1. Enhanced inter-network monitoring and adaptive management of DNS traffic

    Publication number: US10560422B2

    Publication date: 2020-02-11

    Application number: US15193806

    Application date: 2016-06-27

    Applicant: VERISIGN, INC.

    Abstract: Systems and methods for enhanced monitoring and adaptive management of inter-network Domain Name System (“DNS”) traffic include an information capture device in a monitored network. The information capture device receives a redirected connection request originated by a client machine in the monitored network in response to a modified DNS answer from a recursive name server outside of the monitored network, captures detailed information associated with the redirected connection request that is inaccessible to the recursive name server, and sends the captured information to a data storage accessible to the recursive name server for storage as augmented DNS data associated with the client machine and/or the redirected connection request. The information capture device further provides, in response to the redirected connection request, an adaptive answer generated based on the augmented DNS data to the client machine.

    2. Methods and systems for bootstrapping

    Publication number: US09935771B2

    Publication date: 2018-04-03

    Application number: US14860885

    Application date: 2015-09-22

    Applicant: VERISIGN, INC.

    Abstract: The disclosure is directed to securely bootstrapping devices in a network environment. Methods and systems include hardware and/or operations for receiving, based on an identifier provisioned at a relying entity, instances of a security credential of an information system, wherein the instances are associated with respective certifying entities. The operations also include verifying the authenticity of the instances of the security credential using information of the certifying entities provisioned at the relying entity. The operations further include determining matches between the instances of the security credential. Additionally, the operations include determining, based on the matches, that a first instance of the security credential satisfies a policy provisioned at the relying entity. Further, the operations include verifying the authenticity of information requested from the information system using the first instance of the security credential. In various implementations, the information system may be the domain name system.

    3. Active validation for DDoS and SSL DDoS attacks

    Publication number: US10250618B2

    Publication date: 2019-04-02

    Application number: US15092165

    Application date: 2016-04-06

    Applicant: VERISIGN, INC.

    Abstract: Methods and systems for detecting and responding to Denial of Service (“DoS”) attacks comprise: detecting a DoS attack or potential DoS attack against a first server system comprising one or more servers; receiving, at a second server system comprising one or more servers, network traffic directed to the first server system; subjecting requesting clients to one or more challenge mechanisms, the challenge mechanisms including one or more of challenging requesting clients to follow through HTTP redirect responses, challenging requesting clients to request Secure Sockets Layer (SSL) session resumption, or challenging requesting clients to store and transmit HTTP cookies; identifying one or more non-suspect clients; and forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system. Once a client has been validated, clients may communicate directly with application servers in a secure manner by transparently passing through intermediary proxy servers.

    4. QUERY LATENCY OF A DNS SERVICE
    Type: Invention patent application (pending, published)

    Publication number: US20160254955A1

    Publication date: 2016-09-01

    Application number: US15054894

    Application date: 2016-02-26

    Applicant: VERISIGN, INC.

    CPC classification number: H04L41/0816 H04L43/0852 H04L61/1511 H04L61/6004

    Abstract: Systems, methods, and computer-readable mediums are provided that access a set of data related to a plurality of domain name system (DNS) requests for a plurality of subnets in a network. A subset of the set of data that is a representative sample of the set of data is selected. Latency of the subset of the data is estimated and latency is estimated for the totality of the data. A portion of the network is modified based on the estimated latency of the totality of the data.

    5. SYSTEMS AND METHODS FOR PRE-SIGNING OF DNSSEC ENABLED ZONES INTO RECORD SETS
    Type: Invention patent application (granted, in force)

    Publication number: US20140282847A1

    Publication date: 2014-09-18

    Application number: US14092528

    Application date: 2013-11-27

    Applicant: VERISIGN, INC.

    CPC classification number: H04L63/20 H04L61/1511 H04L63/0823 H04L63/12

    Abstract: Implementations relate to systems and methods for pre-signing of DNSSEC enabled zones into record sets. A domain name system (DNS) can receive and/or impose a set of DNS policies desired by an administrator, or the DNS operator itself to govern domain name resolution with security extensions (DNSSEC) for a Web domain. The DNS can generate a set of answers to user questions directed to the domain based on the set of policies. Those answers which differ or vary based on policy rules can be stored as variant answers, and can be labeled with a variant ID. The variant answers can be pre-signed and stored in the DNS. Because key data and other information is generated and stored before a DNS request is received, the requested variant answer can be returned with greater responsiveness and security.

    6. Systems and methods for pre-signing of DNSSEC enabled zones into record sets

    Publication number: US09961110B2

    Publication date: 2018-05-01

    Application number: US14092528

    Application date: 2013-11-27

    Applicant: VERISIGN, INC.

    CPC classification number: H04L63/20 H04L61/1511 H04L63/0823 H04L63/12

    Abstract: Implementations relate to systems and methods for pre-signing of DNSSEC enabled zones into record sets. A domain name system (DNS) can receive and/or impose a set of DNS policies desired by an administrator, or the DNS operator itself to govern domain name resolution with security extensions (DNSSEC) for a Web domain. The DNS can generate a set of answers to user questions directed to the domain based on the set of policies. Those answers which differ or vary based on policy rules can be stored as variant answers, and can be labeled with a variant ID. The variant answers can be pre-signed and stored in the DNS. Because key data and other information is generated and stored before a DNS request is received, the requested variant answer can be returned with greater responsiveness and security.
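The pre-signing scheme described in both listings of "Systems and methods for pre-signing of DNSSEC enabled zones into record sets" above, as an added example (this is not Verisign's code and not the patent's implementation): a policy table yields several variant answers for one name, each variant is labelled with a variant ID and signed once before any query arrives, and the query path only selects a variant and returns the stored signature. The zone data, the policy attributes (resolver region) and the key are constructed; an HMAC stands in for the RRSIG signature so the block runs with the standard library only.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a DNSSEC zone-signing key; HMAC replaces RRSIG generation here.
ZSK = b"constructed-zone-signing-key"


@dataclass(frozen=True)
class SignedAnswer:
    name: str
    rtype: str
    variant_id: str
    rdata: tuple
    signature: str


def canonical(name, rtype, rdata):
    """Canonical form of the RRset: lower-cased owner name, type, sorted RDATA."""
    return "\n".join([name.lower(), rtype] + sorted(rdata)).encode()


def sign_rrset(name, rtype, rdata, key=ZSK):
    return hmac.new(key, canonical(name, rtype, rdata), hashlib.sha256).hexdigest()


def verify_rrset(answer, key=ZSK):
    expected = sign_rrset(answer.name, answer.rtype, answer.rdata, key)
    return hmac.compare_digest(expected, answer.signature)


# Constructed policy: www.example.com is answered differently per resolver region,
# with a default for everyone else. Each key below is a variant ID.
POLICIES = {
    ("www.example.com.", "A"): {
        "default": ("198.51.100.10",),
        "region:eu": ("203.0.113.20",),
        "region:apac": ("203.0.113.30",),
    }
}


def presign_zone(policies, key=ZSK):
    """Generate and sign every variant answer ahead of time; this is the only signing step."""
    store = {}
    for (name, rtype), variants in policies.items():
        for variant_id, rdata in variants.items():
            sig = sign_rrset(name, rtype, rdata, key)
            store[(name, rtype, variant_id)] = SignedAnswer(name, rtype, variant_id, rdata, sig)
    return store


def select_variant(policies, name, rtype, resolver_attrs):
    """Pick the variant ID whose policy rule matches the querying resolver, else the default."""
    variants = policies.get((name, rtype))
    if variants is None:
        return None
    for attr in resolver_attrs:
        if attr in variants:
            return attr
    return "default"


def answer_query(store, policies, name, rtype, resolver_attrs=()):
    """Query-time path: select the variant and return the pre-signed answer without signing."""
    variant_id = select_variant(policies, name, rtype, resolver_attrs)
    if variant_id is None:
        return None
    return store[(name, rtype, variant_id)]
```

Because the store holds one signature per variant, the query path never touches the signing key; a resolver validating the answer only needs the public side of whatever key replaced the HMAC in a real deployment.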

    7. ENHANCED INTER-NETWORK MONITORING AND ADAPTIVE MANAGEMENT OF DNS TRAFFIC
    Type: Invention patent application (pending, published)

    Publication number: US20160380960A1

    Publication date: 2016-12-29

    Application number: US15193806

    Application date: 2016-06-27

    Applicant: VERISIGN, INC.

    Abstract: Systems and methods for enhanced monitoring and adaptive management of inter-network Domain Name System (“DNS”) traffic include an information capture device in a monitored network. The information capture device receives a redirected connection request originated by a client machine in the monitored network in response to a modified DNS answer from a recursive name server outside of the monitored network, captures detailed information associated with the redirected connection request that is inaccessible to the recursive name server, and sends the captured information to a data storage accessible to the recursive name server for storage as augmented DNS data associated with the client machine and/or the redirected connection request. The information capture device further provides, in response to the redirected connection request, an adaptive answer generated based on the augmented DNS data to the client machine.

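The flow described in both listings of "Enhanced inter-network monitoring and adaptive management of DNS traffic" above, as an added example (not Verisign's code): the recursive resolver outside the monitored network answers a policy-flagged name with the address of a capture device inside that network; the capture device records what the resolver cannot see (the client's pre-NAT address, Host header, path, User-Agent) into a store both sides can read, and answers the redirected request adaptively from that augmented data. The flagged names, addresses, the threshold rule and the request objects are all constructed; a real capture device would terminate the HTTP connection rather than receive a dataclass.

```python
from collections import defaultdict
from dataclasses import dataclass

CAPTURE_DEVICE_IP = "10.10.0.5"      # assumed address of the capture device in the monitored network
SHARED_STORE = defaultdict(list)     # data storage accessible to both resolver and capture device

# Constructed policy: names the resolver redirects, and the address the name really resolves to.
FLAGGED = {"updates.example.net.": "192.0.2.40"}


@dataclass
class ConnectionRequest:
    client_ip: str      # internal address; the external resolver only ever sees the NAT egress IP
    host: str
    path: str
    user_agent: str


def recursive_resolve(qname, qtype="A"):
    """Outside resolver: flagged names get a modified answer pointing at the capture device."""
    if qtype == "A" and qname in FLAGGED:
        return {"name": qname, "rdata": CAPTURE_DEVICE_IP, "modified": True}
    return {"name": qname, "rdata": "198.51.100.1", "modified": False}  # constructed ordinary answer


def capture_and_answer(req, store=SHARED_STORE, threshold=3):
    """Capture device: store the details the resolver lacks, then build the adaptive answer."""
    qname = req.host.rstrip(".") + "."
    store[(req.client_ip, qname)].append(
        {"client": req.client_ip, "path": req.path, "ua": req.user_agent}
    )
    hits = len(store[(req.client_ip, qname)])
    # Adaptive answer derived from the augmented data: a client that keeps returning to a
    # flagged name is blocked; otherwise it is sent on to the real address.
    if qname in FLAGGED and hits >= threshold:
        return {"status": 403, "reason": "client exceeded redirect threshold"}
    real = FLAGGED.get(qname)
    if real is None:
        return {"status": 404, "reason": "no target for this name"}
    return {"status": 302, "location": f"http://{real}{req.path}"}


def augmented_data(client_ip, qname, store=SHARED_STORE):
    """What the recursive resolver can now read about this client and name."""
    return list(store.get((client_ip, qname), []))
```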
    8. Query latency of a DNS service
    Type: Granted invention patent

    Publication number: US10050831B2

    Publication date: 2018-08-14

    Application number: US15054894

    Application date: 2016-02-26

    Applicant: VERISIGN, INC.

    Abstract: Systems, methods, and computer-readable mediums are provided that access a set of data related to a plurality of domain name system (DNS) requests for a plurality of subnets in a network. A subset of the set of data that is a representative sample of the set of data is selected. Latency of the subset of the data is estimated and latency is estimated for the totality of the data. A portion of the network is modified based on the estimated latency of the totality of the data.
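The sampling-and-extrapolation step described in both listings of "Query latency of a DNS service" above, as an added example (not Verisign's code): per-subnet DNS request records are sampled at a fixed fraction per subnet so the subset stays representative, a per-subnet latency estimate is computed on the subset, the estimate for the totality is the count-weighted combination, and subnets well above that figure are flagged for a routing change. The request records, subnet latency profile, sampling fraction and the 1.5x threshold are constructed.

```python
import random
import statistics
from collections import defaultdict


def make_dataset(seed=7):
    """Constructed DNS request records: (subnet, latency_ms). Real data would come from resolver logs."""
    rng = random.Random(seed)
    profile = {"10.0.0.0/24": 12.0, "10.0.1.0/24": 45.0, "10.0.2.0/24": 20.0}
    data = []
    for subnet, base in profile.items():
        for _ in range(600):
            data.append((subnet, max(1.0, rng.gauss(base, base * 0.2))))
    rng.shuffle(data)
    return data


def stratified_sample(data, fraction, seed=1):
    """Representative subset: the same fraction of requests from every subnet."""
    rng = random.Random(seed)
    by_subnet = defaultdict(list)
    for subnet, latency in data:
        by_subnet[subnet].append(latency)
    sample = {}
    for subnet, latencies in by_subnet.items():
        k = max(1, int(len(latencies) * fraction))
        sample[subnet] = rng.sample(latencies, k)
    counts = {subnet: len(latencies) for subnet, latencies in by_subnet.items()}
    return sample, counts


def estimate_latency(sample):
    """Per-subnet estimate on the subset; the median resists the long tail of slow queries."""
    return {subnet: statistics.median(latencies) for subnet, latencies in sample.items()}


def extrapolate(per_subnet, counts):
    """Estimate for the totality: subnet estimates weighted by each subnet's full request count."""
    total = sum(counts.values())
    return sum(per_subnet[subnet] * counts[subnet] for subnet in counts) / total


def plan_changes(per_subnet, overall, factor=1.5):
    """Subnets whose estimate exceeds the network-wide estimate by the factor get re-routed."""
    return sorted(subnet for subnet, latency in per_subnet.items() if latency > overall * factor)
```

Sampling the same fraction from each subnet is what keeps a small, heavily used subnet from disappearing from the subset; a plain uniform sample of the whole set would be dominated by whichever subnets send the most queries.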

    9. METHODS AND SYSTEMS FOR BOOTSTRAPPING

    Publication number: US20170085380A1

    Publication date: 2017-03-23

    Application number: US14860885

    Application date: 2015-09-22

    Applicant: VERISIGN, INC.

    Abstract: The disclosure is directed to securely bootstrapping devices in a network environment. Methods and systems include hardware and/or operations for receiving, based on an identifier provisioned at a relying entity, instances of a security credential of an information system, wherein the instances are associated with respective certifying entities. The operations also include verifying the authenticity of the instances of the security credential using information of the certifying entities provisioned at the relying entity. The operations further include determining matches between the instances of the security credential. Additionally, the operations include determining, based on the matches, that a first instance of the security credential satisfies a policy provisioned at the relying entity. Further, the operations include verifying the authenticity of information requested from the information system using the first instance of the security credential. In various implementations, the information system may be the domain name system.
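The bootstrap procedure described in both listings of "Methods and systems for bootstrapping" above, as an added example (not Verisign's code): the relying entity is provisioned with the credential identifier, the certifying entities' verification keys and a policy (how many independent certifiers must agree); it receives several instances of the credential, verifies each instance's attestation, groups the verified instances by value, accepts the value that meets the policy, and then uses that value to check information from the information system. The certifier keys, the credential values and the 2-of-3 policy are constructed, and HMAC stands in for the certifiers' signatures and for the information system's own signature, so the block runs with the standard library only.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Provisioned at the relying entity (all constructed): what to fetch, who may vouch for it,
# and how many certifiers must agree before an instance is trusted.
CREDENTIAL_ID = "root-zone-ksk"
CERTIFIER_KEYS = {"certifier-a": b"key-a", "certifier-b": b"key-b", "certifier-c": b"key-c"}
POLICY_MIN_MATCHES = 2


def attest(certifier, credential_id, credential, key):
    """A certifier's attestation over (certifier, id, value). HMAC stands in for a signature."""
    msg = f"{certifier}|{credential_id}|{credential}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_attestation(instance):
    """Check an instance against the certifier information provisioned at the relying entity."""
    key = CERTIFIER_KEYS.get(instance["certifier"])
    if key is None:
        return False  # unknown certifier: nothing provisioned to verify it with
    expected = attest(instance["certifier"], instance["credential_id"], instance["credential"], key)
    return hmac.compare_digest(expected, instance["attestation"])


def bootstrap(instances, min_matches=POLICY_MIN_MATCHES):
    """Return the credential value that enough verified certifiers agree on, or None."""
    seen = defaultdict(set)
    for inst in instances:
        if inst["credential_id"] != CREDENTIAL_ID or not verify_attestation(inst):
            continue
        seen[inst["certifier"]].add(inst["credential"])
    # A certifier that vouches for two different values is contradictory and is not counted.
    votes = Counter(next(iter(values)) for values in seen.values() if len(values) == 1)
    for credential, n in votes.most_common():
        if n >= min_matches:
            return credential
    return None


def sign_information(credential, data):
    """Stand-in for the information system signing its data with the bootstrapped credential."""
    return hmac.new(credential.encode(), data, hashlib.sha256).hexdigest()


def verify_information(credential, data, sig):
    """Use the bootstrapped credential to verify information requested from the system."""
    return hmac.compare_digest(sign_information(credential, data), sig)
```

The policy is what makes a single compromised or mistaken certifier harmless: its instance verifies, but on its own it never reaches the agreement threshold.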

    10. ACTIVE VALIDATION FOR DDOS AND SSL DDOS ATTACKS
    Type: Invention patent application (pending, published)

    Publication number: US20160226896A1

    Publication date: 2016-08-04

    Application number: US15092165

    Application date: 2016-04-06

    Applicant: VERISIGN, INC.

    Abstract: Methods and systems for detecting and responding to Denial of Service (“DoS”) attacks comprise: detecting a DoS attack or potential DoS attack against a first server system comprising one or more servers; receiving, at a second server system comprising one or more servers, network traffic directed to the first server system; subjecting requesting clients to one or more challenge mechanisms, the challenge mechanisms including one or more of challenging requesting clients to follow through HTTP redirect responses, challenging requesting clients to request Secure Sockets Layer (SSL) session resumption, or challenging requesting clients to store and transmit HTTP cookies; identifying one or more non-suspect clients, the one or more non-suspect clients corresponding to requesting clients that successfully complete the one or more challenge mechanisms; identifying one or more suspect clients, the one or more suspect clients corresponding to requesting clients that do not successfully complete the one or more challenge mechanisms; and forwarding, by the second server system, traffic corresponding to the one or more non-suspect clients to the first server system. Once a client has been validated, clients may communicate directly with application servers in a secure manner by transparently passing through one or more intermediary proxy servers.

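The redirect and cookie challenges described in both listings of "Active validation for DDoS and SSL DDoS attacks" above, as an added example (not Verisign's code; the SSL session-resumption challenge is not shown): the second server system answers an unknown client with a 302 to the same URL and a cookie carrying an expiring token bound to the client's address, forwards to the first server system only clients that return a valid token, and classifies clients that never complete the redirect-and-cookie round trip as suspect. The proxy secret, the token lifetime, and the two simulated client types (a browser-like client that keeps cookies and follows redirects, and a flood tool that does neither) are constructed.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-proxy-secret"   # per-deployment secret held by the second server system
COOKIE = "av"
TTL = 300                              # seconds a validation token stays usable


def _mac(client_ip, expiry):
    return hmac.new(SECRET, f"{client_ip}|{expiry}".encode(), hashlib.sha256).hexdigest()[:32]


def make_token(client_ip, now):
    """Stateless token: expiry plus a MAC over (client address, expiry); nothing stored server-side."""
    expiry = int(now) + TTL
    return f"{expiry}.{_mac(client_ip, expiry)}"


def check_token(client_ip, token, now):
    """Valid only for the address it was issued to and before its expiry."""
    try:
        expiry_s, mac = token.split(".", 1)
        expiry = int(expiry_s)
    except (ValueError, AttributeError):
        return False
    if expiry < now:
        return False
    return hmac.compare_digest(_mac(client_ip, expiry), mac)


def handle(req, now=None):
    """Second server system: forward validated clients, challenge everyone else."""
    now = time.time() if now is None else now
    token = req.get("cookies", {}).get(COOKIE)
    if token is not None and check_token(req["client_ip"], token, now):
        return {"action": "forward", "to": "first-server-system", "client": req["client_ip"]}
    # Challenge: redirect to the same URL and set the cookie. Only a client that stores the
    # cookie and follows the redirect presents a valid token on its next request.
    return {"action": "challenge", "status": 302, "location": req["path"],
            "set_cookie": {COOKIE: make_token(req["client_ip"], now)}}


class BrowserClient:
    """Keeps cookies and follows redirects, like a real user agent."""
    def __init__(self, ip, path="/"):
        self.ip, self.path, self.cookies = ip, path, {}

    def request(self):
        return {"client_ip": self.ip, "path": self.path, "cookies": dict(self.cookies)}

    def follow(self, resp):
        self.cookies.update(resp.get("set_cookie", {}))
        self.path = resp["location"]
        return True


class FloodClient(BrowserClient):
    """Fires requests but ignores redirects and cookies, like a simple attack tool."""
    def follow(self, resp):
        return False


def classify(clients, max_rounds=2):
    """Run each simulated client through the challenge and label it non-suspect or suspect."""
    result = {}
    for client in clients:
        for _ in range(max_rounds):
            resp = handle(client.request())
            if resp["action"] == "forward":
                result[client.ip] = "non-suspect"
                break
            if not client.follow(resp):
                break
        result.setdefault(client.ip, "suspect")
    return result
```

Binding the MAC to the client address is what stops a validated token from being harvested once and replayed from the flood sources; the expiry bounds how long a token stays useful if an attacker does manage to complete the challenge from a single address.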