Determining the likelihood of traffic being legitimately received at a proxy server in a cloud-based proxy service

US 8,646,064 B1
Filed: 10/31/2012
Issued: 02/04/2014
Est. Priority Date: 08/07/2012
Status: Active Grant

First Claim

Patent Images

1. A method for determining a likelihood of a packet having a particular source address being received at a particular one of a plurality of proxy servers that are anycasted to a same IP address, wherein the proxy servers are part of a cloud-based proxy service and are situated between a plurality of client computing devices accessing network resources and a plurality of origin servers that serve network resources, the method comprising:

receiving, from each of the plurality of proxy servers, one or more messages that indicate source IP addresses of packets received at that proxy server that are directed to the same IP address, wherein the proxy servers receive traffic at the same IP address as a result of one or more domains resolving to the same IP address; and

wherein a particular one of the proxy servers receives packets directed to the same IP address as a result of an anycast protocol implementation selecting that particular one of the proxy servers as the closest in terms of routing protocol metric used to route traffic to the proxy servers;

determining, based on the one or more messages from each of the plurality of proxy servers, a likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers;

transmitting, to each of the proxy servers, a message that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Message(s) are received from each one of multiple proxy servers, which are anycasted to the same IP address, that indicate source IP addresses of packets that are received that are directed to that same IP address. These proxy servers receive the packets as result of domain(s) resolving to that same IP address, and a particular one of the proxy servers receives the packets as a result of an anycast protocol implementation selecting that proxy server. Based on these message(s) from each of the proxy servers, a determination of the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers is determined A message is transmitted to each of the proxy servers that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.

39 Citations

View as Search Results

27 Claims

1. A method for determining a likelihood of a packet having a particular source address being received at a particular one of a plurality of proxy servers that are anycasted to a same IP address, wherein the proxy servers are part of a cloud-based proxy service and are situated between a plurality of client computing devices accessing network resources and a plurality of origin servers that serve network resources, the method comprising:
- receiving, from each of the plurality of proxy servers, one or more messages that indicate source IP addresses of packets received at that proxy server that are directed to the same IP address, wherein the proxy servers receive traffic at the same IP address as a result of one or more domains resolving to the same IP address; and
  
  wherein a particular one of the proxy servers receives packets directed to the same IP address as a result of an anycast protocol implementation selecting that particular one of the proxy servers as the closest in terms of routing protocol metric used to route traffic to the proxy servers;
  
  determining, based on the one or more messages from each of the plurality of proxy servers, a likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers;
  
  transmitting, to each of the proxy servers, a message that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the message transmitted to each of the proxy servers includes a set of rules to rate limit packets received with source IP addresses that are not likely to be legitimately received by that proxy server.
  - 3. The method of claim 1, wherein the message transmitted to each of the proxy servers includes a set of rules to block packets received with source IP addresses that are not likely to be legitimately received by that proxy server.
  - 4. The method of claim 1, wherein the message transmitted to each of the proxy servers specifies the source IP addresses of packets that are likely to be legitimately received at that proxy server.
  - 5. The method of claim 1, wherein the message transmitted to each of the proxy servers specifies the source IP addresses of packets that are not likely to be legitimately received at that proxy server.
  - 6. The method of claim 1, wherein the step of receiving from each of the plurality of proxy servers the one or more messages that indicate source IP addresses of packets received at that proxy server that are directed to the same IP address, occurs only when the same IP address is not believed to be currently under a denial of service (DoS) attack.
  - 7. The method of claim 1, wherein the one or more messages received from each of the plurality of proxy servers further indicates a number of packets of each source IP address received at that proxy server.
  - 8. The method of claim 1, wherein the one or more messages are received as a result of a client-side script that is inserted by the proxy servers into web pages of domains that resolve to the same IP address, wherein the client-side script, when executed, causes a packet to be transmitted to the same IP address.
  - 9. The method of claim 1, further comprising:
    - responsive to a network event that affects the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers, transmitting a message to the proxy servers that indicates a suspension of any rate limits that have been installed as a result of transmitting the messages to the proxy servers that indicate which source IP addresses of packets are not likely to be legitimately received at the proxy servers.

10. An apparatus, comprising:
- a plurality of proxy servers that are anycasted to a same IP address, wherein each of the plurality of proxy servers is configured to perform the following;
  
  receive packets at the same IP address as a result of one or more domains resolving to the same IP address, wherein this proxy server receives the packets at the same IP address as a result of an anycast protocol implementation selecting this one of the plurality of proxy servers as the closest in terms of routing protocol metric used to route traffic to the plurality of proxy servers;
  
  transmit one or more messages to a central server that indicate source IP addresses of the received packets; and
  
  receive, from the central server, a message that indicate source IP addresses of packets that are not likely to be legitimately received at that proxy server; and
  
  install, based on the received message, one or more rules to rate limit packets that are received having a source IP address that is not likely to be legitimately received at that proxy server; and
  
  the central server coupled with the plurality of proxy servers, wherein the central server is configured to perform the following;
  
  receive, from each of the plurality of proxy servers, the one or more messages that indicate source IP addresses of the received packets;
  
  determine, based on the one or more messages received from the plurality of proxy servers, a likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers; and
  
