challenge cookie multiple times.
    Type: Grant
    Filed: October 14, 2016
    Date of Patent: August 22, 2017
    Assignee: VERISIGN, INC.
    Inventors: Suresh Bhogavilli, Roberto Guimaraes, Yujie Zhao
  • Publication number: 20170034209
    Abstract: Methods and systems for mitigating denial-of-service attacks include a proxy server that monitors a set of application servers configured to receive and service requests from clients. The proxy server intercepts the requests, and in response, provides the clients with customized client-side scripts embedded in markup language. The client-side scripts may include random strings to generate follow-through random uniform resource identifier redirection requests expected by the proxy server. The client-side scripts, upon execution, may challenge the clients by demanding user interaction within a specified period of time, requesting a delay before responding, and/or attempting to set a challenge cookie multiple times.
    Type: Application
    Filed: October 14, 2016
    Publication date: February 2, 2017
    Inventors: Suresh BHOGAVILLI, Roberto GUIMARAES, Yujie ZHAO
  • Publication number: 20160381048
    Abstract: A method for mitigating a denial of service attack includes determining, for a client, a number of requests being transmitted to a server and determining, for the client, that the number of requests for a time period is greater than a top talker threshold. The method includes classifying the client as a top talker based on the number of requests being greater than the top talker threshold and identifying, for the client, additional requests being transmitted to the server. The method also includes determining whether a number of the additional requests matches one or more attack patterns and preventing one or more of the additional requests from being transmitted to the server if the number of additional requests that matches one or more attack patterns is greater than a first threshold.
    Type: Application
    Filed: June 24, 2015
    Publication date: December 29, 2016
    Inventors: Yujie Zhao, Suresh Bhogavilli, Anupam Kulkarni, Sivasankar Subramanian
  • Patent number: 9473530
    Abstract: Methods and systems for mitigating denial-of-service attacks include a proxy server that monitors a set of application servers configured to receive and service requests from clients. The proxy server intercepts the requests, and in response, provides the clients with customized client-side scripts embedded in markup language. The client-side scripts may include random strings to generate follow-through random uniform resource identifier redirection requests expected by the proxy server. The client-side scripts, upon execution, may challenge the clients by demanding user interaction within a specified period of time, requesting a delay before responding, and/or attempting to set a challenge cookie multiple times.
    Type: Grant
    Filed: December 3, 2013
    Date of Patent: October 18, 2016
    Assignee: VERISIGN, INC.
    Inventors: Suresh Bhogavilli, Roberto Guimaraes, Yujie Zhao
  • Publication number: 20160226896
    Abstract: Methods and systems for detecting and responding to Denial of Service (“DoS”) attacks comprise: detecting a DoS attack or potential DoS attack against a first server system comprising one or more servers; receiving, at a second server system comprising one or more servers, network traffic directed to the first server system; subjecting requesting clients to one or more challenge mechanisms, the challenge mechanisms including one or more of challenging requesting clients to follow through HTTP redirect responses, challenging requesting clients to request Secure Sockets Layer (SSL) session resumption, or challenging requesting clients to store and transmit HTTP cookies; identifying one or more non-suspect clients, the one or more non-suspect clients corresponding to requesting clients that successfully complete the one or more challenge mechanisms; identifying one or more suspect clients, the one or more suspect clients corresponding to requesting clients that do not successfully complete the one or more challenge
    Type: Application
    Filed: April 6, 2016
    Publication date: August 4, 2016
    Inventors: Suresh Bhogavilli, Roberto Guimaraes, Ramakant Pandrangi, Frank Scalzo
  • Publication number: 20160149949
    Abstract: Embodiments relate to systems, devices, and computing-implemented methods for providing DoS mitigation using a list of persistent clients generated using network flow data. Daily flow counts can be incremented once per date for unique flow combinations in the network flow data that are associated with at least one network interaction that occurred on that date. A candidate list of persistent clients can be created based on the daily flow counts, and the candidate list of persistent clients can be filtered and ranked, and the list of persistent clients can be selected based on the rankings.
