SCAN PROTECTION WITH RATE LIMITING
Techniques described herein improve network security and traffic management. In an embodiment, a request associated with an identifier (ID) is received. It is determined whether the ID exists in a first membership database (MDB). If the ID exists in the first MDB, the request is serviced subject to a rate limit. If the ID does not exist in the first MDB, it is determined whether the ID exists in a second MDB. If the ID exists in the second MDB, the request is serviced. If the ID does not exist in the second MDB, the request is serviced subject to another rate limit. A response is received. The first and second MDBs can be updated based on the type of received response. In an embodiment, the response is classified as indicative of degraded or typical network performance, and the first and second MDBs are updated accordingly.
This application claims priority to U.S. Provisional Patent Application No. 62/212,885 entitled SCAN PROTECTION WITH RATE LIMITING filed Sep. 1, 2015 which is incorporated herein by reference for all purposes.
BACKGROUND OF THE INVENTIONManaging traffic over a network involves making content available for access. Conventional techniques for managing network traffic use an application delivery controller (ADC), which is a network device that manages traffic. The ADC provides various functionalities such as load balancing data and resources hosted on multiple servers. For example, the ADC services client requests using servers, which provide content to the client in accordance with the request. Servers and content can join and leave the network, and, in some instances, the number of servers and set of available content can be large (e.g., on the order of hundreds of servers and billions of content). Mismanagement of client requests causes backend servers to be overwhelmed or overused. Conventional ADCs are typically computationally intensive (using large amounts of memory and power) and do not effectively manage client requests, including those requests that may be malicious. For example, a client may attempt to access content not ready for client consumption by “scanning,” which involves systematically modifying a URI until a corresponding page is found. Therefore, there exists a need in the art for effective network traffic management.
Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
Techniques of the present disclosure manage network traffic including receiving a request associated with an identifier (ID), the ID identifying a source; determining whether the ID exists in a first membership data (MDB); in the event that the ID exists in the first MDB, servicing the request subject to a first rate limit; in the event that the ID does not exist in the first MDB, determining whether the ID exists in a second MDB; in the event that the ID that does not exist in the first MDB does not exist in the second MDB, servicing the request subject to a second rate limit; in the event that the ID that does not exist in the first MDB exists in the second MDB, servicing the request; subsequent to the request being serviced, receiving a response; determining that the response corresponds to a first type of response; and in response to the determination that the response corresponds to the first type of response, updating the first MDB based at least in part on the ID; in response to the determination that the response corresponds to the second type of response, updating the second MDB based at least in part on the ID.
Processor 102 is coupled bi-directionally with memory 110, which can include, for example, one or more random access memories (RAM) and/or one or more read-only memories (ROM). As is well known in the art, memory 110 can be used as a general storage area, a temporary (e.g., scratch pad) memory, and/or a cache memory. Memory 110 can also be used to store input data and processed data, as well as to store programming instructions and data, in the form of data objects and text objects, in addition to other data and instructions for processes operating on processor 102. Also as is well known in the art, memory 110 typically includes basic operating instructions, program code, data, and objects used by the processor 102 to perform its functions (e.g., programmed instructions). For example, memory 110 can include any suitable computer readable storage media described below, depending on whether, for example, data access needs to be bi-directional or uni-directional. For example, processor 102 can also directly and very rapidly retrieve and store frequently needed data in a cache memory included in memory 110.
A removable mass storage device 112 provides additional data storage capacity for the computer system 100, and is optionally coupled either bi-directionally (read/write) or uni-directionally (read only) to processor 102. A fixed mass storage 120 can also, for example, provide additional data storage capacity. For example, storage devices 112 and/or 120 can include computer readable media such as magnetic tape, flash memory, PC-CARDS, portable mass storage devices such as hard drives (e.g., magnetic, optical, or solid state drives), holographic storage devices, and other storage devices. Mass storages 112 and/or 120 generally store additional programming instructions, data, and the like that typically are not in active use by the processor 102. It will be appreciated that the information retained within mass storages 112 and 120 can be incorporated, if needed, in standard fashion as part of memory 110 (e.g., RAM) as virtual memory.
