Methods and apparatuses for providing Internet-based proxy services

US 10,243,927 B2
Filed: 10/29/2013
Issued: 03/26/2019
Est. Priority Date: 04/01/2010
Status: Active Grant

First Claim

Patent Images

1. A method in a proxy server for providing Internet-based proxy services, the method comprising:

receiving, at the proxy server from a first one of a plurality of client devices, a first request for an action to be performed on an identified network resource of domain of an origin server, wherein the first request is received at the proxy server as a result of a Domain Name System (DNS) request for the domain returning an IP address of the proxy server;

analyzing the first request to determine whether that first request itself poses a threat;

responsive to determining that the first request itself poses a threat, blocking that first request from being transmitted to the origin server;

receiving, at the proxy server from a second one of the plurality of client devices, a second request for an action to be performed on the identified network resource of the origin server;

analyzing the second request to determine whether that second request itself poses a threat; and

responsive to determining that the second request itself does not pose a threat, transmitting the second request to the origin server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor belonging to the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and is from a visitor that is not a threat to the appropriate origin server.

217 Citations

15 Claims

1. A method in a proxy server for providing Internet-based proxy services, the method comprising:
- receiving, at the proxy server from a first one of a plurality of client devices, a first request for an action to be performed on an identified network resource of domain of an origin server, wherein the first request is received at the proxy server as a result of a Domain Name System (DNS) request for the domain returning an IP address of the proxy server;
  
  analyzing the first request to determine whether that first request itself poses a threat;
  
  responsive to determining that the first request itself poses a threat, blocking that first request from being transmitted to the origin server;
  
  receiving, at the proxy server from a second one of the plurality of client devices, a second request for an action to be performed on the identified network resource of the origin server;
  
  analyzing the second request to determine whether that second request itself poses a threat; and
  
  responsive to determining that the second request itself does not pose a threat, transmitting the second request to the origin server.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - responsive to transmitting the second request origin server, receiving a corresponding response from that origin server that includes the identified network resource; and
      
      transmitting the received response to the second client device.
  - 3. The method of claim 2, further comprising:
    - storing the identified network resource in cache available to the proxy server;
      
      receiving, at the proxy server from a third one of the plurality of client devices, a third request for an action to be performed on the identified network resource of the origin server;
      
      analyzing the third request to determine whether that third request itself poses a threat; and
      
      responsive to determining that the third request itself does not pose a threat and the identified network resource is available in the cache, returning the cached requested network resource to the third client device without querying the origin server.
  - 4. The method of claim 1, wherein analyzing the first request to determine whether that first request itself poses a threat includes performing one or more of the following:
    - determining whether that first request includes a malformed cookie,determining whether that first request includes a malformed header,determining whether that first request includes a malformed URL (Uniform Resource Locator),determining whether that first request includes a URL that contains a known threat signature, andresponsive to determining that the first request is a POST request, analyzing content that is to be POSTed to determine whether that content is a threat; and
      
      wherein the first request poses a threat due to it including one or more of a malformed cookie, a malformed header, a malformed URL, a URL that contains a known threat signature, and content to be POSTed that is a threat.
  - 5. The method of claim 1, further comprising:
    - prior to transmitting the second request to the origin sever, analyzing the second request to determine whether that second request is from a visitor that poses a threat including performing the following for that second request;
      
      determining whether an IP address of the second request is on one or more of;
      
      a global restricted IP address list that identifies IP addresses that are not allowed to access content of any one of a plurality of origin servers, anda local IP restricted address list that identifies IP addresses that are not allowed to access content of the requested origin server;
      
      responsive to determining that the IP address of the second request is on one or more of the global restricted IP address list and the local IP restricted IP address list, performing the following;
      
      determining that the second request includes a cookie that is on one or more of;
      
      a global allow cookie list that identifies cookies that indicate access to content of all of the plurality of origin servers is allowed, anda local allow cookie list that identifies cookies that indicate access to content of the requested origin server is allowed.

