Mitigating network attacks

US 9,774,619 B1
Filed: 09/24/2015
Issued: 09/26/2017
Est. Priority Date: 09/24/2015
Status: Expired due to Fees

First Claim

Patent Images

1. A content delivery system comprising:

a point of presence (“

POP”

) comprising a plurality of computing devices, the point of presence configured to retrieve content requests and transmit, in response to the content requests, a plurality of sets of content;

a domain name system (“

DNS”

) server comprising one or more processors configured with specific computer-executable instructions to retrieve requests for network addresses of individual sets of content on the content delivery system, and to respond to the requests with network addresses identifying computing devices from the POP at which the individual sets of content may be accessed; and

one or more computing devices implementing an attack mitigation service, the one or more computing devices configured with specific computer-executable instructions to;

detect a network attack on the POP, wherein the network attack is directed to a combination of network addresses, including at least two different network addresses, utilized by the POP;

identify, based at least in part on the combination of network addresses, a first set of content, from the plurality of sets of content, as a target of the network attack;

identify, based at least in part on the combination of network addresses, a second set of content, from the plurality of sets of content, as not targeted by the network attack, wherein the second set of content is made available at at least one network address of the combination of network addresses; and

segregate traffic associated with the first and second sets of content at least partly by transmitting instructions to the DNS server to provide, in response to requests to resolve an identifier of the first set of content, network addresses associated with a second POP of the content delivery system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attacked-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.

Citations

20 Claims

1. A content delivery system comprising:
- a point of presence (“
  
  POP”
  
  ) comprising a plurality of computing devices, the point of presence configured to retrieve content requests and transmit, in response to the content requests, a plurality of sets of content;
  
  a domain name system (“
  
  DNS”
  
  ) server comprising one or more processors configured with specific computer-executable instructions to retrieve requests for network addresses of individual sets of content on the content delivery system, and to respond to the requests with network addresses identifying computing devices from the POP at which the individual sets of content may be accessed; and
  
  one or more computing devices implementing an attack mitigation service, the one or more computing devices configured with specific computer-executable instructions to;
  
  detect a network attack on the POP, wherein the network attack is directed to a combination of network addresses, including at least two different network addresses, utilized by the POP;
  
  identify, based at least in part on the combination of network addresses, a first set of content, from the plurality of sets of content, as a target of the network attack;
  
  identify, based at least in part on the combination of network addresses, a second set of content, from the plurality of sets of content, as not targeted by the network attack, wherein the second set of content is made available at at least one network address of the combination of network addresses; and
  
  segregate traffic associated with the first and second sets of content at least partly by transmitting instructions to the DNS server to provide, in response to requests to resolve an identifier of the first set of content, network addresses associated with a second POP of the content delivery system.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The content delivery system of claim 1, wherein the combination of network addresses includes internet protocol (IP) addresses.
  - 3. The content delivery system of claim 1, wherein the network attack is a denial of service (DoS) attack.
  - 4. The content delivery system of claim 1, wherein the specific computer-executable instructions further configure the one or more computing devices to segregate traffic associated with the first and second sets of content at least partly by transmitting instructions to the DNS service to provide, in response to request to resolve an identifier of the second set of content network addresses associated with a third POP of the content delivery system.
  - 5. The content delivery system of claim 1, wherein the specific computer-executable instructions further configure the one or more computing devices to generate the instructions to the DNS server, and wherein the instructions request that the DNS server identify the second POP based at least in part on a characteristic of the second POP included within the instructions.
  - 6. The content delivery system of claim 5, wherein the characteristic of the second POP includes execution, by the second POP, of network attack mitigation software.

7. A computer-implemented method comprising:
- detecting a network attack on one or more computing devices of a content delivery system, wherein the network attack is directed to a combination of network addresses, including at least two different network addresses, utilized by the one or more computing devices, and wherein the one or more computing devices provide access to a plurality of sets of content;
  
  identifying a first set of content, from the plurality of sets of contents, as a target of the network attack based at least partly on the combination of network addresses to which the attack is directed;
  
  identifying, based at least in part on the combination of network addresses, a second set of content, from the plurality of sets of content, as not targeted by the network attack, wherein the second set of content is made available at at least one network address of the combination of network addresses; and
  
  mitigating the network attack based at least in part on segregating traffic associated with the first and second sets of content, wherein segregating the traffic comprises transmitting instructions to a resolution server of the content delivery system to provide, in response to requests to resolve an identifier of the first set of content, a second combination of network addresses associated with one or more alternative computing devices on the content delivery system.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-implemented method of claim 7, wherein the second combination of network addresses is associated with the one or more alternative computing devices via anycast routing.
  - 9. The computer-implemented method of claim 7 further comprising selecting the second combination of network addresses based at least in part on an association of the second combination of network addresses with one or more physical ports of a routing device within the content delivery system.
  - 10. The computer-implemented method of claim 7 further comprising:
    - gathering impact data for the network attack from the content delivery system; and
      