In addition to providing processor 102 access to storage subsystems, bus 114 can be used to provide access to other subsystems and devices as well. As shown, these can include a display 118, a network interface 116, an input/output (I/O) device interface 104, a pointing device 106, as well as other subsystems and devices. For example, pointing device 106 can include or operate in conjunction with a camera, a scanner, etc.; I/O device interface 104 can include a device interface for interacting with a touchscreen (e.g., a capacitive touch sensitive screen that supports gesture interpretation), a microphone, a sound card, a speaker, a keyboard, a pointing device (e.g., a mouse, a stylus, a human finger), a Global Positioning System (GPS) receiver, an accelerometer, and/or any other appropriate device interface for interacting with system 100. Multiple I/O device interfaces can be used in conjunction with computer system 100. The I/O device interface can include general and customized interfaces that allow the processor 102 to send and, more typically, receive data from other devices such as keyboards, pointing devices, microphones, touchscreens, transducer card readers, tape readers, voice or handwriting recognizers, biometrics readers, cameras, portable mass storage devices, and other computers.
The network interface 116 allows processor 102 to be coupled to another computer, computer network, or telecommunications network using a network connection as shown. For example, through the network interface 116, the processor 102 can receive information (e.g., data objects or program instructions) from another network, or output information to another network in the course of performing process/process steps. Information, often represented as a sequence of instructions to be executed on a processor, can be received from and outputted to another network. An interface card or similar device and appropriate software implemented by (e.g., executed/performed on) processor 102 can be used to connect the computer system 100 to an external network and transfer data according to standard protocols. For example, various process embodiments disclosed herein can be executed on processor 102, or can be performed across a network such as the Internet, intranet networks, or local area networks, in conjunction with a remote processor that shares a portion of the processing. Additional mass storage devices (not shown) can also be connected to processor 102 through network interface 116.
In addition, various embodiments disclosed herein further relate to computer storage products with a computer readable medium that includes program code for performing various computer-implemented operations. The computer readable medium includes any data storage device that can store data which can thereafter be read by a computer system. Examples of computer readable media include, but are not limited to: magnetic media such as disks and magnetic tape; optical media such as CD-ROM disks; magneto-optical media such as optical disks; and specially configured hardware devices such as application-specific integrated circuits (ASICs), programmable logic devices (PLDs), and ROM and RAM devices. Examples of program code include both machine code as produced, for example, by a compiler, or files containing higher level code (e.g., script) that can be executed using an interpreter.
The computer system shown in
The techniques described herein can be implemented by a processor such as an application delivery controller (ADC), a controller or other processor that receives client requests. The ADC can be implemented as software components executing on one or more processors, as hardware components such as programmable logic devices (e.g., microprocessors, field-programmable gate arrays (FPGAs), digital signal processors (DSPs), etc.), Application Specific Integrated Circuits (ASICs) designed to perform certain functions, or a combination thereof. In this example, the ADC is implemented as a network device that manages network traffic and allows clients to request web resources within an application delivery network.
The ADC 210 receives requests from the client(s) and directs requests to appropriate server(s). The ADC can be implemented according to the techniques described herein. The ADC handles requests made by a client such as a request for content. The ADC can forward the request to one or more servers 230. The server(s) 230 can receive a request processed by the ADC 210, determine requested content (also referred to as “a destination” of a request), and respond to the requests via the ADC 210.
Content includes various types or combinations of resources such as media items, files, dynamically generated responses, and the like. Content can be uniquely identified, e.g., by a uniform resource identifier (URI). In the example shown in
In operation, a client accesses the content 212, 214 by sending requests (e.g., Hypertext Transfer Protocol (HTTP) requests specifying the URIs corresponding to the HTML files) to the ADC 210. In response to receipt of the request, the ADC 210 routes the request to one or more of the servers 230. The server(s) then permit access to the appropriate content(s) 212, 214. In some instances, the ADC 210 can be configured to identify characteristics of a client request and block, admit, or rate limit the client request based on the identified characteristics. The characteristics of the client request include an identity of a requested resource, an identity of a client, a combination of the client and requested content, an impact of the client request on network performance, and the like.
