Communications networks and systems may be vulnerable to distributed denial of service attacks in which one or more user elements bombard the network with huge quantities of bogus service requests, either to cause a system within the network to overload and crash, or to overwhelm the system so completely that valid service requests cannot be processed while the system is busy handling the bogus ones.
Networks may monitor the quantity of service requests arriving from each Internet protocol (IP) address and block IP addresses as needed to mitigate the damage from all of the service requests. However, in distributed attacks, the bogus service requests are typically arriving from many different user elements, some of which may be participating only because they have been compromised and may be used in a so-called man-in-the-middle attack.
Overview
Embodiments disclosed herein provide systems and methods for improving resistance to distributed denial of service attacks within a communications system. In an embodiment, a method provides for handling service attacks in an application server, including detecting a service attack from a user element, receiving a service request from the user element that includes an Internet protocol address, and in response, sending a first name request to the user element for a service name associated with the user element. The method also includes receiving a response to the first name request that includes a service name from the user element, and sending a second name request to a first domain name server for the service name associated with the Internet protocol address of the user element. The method further includes receiving a second response from the first domain name server that includes a stored service name associated with the user element, and comparing the service name to the stored service name to determine whether or not to allow the service request.
In another embodiment, a communications network is provided. This communications network includes a first domain name server configured to receive a request for a service name including an Internet protocol address from a requesting element. In response to the request, the first domain name server is configured to determine the service name based on the Internet protocol address, and to send the service name to the requesting element.
The communications network also includes an application server configured to detect a service attack from a user element, and to receive a service request from the user element that includes an Internet protocol address. In response to the service request, the application server is configured to send a first name request to the user element for a service name associated with the user element, and to receive a first response to the first name request that includes a service name from the user element.
The application server is also configured to send a second name request to a first domain name server for the service name associated with the Internet protocol address of the user element, to receive a second response from the first domain name server that includes a stored service name associated with the user element, and to compare the service name to the stored service name to determine whether or not to allow the service request.
In another embodiment, an apparatus is provided comprising a non-transitory computer-readable storage medium configured to store program instructions, and program instructions stored on the non-transitory computer-readable storage medium. When executed, the program instructions direct a processor to detect a service attack from a user element, and to receive a service request from the user element that includes an Internet protocol address.
In response to the service request, the program instructions direct the processor to send a first name request to the user element for a service name associated with the user element, and to receive a first response to the first name request that includes a service name from the user element. The program instructions further direct the processor to send a second name request to a first domain name server for the service name associated with the Internet protocol address of the user element, to receive a second response from the first domain name server that includes a stored service name associated with the user element, and to compare the service name to the stored service name to determine whether or not to allow the service request.
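The name-comparison check that the method, the network and the apparatus embodiments above all describe, as an added example that is not part of the patent text: the first domain name server is an in-memory dictionary standing in for a real DNS lookup, the user element's reply to the first name request is passed in as a callable, and the addresses and names are constructed sample values. The example also normalizes DNS names (case, trailing root dot) before comparing, which the text does not spell out but any real implementation needs.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed stand-in for the "first domain name server": IP -> stored service name.
DNS_RECORDS = {
    "198.51.100.7": "ue7.example.net.",
    "203.0.113.9": "ue9.example.net.",
}

def dns_lookup(ip: str) -> Optional[str]:
    """Second name request: ask the DNS server for the stored name for this IP."""
    return DNS_RECORDS.get(ip)

def normalize(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.strip().rstrip(".").lower()

@dataclass
class AppServer:
    under_attack: bool = False          # set by the attack-detection step
    log: List[str] = field(default_factory=list)

    def handle_request(self, ip: str, first_response: Callable[[], Optional[str]]) -> bool:
        """Return True if the service request from `ip` is allowed.

        `first_response` returns the user element's answer to the first name
        request (None if it supplies no name)."""
        if not self.under_attack:
            return True                 # no attack detected: no challenge issued
        claimed = first_response()      # first name request / first response
        if claimed is None:
            self.log.append(f"{ip}: no service name supplied, rejected")
            return False
        stored = dns_lookup(ip)         # second name request / second response
        if stored is None:
            self.log.append(f"{ip}: no stored name for this IP, rejected")
            return False
        allowed = normalize(claimed) == normalize(stored)
        self.log.append(f"{ip}: claimed={claimed!r} stored={stored!r} allowed={allowed}")
        return allowed

if __name__ == "__main__":
    srv = AppServer(under_attack=True)
    print(srv.handle_request("198.51.100.7", lambda: "UE7.example.net"))  # True
    print(srv.handle_request("203.0.113.9", lambda: "ue7.example.net"))   # False
    print(srv.handle_request("192.0.2.55", lambda: "rogue.example.net"))  # False
    print("\n".join(srv.log))
```

A request whose claimed name does not match the DNS record for its source address, or whose address has no record at all, is refused; outside a detected attack the check is skipped, as the text describes.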