  transmit, to each of the proxy servers, the message that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus of claim 10, wherein the message transmitted to each of the proxy servers includes a set of rules to rate limit packets received with source IP addresses that are not likely to be legitimately received by that proxy server.
  - 12. The apparatus of claim 10, wherein the message transmitted to each of the proxy servers includes a set of rules to block packets received with source IP addresses that are not likely to be legitimately received by that proxy server.
  - 13. The apparatus of claim 10, wherein the message transmitted to each of the proxy servers specifies the source IP addresses of packets that are likely to be legitimately received at that proxy server.
  - 14. The apparatus of claim 10, wherein the message transmitted to each of the proxy servers specifies the source IP addresses of packets that are not likely to be legitimately received at that proxy server.
  - 15. The apparatus of claim 10, wherein the proxy servers are configured to transmit the one or more messages to the central server that indicate source IP addresses of the received packets only when the destination IP address of those packets is not believed to be currently under a denial of service (DoS) attack.
  - 16. The apparatus of claim 10, wherein the one or more messages to be transmitted by each of the proxy servers further indicates a number of packets of each source IP address received at that proxy server.
  - 17. The apparatus of claim 10, wherein the one or more messages to be transmitted by each of the proxy servers are to be transmitted as a result of a client-side script that is inserted by the proxy servers into web pages of domains that resolve to the same IP address, wherein the client-side script, when executed, causes a packet to be transmitted to the same IP address.
  - 18. The apparatus of claim 10, further comprising:
    - responsive to a network event that affects the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers, transmitting a message to the proxy servers that indicates a suspension of any rate limits that have been installed as a result of transmitting the messages to the proxy servers that indicate which source IP addresses of packets are not likely to be legitimately received at the proxy servers.

19. A non-transitory computer-readable storage medium that provides instructions that, if executed by a processor, will cause said processor to perform operations for determining a likelihood of a packet having a particular source address being received at a particular one of a plurality of proxy servers that are anycasted to a same IP address, wherein the proxy servers are part of a cloud-based proxy service and are situated between a plurality of client computing devices accessing network resources and a plurality of origin servers that serve network resources, the operations comprising:
- receiving, from each of the plurality of proxy servers, one or more messages that indicate source IP addresses of packets received at that proxy server that are directed to the same IP address, wherein the proxy servers receive traffic at the same IP address as a result of one or more domains resolving to the same IP address; and
  
  wherein a particular one of the proxy servers receives packets directed to the same IP address as a result of an anycast protocol implementation selecting that particular one of the proxy servers as the closest in terms of routing protocol metric used to route traffic to the proxy servers;
  
  determining, based on the one or more messages from each of the plurality of proxy servers, a likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers;
  
  transmitting, to each of the proxy servers, a message that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The non-transitory computer-readable storage medium of claim 19, wherein the message transmitted to each of the proxy servers includes a set of rules to rate limit packets received with source IP addresses that are not likely to be legitimately received by that proxy server.
  - 21. The non-transitory computer-readable storage medium of claim 19, wherein the message transmitted to each of the proxy servers includes a set of rules to block packets received with source IP addresses that are not likely to be legitimately received by that proxy server.
  - 22. The non-transitory computer-readable storage medium of claim 19, wherein the message transmitted to each of the proxy servers specifies the source IP addresses of packets that are likely to be legitimately received at that proxy server.
  - 23. The non-transitory computer-readable storage medium of claim 19, wherein the message transmitted to each of the proxy servers specifies the source IP addresses of packets that are not likely to be legitimately received at that proxy server.
  - 24. The non-transitory computer-readable storage medium of claim 19, wherein the step of receiving from each of the plurality of proxy servers the one or more messages that indicate source IP addresses of packets received at that proxy server that are directed to the same IP address, occurs only when the same IP address is not believed to be currently under a denial of service (DoS) attack.
  - 25. The non-transitory computer-readable storage medium of claim 19, wherein the one or more messages received from each of the plurality of proxy servers further indicates a number of packets of each source IP address received at that proxy server.
  - 26. The non-transitory computer-readable storage medium of claim 19, wherein the one or more messages are received as a result of a client-side script that is inserted by the proxy servers into web pages of domains that resolve to the same IP address, wherein the client-side script, when executed, causes a packet to be transmitted to the same IP address.
  - 27. The non-transitory computer-readable storage medium of claim 19, wherein the operations further comprise:
    - responsive to a network event that affects the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers, transmitting a message to the proxy servers that indicates a suspension of any rate limits that have been installed as a result of transmitting the messages to the proxy servers that indicate which source IP addresses of packets are not likely to be legitimately received at the proxy servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
CloudFlare Incorporated
Inventors
Holloway, Lee Hahn, Rao, Srikanth N., Prince, Matthew Browning, Tourne, Matthieu Philippe Franois, Pye, Ian Gerald, Bejjani, Ray Raymond, Rodery, Terry Paul Jr.
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US13/665,807
Publication Number

US 20140047539A1
Time in Patent Office

461 Days
Field of Search

None
US Class Current

726/12
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0281   Proxies

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

Determining the likelihood of traffic being legitimately received at a proxy server in a cloud-based proxy service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Determining the likelihood of traffic being legitimately received at a proxy server in a cloud-based proxy service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links