The identity of requested content can affect how the client request is handled. For example, some content is not ready for client consumption. The content is not yet ready to be made publicly accessible for a variety of reasons. For example, a web page contains sensitive content (e.g., a financial statement that is not yet ready to be released.) The content can be intentionally or unintentionally made accessible, but not yet linked from a main website. For example, content under development is not linked to a main landing page but could be accessed if a corresponding URI is provided as part of a client request. In
The identity of a client can affect how the client request is handled. For example, clients that are not trustworthy, engage in malicious behavior, etc. can be blocked or rate limited at a pre-defined rate. Clients that are trustworthy, unknown, etc. can also be admitted or rate limited at a pre-defined rate.
A combination of the identity of a client and the identity of requested content can affect how the client request is handled. For example, a client may attempt to access content not ready for client consumption by “scanning.” A client that practices scanning is referred to as a “scanner.” A client “scans” for a page by modifying a URI. The client can systematically modify the URI (e.g., by coming up with combinations of URL strings) until a page is found. The page can a be a page desired by the client. In the example shown in
The impact of the client request on network performance can affect how the client request is handled. The techniques described herein find application in any situation in which network performance is impacted by client requests for content. When network characteristics are identified, rate limiting can be applied as described herein to improve network performance.
Conventional techniques typically determine whether to block, admit, or rate limit based on a “black list” and/or a “white list” maintained in memory. The “black list” includes identifiers of connections/clients that should be blocked from accessing the content. The “white list” includes identifiers of connections/clients that should be permitted to have their requests serviced. Clients that do not belong to the black list and the white list can be considered to be in a “grey list” that is not explicitly maintained.
These conventional techniques are computationally expensive and do not efficiently prevent scanning. This is because the effectiveness of preventing scanners from accessing content depends on accurate and timely maintenance of the black list and/or white list. However, clients and/or content can change quickly in a networking environment. An ADC also has limited memory and is hence unable to accommodate large lists. Moreover, denying a client request based on client ID can be ineffective when a client spoofs an IP address to attempt scanning. When a client spoofs an IP address, the client changes its IP address so that it appears to the ADC as a different client. The client is then able to bypass a system that relies on a black list and/or white list of client IDs to route requests.
Techniques of the present disclosure improve network traffic management by preventing scanning. Characteristics of client requests are determined and used to service the client requests. In some embodiments, client requests are rate limited based on a determined type of client request. The techniques described herein can limit or prevent network degradation caused by malicious client behavior such as scanning and improve the security of networks by preventing access of content not intended for consumption by particular clients. In one aspect, a client connection is “slowed down” by rate limiting, which effectively reduces the number of guesses made by a client attempting to access a content (e.g., URI). In another aspect, spoofing can be reduced or prevented by rate limiting based on requested content such that regardless of client identity, requests for particular content can be rate limited, as further described herein, e.g., in relation to
In 302, a request is received. The request is associated with an identifier (ID) of a source. As used herein, a source refers to an originator of a request such as a user, a device, and the like. The ID can be associated with the source of the request and include information that uniquely identifies the source, including an identifier of the requesting client (“client identifier”), an identifier of the requested content (“content identifier”), a combination thereof, or any other appropriate identification information. The client identifier can be an IP address of the client, the content identifier can be a URI of the requested content, etc. An identifier combining client and content can be one-to-one (particular client accessing particular content), one-to-many (particular client accessing any content), many-to-many (any client accessing any content), or many-to-one (any client accessing particular content). In an embodiment, an ID can be determined from the request. In an embodiment, the ID is a derivative of: a client identifier, a requested content identifier, or a combination thereof. For example, the ID can be derived from or be based on the client identifier, a requested content identifier, or a combination thereof. A client using a proxy can be identified by extracting the client identifier from the proxy-provided identification. The ID can be parsed or extracted from the request (e.g., from a header or payload of a transmitted packet).
