Source specific network scanning in a distributed environment
First Claim
1. A computer-implemented method, comprising:
obtaining a request to execute a network scan of a virtual network of a plurality of virtual networks operated by a plurality of customers of a computing resource service provider, the request indicating the network scan be internal to the virtual network and the plurality of virtual networks implemented by computing resources provided by the computing resource service provider;
fulfilling the request by at least generating a scanning packet including network address information corresponding to the virtual network;
generating an encapsulated packet corresponding to the scanning packet, where the encapsulated packet includes information identifying the virtual network so that the encapsulated packet is routed to the virtual network over a computing resource service provider network;
transmitting the encapsulated packet to an endpoint of the virtual network, wherein the virtual network responds to the scanning packet as if the scanning packet originated from the endpoint and is addressable from within the virtual network;
de-encapsulating the scanning packet from the encapsulated packet; and
delivering the scanning packet to a destination within the virtual network based at least in part on network address information included in the scanning packet.
Abstract
Customers of a computing resource service provider may operate one or more computing resources, provided by the computing resource service provider, within a virtual network. The customers may request network scans of the computing resources within the virtual network. Scanning packets may be generated and encapsulated to ensure delivery to an appropriate destination within the virtual network. The information in the scanning packet may appear to be generated by a source within the virtual network.
20 Claims
1. Independent claim; its text is given above under First Claim. Dependent claims: 2, 3, 20.
4. A system, comprising:
one or more processors; and
memory that includes instructions that, when executed by the one or more processors, cause the system to:
execute an internal scan of a virtual network by at least:
generating a set of packets directed to a destination within an address space of the virtual network;
encapsulating the set of packets to generate a set of encapsulated packets, the set of encapsulated packets including additional information to cause one or more routing devices to direct encapsulated packets of the set of encapsulated packets to the virtual network over one or more other networks; and
transmitting the set of encapsulated packets to an endpoint of the virtual network, wherein the virtual network responds to a packet in the set of packets as if the packet originated from the endpoint and the packet has an address from within the virtual network; and
obtain, from the destination, a set of responses to the set of packets.
Dependent claims: 5, 6, 7, 8, 9, 10, 11.
12. A set of one or more non-transitory computer-readable storage media having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to:
obtain a request to execute a network scan of a virtual network;
generate a plurality of packets including address information associated with the virtual network;
generate a set of encapsulated packets for at least a portion of the plurality of packets including destination information for the virtual network across one or more other networks;
transmit the set of encapsulated packets across the one or more other networks;
obtain, from an encapsulated packet of the set of encapsulated packets, a scanning packet of the plurality of packets including a destination within the virtual network;
deliver the scanning packet to the destination within the virtual network, wherein devices in the virtual network respond to the scanning packet as if the scanning packet originated from the destination and the scanning packet has an address from within the virtual network; and
detect, based at least in part on a response to the scanning packet, a computing resource on the virtual network.
Dependent claims: 13, 14, 15, 16, 17, 18, 19.
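Claims 1, 4 and 12 describe one pipeline: generate a scanning packet whose addresses lie inside the customer's virtual network, encapsulate it with information that identifies that virtual network so routing devices carry it across the provider's network, de-encapsulate it at an endpoint of the virtual network, deliver it to the destination, and detect resources from the replies. The Python below is an added illustration of that flow written for this page; it is not code from the patent or from any provider's implementation. The VXLAN-shaped outer header, the reduced (src, dst, port, proto) packet layout, the reply model (an existing host answers every probe, an unused address stays silent), and all identifiers (5001, 5002), addresses and ports are assumptions chosen for the example.

```python
"""Toy model of the encapsulated internal-scan flow in claims 1, 4 and 12.
Assumed (not from the patent): a VXLAN-shaped 8-byte outer header with a 24-bit
virtual network identifier (VNI); an inner scanning packet reduced to
(src, dst, port, proto); hosts answer every probe (open/closed), unused addresses
stay silent. All networks, addresses and ports are constructed sample data."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

OUTER_FMT = "!II"        # flags word, then VNI << 8 (VXLAN layout, assumed)
INNER_FMT = "!4s4sHB"    # src addr, dst addr, dst port, protocol
OUTER_LEN, INNER_LEN = struct.calcsize(OUTER_FMT), struct.calcsize(INNER_FMT)
FLAG_VNI_PRESENT = 0x08 << 24
PROTO_TCP = 6

@dataclass
class ScanPacket:
    src: IPv4Address     # must be an address inside the target virtual network
    dst: IPv4Address
    port: int
    proto: int = PROTO_TCP

    def pack(self) -> bytes:
        return struct.pack(INNER_FMT, self.src.packed, self.dst.packed, self.port, self.proto)

    @classmethod
    def unpack(cls, data: bytes) -> "ScanPacket":
        src, dst, port, proto = struct.unpack(INNER_FMT, data[:INNER_LEN])
        return cls(IPv4Address(src), IPv4Address(dst), port, proto)

def scan_packet(src: str, dst: str, port: int) -> ScanPacket:
    return ScanPacket(IPv4Address(src), IPv4Address(dst), port)

def encapsulate(vni: int, inner: ScanPacket) -> bytes:
    """Prepend the information that identifies the virtual network to the scanning packet."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack(OUTER_FMT, FLAG_VNI_PRESENT, vni << 8) + inner.pack()

def read_vni(frame: bytes):
    """What a routing device looks at: the VNI in the outer header, or None if malformed."""
    if len(frame) < OUTER_LEN + INNER_LEN:
        return None
    flags, vni_word = struct.unpack(OUTER_FMT, frame[:OUTER_LEN])
    return (vni_word >> 8) if flags & FLAG_VNI_PRESENT else None

def decapsulate(frame: bytes, expected_vni: int):
    """Endpoint side: accept only frames identifying this network, then strip the header."""
    if read_vni(frame) != expected_vni:
        return None                      # misdirected or malformed frame: drop it
    return ScanPacket.unpack(frame[OUTER_LEN:])

@dataclass
class VirtualNetwork:
    vni: int
    cidr: IPv4Network
    hosts: dict = field(default_factory=dict)   # IPv4Address -> set of open TCP ports

    def endpoint_receive(self, frame: bytes):
        """De-encapsulate and deliver; return the destination's reply, or None for silence."""
        pkt = decapsulate(frame, self.vni)
        if pkt is None or pkt.dst not in self.cidr or pkt.src not in self.cidr:
            return None
        open_ports = self.hosts.get(pkt.dst)
        if open_ports is None:
            return None                  # no resource at that address
        state = "open" if pkt.port in open_ports else "closed"
        return (pkt.dst, pkt.port, state)   # reply goes back to pkt.src, an in-network address

def run_internal_scan(vni: int, source: str, targets, ports, networks):
    """Generate, encapsulate, route by VNI, deliver, and turn replies into detections."""
    detected = {}
    for dst in targets:
        for port in ports:
            frame = encapsulate(vni, scan_packet(source, dst, port))
            reply = networks[read_vni(frame)].endpoint_receive(frame)   # routing step
            if reply is None:
                continue                 # silence: nothing detected at this address
            ip, port, state = reply
            found = detected.setdefault(str(ip), [])
            if state == "open":
                found.append(port)
    return {ip: sorted(p) for ip, p in detected.items()}

def sample_networks():
    """Two tenants with overlapping address space; only the VNI tells them apart."""
    return {
        5001: VirtualNetwork(5001, IPv4Network("10.0.0.0/24"),
                             {IPv4Address("10.0.0.10"): {22}, IPv4Address("10.0.0.11"): {443, 8080}}),
        5002: VirtualNetwork(5002, IPv4Network("10.0.0.0/24"),
                             {IPv4Address("10.0.0.10"): {3389}}),
    }

if __name__ == "__main__":
    targets = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]
    print(run_internal_scan(5001, "10.0.0.250", targets, [22, 443], sample_networks()))
```

Running the block prints `{'10.0.0.10': [22], '10.0.0.11': [443]}`: the host at 10.0.0.12 never answers and so is not detected, and the closed port on 10.0.0.11 still proves a resource is there. The two sample tenants deliberately share 10.0.0.0/24, so the inner addresses alone cannot say which network a probe belongs to; the outer identifier is what the routing step keys on, and the de-encapsulating endpoint drops any frame whose identifier is not its own and any inner packet whose addresses fall outside its range, which is what keeps a scan requested for one network from landing in another.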