6. A proxy server to provide Internet-based proxy services, the proxy server comprising:
- a memory to store instructions;
  
  a processor coupled with the memory to process the stored instructions to;
  
  receive, from a first one of a plurality of client devices, a first request for an action to be performed on an identified network resource of domain of an origin server, wherein the first request is received at the proxy server as a result of a Domain Name System (DNS) request for the domain returning an IP address of the proxy server;
  
  analyze the first request to determine whether that first request itself poses a threat;
  
  responsive to a determination that the first request itself poses a threat, block that first request from being transmitted to the origin server;
  
  receive, from a second one of the plurality of client devices, a second request for an action to be performed on the identified network resource of the origin server;
  
  analyze the second request to determine whether that second request itself poses a threat; and
  
  responsive to determining that the second request itself does not pose a threat, transmit the second request to the origin server.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The proxy server of claim 6, wherein the processor is further to process the stored instructions to:
    - responsive to transmission of the second request to the origin server, receive a corresponding response from that origin server that includes the identified network resource; and
      
      transmit the received response to the second client device.
  - 8. The proxy server of claim 7, wherein the processor is further to process the stored instructions to:
    - store the identified network resource in cache available to the proxy server;
      
      receive, at the proxy server from a third one of the plurality of client devices, a third request for an action to be performed on the identified network resource of the origin server;
      
      analyze the third request to determine whether that third request itself poses a threat;
      
      responsive to a determination that the third request itself does not pose a threat and the identified network resource is available in the cache, return the cached requested network resource to the third client device without querying the origin server.
  - 9. The proxy server of claim 6, wherein analyzing the first request to determine whether that first request itself poses a threat includes the processor to perform one or more of the following:
    - determine whether that first request includes a malformed cookie,determine whether that first request includes a malformed header,determine whether that first request includes a malformed URL (Uniform Resource Locator),determine whether that first request includes a URL that contains a known threat signature, andresponsive to a determination that the request is a POST request, analyze content that is to be POSTed to determine whether that content is a threat; and
      
      wherein the first request poses a threat due to it including one or more of;
      
      a malformed cookie, a malformed header, a malformed URL, a URL that contains a known threat signature, and content to be POSTed that is a threat.
  - 10. The proxy server of claim 6, wherein prior to transmission of the second request to the origin server, the processor is further to process the stored instructions to analyze the second request to determine whether that second request is from a visitor that poses a threat including the processor to perform the following for that second request:
    - determine whether an IP address of the second request is on one or more of;
      
      a global restricted IP address list that identifies IP addresses that are not allowed to access content of any one of a plurality of origin servers, anda local IP restricted address list that identifies IP addresses that are not allowed to access content of the requested origin server;
      
      responsive to a determination that the IP address of the second request is on one or more of the global restricted IP address list and the local IP restricted IP address list, perform the following;
      
      determine that the second request includes a cookie that is on one or more of;
      
      a global allow cookie list that identifies cookies that indicate access to content of all of the plurality of origin servers is allowed, anda local allow cookie list that identifies cookies that indicate access to content of the requested origin server is allowed.

11. A non-transitory machine-readable storage medium that provides instructions that, when executed by a processor of a proxy server, cause said processor to perform operations comprising:
- receiving, at the proxy server from a first one of a plurality of client devices, a first request for an action to be performed on an identified network resource of domain of an origin server, wherein the first request is received at the proxy server as a result of a Domain Name System (DNS) request for the domain returning an IP address of the proxy server;
  
  analyzing the first request to determine whether that first request itself poses a threat;
  
  responsive to determining that the first request itself poses a threat, blocking that first request from being transmitted to the origin server;
  
  receiving, at the proxy server from a second one of the plurality of client devices, a second request for an action to be performed on the identified network resource of the origin server;
  
  analyzing the second request to determine whether that second request itself poses a threat; and
  
  responsive to determining that the second request itself does not pose a threat, transmitting the second request to the origin server.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The non-transitory machine-readable storage medium of claim 11, wherein the non-transitory machine-readable storage medium further provides instructions that, when executed by the processor, cause said processor to further perform operations comprising:
    - responsive to transmitting the second request to the origin server, receiving a corresponding response from that origin server that includes the identified network resource; and
      