In 304, it is determined whether the ID exists in a first membership database (MDB). The first MDB can be implemented by a data structure such as a table capable of tracking whether an element is a member of (e.g., stored in) the data structure, as further described herein. An example implementation of a first MDB is explained in greater detail in connection with
If the ID exists in the first MDB, control passes to 306 in which the received request is serviced subject to a first rate limit. The rate limit can be pre-defined. For example, the rate limit can be defined in terms of a number of attempted accesses per period. A counter can track a number of previous requests, and upon meeting or exceeding a threshold, rate limiting can be performed. As another example, the rate limit can be defined in terms of a number of bytes transmitted per period. A counter can track a number of bytes previously transmitted, and upon meeting or exceeding a threshold, the rate limiting operation is performed. The rate limiting operation can include at least one of: dropping a request such that the request is not serviced, logging information about the request, servicing the request if a pre-defined threshold has not been met, etc. In this example, control then passes to 316, in which a response regarding the request is received from a server, as further described herein.
In 304, if the ID does not exist in the first MDB, control passes to 308 in which it is determined whether the ID exists in a second MDB. The second MDB can be implemented by a data structure such as a table capable of tracking whether an element is a member of (e.g., stored in) the data structure, as further described herein. The second MDB can track a second type of information, for example a type of: client, request, response, combination thereof, etc. A second type of client is a client having characteristic(s) matching a profile. The profile can be pre-defined (e.g., by an administrator) and include parameters describing client characteristics. The profile associated with the second type of client can be different from a profile associated with the first type of client. For example, a client is a second type of client if the requests made by the client impact network performance similar to an average client. The impact of the second type of client can be compared with an impact of an average client or a threshold to determine whether a client should be classified as a second type of client. The behavior of the second type of client does not cause network performance to degrade or create a security vulnerability in a network system. Unlike the first type of client, the second type of client does not or rarely (e.g., below a threshold): requests content not intended for the client or content that has previously been determined to be of a first type (e.g., broken web page), makes requests at an atypical frequency (e.g., above a threshold), performs disallowed functions, scans, and the like. In an embodiment, the type of client tracked by the second MDB is different from the type of client tracked by the first MDB. In an embodiment, the ID exists in the second MDB if a second type of request has been previously made by a source associated with the ID. The tracking and storage of IDs in the second MDB is described further herein, e.g., with respect to
If the ID exists in the second MDB, control passes to 312 in which the request is serviced. For example, requested content can be provided to a requesting client, a token permitting access to request content can be provided to the requesting client, and the like. If the ID does not exist in the second MDB, control passes to 314 in which the request is serviced subject to a second rate limit. The rate limit can be pre-defined. For example, the rate limit can be defined in terms of a number of attempted accesses per period. A counter can track a number of previous requests, and upon meeting or exceeding a threshold, rate limiting can be performed. As another example, the rate limit can be defined in terms of a number of bytes transmitted per period. A counter can track a number of bytes previously transmitted, and upon meeting or exceeding a threshold, a rate limiting operation is performed. The rate limiting operation can include at least one of: dropping a request such that the request is not serviced, logging information about the request, servicing the request if a pre-defined threshold has not been met, etc.
The second rate limit can be different from the first rate limit used in 306. In an embodiment, the second rate limit is higher than the first rate limit. This has the effect of being less restrictive on access for a requesting client who has not yet been classified into the first MDB or the second MDB (e.g., a characteristic of the requesting client is “unknown”). This reduces the risk of degrading network performance (in case the client turns out to be malicious) because some rate limiting is performed while still providing acceptable service (in case the client turns out to be good).
In the example shown, after 306 or 314, the process 300 can continue to 316. In an alternative embodiment (not shown), the process 300 can simply terminate after 306, 312, or 314 without proceeding to 316. In 316, a response regarding the request is received from a remote server, e.g., a server servicing content corresponding to client requests. The first and second MDBs can be updated based on the received response as follows.
If the response is a first type of response (318), the first MDB is updated (322). The update can include performing a hash function on the corresponding ID and changing an entry of a bucket associated with the ID. For example, a received ID is hashed and a corresponding bucket entry updated to track receipt of the first type of response. The hashing and updating of the entry can be performed according to techniques further described herein, e.g., with respect to
If the response is a second type of response (324), the second MDB is updated (326). The update can include changing an entry of a bucket associated with the ID. For example, the entry can be changed by incrementing or decrementing a counter. In this example, the counter tracks a number of times a second type of response has been received. The second type of response can be a response associated with typical (not degraded) network performance, as further described herein.
