Efficient unified certificate revocation lists
US-9641343-B1 · May 2, 2017 · US
US10104119B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10104119-B2 |
| Application number | US-201615151709-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 11, 2016 |
| Priority date | May 11, 2016 |
| Publication date | Oct 16, 2018 |
| Grant date | Oct 16, 2018 |
Official abstract text for this publication.
In one embodiment, a distributed denial of service attack on a network is identified. In response to the distributed denial of service attack, a script to request a short term certificate is executed. The short term certificate is generated by a certificate server and received either directly or indirectly from the certificate server. An instruction to redirect traffic using the short term certificate and private key is sent to a distributed denial of service attack protection service that is operable to filter or otherwise mitigate malicious traffic involved in the distributed denial of service attack.
Opening claim text (preview).
We claim:
1. A method of providing a short term certificate during a distributed denial of service attack on a network, the method comprising: identifying, by a processor, a distributed denial of service attack on a network; executing, by the processor, a script to request a short term certificate in response to, and at the time of, identifying the distributed denial of service attack, wherein the network is associated with a first certificate and wherein the short term certificate has a predetermined duration that is less than a duration of the first certificate; receiving the short term certificate generated by a certificate server; updating a transport layer security record under domain name service (DNS) based authentication of named entities (DANE) according to the short term certificate; generating, by the processor, an instruction to redirect traffic from the network during the distributed denial of service attack to a protection service using the short term certificate and associated private key, wherein malicious traffic involved in the distributed denial of service attack is filtered by the protection service in response to the short term certificate; and wherein filtered traffic is provided from the protection service to the network.
2. The method of claim 1, wherein the distributed denial of service attack is identified by an on premise security device coupled with the network.
3. The method of claim 1, wherein the distributed denial of service attack is identified by a security device in a service provider network.
4. The method of claim 1, further comprising: advertising a gateway protocol message including an address for the protection service.
5. The method of claim 4, further comprising: advertising a gateway protocol message including an address for the network after the distributed denial of service attack.
6. The method of claim 1, further comprising: sending a request to revoke the short term certificate to the certificate server.
7. The method of claim 1, wherein the script to request the short term certificate includes an expiration time period for the short term certificate.
8. The method of claim 1, further comprising: establishing a secure channel between the protection service and the network.
9. An apparatus for providing a short term certificate during a distributed denial of service attack on a network, the apparatus comprising: a processor; and a memory comprising one or more instructions executable by the processor to perform: identify a distributed denial of service attack on a network; execute the processor, a script to request a short term certificate in response to, and at the time of, identifying the distributed denial of service attack, wherein the network is associated with a first certificate and wherein the short term certificate has a predetermined duration that is less than a duration of the first certificate; receive the short term certificate generated by a certificate server; update a transport layer security record under domain name service (DNS) based authentication of named entities (DANE) according to the short term certificate; generate an instruction to a protection service to service traffic from the network during the distributed denial of service attack using the short term certificate and private key, wherein malicious traffic involved in the distributed denial of service attack is filtered by the protection service in response to the short term certificate; and wherein filtered traffic is provided from the protection service to the network.
10. The apparatus of claim 9, wherein the distributed denial of service attack is identified by an on premise security device coupled with the network or by a security device in a service provider network.
11. A non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to perform operations for providing a short term certificate during a distributed denial of service attack on a network, the operations including: identifying a distributed denial of service attack on a network; executing a script to request a short term certificate in response to, and at the time of, identifying the distributed denial of service attack, wherein the network is associated with a first certificate and wherein the short term certificate has a predetermined duration that is less than a duration of the first certificate; receiving the short term certificate generated by a certificate server; updating a transport layer security record under domain name service (DNS) based authentication of named entities (DANE) according to the short term certificate; generating an instruction to redirect traffic from the network during the distributed denial of service attack to a protection service using the short term certificate and associated private key, wherein malicious traffic involved in the distributed denial of service attack is filtered by the protection service in response to the short term certificate; and wherein filtered traffic is provided from the protection service to the network.
12. The computer readable storage media of claim 11, wherein the instructions for identifying include instructions for identifying, by an on premise security device coupled with the network, the distributed denial of service attack.
13. The computer readable storage media of claim 11, wherein the instructions for identifying include instructions for identifying, by a security device in a service provider network, the distributed denial of service attack.
14. The computer readable storage media of claim 11, further comprising instructions for: advertising a gateway protocol message including an address for the protection service.
15. The computer readable storage media of claim 11, further comprising instructions for: advertising a gateway protocol message including an address for the network after the distributed denial of service attack.
16. The computer readable storage media of claim 11, further comprising instructions for: sending a request to revoke the short term certificate to the certificate server.
17. The computer readable storage media of claim 11, wherein the script to request the short term certificate includes an expiration time period for the short term certificate.
18. The computer readable storage media of claim 11, further comprising instructions for: establishing a secure channel between the protection service and the network.
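The procedure the abstract and claims describe, as an added Python sketch that is not part of the patent or of any product: it enforces the shorter-duration constraint on the short term certificate, derives the DANE TLSA record from that certificate, and emits the redirect step for the attack and the revoke/restore step after it. The addresses, the SPKI bytes, the certificate-server stand-in and the TLSA parameters (3 1 1) are assumptions, since the claims do not fix them.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed placeholder addresses (assumptions; a deployment takes them from config).
PROTECTION_SERVICE_ADDR = "203.0.113.10"  # DDoS protection service
NETWORK_ADDR = "198.51.100.0/24"          # the protected network

@dataclass(frozen=True)
class Certificate:
    subject: str
    spki_der: bytes        # DER SubjectPublicKeyInfo; constructed bytes in the demo
    not_before: datetime
    not_after: datetime

    @property
    def duration(self) -> timedelta:
        return self.not_after - self.not_before

def tlsa_rdata(cert: Certificate) -> str:
    """TLSA RDATA: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
    The parameters are an assumption; the claims only say the record is updated."""
    return f"3 1 1 {hashlib.sha256(cert.spki_der).hexdigest()}"

def request_short_term_certificate(first: Certificate, spki_der: bytes,
                                   now: datetime, hours: int = 24) -> Certificate:
    """Stand-in for the script that asks the certificate server for the short term
    certificate; enforces the claimed duration constraint against the first certificate."""
    short = Certificate(first.subject, spki_der, now, now + timedelta(hours=hours))
    if short.duration >= first.duration:
        raise ValueError("short term certificate must be shorter-lived than the first")
    return short

def start_mitigation(first: Certificate, short_spki: bytes, now: datetime) -> dict:
    """Run once the attack is identified: obtain the short term certificate,
    publish its TLSA record, and redirect traffic to the protection service."""
    short = request_short_term_certificate(first, short_spki, now)
    tlsa_name = f"_443._tcp.{first.subject}"
    return {"short_term_certificate": short,
            "dns_update": {"name": tlsa_name, "type": "TLSA", "rdata": tlsa_rdata(short)},
            "redirect": {"advertise": PROTECTION_SERVICE_ADDR, "certificate": short}}

def end_mitigation(first: Certificate, short: Certificate) -> dict:
    """After the attack: revoke the short term certificate, restore the first
    certificate's TLSA record, and advertise the network's own address again."""
    return {"revoke": short,
            "dns_update": {"name": f"_443._tcp.{first.subject}", "type": "TLSA",
                           "rdata": tlsa_rdata(first)},
            "redirect": {"advertise": NETWORK_ADDR}}
```

A deployment would also keep the TLSA record's TTL well below the short term certificate's lifetime, so that the restore in end_mitigation reaches resolvers before the short term certificate is revoked.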
Traffic logging, e.g. anomaly detection · CPC title
Electricity · mapped topic
Generation of secret information including derivation or calculation of cryptographic keys or passwords · CPC title
in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title
in the application layer [OSI layer 7] · CPC title