      transmitting the received response to the second client device.
  - 13. The non-transitory machine-readable storage medium of claim 12, wherein the non-transitory machine-readable storage medium further provides instructions that, when executed by the processor, cause said processor to further perform operations comprising:
    - storing the identified network resource in cache available to the proxy server;
      
      receiving, at the proxy server from a third one of the plurality of client devices, a third request for an action to be performed on the identified network resource of the origin server;
      
      analyzing the third request to determine whether that third request itself poses a threat; and
      
      responsive to determining that the third request itself does not pose a threat and the identified network resource is available in the cache, returning the cached requested network resource to the third client device without querying the origin server.
  - 14. The non-transitory machine-readable storage medium of claim 11, wherein analyzing the first request to determine whether that first request itself poses a threat includes performing one or more of the following:
    - determining whether that first request includes a malformed cookie,determining whether that first request includes a malformed header,determining whether that first request includes a malformed URL (Uniform Resource Locator),determining whether that first request includes a URL that contains a known threat signature, andresponsive to determining that the first request is a POST request, analyzing content that is to be POSTed to determine whether that content is a threat; and
      
      wherein the first request poses a threat due to it including one or more of a malformed cookie, a malformed header, a malformed URL, a URL that contains a known threat signature, and content to be POSTed that is a threat.
  - 15. The non-transitory machine-readable storage medium of claim 11, wherein the non-transitory machine-readable storage medium further provides instructions that, when executed by the processor, cause said processor to further perform operations comprising:
    - prior to transmitting the second request to the origin sever, analyzing the second request to determine whether that second request is from a visitor that poses a threat includes performing the following for that request;
      
      determining whether an IP address of the second request is on one or more of;
      
      a global restricted IP address list that identifies IP addresses that are not allowed to access content of any one of a plurality of origin servers, anda local IP restricted address list that identifies IP addresses that are not allowed to access content of the requested origin server;
      
      responsive to determining that the IP address of the second request is on one or more of the global restricted IP address list and the local IP restricted IP address list, performing the following;
      
      determining that the second request includes a cookie that is on one or more of;
      
      a global allow cookie list that identifies cookies that indicate access to content of all of the plurality of origin servers is allowed, anda local allow cookie list that identifies cookies that indicate access to content of the requested origin server is allowed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
CloudFlare Incorporated
Inventors
Holloway, Lee Hahn, Prince, Matthew Browning, Pye, Ian Gerald, Tourne, Matthieu Philippe Francois, Zatlyn, Michelle Marie
Primary Examiner(s)
Lewis, Lisa C

Application Number

US14/066,557
Publication Number

US 20140059668A1
Time in Patent Office

1,974 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 15/16   Combinations of two or more...

G06F 16/95   Retrieval from the web

G06F 16/958   Organisation or management ...

G06F 21/00   Security arrangements for p...

G06F 21/552   involving long-term monitor...

G06F 40/14   Tree-structured documents p...

G06F 40/143   Markup, e.g. Standard Gener...

G06Q 10/107   Computer-aided management o...

G06Q 30/0241   Advertisements

G06Q 30/0251   Targeted advertisements

G06Q 30/0277   Online advertisement

H04L 47/745   Reaction in network

H04L 51/42   Mailbox-related aspects, e....

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/59   using proxies for addressing

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

H04L 63/0281   Proxies

H04L 63/083 : using passwords cryptograph...

H04L 63/0861 : using biometrical features,...

H04L 63/102 : Entity profiles

H04L 63/126 : the source of the received ...

H04L 63/1416 : Event detection, e.g. attac...

H04L 63/1433 : Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/1458 : Denial of Service

H04L 63/1466 : Active attacks involving in...

H04L 67/02 : based on web technology, e....

H04L 67/146 : Markers for unambiguous ide...

H04L 67/56 : Provisioning of proxy servi...

H04L 67/561 : Adding application-function...

H04L 67/568 : Storing data temporarily at...

H04L 69/40 : for recovering from a failu...

View All

Methods and apparatuses for providing Internet-based proxy services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

217 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatuses for providing Internet-based proxy services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

217 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links