Source specific network scanning in a distributed environment

US 10,320,750 B1
Filed: 03/30/2016
Issued: 06/11/2019
Est. Priority Date: 03/30/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining a request to execute a network scan of a virtual network of a plurality of virtual networks operated by a plurality of customers of a computing resource service provider, the request indicating the network scan be internal to the virtual network and the plurality of virtual networks implemented by computing resources provided by the computing resource service provider;

fulfilling the request by at least generating a scanning packet including network address information corresponding to the virtual network;

generating an encapsulated packet corresponding to the scanning packet, where the encapsulated packet includes information identifying the virtual network so that the encapsulated packet is routed to the virtual network over a computing resource service provider network;

transmitting the encapsulated packet to an endpoint of the virtual network, wherein the virtual network responds to the scanning packet as if the scanning packet originated from the endpoint and is addressable from within the virtual network;

de-encapsulating the scanning packet from the encapsulated packet; and

delivering the scanning packet to a destination within the virtual network based at least in part on network address information included in the scanning packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Customers of a computing resource service provider may operate one or more computing resources, provided by the computing resource service provider, within a virtual network. The customers may request network scans of the computing resources with the virtual network. Scanning packets may be generated and encapsulated to ensure delivery to an appropriate destination within the virtual network. The information in the scanning packet may appear to be generated by a source within the virtual network.

Citations

20 Claims

1. A computer-implemented method, comprising:
- obtaining a request to execute a network scan of a virtual network of a plurality of virtual networks operated by a plurality of customers of a computing resource service provider, the request indicating the network scan be internal to the virtual network and the plurality of virtual networks implemented by computing resources provided by the computing resource service provider;
  
  fulfilling the request by at least generating a scanning packet including network address information corresponding to the virtual network;
  
  generating an encapsulated packet corresponding to the scanning packet, where the encapsulated packet includes information identifying the virtual network so that the encapsulated packet is routed to the virtual network over a computing resource service provider network;
  
  transmitting the encapsulated packet to an endpoint of the virtual network, wherein the virtual network responds to the scanning packet as if the scanning packet originated from the endpoint and is addressable from within the virtual network;
  
  de-encapsulating the scanning packet from the encapsulated packet; and
  
  delivering the scanning packet to a destination within the virtual network based at least in part on network address information included in the scanning packet.
- View Dependent Claims (2, 3, 20)
- - 2. The computer-implemented method of claim 1, wherein generating the scanning packet further comprises assigning a local network address of the virtual network to a network interface trunk and including the local network address in a header of the scanning packet, where the local network address is determined by the computing resource service provider and the network interface trunk is connected to the virtual network and at least one other virtual network of the plurality of virtual networks.
  - 3. The computer-implemented method of claim 1, wherein the computer-implemented method further comprises:
    - obtaining a response from the destination by at least transmitting the response to a source of the scanning packet indicated in the encapsulated packet; and
      
      analyzing the response to generate network scan information.
  - 20. The computer-implemented method of claim 1, wherein the computer-implemented method further comprises detecting, based at least in part on a response to the scanning packet, a computing resource on the virtual network.

4. A system, comprising:
- one or more processors; and
  
  memory that includes instructions that, when executed by the one or more processors, cause the system to;
  
  execute an internal scan of a virtual network by at least;
  
  generating a set of packets directed to a destination within an address space of the virtual network;
  
  encapsulating the set of packets to generate a set of encapsulated packets, the set of encapsulated packets including additional information to cause one or more routing devices to direct encapsulated packets of the set of encapsulated packets to the virtual network over one or more other networks; and
  
  transmitting the set of encapsulated packets to an endpoint of the virtual network, wherein the virtual network responds to a packet in the set of packets as if the packet originated from the endpoint and the packet has an address from within the virtual network; and
  