      selecting the one or more alternative computing devices based at least in part on comparing the impact data to a set of rules mapping impact data criteria to potential computing devices.
  - 11. The computer-implemented method of claim 7, wherein identifying the first set of content as the target of the network attack comprises determining that the combination of network addresses is included within a set of network addresses that identifies the first set of content.
  - 12. The computer-implemented method of claim 7 further comprising:
    - gathering impact data for the network attack on the one or more alternative computing devices;
      
      determining that the impact data satisfies a threshold value; and
      
      transmitting instructions to the resolution server to provide, in response to requests to resolve the identifier of the first set of content, a network address, wherein the content delivery system is configured to discard data addressed to the network address.

13. Non-transitory computer-readable media comprising computer-executable instructions that, when executed by a computing system, cause the computing system to:
- detect a network attack on a content delivery system, wherein the network attack is directed to a combination of addressing information sets, including at least two different addressing information sets, utilized by one or more computing devices of the content delivery system, and wherein the one or more computing devices provide access to a plurality of sets of content;
  
  identify a first set of content, from the plurality of sets of contents, as a target of the network attack based at least partly on the combination of addressing information sets to which the attack is directed;
  
  identify, based at least in part on the combination addressing information sets, a second set of content, from the plurality of sets of content, as not targeted by the network attack, wherein the second set of content is made available at at least one network address of the combination of network addresses;
  
  receive a request from an accessing computing device to resolve an identifier of the first set of content;
  
  based at least partly on identifying the first set of content as the target of the network attack, determine a second combination of addressing information sets to include within a response to the request, wherein the combination of addressing information sets are associated with one or more alternative computing devices on the content delivery system; and
  
  transmit the second combination of network addresses to the accessing computing device in response to the request.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable media of claim 13, wherein addressing information sets comprises at least one of a network address, a port number, and a protocol.
  - 15. The non-transitory computer-readable media of claim 13, wherein execution of the computer-executable instructions further causes the computing system to:
    - obtain impact data for the network attack from the content delivery system; and
      
      determine the second combination of addressing information sets at least partly by comparing the impact data to a set of rules maintained in a data store of the content delivery system, the set of rules associating impact data criteria to addressing information sets of the content delivery system.
  - 16. The non-transitory computer-readable media of claim 13, wherein execution of the computer-executable instructions further causes the computing system to determine the second combination of addressing information sets based at least in part on an association of the second combination of addressing information sets with one or more physical ports of a routing device within the content delivery system.
  - 17. The non-transitory computer-readable media of claim 13, wherein execution of the computer-executable instructions further causes the computing system to:
    - receive a request from an accessing computing device to resolve an identifier of the second set of content;
      
      based at least partly on identifying the second set of content as not targeted by the network attack, determine a third combination of addressing information sets to include within a response to the request; and
      
      transmit the third combination of network addresses to the accessing computing device in response to the request.
  - 18. The non-transitory computer-readable media of claim 13, wherein execution of the computer-executable instructions further causes the computing system to identify, based at least in part on the combination of network addresses, the first set of content as a target of the network attack at least partly by determining that the combination of addressing information sets is including within a plurality of addressing information sets that identify the first set of content.
  - 19. The non-transitory computer-readable media of claim 13, wherein execution of the computer-executable instructions further causes the computing system to:
    - gather impact data for the network attack on the one or more alternative computing devices;
      
      determine that the impact data satisfies a threshold value;
      
      receive a second request to resolve the identifier of the first set of content; and
      
      transmit, in response to the second request, a predetermined addressing information set, wherein one or more routing devices within the content delivery system are configured to delay responses to data directed to the predetermined addressing information set.
  - 20. The non-transitory computer-readable media of claim 13, wherein execution of the computer-executable instructions further causes the computing system to:
    - gather impact data for the network attack on the one or more alternative computing devices;
      
      receive a second request to resolve the identifier of the first set of content;
      
      determine a third combination of addressing information sets to include within a response to the second request based at least in part on the impact data; and
      
      transmit a response to the second request including the third combination of network addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Radlein, Anton Stephen, Dye, Nathan Alan, Howard, Craig Wesley, Jones, Harvo Reyzell
Primary Examiner(s)
Le, Chau

Application Number

US14/864,638
Time in Patent Office

733 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Mitigating network attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigating network attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links