Mitigating network attacks

US 10,200,402 B2
Filed: 09/25/2017
Issued: 02/05/2019
Est. Priority Date: 09/24/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

detecting a network attack on one or more computing devices of a content delivery system, wherein the network attack is directed to a combination of addressing information sets including at least two different addressing information sets, each addressing information set, of the at least two addressing information sets, used by the one or more computing devices to provide access to multiple different sets of content from a plurality of sets of content made available on the content delivery system;

identifying a first set of content, from the plurality of sets of contents, as a target of the network attack based at least partly on the combination of addressing information sets to which the attack is directed; and

mitigating the network attack based at least in part on redirecting requests to access the first set of content to one or more alternative computing devices on the content delivery system.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attacked-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.

1385 Citations

20 Claims

1. A computer-implemented method comprising:
- detecting a network attack on one or more computing devices of a content delivery system, wherein the network attack is directed to a combination of addressing information sets including at least two different addressing information sets, each addressing information set, of the at least two addressing information sets, used by the one or more computing devices to provide access to multiple different sets of content from a plurality of sets of content made available on the content delivery system;
  
  identifying a first set of content, from the plurality of sets of contents, as a target of the network attack based at least partly on the combination of addressing information sets to which the attack is directed; and
  
  mitigating the network attack based at least in part on redirecting requests to access the first set of content to one or more alternative computing devices on the content delivery system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein an addressing information set comprises at least one of a network address, a port number, or a protocol.
  - 3. The computer-implemented method of claim 1, wherein redirecting requests to access the first set of content to one or more alternative computing devices on the content delivery system comprises transmitting instructions to a resolution server of the content delivery system to provide, in response to requests to resolve an identifier of the first set of content, a second combination of addressing information sets associated with one or more alternative computing devices on the content delivery system.
  - 4. The computer-implemented method of claim 1, wherein redirecting requests to access the first set of content to one or more alternative computing devices on the content delivery system comprises:
    - transmitting instructions to the one or more computing devices to withdrawal their association with individual addressing information sets of the combination of addressing information sets; and
      
      transmitting instructions to the one or more alternative computing devices to generate an association between the one or more alternative computing devices and the combination of addressing information sets.
  - 5. The computer-implemented method of claim 4, wherein the instructions to the one or more computing devices to withdrawal their association with the combination of addressing information sets comprise instructions for the one or more computing devices to generate a border gateway protocol (“
    - BGP”
      
      ) packet and transmit the BGP packet to at least one router in communication with the one or more computing devices.
  - 6. The computer-implemented method of claim 1, wherein redirecting requests to access the first set of content to one or more alternative computing devices on the content delivery system comprises instructing the one or more alternative computing devices to discard the requests to access the first set of content.
  - 7. The computer-implemented method of claim 1, wherein the one or more computing devices are included within a point of presence (POP) of the content delivery system.

8. A system comprising:
- a memory comprising computer-executable instructions; and
  
  one or more computing devices configured to execute the computer-executable instructions to;
  
  detect a network attack on one or more computing devices of a content delivery system, wherein the network attack is directed to a combination of addressing information sets including at least two different addressing information sets, each addressing information set, of the at least two addressing information sets, used by the one or more computing devices to provide access to multiple different sets of content from a plurality of sets of content made available on the content delivery system;
  
  identify a first set of content, from the plurality of sets of contents, as a target of the network attack based at least partly on the combination of addressing information sets to which the attack is directed; and
  
  mitigate the network attack based at least in part on redirecting requests to access the first set of content to an alternative location on the content delivery system.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the one or more computing devices are configured to redirect requests to access the first set of content to one or more alternative computing devices on the content delivery system at least partly by transmitting instructions to a resolution server of the content delivery system to provide, in response to requests to resolve an identifier of the first set of content, a second combination of addressing information sets associated with one or more alternative computing devices on the content delivery system.
  - 10. The system of claim 8, wherein the resolution server is a domain name system (DNS) server.
  - 11. The system of claim 8, wherein the alternative location on the content delivery system corresponds to one or more alternative computing devices, and wherein the one or more computing devices are further configured to generate the instructions to the resolution server, and wherein the instructions request that the resolution server identify the one or more alternative computing devices based at least in part on a characteristic of the one or more alternative computing devices included within the instructions.
  - 12. The system of claim 11, wherein the characteristic of the one or more alternative computing devices includes execution, by the one or more alternative computing devices, of network attack mitigation software.
  - 13. The system of claim 8, wherein the one or more computing devices are configured to redirect requests to access the first set of content to an alternative location on the content delivery system at least partly by transmitting instructions to one or more routing devices, in communication with the content delivery system, to redirect traffic addressed to the combination of addressing information sets from the one or more computing devices to the alternative location on the content delivery system.
  - 14. The system of claim 8, wherein the instructions cause the one or more routing devices to limit traffic addressed to the combination of addressing information sets to less than all physical ports on the one or more routing devices.

15. Non-transitory computer-readable media comprising instructions that, when executed by a computing system, cause the computing system to:
- detect a network attack on one or more computing devices of a content delivery system, wherein the network attack is directed to a combination of addressing information sets including at least two different addressing information sets, each addressing information set, of the at least two addressing information sets, used by the one or more computing devices to provide access to multiple different sets of content from a plurality of sets of content made available on the content delivery system;
  
  identify a first set of content, from the plurality of sets of contents, as a target of the network attack based at least partly on the combination of addressing information sets to which the attack is directed; and
  
  mitigate the network attack based at least in part on redirecting requests to access the first set of content to an alternative location on the content delivery system.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable media of claim 15, wherein individual sets of content, within the plurality of sets of content, correspond to at least one of individual domain names, individual web sites, or individual network-accessible services.
  - 17. The non-transitory computer-readable media of claim 15, wherein the instructions cause the computing system to redirect requests to access the first set of content to the alternative location on the content delivery system at least partly by transmitting instructions to a resolution server of the content delivery system to provide, in response to requests to resolve an identifier of the first set of content, a second combination of addressing information sets associated with the alternative location.
  - 18. The non-transitory computer-readable media of claim 15, wherein the instructions cause the computing system to redirect requests to access the first set of content to the alternative location on the content delivery system at least partly by transmitting instructions to one or more routing devices, in communication with the content delivery system, to redirect traffic addressed to the combination of addressing information sets from the one or more computing devices to the alternative location.
  - 19. The non-transitory computer-readable media of claim 18, wherein the instructions to the one or more computing devices to withdrawal their association with the combination of addressing information sets comprise instructions for the one or more computing devices to generate a border gateway protocol (“
    - BGP”
      
      ) packet and transmit the BGP packet to at least one router in communication with the one or more computing devices.
  - 20. The non-transitory computer-readable media of claim 15, wherein redirecting requests to access the first set of content to the alternative location comprises transmitting instructions to the one or more computing devices to withdrawal their association with the combination of addressing information sets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Radlein, Anton Stephen, Dye, Nathan Alan, Howard, Craig Wesley, Jones, Harvo Reyzell
Primary Examiner(s)
Le, Chau

Application Number

US15/714,993
Publication Number

US 20180109553A1
Time in Patent Office

498 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Mitigating network attacks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

1385 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigating network attacks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1385 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links