In some embodiments, a response to a particular client request can change over time. For example, a response is of a second type and a subsequent response is of a first type. This can occur when a web page is taken down between the first time and the second time (e.g., due to web page maintenance).
According to the techniques described herein, a scanner is prevented or rate limited from accessing content according to the techniques further described herein such that the scanner takes longer to guess a correct URI, allowing content providers more time to secure the content. The techniques described herein allow for a scalable and agile solution with very low overhead for managing network traffic and client access to content. Scanning detection and prevention improves network security by effectively and quickly identifying “malicious” clients and/or sensitive content and controlling access accordingly.
The first MDB 402 can store a first type of data. The first MDB 402 can be implemented according to the techniques described herein, e.g., in relation to MDB 500 in
The second MDB 404 can store data of a second type. The second type of data can be different from the first type of data stored in the first MDB 402. The second MDB 404 can be implemented according to the techniques described herein, e.g., in relation to MDB 500 in
The rate limiting filter 406 (also referred to as “rate limiter”) processes requests. In the example shown in
The rate limiting filter 408 (also referred to as “rate limiter”) processes requests. In the example shown in
In operation, the first MDB 402 receives a request. The first MDB 402 then determines whether the received request exists in the first MDB 402. For example, the determination can be made by looking up parameters obtained from the request in the first MDB. If the request exists in the first MDB 402, the request or a query associated with the request is passed along 410 to the rate limiter 406. The rate limiter 406 then services the request (or query) subject to a rate limit. For example, the rate limiter 406 can drop, log, or service the request, as further described herein. The request can be serviced by fetching content 470 that corresponds to the request (or query).
On the other hand, if the request does not exist in the first MDB 402, the request or a query associated with the request is passed along 420 to the second MDB 404. If the request exists in the second MDB 404, the request (or query) is passed along 430 such that the request is serviced by fetching content 470 that corresponds to the request (or query). If the request does not exist in the second MDB 404, the request (or query) is passed along 440 to the rate limiter 408. The rate limiter 408 then services the request (or query) subject to a rate limit. For example, the rate limiter 408 can drop, log, or service the request, as further described herein. The request can be serviced by fetching content 470 that corresponds to the request (or query).
For example, requests that negatively impact network performance are associated with the first MDB 402 and requests that do not negatively impact network performance are associated with the second MDB 404. This means that when a request is determined to negatively impact network performance, associated information (e.g., client ID, content ID, etc.) is stored in the first MDB 402 and when a request is determined to not negatively impact network performance, associated information (e.g., client ID, content ID, etc.) is stored in the second MDB 404. “Unknown” requests are not stored in either the first MDB 402 or the second MDB 404. A request can be “unknown” if a likelihood of the request negatively impacting network performance has not yet been determined. For example, if the number of times the request has elicited a particular type of response does not meet a threshold, then the request is unknown.
In this example, rate limiter 406 has a relatively low threshold (e.g., 10 times/second), allowing few requests to be serviced because the requests passing through 410 are likely to negatively impact network performance. Rate limiter 408 has a relatively high threshold (e.g., 50 times/second), allowing more requests to be serviced because whether requests passing through 440 negatively impact network performance is unknown. In other words, the rate limiter 408 can be less restrictive than the rate limiter 406 because “unknown” requests are not as likely as requests associated with the first MDB 402 to negatively impact network performance.
Although not shown, a rate limiter coupled between the second MDB 404 and content 470 on path 430 would have a relatively high threshold (e.g., 1000 times/second), allowing more requests to be serviced because the requests passing through 430 do not negatively impact network performance.
In an embodiment, processing requests in this manner slows down an unknown user. When the unknown user makes more requests, the user is determined to be good or bad. Based on the determination, the user can be treated appropriately. By slowing down an unknown user, in case the user is bad, more damage can be prevented than compared with conventional techniques.
