Network traffic data scrubbing with services offered via anycasted addresses

US 9,350,706 B1
Filed: 03/13/2014
Issued: 05/24/2016
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method of data scrubbing network traffic, the method comprising:

assigning a first anycast Internet Protocol (“

IP”

) address to each of a plurality of servers;

assigning a second anycast IP address to each of one or more data scrubbing appliances in an at least one data scrubbing appliance network;

establishing, in a routing table at one or more network elements, a first route directing traffic that is addressed to the first anycast IP address to at the least one data scrubbing appliance network;

receiving, at the one or more data scrubbing appliances of the at least one data scrubbing appliance network, network traffic addressed to the first anycast IP address;

filtering, with the one or more data scrubbing appliances, the network traffic to block undesirable network traffic;

transmitting, with the one or more data scrubbing appliances, filtered network traffic from the one or more data scrubbing appliances to at least one data scrubbing router;

establishing one or more tunnels, via the at least one data scrubbing router, to at least one server router;

transmitting, via the one or more tunnels, the filtered network traffic to the at least one server router;

identifying, at the at least one server router, a respective unicast address for each of one or more servers of the plurality of servers assigned to the first anycast IP address;

load balancing the filtered network traffic between the one or more servers, via the at least one server router, wherein the filtered network traffic is routed directly to one or more of the respective unicast addresses of the one or more servers.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Novel tools and techniques for filtering network traffic in an anycasting environment includes receiving network traffic addressed to a plurality of anycasted servers at an edge router, the plurality of anycasted servers comprising one or more anycasted servers. The network traffic is received from the edge server at least one data scrubbing appliance. The at least one data scrubbing appliance filters out undesirable traffic from the network traffic. The at least one data scrubbing appliance “on-ramps” the filtered network traffic to the plurality of anycasted servers. The filtered network traffic is transmitted to the plurality of anycasted servers in a load balanced manner.

63 Citations

View as Search Results

20 Claims

1. A method of data scrubbing network traffic, the method comprising:
- assigning a first anycast Internet Protocol (“
  
  IP”
  
  ) address to each of a plurality of servers;
  
  assigning a second anycast IP address to each of one or more data scrubbing appliances in an at least one data scrubbing appliance network;
  
  establishing, in a routing table at one or more network elements, a first route directing traffic that is addressed to the first anycast IP address to at the least one data scrubbing appliance network;
  
  receiving, at the one or more data scrubbing appliances of the at least one data scrubbing appliance network, network traffic addressed to the first anycast IP address;
  
  filtering, with the one or more data scrubbing appliances, the network traffic to block undesirable network traffic;
  
  transmitting, with the one or more data scrubbing appliances, filtered network traffic from the one or more data scrubbing appliances to at least one data scrubbing router;
  
  establishing one or more tunnels, via the at least one data scrubbing router, to at least one server router;
  
  transmitting, via the one or more tunnels, the filtered network traffic to the at least one server router;
  
  identifying, at the at least one server router, a respective unicast address for each of one or more servers of the plurality of servers assigned to the first anycast IP address;
  
  load balancing the filtered network traffic between the one or more servers, via the at least one server router, wherein the filtered network traffic is routed directly to one or more of the respective unicast addresses of the one or more servers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, further comprising overriding the first route of the routing table with a second route that routes traffic directly to the servers at the first anycast IP address.
  - 3. The method of claim 2, wherein overriding the first route comprises assigning a lower preference value to the first route than the second route at the routing table.
  - 4. The method of claim 3, wherein overriding the first route comprises configuring the second route as a more specific route than the first route.
  - 5. The method of claim 1, further comprising establishing static routes between each of a plurality of routers in communication with the one or more data scrubber appliances and the plurality of servers, wherein transmitting the filtered network traffic comprises transmitting the filtered traffic on the static routes.
  - 6. The method of claim 1, wherein transmitting the filtered network traffic comprises transmitting the filtered network traffic through one or more network tunnels.
  - 7. The method of claim 6, further comprising:
    - configuring a first network tunnel between a first router in communication with at least one of the one or more data scrubbing appliances and a second router in communication with at least one of the plurality of servers;
      
      wherein transmitting the filtered network traffic comprises injecting at least a portion of the filtered network traffic from the one or more data scrubber appliances to the first router.
  - 8. The method of claim 7, further comprising:
    - configuring a plurality of network tunnels, the plurality of network tunnels comprising the first network tunnel, each of the plurality of network tunnels traversing between one of a first plurality of routers collectively in communication with the one or more data scrubbing appliances and one of a second plurality of routers collectively in communication with the plurality of servers, the first plurality of routers comprising the first router and the second plurality of routers comprising the second router;
      