  obtain, from the destination, a set of responses to the set of packets.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11)
- - 5. The system of claim 4, wherein the virtual network is one of a plurality of virtual networks implemented using computing resources of a computing resource service provider and the plurality of virtual networks are operated by customers of the computing resource service provider.
  - 6. The system of claim 4, wherein the additional information further comprises routing information to enable the destination to generate the set of responses such that the set of responses are routed to the system.
  - 7. The system of claim 4, wherein the memory further includes instructions that, when executed by the one or more processors, cause the system to obtain, from a customer, information associated with the address space of the virtual network as a result of an event triggering the internal scan of the virtual network.
  - 8. The system of claim 4, wherein the memory further includes instructions that, when executed by the one or more processors, cause the system to obtain, from storage prior to executing the internal scan of the virtual network, information associated with the address space of the virtual network.
  - 9. The system of claim 4, wherein the memory further includes instructions that, when executed by the one or more processors, cause the system to:
    - obtain information associated with a local network address of the virtual network; and
      
      assign the local network address to a network interface trunk.
  - 10. The system of claim 4, wherein the memory further includes instructions that, when executed by the one or more processors, cause the system to provide, through a user interface, a result of the internal scan of the virtual network to a customer based at least in part on the set of responses.
  - 11. The system of claim 7, wherein the memory further includes instructions that, when executed by the one or more processors, cause the system to:
    - provide information associated with the address space of the virtual network to a module, where the module is executed outside of a customer context on the system; and
      
      wherein encapsulating the set of packets to generate the set of encapsulated packets is performed by the module.

12. A set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to:
- obtain a request to execute a network scan of a virtual network;
  
  generate a plurality of packets including address information associated with the virtual network;
  
  generate a set of encapsulated packets for at least a portion of the plurality of packets including destination information for the virtual network across one or more other networks;
  
  transmit the set of encapsulated packets across the one or more other networks;
  
  obtain, from an encapsulated packet of the set of encapsulated packets, a scanning packet of the plurality of packets including a destination within the virtual network;
  
  deliver the scanning packet to the destination within the virtual network, wherein devices in the virtual network respond to the scanning packet as if the scanning packet originated from the destination and the scanning packet has an address from within the virtual network; and
  
  detect, based at least in part on a response to the scanning packet, a computing resource on the virtual network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The set of one or more non-transitory computer-readable storage media of claim 12, wherein the instructions that cause the computer system to transmit the set of encapsulated packets across the one or more other networks further include instructions that cause the computer system to transmit the set of encapsulated packets to an endpoint associated with the virtual network.
  - 14. The set of one or more non-transitory computer-readable storage media of claim 13, wherein the instructions that cause the computer system to transmit the set of encapsulated packets to the endpoint associated with the virtual network further include instructions that cause the computer system to modify the set of encapsulated packets to include routing information to enable the destination to transmit a response to the computer system.
  - 15. The set of one or more non-transitory computer-readable storage media of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to obtain information associated with the endpoint prior to generating the set of encapsulated packets.
  - 16. The set of one or more non-transitory computer-readable storage media of claim 12, wherein the instructions that cause the computer system to transmit the set of encapsulated packets across the one or more other networks further include instructions that cause the computer system to transmit the set of encapsulated packets from a network interface trunk assigned a network address within an address space of the virtual network.
  - 17. The set of one or more non-transitory computer-readable storage media of claim 12, wherein the instructions that cause the computer system to generate the set of encapsulated packets further include instructions that cause the computer system to generate, for each encapsulated packet of the set of encapsulated packets, an encapsulated header indicating a location to which the response to the plurality of packets is directed.
  - 18. The set of one or more non-transitory computer-readable storage media of claim 12, wherein the instructions that cause the computer system to obtain the packet of the plurality of packets further include instructions that cause the computer system to de-encapsulate the encapsulated packet prior to delivering the packet to the destination.
  - 19. The set of one or more non-transitory computer-readable storage media of claim 18, wherein the instructions that cause the computer system to de-encapsulate the encapsulated packet further include instructions that cause the computer system to store information from a header of the encapsulated packet indicating that a scanning instance is to receive responses to the packet from the destination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, Lucas, Alexander Robin Gordon, Fitzgerald, Robert Eric
Primary Examiner(s)
Arani, Taghi T
Assistant Examiner(s)
Champakesan, Badri

Application Number

US15/085,257
Time in Patent Office

1,168 Days
Field of Search

726 15
US Class Current
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0428   wherein the data content is...

H04L 63/1433   Vulnerability analysis

Source specific network scanning in a distributed environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Source specific network scanning in a distributed environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links