In an embodiment, the MDB can be populated in a training mode. In the training mode, a proposed action is logged instead of or in addition to being performed. This allows for the system to be adjusted or optimized. For example, the logs can be compared with a desired logging pattern to determine whether the system is sufficiently optimized. For example, the logging pattern corresponds to a desired response to a request such as a frequency of dropping requests, dropping a request in response to a particular type of request, and the like. In a training mode, a particular rate limiting criteria can cause many (above a threshold) to be logged, which might be too restrictive. The rate limiting criteria can then be adjusted so that requests are dropped at an appropriate rate. In an alternative embodiment, in the training mode, some proposed actions are logged, some proposed actions are performed, and some proposed actions are logged and performed.
The MDB 452 can store a first type of data. The MDB 452 can be implemented according to the techniques described herein, e.g. in relation to MDB 500 in
The MDB 454 can store data of a second type of data. The second type of data can be different from the first type of data stored in the MDB 452. The MDB 454 can be implemented according to the techniques described herein, e.g., in relation to MDB 500 in FIG. 5A. The second type of data can include information about characteristics of the request such as client characteristics, requested content, a response to the requested content, and the like. In an embodiment, an identifier is stored in the MDB 454 if the requests made by the client impact network performance similarly with an average client. A client is classified as a first type of client if the behavior of the second type of client does not cause network performance to degrade or create a security vulnerability in a network system. Unlike the first type of client, the second type of client does not or rarely (e.g., below a threshold): requests content not intended for the client or content that has previously been determined to be of a first type (e.g., broken web page), makes requests at a typical frequency (e.g., below a threshold), performs disallowed functions, scans, and the like, as further described herein, e.g., with respect to 308 of
In operation, content 470 is provided to client(s) 460 as follows. It is determined whether a response is a first type of response. If the response is a first type of response, the response is passed via 472 to the first MDB 452. Request ID of the first type of response is stored in the first MDB 452. The response can be stored in the MDB 452 according to the techniques described herein, e.g., in relation to
For example, a first type of response is a response that matches a profile. For instance, the requested content can be of a particular type such as a broken web page, requiring authentication information the client did not provide, etc. As another example, the requested content can be provided at a frequency meeting a threshold. If the requested content has been previously requested and/or provided more than is expected for that type of content, the response can be classified as the first type. The second type of response is a response that matches a profile, which can be different from a profile for the first type of response. For instance, the requested content can be of a particular type such as a well-behaved (not broken) web page. As another example, requested content has been previously requested and/or provided as expected for that type of content.
Process 300 will now be described using the example of
If the client ID corresponding to the received request does not exist in the first MDB 402, the request can be processed along path 420 as follows. It is determined whether a client ID corresponding to the received request exists in the second MDB 404 (308 of
Received responses to the request can be used to update the MDBs as follows. Turning to
In the example shown in
The example shown in
Suppose that a second client request with ID1 is made. To determine whether a client request with ID1 has been previously made, it is determined whether bucket(s) corresponding to the hash functions of ID1 in the MDB are non-zero. If the buckets are non-zero, then the client has previously made a request. When the second client request with ID1 is made, hash functions h1(ID1)=bucket B, h2(ID1)=bucket E, and h3(ID1)=bucket F are performed. Turning to
In the example shown in
The example shown in
Suppose that a second client request with ID1 is made. To determine whether a client request with ID1 has been previously made, it is determined whether bucket(s) corresponding to the hash functions of ID1 in the respective hash tables in the MDB are non-zero. If the buckets are non-zero, then the client has previously made a request. When the second client request with ID1 is made, hash functions h1(ID1)=bucket B, h2(ID1)=bucket E, and h3(ID1)=bucket F are performed. Turning to
In some embodiments, over time, the MDB becomes filled as requests are received. When two different requests are hashed to the same bucket(s), a hash collision occurs. Hash collisions become more likely as more requests are received and the MDB becomes more filled. Hash collisions in the MDB can reduce the accuracy of tracking whether a request has been received before because a collision gives a false positive. To improve accuracy, entries in the MDB can be aged and/or the MDB can be resized.
