(12) United States Patent
Sample

(10) Patent No.: US 7,353,538 B2
(45) Date of Patent: Apr. 1, 2008

(54) SERVER RESOURCE MANAGEMENT, ANALYSIS, AND INTRUSION NEGATION

(75) Inventor: Char Sample, Ellicott City, MD (US)

(73) Assignee: Federal Network Systems LLC, Arlington, VA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 4 days.

(21) Appl. No.: 10/290,961
(22) Filed: Nov. 8, 2002

(51) Int. Cl.
G06F 11/00 (2006.01)
G06F 2/14 (2006.01)
G06F 2/16 (2006.01)
G06F 5/8 (2006.01)
G08B 23/00 (2006.01)
H04K 1/00 (2006.01)
H04L 9/00 (2006.01)

(52) U.S. Cl.: 726/23; 726/1; 726/26; 726/25; 713/164; 713/165; 713/166; 713/167; 709/226; 718/105

(58) Field of Classification Search: 709/219, 709/224, 229, 233, 235, 226; 713/151, 201, 713/165, 166, 167; 714/47; 726/23, 24, 726/25, 1; 718/105; 716/164
See application file for complete search history.

Primary Examiner: Kambiz Zand
Assistant Examiner: Michael J Simitoski

(57) ABSTRACT

A console host and intrusion negation system (CHAINS) includes a host component 202 and a console component 203. The host component 202 monitors resources at a server 501-503. Resources that are becoming overloaded can be throttled back. Reports relating to resource usage may be transmitted to the console component. At the console component, resource reports from multiple host components may be viewed and managed.

25 Claims, 6 Drawing Sheets

`Cloudflare - Exhibit 1087, page 1

SERVER RESOURCE MANAGEMENT, ANALYSIS, AND INTRUSION NEGATION

RELATED APPLICATIONS

This application is related to the concurrently-filed application Ser. No. 10/290,834, titled “Systems and Methods For Preventing Intrusion at a Web Host.”

BACKGROUND OF THE INVENTION

A. Field of the Invention

The present invention relates generally to computer networks, and more particularly, to resource management of server computers in a public network, such as the Internet.

B. Description of Related Art

Network computer servers, such as computers that transmit HTML (HyperText Markup Language) documents to client computing devices on the Internet, may interact and receive data requests from many different end-users. It is frequently important that these computer servers maintain high levels of uptime. For example, if a server for an e-commerce site fails to respond to user requests, the site may lose sales.

There are many reasons why a server, or a group of servers, may fail. For example, the server may experience software or hardware errors that cause the server to fail. Additionally, the server may experience resource-related problems, such as too many users trying to simultaneously communicate with the server. Such resource-related problems can be “natural” resource problems in which too many bona fide users are trying to access the system simultaneously or malicious problems such as denial of service (DoS) or distributed denial of service (DDoS) attacks. In a DoS or DDoS attack, a compromised system or a multitude of compromised systems flood a server with incoming messages in an attempt to overwhelm the available server resources. Legitimate users of the server may then be denied service by the server due to the overload of its resources.

Accordingly, server system availability is an important concern for network servers, such as Internet servers. Conventional hardware solutions, such as clustering and failover, offer some assurances in this area by offering more resources to the users. However, these solutions can fail when faced with automated DoS and DDoS attacks that simply keep taking resources.

Accordingly, there is a need in the art to improve resource management in the face of attacks on system resources.

SUMMARY OF THE INVENTION

Systems and methods consistent with the principles of this invention implement a console host intrusion negation system (CHAINS) that monitors selected resources on one or more computer servers and throttles back resource usage when a server resource is overburdened.

A method consistent with an aspect of the invention includes monitoring resources associated with a network server and comparing activity levels of the resources to predetermined threshold activity levels. The method further includes reducing usage of one of the resources when the activity level associated with the resource increases above the predetermined threshold activity level.

A second aspect consistent with the invention is directed to a computer server that includes a processor, a communication interface, and a memory containing instructions. The instructions, when executed by the processor, cause the processor to monitor a usage level of the processor, the communication interface, and the memory. The instructions additionally compare the usage level of the communication interface to a first threshold and throttle back a number of active network connections when the usage level of the communication interface is greater than the first threshold; compare the usage level of the memory to a second threshold and shut down inactive processes when the usage level of the memory is above the second threshold; and compare the usage level of the processor to a third threshold and shut down inactive processes when the usage level of the processor is above the third threshold.

Yet another aspect of the present invention is directed to a system that includes a number of first computing devices and a second computing device. The first computing devices include a host software component configured to monitor resources of the first computing device and throttle back resource usage when resources of the first computing devices are being used above predetermined threshold levels. The second computing device includes a console software component configured to display alerts when the resources of the first computing devices are being used above the predetermined threshold levels.

Yet another aspect consistent with the present invention is directed to a method that includes displaying information relating to resources of remote computers, receiving information defining threshold levels for the resources at the remote computers, and transmitting the information defining the threshold levels for the resources to the remote computers. The remote computers throttle back resource usage when a resource usage level exceeds the threshold levels.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate the invention and, together with the description, explain the invention. In the drawings,

FIG. 1 is a diagram illustrating an exemplary system in which concepts consistent with the invention may be implemented;

FIG. 2 is a diagram of an exemplary computing device that may correspond to one of the servers in FIG. 1;

FIG. 3 is a diagram conceptually illustrating the interaction of a host component with elements of the server shown in FIG. 2;

FIG. 4 is a flow chart illustrating operation of a host component consistent with an aspect of the invention;

FIG. 5 is a diagram illustrating an implementation of a console component consistent with aspects of the invention; and

FIG. 6 is a diagram illustrating an exemplary graphical user interface (GUI) that may be displayed by the console component.

DETAILED DESCRIPTION

The following detailed description of the invention refers to the accompanying drawings. The same reference numbers may be used in different drawings to identify the same or similar elements. Also, the following detailed description does not limit the invention. Instead, the scope of the invention is defined by the appended claims and equivalents of the claim features.

As described below, a console host and intrusion negation system (CHAINS) monitors selected resources on one or more computer servers. CHAINS may include one or more host software components and a console software component. The host component resides on a server computer and monitors resource usage at the server. If a particular resource is used at a level above a preset threshold, the host component may take remedial action. The remedial action may include, for example, throttling back the resource or notifying a user via the console component.

System Overview

FIG. 1 is a diagram illustrating an exemplary system 100 in which concepts consistent with the present invention may be implemented. System 100 may include a number of end-user computing devices 101A and 101B, a network 102, and server computers 103A-103D (collectively referred to as servers 103). End-user computing devices 101 may include personal computers or the like through which users connect to network 102. Network 102 may include any type of network, such as a local area network (LAN), a wide area network (WAN), a virtual private network (VPN), an intranet, the Internet, or a combination of networks. End-user computing devices 101 and servers 103 may connect to network 102 via wired, wireless, and/or optical connections.

Servers 103 may respond to requests for information from end-user computing devices 101. For example, servers 103 may be HTML servers that interact with end-user computing devices 101 through hyper-text transfer protocol (HTTP) sessions to transmit HTML web pages to users. Server 103 may include a cluster of servers, such as the three servers 103A-103C contained in cluster 105. The servers 103A-103C in cluster 105 may include a load-balancing mechanism through which the servers may jointly handle requests from end-user computing devices 101 in such a manner as to balance the distribution of work among the servers in cluster 105.

FIG. 2 is a diagram of an exemplary computing device that may correspond to one of servers 103. Server 103 may include bus 210, processor 220, main memory 230, read only memory (ROM) 240, storage device 250, input device 260, output device 270, and communication interface 280. Bus 210 permits communication among the components of server 103.

Processor 220 may include any type of conventional processor or microprocessor that interprets and executes instructions. Main memory 230 may include a random access memory (RAM) or another type of dynamic storage device that stores information and instructions for execution by processor 220. ROM 240 may include a conventional ROM device or another type of static storage device that stores static information and instructions for use by processor 220. Storage device 250 may include a magnetic and/or optical recording medium and its corresponding drive.

Input device 260 may include one or more conventional mechanisms that permit an operator to input information to computing device 103, such as a keyboard, a mouse, a pen, a number pad, a microphone and/or biometric mechanisms, etc. Output device 270 may include one or more conventional mechanisms that output information to the operator, including a display, a printer, speakers, etc. Communication interface 280 may include any transceiver-like mechanism that enables computing device 103 to communicate with other devices and/or systems. For example, communication interface 280 may include mechanisms for communicating with another device or system via a network, such as network 102.

In one implementation, main memory 230 may include computer programming instructions that implement a CHAINS host software component 202 and/or console software component 203. The operation of host component 202 and console component 203 will be described in more detail below.

CHAINS

FIG. 3 is a diagram conceptually illustrating the interaction of CHAINS host component 202 with resources associated with server 103. In particular, host component 202 may interact with communication interface 280, storage device 250, memory 230, and processor 220. In general, these elements of server 103 can be considered to be resources of server 103. Host component 202 monitors and controls the activity level of these resources.

FIG. 4 is a flow chart illustrating operation of host component 202 consistent with an aspect of the invention. Host component 202 may begin by checking an activity level of communication interface 280. This may include checking the number of open connections between server 103 and end-user computing devices 101. An end-user computing device 101 that wishes to receive information from server 103 begins by transmitting a request for a connection with server 103. Server 103, in turn, can accept or reject the connection. Additionally, server 103 may keep track of the number of open connections at any particular time.

Host component 202 maintains a threshold level relating to the activity level of communication interface 280. The threshold level may be set by a user either locally at server 103 or, as will be described in more detail below, from a remote computer running console component 203. The threshold level may be derived manually by the user, or automatically, based on historical activity levels. Host component 202 may check to determine whether the activity level of communication interface 280 is above the threshold (Act 402). If it is, host component 202 may take remedial actions to effectively throttle back the number of active connections (Act 403). Such actions can include closing open connections. For example, host component 202 may first close connections that are open but inactive. If the number of connections is still too high, host component 202 may close connections that the server 103 classifies as lower priority connections. If the number of connections is still too high, host component 202 may begin to randomly close open connections. In addition, while the number of open connections is above the threshold, host component 202 may refuse any new connection requests from end-user computing devices 101.

In addition to checking an activity level of communication interface 280, host component 202 may check usage of memory 230. When memory capacity exceeds a predetermined threshold level (e.g., 95% of memory 230 is full), host component 202 may take memory-related remedial actions (Acts 405 and 406). These actions may include, for example, shutting down inactive processes (often referred to as zombie processes).

Host component 202 may also check processor usage. When the load on processor 220 is above a predetermined threshold (e.g., 90% of total processor capacity), host component 220 may take remedial actions (Acts 408 and 409). These actions may be similar to the actions taken in Act 406, and may include, for example, shutting down inactive processes or shutting down lower priority processes.

Host component 202 may also check the capacity of storage device 250, such as a hard disk drive(s). When storage device 250 has exceeded a predetermined threshold capacity (e.g., 95% of capacity), host component 220 may again take remedial action (Acts 411 and 412), such as redirecting future disk write commands to console (i.e., to a monitor) or compressing non-critical files, such as log files.

Host component 202 may alert administrators of the actions taken in Acts 403, 406, 409, and 412 (Act 413). The alert may take the form of an e-mail, a pager notice, or a screen alert to an operator. Additionally, host component 202 may transmit an indication of the alert to a remote computer (Act 414). More particularly, consistent with an aspect of the invention, console component 203, residing at the remote computer, may receive the alert. Console component 203 may be configured to receive and monitor alerts from a number of host components 202 running on a number of different servers 103. This aspect of the invention is described in more detail below.

One of ordinary skill in the art will recognize that commands to check processor load, storage device load, and network connection load are well known, and are thus not described in detail herein.

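
The FIG. 4 pass described above, sketched in Python as an added example (it is not code from the patent). The `Conn` and `Thresholds` types, the 60-second idle cutoff, the connection limit and the action names are assumptions; stage 1 closes every inactive connection, and the later stages close only as many connections as are still needed.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    conn_id: int
    idle_seconds: float   # time since the connection last carried traffic
    low_priority: bool    # the server's own classification (assumed to be a flag)


@dataclass(frozen=True)
class Thresholds:
    connections: int = 100    # assumed value; the description gives none
    memory_pct: float = 95.0  # example value from the description
    cpu_pct: float = 90.0     # example value from the description
    disk_pct: float = 95.0    # example value from the description


IDLE_CUTOFF_S = 60.0  # assumed definition of an "open but inactive" connection


def plan_connection_closures(conns, limit, rng):
    """Act 403: choose connections to close, escalating in three stages.

    Returns a list of (conn_id, reason) in the order the closures are applied.
    """
    if len(conns) <= limit:
        return []
    # Stage 1: connections that are open but inactive.
    plan = [(c.conn_id, "inactive") for c in conns
            if c.idle_seconds >= IDLE_CUTOFF_S]
    remaining = [c for c in conns if c.idle_seconds < IDLE_CUTOFF_S]

    # Stage 2: still too many, so close lower-priority connections.
    excess = len(remaining) - limit
    if excess > 0:
        low = [c for c in remaining if c.low_priority][:excess]
        plan += [(c.conn_id, "low-priority") for c in low]
        chosen = {c.conn_id for c in low}
        remaining = [c for c in remaining if c.conn_id not in chosen]

    # Stage 3: still too many, so close connections at random.
    excess = len(remaining) - limit
    if excess > 0:
        plan += [(c.conn_id, "random") for c in rng.sample(remaining, excess)]
    return plan


def check_host(conns, memory_pct, cpu_pct, disk_pct, thresholds, rng=None):
    """One pass over the four monitored resources; returns a report dict."""
    rng = rng or random.Random()
    actions = []
    over_conn = len(conns) > thresholds.connections            # Act 402
    closures = plan_connection_closures(conns, thresholds.connections, rng)
    if over_conn:
        actions.append("throttle-connections")                 # Act 403
    if memory_pct > thresholds.memory_pct:                      # Acts 405-406
        actions.append("shut-down-inactive-processes:memory")
    if cpu_pct > thresholds.cpu_pct:                            # Acts 408-409
        actions.append("shut-down-inactive-processes:cpu")
    if disk_pct > thresholds.disk_pct:                          # Acts 411-412
        actions.append("compress-noncritical-files")
    return {
        "actions": actions,
        "closures": closures,
        # New requests are refused while the count is above the threshold.
        "refuse_new_connections": over_conn,
        "alert": bool(actions),                                 # Acts 413-414
    }


# Constructed sample: six open connections against a limit of three.
SAMPLE_CONNS = [
    Conn(1, 120.0, False),
    Conn(2, 5.0, True),
    Conn(3, 2.0, False),
    Conn(4, 1.0, False),
    Conn(5, 0.5, False),
    Conn(6, 3.0, False),
]

if __name__ == "__main__":
    report = check_host(SAMPLE_CONNS, memory_pct=96.0, cpu_pct=50.0,
                        disk_pct=10.0, thresholds=Thresholds(connections=3),
                        rng=random.Random(0))
    for key, value in report.items():
        print(key, value)
```
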
FIG. 5 is a diagram illustrating an implementation of console component 203 consistent with aspects of the invention. Console component 203 may execute on a computing device 504, such as a server computer 103, and communicate with one or more host components 202. As shown in FIG. 5, console component 203 is connected to a number of host components 202, executing at servers 501-503. Servers 501 and 502 may be a group of clustered servers that are connected locally or through a local area network to console component 203. Server 503 may be coupled remotely to console component 203 via wide area network 510.

Each of host components 202 may operate to transmit information relating to their generated alerts (see FIG. 4, Act 414). Operators local to console component 203 may view the alert information from multiple host components 202 and manage threshold settings for the host components 202.

FIG. 6 is a diagram illustrating an exemplary graphical user interface (GUI) 600 that may be displayed by console component 203. GUI 600 may include an output section 601 and input section 610. Console component 203 may display alerts received from host components 202 to output section 601. In input section 610, operators may change configuration information, such as the threshold values, for a particular host component 202. Input section 610 may include a selection box 611 through which the user may select the host component 202 that the user is configuring. As shown in FIG. 6, the host component 202 at the server called “Server3” is being configured. Input section 610 may additionally include input boxes 612-615 for inputting threshold information relating to the memory usage threshold, the processor usage threshold, the connection threshold, and the disk usage threshold, respectively.

In addition to merely monitoring and logging resource alerts from host components 202, console component 203 may provide analysis and resource management functions. For example, console component 203 may correlate resource alerts from multiple host components 202. If a number of host components 202 generate similar resource alerts at approximately the same time, this may indicate that a concerted DoS attack is being performed against these computers. Console component 203 may then output information to a user indicating a possible DoS attack.

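
One way the console-side correlation could work, as an added example that is not from the patent: alerts for the same resource from at least `min_hosts` distinct hosts inside a `window_s`-second window are reported as a possible DoS. The `Alert` type, the window length, the host-count cutoff and the sample alerts are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str       # server whose host component raised the alert
    resource: str   # "connections", "memory", "cpu" or "disk" (assumed labels)
    ts: float       # time the alert was raised, in seconds


def correlate(alerts, window_s=60.0, min_hosts=2):
    """Group similar alerts that arrive at approximately the same time.

    Returns a list of (resource, window_start_ts, sorted_hosts) for every
    window in which at least `min_hosts` distinct hosts alerted on the same
    resource. Repeated alerts from one host never satisfy the rule alone.
    """
    by_resource = defaultdict(list)
    for alert in alerts:
        by_resource[alert.resource].append(alert)

    findings = []
    for resource in sorted(by_resource):
        items = sorted(by_resource[resource], key=lambda a: a.ts)
        i = 0
        while i < len(items):
            # Collect every alert within window_s of the alert at index i.
            j = i
            hosts = set()
            while j < len(items) and items[j].ts - items[i].ts <= window_s:
                hosts.add(items[j].host)
                j += 1
            if len(hosts) >= min_hosts:
                findings.append((resource, items[i].ts, sorted(hosts)))
                i = j      # report this cluster once, then move past it
            else:
                i += 1
    return findings


# Constructed sample alerts. The host names follow the "Server3" naming
# shown in the FIG. 6 description; the timestamps are made up.
SAMPLE_ALERTS = [
    Alert("Server1", "connections", 1000.0),
    Alert("Server2", "connections", 1020.0),
    Alert("Server3", "connections", 1045.0),
    Alert("Server1", "memory", 1010.0),
    Alert("Server1", "memory", 1015.0),   # same host repeating: not correlated
    Alert("Server2", "disk", 5000.0),
    Alert("Server3", "disk", 9000.0),     # too far apart: not correlated
]

if __name__ == "__main__":
    for resource, start, hosts in correlate(SAMPLE_ALERTS):
        print(f"possible DoS: {resource} alerts from {hosts} starting at {start}")
```
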

In some implementations, console component 203 may reallocate resources among servers based on alerts received from host components 202. For example, if host component 202 at server 501 issues a disk resource alert, console component 203 may instruct server 501 to begin using the disk resources of server 502.

CONCLUSION

The CHAINS components described above operate to ensure that servers do not crash because of issues relating to resource overload. By constantly monitoring resources of various servers and throttling back resource access when the resources of a server are over taxed, the CHAINS component helps to ensure that the server will continue to operate.

Sometimes the best method for preventing attacks such as DoS and DDoS attacks is to prevent the attack from occurring in the first place. By keeping servers under DoS and DDoS attacks from failing, an attacker may give up and move on to a more susceptible target.

The foregoing description of preferred embodiments of the invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention. Moreover, while a series of acts have been presented with respect to FIG. 4, the order of the acts may be different in other implementations consistent with the present invention. Moreover, non-dependent acts may be performed in parallel.

Certain portions of the invention have been described as software that performs one or more functions. The software may more generally be implemented as any type of logic. This logic may include hardware, such as an application specific integrated circuit or a field programmable gate array, software, or a combination of hardware and software.

No element, act, or instruction used in the description of the present application should be construed as critical or essential to the invention unless explicitly described as such. Also, as used herein, the article 'a' is intended to include one or more items. Where only one item is intended, the term 'one' or similar language is used.

The scope of the invention is defined by the claims and their equivalents.

What is claimed:

1. A method for managing resources, comprising:
monitoring a plurality of resources associated with a network server, the plurality of resources including at least an activity level at a communication interface of the network server and an activity level corresponding to memory usage of the network server,
comparing activity levels of the plurality of resources to predetermined threshold activity levels; and in response to the comparing,
reducing usage of one of the plurality of resources when the activity level associated with the one of the plurality of resources increases above the predetermined threshold activity level associated therewith, reducing usage including reducing the activity level at the communication interface of the network server when the respective activity level increases above the predetermined threshold activity level associated therewith, and including shutting down inactive processes to thereby reduce memory usage of the network server when the memory usage increases above the predetermined threshold activity level associated therewith.

2. The method of claim 1, wherein determining an activity level at the communication interface includes keeping track of a number of open network connections.

3. The method of claim 1, wherein monitoring a plurality of resources further includes:
determining usage of a processor of the network server.

4. The method of claim 3, wherein monitoring a plurality of resources further includes:
determining capacity of a hard disk drive associated with the network server.

5. The method of claim 1, further comprising:
alerting a user when the activity level associated with the one of the plurality of resources increases above the predetermined threshold activity level.

6. The method of claim 5, wherein alerting the user includes transmitting an alert to a remote computer.

7. The method of claim 1, wherein the predetermined threshold activity levels are set by a user from a remote computer.

8. A computer server comprising:
at least one processor;
a communication interface; and
a memory containing instructions that when executed by the at least one processor cause the processor to:
monitor a usage level of the communication interface, the memory, and at least one of the at least one processor;
compare the usage level of the communication interface to a first threshold and reduce a number of active network connections when the usage level of the communication interface is greater than the first threshold;
compare the usage level of the memory to a second threshold and shut down inactive processes when the usage level of the memory is above the second threshold; and
compare the usage level of the monitored processor to a third threshold and shut down inactive processes when the usage level of the monitored processor is above the third threshold.

9. The computer server of claim 8, further comprising:
a magnetic storage device, wherein
the memory contains additional instructions that when executed by the processor cause the processor to:
compare a usage level of the magnetic storage device to a fourth threshold and compress files on the magnetic storage device when the usage level of the magnetic storage device is above the fourth threshold.

10. The computer server of claim 8, wherein the first, second, and third thresholds are set remotely.

11. The computer server of claim 8, wherein the memory contains additional instructions that when executed by the processor cause the processor to transmit a resource alert to a remote computer.

12. A system comprising:
a plurality of first computing devices, each of the plurality of first computing devices including a corresponding host software component configured to monitor resources of the corresponding first computing device, the resources including at least a usage level of a communication interface, computer random access memory, and a processor, the host software component reducing resource usage, including reducing the usage level of the communication interface, computer random access memory or processor, when, in response to the monitoring, resources of the corresponding first computing device are being used above respective predetermined threshold levels, the host software component reducing the usage level of computer random access memory including the host software component shutting down inactive processes when the respective usage level increases above a threshold level thereof, and
a second computing device including a console software component configured to display alerts when any one or more of the resources of the first computing device are being used above the predetermined threshold levels.

13. The system of claim 12, wherein when the second computing device receives alerts from multiple ones of the first computing devices, the second computing device outputs information describing a possible denial of service attack.

14. The system of claim 12, wherein the second computing device transmits the predetermined threshold levels to the first computing device.

15. The system of claim 12, wherein the second computing device is located remotely from the first computing device.

16. The system of claim 12, wherein the first computing devices are network servers.

17. A computer-readable medium containing instructions that when executed by a processor cause the processor to:
monitor a plurality of resources associated with a network server, the monitored plurality of resources including at least an activity level at a communication interface of the network server and an activity level corresponding to memory usage of the network server,
compare activity levels of the plurality of resources to predetermined threshold activity levels; and in response to the comparing,
reduce usage of one of the plurality of resources when the activity level associated with the one of the plurality of resources increases above the predetermined threshold activity level associated with the on
