Protecting communications between a content delivery network and an origin server

US 10,630,641 B2
Filed: 07/17/2018
Issued: 04/21/2020
Est. Priority Date: 07/22/2015
Status: Active Grant

First Claim

Patent Images

1. A method of operating a content delivery network, the method comprising:

assigning a plurality of network addresses allocated to the content delivery network to an origin to establish a privatized link between the content delivery network and the origin, whereby the content delivery network uses a first network address of the plurality of network addresses as the network address of the origin when requesting content from the origin;

in a content server of the content delivery network, receiving requests for content potentially cached by the content server;

in response to the requests, transmitting origin requests to the origin using the first network address from the plurality of network addresses to obtain the requested content from the origin;

in response to an attack on the first network address, selecting a second network address from the plurality of network addresses based on a predetermined order; and

transmitting subsequent origin requests to the origin using the second network address to obtain the requested content from the origin.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A privatized link between an origin server and a content delivery network is provided. A privatized link can be direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.

Citations

21 Claims

1. A method of operating a content delivery network, the method comprising:
- assigning a plurality of network addresses allocated to the content delivery network to an origin to establish a privatized link between the content delivery network and the origin, whereby the content delivery network uses a first network address of the plurality of network addresses as the network address of the origin when requesting content from the origin;
  
  in a content server of the content delivery network, receiving requests for content potentially cached by the content server;
  
  in response to the requests, transmitting origin requests to the origin using the first network address from the plurality of network addresses to obtain the requested content from the origin;
  
  in response to an attack on the first network address, selecting a second network address from the plurality of network addresses based on a predetermined order; and
  
  transmitting subsequent origin requests to the origin using the second network address to obtain the requested content from the origin.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising, in response to each of the requests, determining if the content can be served from a local cache or if the content must be obtained from the origin.
  - 3. The method of claim 2 wherein transmitting the origin requests occurs in response to determining that the content cannot be served from the local cache.
  - 4. The method of claim 3 wherein the content cannot be served from the local cache when the content is not stored in the local cache.
  - 5. The method of claim 3 wherein the content cannot be served from the local cache when the content as-stored in the local cache has expired.
  - 6. The method of claim 1 wherein the attack comprises a distributed denial of service (DDoS) attack.
  - 7. The method of claim 1 wherein the first network address comprises an Internet protocol (IP) address within an address range allocated to the content delivery network.
  - 8. The method of claim 7 wherein:
    - the second network address comprises a different IP address within the address range allocated to the content delivery network;
      
      the predetermined order is known to both the content delivery network and the origin; and
      
      the content delivery network and the origin each mutually switch to a next predetermined network address from the plurality of network addresses in response to an attack on a current network address for the origin.
  - 9. The method of claim 1 wherein the predetermined order is a formulaic order.
  - 10. The method of claim 1 wherein the predetermined order is a listed order known to both the content delivery network and the origin.

11. A computing apparatus comprising:
- one or more computer readable storage media;
  
  a processing system operatively coupled to the one or more computer readable storage media; and
  
  program instructions stored on the one or more computer readable storage media for implementing a content server in a content delivery network, wherein the content server, when read and executed by the processing system, direct the computing apparatus to at least;
  
  receive requests for content potentially cached by the content delivery network;
  
  in response to the requests, transmit origin requests to an origin to obtain the requested content from the origin, the origin requests sent to a first network address from a plurality of network addresses allocated to the content delivery network and assigned to the origin to establish a privatized link between the content delivery network and the origin; and
  
  in response to an attack on the network address, transmit subsequent origin requests to the origin using a second network address from the plurality of network addresses to obtain the requested content from the origin, the second network address selected from the plurality of network addresses based on a predetermined order.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computing apparatus of claim 11 wherein the program instructions further direct the computing system to, in response to each of the requests, determine if the content can be served from a local cache or if the content must be obtained from the origin.
  - 13. The computing apparatus of claim 12 wherein transmitting the origin requests occurs in response to determining that the content cannot be served from the local cache.
  - 14. The computing apparatus of claim 11 wherein the attack comprises a distributed denial of service (DDoS) attack.
  - 15. The computing apparatus of claim 11 wherein the first network address comprises an Internet protocol (IP) address within an address range allocated to the content delivery network.
  - 16. The computing apparatus of claim 15 wherein:
    - the second network address comprises a different IP address within the address range allocated to the content delivery network;
      
      the predetermined order is known to both the content delivery network and the origin; and
      
      the content delivery network and the origin each mutually switch to a next predetermined network address from the plurality of network addresses in response to an attack on a current network address for the origin.
  - 17. The computing apparatus of claim 15 wherein the address range allocated to the content delivery network comprises a /24 address range.

18. A method of operating an origin server, the method comprising:
- receiving a plurality of network addresses from a content delivery network;
  
  selecting a first network address from the plurality of network addresses as a private network address for the origin server to establish a privatized link between the content delivery network and the origin server;
  
  receiving requests for content from a content server in the content delivery network, wherein the requests are sent to the first network address;
  
  in response to the requests, transmitting the requested content to the content server using the first network address;
  
  in response to an attack on the first network address, switching the private network address to a second network address from the plurality of network addresses according to a predetermined order; and
  
  replying to subsequent requests with the requested content using the second network address.
- View Dependent Claims (19, 20, 21)
- - 19. The method of claim 18 wherein the attack comprises a distributed denial of service (DDoS) attack.
  - 20. The method of claim 19 wherein the first network address comprises an Internet protocol (IP) address within an address range allocated to the content delivery network.
  - 21. The method of claim 19 wherein:
    - the second network address comprises a different IP address within the address range allocated to the content delivery network;
      
      the predetermined order is known to both the content delivery network and the origin server; and
      
      the content delivery network and the origin server each mutually switch to a next predetermined network address from the plurality of network addresses in response to an attack on a current network address for the origin server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fastly Incorporated
Original Assignee
Fastly Incorporated
Inventors
Leach, Sean A., Bergman, Artur, Daly, Thomas J.
Primary Examiner(s)
Li, Meng

Application Number

US16/037,962
Publication Number

US 20190014080A1
Time in Patent Office

644 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/2539   Hiding addresses; Keeping a...

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5038   for local use, e.g. in LAN ...

H04L 61/5061   Pools of addresses

H04L 61/5092   by self-assignment, e.g. pi...

H04L 63/02   for separating internal fro...

H04L 63/1441   Countermeasures against mal...

H04L 67/02   based on web technology, e....

Protecting communications between a content delivery network and an origin server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting communications between a content delivery network and an origin server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links