In some embodiments, hash collisions are reduced by aging the MDB. Aging can be implemented by changing one or more entries in a variety of ways. The one or more entries can be changed by reducing the entry by a factor. For entries including a counter, the counter can be reset or re-initialized. The aging can be performed periodically or at a pre-defined time according to system configuration. The timing can be managed by a timer such that a counter is decreased by a pre-defined amount. For example, after a period (e.g., 10 minutes) of inactivity for an ID, a counter is reset to zero. As another example, each entry in the MDB can be halved every 30 seconds. The timing of aging and/or the amount by which to change entries can be performed based on desired behavior such as how much history to track. More frequent refreshing corresponds to tracking more recent history compared with less frequent refreshing. This allows the system to dynamically track characteristics of clients. Aging the table improves MDBs efficiently over relatively long periods of time even when tracking numerous IDs (e.g., on the order of billions).
In some embodiments, hash collisions are reduced by resizing the MDB. Resizing can be based on how many of a particular type of entry is in the MDB. For example, the particular type of entry can be those entries having a value of 0 (also referred to as “empty” entries). Empty entries mean that an ID has not been previously requested. If the number of empty entries meets a threshold, the MDB can be downsized. For example, a number of buckets in the MDB can be removed so that the MDB is capable of storing fewer entries. If the number of zero entries does not meet a threshold, the MDB can be upsized. For example, a number of buckets in the MDB can be added so that the MDB is capable of storing more entries. The selection of the threshold and resizing can be performed in accordance with predefined (e.g., user-specified) parameters. For example, for a traffic mix comprised of a few thousand different clients of which only a few are of the first type, the first MDB can be sized to have a few hundred buckets. For example, if there are relatively many zeros in the MDB, the table is too large and space can be saved while reasonably avoiding hash collisions by downsizing the MDB.
In an alternative embodiment, resizing can be performed according to user specifications. In yet another embodiment, resizing can be based on a virtual service weight (“VS weight”). The VS weight can describe the servicing of requests, where a content is serviced by a virtual server. For example, a VS weight=1 can correspond to sizing the MDB to 1000 buckets and a VS weight=2 can correspond to sizing the MDB to 2000 buckets. A user can set a VS weight based on anticipated needs. Resizing can be performed periodically, e.g., hourly. For example, checking for zero entries can be performed periodically and resizing performed, if appropriate. Memory can also be saved by sizing an MDB appropriately.
In IP address spoofing, a client's IP address is changed so that it appears to the ADC as a different user. The client is then able to bypass a system that relies on a black list and/or white list to route requests, which may slow the connection. Techniques of the present disclosure prevent spoofing by determining characteristics of requested content such that even if a client is spoofing, the client is rate limited.
Each of the client module 602 and the content module 604 can be implemented by one or more systems such as the systems 400 and 450 shown in
In one aspect, the described techniques are scalable and dynamic, saving memory by dispensing with the need to maintain explicit black and white lists of clients. Instead, determination about a client and/or content can be made based on a response from the server about whether the request triggered an undesirable response (e.g., causing network degradation). The described techniques are flexible because a status of content (e.g., a previously broken web page is fixed) need not be communicated to an ADC each time there is a change. The status of the content is automatically detected and noted in the corresponding MDB. The techniques described herein effectively and efficiently prevent information from being leaked, for example, when a client attempts to access sensitive information by scanning. The techniques described herein improve the functioning of a computer by identifying clients and/or content that degrades network performance and blocking or rate limiting a corresponding connection.
Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.
Claims
1-20. (canceled)
21. A method for processing content requests, the method comprising:
- receiving content requests from a plurality of sources;
- based on identities of the sources, forwarding the requests to content servers at different rates for at least two different sources, said content servers responding to the content requests from the sources;
- based on responses from the content servers, adjusting at least one rate for processing requests from at least one source.
22. The method of claim 21, wherein
- each source is associated with one identifier,
- said forwarding comprises forwarding the requests based on the identifiers associated with the requests.
23. The method of claim 22, wherein said forwarding the requests based on the identifiers comprises:
- using each request's source identifier to associate the request with one type of request from a plurality of different types of requests, each type of request associated with a different rate for processing requests of that type;
- using each request's associated type to identify a rate for forwarding the request to a content server that responds to the request.