    Type: Application
    Filed: November 25, 2015
    Publication date: May 26, 2016
    Inventors: Yannis Labrou, Suresh Bhogavilli, Mark Teodoro, Han Zhang
  • Patent number: 9288227
    Abstract: A mitigation service can monitor network traffic in one direction between a client computer and a server computer. The mitigation service can receive a request from a client computer to establish a network connection with a server computer. The mitigation service can reply to the client computer with an acknowledgment that is configured to cause the client computer to issue a request to reset the connection. The acknowledgement is configured not to affect the establishment of the network connection with the server computer. The mitigation service can compare the details of the reset request with the request to establish the network connection. If the details match, the mitigation service can forward the request to establish the network connection to the server computer.
    Type: Grant
    Filed: November 28, 2012
    Date of Patent: March 15, 2016
    Assignee: VERISIGN, INC.
    Inventors: Sanjay Rao, Suresh Bhogavilli
  • Publication number: 20150033335
    Abstract: Embodiments relate to systems, devices, and computer-implemented methods for mitigating Distributed Denial of Service (“DDoS”) attacks. The method may include receiving, by a server, a response message from an application server. A client identifier corresponding to a source client may be determined based on a request message received from the source client. The request message received from the source client corresponds to the response message received from the application server. The server may identify one or more counters corresponding to the source client. The one or more counters include a discrete bad request counter (DBRC), a consecutive bad request counter (CBRC), or both. The server may identify a response type of the response message and cause a value of at least one of the one or more counters to change based on the response message and the response type.
    Type: Application
    Filed: October 10, 2014
    Publication date: January 29, 2015
    Inventors: Yujie Zhao, Suresh Bhogavilli, Roberto Guimaraes
  • Patent number: 8869275
    Abstract: Embodiments relate to systems, devices, and computer-implemented methods for mitigating Distributed Denial of Service (“DDoS”) attacks. The method can include receiving, by a server, a response message from an application server. The method can further include determining a source internet protocol (IP) address associated with the source client based on a request message received from a source client. The request message received from the source client corresponds to the response message received from the application server. In addition, the method can include identifying, by the server, a plurality of counters associated with the source IP address, and identifying, by the server, a response type of the response message. Further, the method can include causing a value of at least one of the plurality of counters to change based on the response message and the response type.
    Type: Grant
    Filed: November 28, 2012
    Date of Patent: October 21, 2014
    Assignee: Verisign, Inc.
    Inventors: Yujie Zhao, Suresh Bhogavilli, Roberto Guimaraes
  • Publication number: 20140150095
    Abstract: Embodiments relate to systems, devices, and computer-implemented methods for mitigating Distributed Denial of Service (“DDoS”) attacks. The method can include receiving, by a server, a response message from an application server. The method can further include determining a source internet protocol (IP) address associated with the source client based on a request message received from a source client. The request message received from the source client corresponds to the response message received from the application server. In addition, the method can include identifying, by the server, a plurality of counters associated with the source IP address, and identifying, by the server, a response type of the response message. Further, the method can include causing a value of at least one of the plurality of counters to change based on the response message and the response type.
    Type: Application
    Filed: November 28, 2012
    Publication date: May 29, 2014
    Inventors: Yujie Zhao, Suresh Bhogavilli, Roberto Guimaraes
  • Publication number: 20140150094
    Abstract: A mitigation service can monitor network traffic in one direction between a client computer and a server computer. The mitigation service can receive a request from a client computer to establish a network connection with a server computer. The mitigation service can reply to the client computer with an acknowledgment that is configured to cause the client computer to issue a request to reset the connection. The acknowledgement is configured not to affect the establishment of the network connection with the server computer. The mitigation service can compare the details of the reset request with the request to establish the network connection. If the details match, the mitigation service can forward the request to establish the network connection to the server computer.
    Type: Application
    Filed: November 28, 2012
    Publication date: May 29, 2014
    Inventors: Sanjay Rao, Suresh Bhogavilli
  • Publication number: 20140096194
    Abstract: Methods and systems for mitigating denial-of-service attacks include a proxy server that monitors a set of application servers configured to receive and service requests from clients. The proxy server intercepts the requests, and in response, provides the clients with customized client-side scripts embedded in markup language. The client-side scripts may include random strings to generate follow-through random uniform resource identifier redirection requests expected by the proxy server. The client-side scripts, upon execution, may challenge the clients by demanding user interaction within a specified period of time, requesting a delay before responding, and/or attempting to set a challenge cookie multiple times.
    Type: Application
    Filed: December 3, 2013
    Publication date: April 3, 2014
    Applicant: VERISIGN, INC.
    Inventors: Suresh Bhogavilli, Roberto Guimaraes, Yujie Zhao