US 11,895,116 B2
Methods and devices for blocking, detecting, and/or preventing malicious traffic
Dilip H. Sanghavi, San Ramon, CA (US); and Rishi K. Mutnuru, San Jose, CA (US)
Assigned to Juniper Networks, Inc., Sunnyvale, CA (US)
Filed by Juniper Networks, Inc., Sunnyvale, CA (US)
Filed on Jan. 13, 2021, as Appl. No. 17/248,182.
Application 17/248,182 is a continuation of application No. 16/025,541, filed on Jul. 2, 2018, granted, now 10,911,460.
Prior Publication US 2021/0136075 A1, May 6, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 45/748 (2022.01); H04L 61/256 (2022.01); H04L 67/02 (2022.01); H04L 61/4511 (2022.01)
CPC H04L 63/101 (2013.01) [H04L 45/748 (2013.01); H04L 61/256 (2013.01); H04L 61/4511 (2022.05); H04L 67/02 (2013.01)]
20 Claims
 
1. A method, comprising:
storing, by a processor and in a data structure, network addresses of devices hosting a plurality of blacklisted domains and blacklisted domain identifiers corresponding to the plurality of blacklisted domains;
receiving, by the processor, traffic destined for a destination device associated with a destination network address;
determining, by the processor, that the destination network address corresponds to a network address of the network addresses stored in the data structure;
determining, by the processor and based on determining that the destination network address corresponds to the network address, that the network address corresponds to a blacklisted domain identifier of the blacklisted domain identifiers and that a threat level associated with the blacklisted domain identifier satisfies a threshold;
selecting, by the processor, a sinkhole server identifier from a plurality of sinkhole server identifiers associated with the blacklisted domain identifier based on the threat level,
wherein the sinkhole server identifier is selected based on:
geographic proximity to a location of a client device, or
a round-robin scheduling process; and
redirecting, by the processor, the traffic towards a sinkhole server associated with the sinkhole server identifier.
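
The decision flow recited in claim 1, sketched as an added example that is not code from the patent or from the assignee. Assumptions: "satisfies a threshold" is modelled as threat level >= THRESHOLD, traffic that is unlisted or below the threshold is forwarded unchanged, proximity is used when the client location is known and round-robin otherwise, and all addresses, domain names, sinkhole identifiers and coordinates are constructed sample values.

```python
import ipaddress
import math
from itertools import cycle

THRESHOLD = 5  # assumption: "satisfies a threshold" means threat >= THRESHOLD

# Constructed sample data (documentation address ranges, made-up names).
ADDR_TO_DOMAIN = {"192.0.2.10": "bad.example", "198.51.100.7": "low-risk.example"}
DOMAINS = {
    "bad.example": {"threat": 8, "sinkholes": ["sh-west", "sh-east"]},
    "low-risk.example": {"threat": 2, "sinkholes": ["sh-west"]},
}
SINKHOLE_LOC = {"sh-west": (37.4, -122.0), "sh-east": (40.7, -74.0)}  # (lat, lon)
# One round-robin iterator per blacklisted domain identifier.
_round_robin = {d: cycle(v["sinkholes"]) for d, v in DOMAINS.items()}


def _km(a, b):
    """Great-circle (haversine) distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))


def route(dst_ip, client_loc=None):
    """Return ("forward", ip) or ("sinkhole", sinkhole_id) for one flow."""
    # Normalise the textual address so equivalent spellings hit the same key.
    key = str(ipaddress.ip_address(dst_ip))
    domain = ADDR_TO_DOMAIN.get(key)
    if domain is None:
        return ("forward", key)          # destination not in the data structure
    entry = DOMAINS[domain]
    if entry["threat"] < THRESHOLD:
        return ("forward", key)          # listed, but below the threshold
    if client_loc is not None:
        # Geographic proximity: nearest sinkhole to the client.
        sid = min(entry["sinkholes"], key=lambda s: _km(client_loc, SINKHOLE_LOC[s]))
    else:
        # Round-robin over this domain's sinkholes.
        sid = next(_round_robin[domain])
    return ("sinkhole", sid)
```
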