      wherein transmitting the filtered network traffic comprises injecting the filtered network traffic from the one or more data scrubber appliances to at least some of the first plurality of routers.
  - 9. The method of claim 8, further comprising:
    - routing the traffic from the second plurality of routers to the first anycast IP address assigned to each of the plurality of servers, such that traffic from each of the second plurality of routers will be routed to a server of the plurality of servers logically closest to that router.
  - 10. The method of claim 8, further comprising:
    - establishing a static route between each of the second plurality of routers and one or more of the plurality of servers to which the first anycast IP address is assigned.
  - 11. The method of claim 10, wherein each static route routes traffic to a unicast IP address assigned to one of the servers.
  - 12. The method of claim 8, wherein the plurality of network tunnels comprises one or more multiprotocol label switching (“
    - MPLS”
      
      ) network tunnels.
  - 13. The method of claim 8, wherein the plurality of network tunnels comprises one or more generic routing encapsulation (“
    - GRE”
      
      ) network tunnels.
  - 14. The method of claim 1, wherein the plurality of servers comprises a plurality of web servers.
  - 15. The method of claim 1, wherein the plurality of servers comprises a plurality of domain name service (“
    - DNS”
      
      ) servers.
  - 16. The method of claim 1, further comprising:
    - assigning a third anycast IP address to a subset of the plurality of servers, wherein load balancing the filtered network traffic to the one or more servers comprises routing at least some of the filtered network to the second anycast IP address.
  - 17. The method of claim 1, further comprising:
    - receiving, at an edge router, the network traffic addressed to the first anycast IP address;
      
      and transmitting, with the edge router, the network traffic to the one or more data scrubbing appliances;
      
      wherein the one or more network elements includes the edge router, wherein the edge router includes at least part of the routing table.

18. A system for data scrubbing network traffic, the system comprising:
- a plurality of servers, each comprising one or more processors, each of the plurality of servers having assigned thereto a first anycast Internet Protocol (“
  
  IP”
  
  ) address;
  
  a plurality of data scrubbing appliances in communication with the plurality of servers, wherein the plurality of data scrubbing appliances has assigned thereto a second anycast IP address;
  
  one or more network elements having stored thereon a routing table, the routing table comprising a first route directing network traffic that is addressed to the first anycast IP address to one or more of the plurality of data scrubbing appliances;
  
  a first router in communication with one or more data scrubbing appliances of the plurality of data scrubbing appliances;
  
  a second router in communication with one or more servers of the plurality of servers and further in communication with the first router;
  
  wherein the plurality of data scrubbing appliances are configured to;
  
  receive network traffic addressed to the first anycast IP address;
  
  filter the network traffic to block undesirable network traffic;
  
  transmit the filtered network traffic to the first router;
  
  wherein the first router is programmed to;
  
  receive filtered network traffic from the one or more data scrubbing appliances;
  
  establish one or more tunnels to the second router;
  
  transmit, via the one or more tunnels, the filtered network traffic to the second router;
  
  wherein the second router is programmed to;
  
  identify a respective unicast address for each of the one or more servers assigned to the first anycast IP address; and
  
  load balancing the filtered network traffic to the plurality of servers, wherein the filtered network traffic is directly routed to one or more unicast addresses respectively corresponding to one or more servers of the plurality of servers.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, further comprising:
    - a first plurality of routers, comprising the first router, collectively in communication with the plurality of data scrubbing appliances;
      
      a second plurality of routers, comprising the second router, each of the second plurality of routers in communication with one of the first plurality of routers via a network tunnel, the second plurality of routers collectively being in communication with the plurality of servers;
      
      wherein transmitting the filtered network traffic comprises injecting the filtered network traffic from the plurality of data scrubber appliances to at least some of the first plurality of routers.
  - 20. The system of claim 18, wherein the first plurality of routers has assigned thereto a third anycast IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CenturyLink Intellectual Property LLC (Lumen Technologies, Inc.)
Original Assignee
CenturyLink Intellectual Property LLC (Lumen Technologies, Inc.)
Inventors
Garner, Christopher L., Smith, Donald J., Glenn, Michael, Schiel, John A.
Primary Examiner(s)
Khoshnoodi, Nadia
Assistant Examiner(s)
Wilcox, James J

Application Number

US14/209,682
Time in Patent Office

803 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 47/125   by balancing the load, e.g....

H04L 47/801   Real time traffic

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/10   for controlling access to d...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 67/1001   for accessing one among a p...

Network traffic data scrubbing with services offered via anycasted addresses

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network traffic data scrubbing with services offered via anycasted addresses

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links