24. The method of claim 23, wherein said adjusting comprises changing the association of a particular identifier from one type to another in order to change the rate for processing requests from the particular source associated with the particular identifier.
25. The method of claim 23, wherein using each request's identifier to associate the request with a request type comprises determining whether the identifier exists in one of a plurality of data storages associated with different request types.
26. The method of claim 25, wherein the different data storages comprise at least a first data store storing identifiers known to be associated with sources sending requests that have detrimental effect on performance of the content servers, and a second data store storing identifiers known to be associated with sources sending requests that do not have detrimental effect on performance of the content servers.
27. The method of claim 26, wherein
- the first data store is associated with a first request type, and the second data store is associated with a second request type,
- forwarding the requests further comprises forwarding the requests that are associated with a third type that is different than the first and second types to the content servers at a rate faster than a first rate used to forward requests of the first type but slower than a second rate used to forward requests of the second type.
28. The method of claim 26, wherein the third type is a request type defined for requests from unknown sources.
29. A method for processing content requests to content servers, the method comprising:
- classifying content requests as first, second, third types of requests, said first type being requests known to have adverse impact on content servers, said second type being requests known not to have adverse impact on content servers, and said third type, and third type being unknown; and
- forwarding requests of the first type at a first rate to the content servers, requests of the second type at a second rate to the content servers, and requests of the third type at a third rate to the content servers, the first rate being slower than the second and third rates, and the third rate is slower than the second rate.
30. The method of claim 29, wherein the first, second and third types correspond to first, second and third types of request sources, and said classifying comprises classifying content requests as requests coming from first, second and third types of sources, with the first source type comprising sources known to send requests that have adverse impact on content servers, the second source type comprising sources known to send requests that do not have adverse impact on content servers, and the third source type comprises unknown sources.
31. A non-transitory machine readable medium storing a program for processing content requests, the program executable by at least one processing unit, the program comprising sets of instructions for:
- receiving content requests from a plurality of sources;
- based on identities of the sources, forwarding the requests to content servers at different rates for at least two different sources, said content servers responding to the content requests from the sources;
- based on responses from the content servers, adjusting at least one rate for processing requests from at least one source.
32. The non-transitory machine readable medium of claim 31, wherein
- each source is associated with one identifier,
- the set of instructions for forwarding comprises a set of instructions for forwarding the requests based on the identifiers associated with the requests.
33. The non-transitory machine readable medium of claim 32, wherein the set of instructions for forwarding the requests based on the identifiers further comprises sets of instructions for:
- using each request's source identifier to associate the request with one type of request from a plurality of different types of requests, each type of request associated with a different rate for processing requests of that type;
- using each request's associated type to identify a rate for forwarding the request to a content server that responds to the request.
34. The non-transitory machine readable medium of claim 33, wherein the set of instructions for adjusting comprises a set of instructions for changing the association of a particular identifier from one type to another in order to change the rate for processing requests from the particular source associated with the particular identifier.
35. The non-transitory machine readable medium of claim 33, wherein the set of instructions for using each request's identifier to associate the request with a request type comprises a set of instructions for determining whether the identifier exists in one of a plurality of data storages associated with different request types.
36. The non-transitory machine readable medium of claim 35, wherein the different data storages comprise at least a first data store storing identifiers known to be associated with sources sending requests that have detrimental effect on performance of the content servers, and a second data store storing identifiers known to be associated with sources sending requests that do not have detrimental effect on performance of the content servers.
37. The non-transitory machine readable medium of claim 36, wherein
- the first data store is associated with a first request type, and the second data store is associated with a second request type,
- the set of instructions for forwarding the requests further comprises a set of instructions for forwarding the requests that are associated with a third type that is different than the first and second types to the content servers at a rate faster than a first rate used to forward requests of the first type but slower than a second rate used to forward requests of the second type.
38. The non-transitory machine readable medium of claim 36, wherein the third type is a request type defined for requests from unknown sources.
Type: Application
Filed: May 3, 2021
Publication Date: Sep 2, 2021
Inventor: Raju Kumar (Sunnyvale, CA)
Application Number: 17/306,912