Method and system for protecting web sites from public internet threats
First Claim
1. A method of protecting a Web site from attack, wherein a given content provider makes the Web site available at an origin server at an IP address, comprising:
establishing and maintaining a content delivery network (CDN) having a set of content servers organized into regions to provide content delivery on behalf of participating content providers;
offloading given content from the Web site to the CDN so that the given content can be delivered from the CDN instead of from the origin server, wherein the offloading step is accomplished by aliasing a given content provider domain to a domain managed by the CDN;
providing at least some of the set of CDN content servers with the IP address of the origin server so that a given CDN content server can locate the origin server in the event that the given content cannot be served from the CDN and the given CDN content server has to return to the origin server to try to obtain the given content;
using the CDN to shield the origin server from given Internet Protocol (IP) traffic routable over the public Internet;
wherein the using step restricts access to the origin server except by CDN content servers that have obtained the IP address of the origin server as a result of the providing step;
wherein the IP address is located in a private IP address space and the using step further includes restricting IP spoofing for addresses within the private IP address space using an access control; and
serving content to a requesting end user from one of the set of content servers.
Abstract
The present invention addresses the known vulnerabilities of Web site infrastructure by making an origin server substantially inaccessible via Internet Protocol traffic. In particular, according to a preferred embodiment, the origin server is “shielded” from the publicly-routable IP address space. Preferably, only given machines (acting as clients) can access the origin server, and then only under restricted, secure circumstances. In a preferred embodiment, these clients are the servers located in a “parent” region of a content delivery network (CDN) tiered distribution hierarchy. The invention implements an origin server shield that protects a site against security breaches and the high cost of Web site downtime by ensuring that the only traffic sent to an enterprise's origin infrastructure preferably originates from CDN servers. The inventive “shielding” technique protects a site's Web servers (as well as backend infrastructure, such as application servers, databases, and mail servers) from unauthorized intrusion, improving site uptime and, in the process, customer loyalty.
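The claim and abstract describe an access-control architecture rather than code. The following Python model is an added illustration, not code from the patent or from any CDN operator: it evaluates the policy the claim describes for a packet addressed to the origin host. Only CDN parent-region servers that were handed the origin's private address (the "providing" step) are accepted, and only over the private link; a packet carrying a private source address but arriving from the public Internet is treated as spoofed (the claim's anti-spoofing control); everything else is dropped, since end users are served by the CDN edge and never by the origin. The address prefixes, interface names and service ports are assumptions chosen for the example.

```python
"""Illustrative model of the 'origin shield' access control described above.

Added example, not the patent's own code.  Topology values are assumptions:
  - the origin sits in RFC 1918 space and is reached by CDN parent-region
    servers over a private interface (eth1);
  - the public Internet is reached over eth0;
  - the CDN parent-region prefixes are documentation ranges used as stand-ins.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Assumed topology (example values).
ORIGIN_IP = ip_address("10.20.0.10")             # origin server, private address space
PRIVATE_INTERFACE = "eth1"                        # link towards the CDN parent region
PUBLIC_INTERFACE = "eth0"                         # link towards the public Internet
SERVICE_PORTS = (80, 443)

# CDN parent-region servers that were given the origin address
# (the "providing" step of the claim).  Example prefixes only.
CDN_PARENT_REGION = (
    ip_network("203.0.113.0/26"),
    ip_network("198.51.100.128/25"),
)

# Private address space that must never appear as a source on the public side.
RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


@dataclass(frozen=True)
class Packet:
    src: str        # source address as text
    dst: str        # destination address as text
    ingress: str    # interface the packet arrived on
    dport: int      # destination port


def _in_any(addr, nets) -> bool:
    """True when addr falls inside any of the given networks."""
    return any(addr in n for n in nets)


def shield_decision(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet under the origin-shield policy."""
    src = ip_address(pkt.src)
    dst = ip_address(pkt.dst)

    if dst != ORIGIN_IP:
        return "DROP", "not addressed to the shielded origin"

    # Anti-spoofing: a private source on the public interface cannot be legitimate,
    # because nothing in the public routing table can deliver a reply there.
    if pkt.ingress == PUBLIC_INTERFACE and _in_any(src, RFC1918):
        return "DROP", "spoofed private source on public interface"

    # The only permitted clients: CDN parent-region servers, over the private
    # link, on the content service ports.  A CDN source address arriving on the
    # public interface is not enough, since source addresses can be forged.
    if (
        pkt.ingress == PRIVATE_INTERFACE
        and _in_any(src, CDN_PARENT_REGION)
        and pkt.dport in SERVICE_PORTS
    ):
        return "ACCEPT", "CDN parent-region fetch"

    return "DROP", "origin is not reachable from the public Internet"


def evaluate(packets: Iterable[Packet]) -> List[Tuple[Packet, str, str]]:
    """Apply the policy to a batch of packets; handy for auditing a rule set."""
    return [(p, *shield_decision(p)) for p in packets]


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "10.20.0.10", "eth1", 443),     # legitimate parent-region fetch
    Packet("198.51.100.200", "10.20.0.10", "eth0", 443),  # CDN address, wrong side of the shield
    Packet("10.20.0.99", "10.20.0.10", "eth0", 80),       # spoofed private source from the Internet
    Packet("192.0.2.55", "10.20.0.10", "eth0", 443),      # end user trying to bypass the CDN
    Packet("203.0.113.7", "10.20.0.10", "eth1", 22),      # CDN server, but not a content port
]

if __name__ == "__main__":
    for pkt, verdict, reason in evaluate(SAMPLE_PACKETS):
        print(f"{verdict:6} {pkt.src:>16} -> {pkt.dst}:{pkt.dport} via {pkt.ingress}  ({reason})")
```

The ingress-interface check is what makes the allowlist meaningful: a packet filter that accepted any packet whose source claimed a CDN address would be defeated by trivial source spoofing, which is exactly the gap the claim closes with its access control on the private address space. In a deployment the same decisions would be expressed in the origin's border packet filter or router ACL rather than in application code.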
196 Citations
6 Claims
Claim 1 is the sole independent claim and is reproduced above under First Claim; claims 2 through 6 depend on it and are not reproduced on this page.