Identifying targets of network attacks
Abstract
Systems and methods are described to enable identification of computing resources targeted in a network attack. Network attacks, such as denial of service attacks, are frequently directed to network addresses that host multiple sets of content, each representing a distinct potential target of the network attack. Aspects of this disclosure enable each set of content to be assigned a unique or semi-unique combination of network addresses at which the set of content is accessible. During a network attack, a hosting system can compare the network addresses under attack to those assigned to each set of content to determine which sets of content are potentially targeted by the attack. Where the combination of network addresses is associated with only a single set of content, that set of content can be identified as the target of the network attack.
19 Claims
1. A content delivery system comprising:
a point of presence (“POP”) comprising a plurality of computing devices, the point of presence configured to retrieve content requests and transmit, in response to the content requests, a plurality of sets of content;
a domain name system (“DNS”) server comprising one or more processors configured with specific computer-executable instructions to retrieve requests for network addresses of individual sets of content from the plurality of sets of content, and to respond to the requests for network addresses with a plurality of network addresses identifying computing devices from the point of presence at which the individual sets of content may be accessed; and
one or more computing devices implementing a target lookup service, the one or more computing devices configured with specific computer-executable instructions to;
detect a network attack on the content delivery system, the network attack directed to a plurality of attacked network addresses, wherein each attacked network address of plurality of attacked network addresses is associated with at least two of the plurality of sets of content on the content delivery system;
generate a mapping between the individual sets of content and corresponding combinations of network addresses on the content delivery system at which the individual sets of content may be accessed, the corresponding combinations of network addresses determined based at least in part on identifiers of the individual sets of content;
compare the plurality of attacked network addresses to the generated mapping to identify a first set of content from the plurality of sets of content that is associated with each attacked network address of the plurality of attacked network addresses; and
identify the first set of content as a target of the network attack.
Dependent claims: 2, 3, 4, 5

6. A computer-implemented method comprising:
receiving a request from a user computing device for addressing information of a first set of content;
determining at least two network addresses corresponding to the first set of content based at least in part on an identifier of the set of content;
generating a DNS record including the at least two network addresses corresponding to the first set of content;
transmit the DNS record to the user computing device;
detecting a network attack on a content delivery system, the network attack directed to a plurality of attacked network addresses, wherein an attacked network address of the plurality of attacked network addresses is associated with at least two sets of content on the content delivery system, including the first set of content and the second set of content;
generating a mapping between individual sets of content, including the first and second sets of content, and network addresses on the content delivery system at which the individual sets of content may be accessed, the network addresses on the content delivery system at which the individual sets of content may be accessed determined based at least in part on identifiers of the individual sets of content;
comparing the plurality of attacked network addresses to the generated mapping to identify that the first set of content is associated with the plurality of attacked network addresses; and
identifying the first set of content as a target of the network attack.
Dependent claims: 7, 8, 9, 10, 11, 12

13. A system comprising:
one or more computing devices implementing a target lookup service, the one or more computing devices configured with computer-executable instructions that, when executed, cause the one or more computing devices to;
detect a network attack on a content delivery system, the network attack associated with at least two addressing information sets, wherein an addressing information set of the at least two addressing information sets is associated with at least two sets of content on the content delivery system;
generate data mapping individual sets of content on the content delivery system to corresponding combinations of addressing information sets on the content delivery system;
compare the at least two addressing information sets to the generated data to identify a first set of content on the content delivery system that is associated with the at least two addressing information sets; and
identify the first set of content as a target of the network attack; and
a DNS system comprising at least one computing device configured with computer-executable instructions that, when executed, cause the DNS system to;
receive a request from a user computing device for addressing information of the first set of content;
determine the at least two addressing information sets corresponding to the first set of content based at least in part on an identifier of the first set of content;
generate a DNS record including the at least two addressing information sets corresponding to the first set of content; and
transmit the DNS record to the user computing device.
Dependent claims: 14, 15, 16, 17, 18, 19
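
The scheme described in the abstract and claims, sketched as an added example that is not taken from the patent: each content identifier is hashed to a combination of pool addresses, and the attacked addresses are then compared against that mapping. The pool, the content identifiers, `K`, the function names and the rendezvous-style hash selection are all assumptions of this example.

```python
import hashlib
import ipaddress

# Constructed sample data: a 14-address POP pool (TEST-NET-1) and made-up content IDs.
POOL = [str(ip) for ip in ipaddress.ip_network("192.0.2.0/28").hosts()]
CONTENT_IDS = ["shop.example", "video.example", "blog.example", "api.example"]
K = 3  # addresses returned per DNS answer (assumption)


def assigned_addresses(content_id, pool=POOL, k=K):
    """Derive a content set's address combination from its identifier.

    Assumption of this example: score every pool address against the
    identifier with SHA-256 and keep the k lowest scores, so the DNS server
    and the lookup service compute the same combination without shared state.
    """
    def score(addr):
        return hashlib.sha256(f"{content_id}|{addr}".encode()).digest()
    return frozenset(sorted(pool, key=score)[:k])


def build_mapping(content_ids, pool=POOL, k=K):
    """Map each content identifier to the addresses it is served from."""
    return {cid: assigned_addresses(cid, pool, k) for cid in content_ids}


def identify_targets(attacked, mapping):
    """Return (verdict, candidates) for a set of attacked addresses.

    A content set is a candidate only if it is served from every attacked
    address. One candidate identifies the target; several mean the
    combination is only semi-unique or too few addresses were observed;
    none means the attack spans more than one combination.
    """
    attacked = frozenset(attacked)
    if not attacked:
        return "no-attack", []
    candidates = sorted(c for c, addrs in mapping.items() if attacked <= addrs)
    verdict = {0: "no-single-target", 1: "target"}.get(len(candidates), "ambiguous")
    return verdict, candidates


if __name__ == "__main__":
    mapping = build_mapping(CONTENT_IDS)
    # Attack on every address of one content set, then on a single address.
    print(identify_targets(mapping["video.example"], mapping))
    print(identify_targets(sorted(mapping["video.example"])[:1], mapping))
```

An "ambiguous" verdict on a single attacked address is the case the claims start from: each address hosts at least two content sets, and only the combination of attacked addresses narrows the result.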