Identifying targets of network attacks

US 10,097,566 B1
Filed: 07/31/2015
Issued: 10/09/2018
Est. Priority Date: 07/31/2015
Status: Active Grant

First Claim

Patent Images

1. A content delivery system comprising:

a point of presence (“

POP”

) comprising a plurality of computing devices, the point of presence configured to retrieve content requests and transmit, in response to the content requests, a plurality of sets of content;

a domain name system (“

DNS”

) server comprising one or more processors configured with specific computer-executable instructions to retrieve requests for network addresses of individual sets of content from the plurality of sets of content, and to respond to the requests for network addresses with a plurality of network addresses identifying computing devices from the point of presence at which the individual sets of content may be accessed; and

one or more computing devices implementing a target lookup service, the one or more computing devices configured with specific computer-executable instructions to;

detect a network attack on the content delivery system, the network attack directed to a plurality of attacked network addresses, wherein each attacked network address of plurality of attacked network addresses is associated with at least two of the plurality of sets of content on the content delivery system;

generate a mapping between the individual sets of content and corresponding combinations of network addresses on the content delivery system at which the individual sets of content may be accessed, the corresponding combinations of network addresses determined based at least in part on identifiers of the individual sets of content;

compare the plurality of attacked network addresses to the generated mapping to identify a first set of content from the plurality of sets of content that is associated with each attacked network address of the plurality of attacked network addresses; and

identify the first set of content as a target of the network attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described to enable identification of computing resources targeted in a network attack. Network attacks, such as denial of service attacks, are frequently directed to network addresses that host multiple sets of content, each representing a distinct potential target of the network attack. Aspects of this disclosure enable each set of content to be assigned a unique or semi-unique combination of network addresses at which the set of content is accessible. During a network attack, a hosting system can compare the network addresses under attack to those assigned to each set of content to determine which sets of content are potentially targeted by the attack. Where the combination of network addresses is associated with only a single set of content, that set of content can be identified as the target of the network attack.

1352 Citations

19 Claims

1. A content delivery system comprising:
- a point of presence (“
  
  POP”
  
  ) comprising a plurality of computing devices, the point of presence configured to retrieve content requests and transmit, in response to the content requests, a plurality of sets of content;
  
  a domain name system (“
  
  DNS”
  
  ) server comprising one or more processors configured with specific computer-executable instructions to retrieve requests for network addresses of individual sets of content from the plurality of sets of content, and to respond to the requests for network addresses with a plurality of network addresses identifying computing devices from the point of presence at which the individual sets of content may be accessed; and
  
  one or more computing devices implementing a target lookup service, the one or more computing devices configured with specific computer-executable instructions to;
  
  detect a network attack on the content delivery system, the network attack directed to a plurality of attacked network addresses, wherein each attacked network address of plurality of attacked network addresses is associated with at least two of the plurality of sets of content on the content delivery system;
  
  generate a mapping between the individual sets of content and corresponding combinations of network addresses on the content delivery system at which the individual sets of content may be accessed, the corresponding combinations of network addresses determined based at least in part on identifiers of the individual sets of content;
  
  compare the plurality of attacked network addresses to the generated mapping to identify a first set of content from the plurality of sets of content that is associated with each attacked network address of the plurality of attacked network addresses; and
  
  identify the first set of content as a target of the network attack.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The content delivery system of claim 1, wherein the identifiers of the individual sets of content are domain names of the individual sets of content.
  - 3. The content delivery system of claim 1, wherein the attacked network addresses are internet protocol (IP) addresses.
  - 4. The content delivery system of claim 1, wherein the network attack is a denial of service (DoS) attack.
  - 5. The content delivery system of claim 1, wherein the network addresses for an individual set of content are selected from a group of network addresses available to the plurality of sets of content.

6. A computer-implemented method comprising:
- receiving a request from a user computing device for addressing information of a first set of content;
  
  determining at least two network addresses corresponding to the first set of content based at least in part on an identifier of the set of content;
  
  generating a DNS record including the at least two network addresses corresponding to the first set of content;
  
  transmit the DNS record to the user computing device;
  
  detecting a network attack on a content delivery system, the network attack directed to a plurality of attacked network addresses, wherein an attacked network address of the plurality of attacked network addresses is associated with at least two sets of content on the content delivery system, including the first set of content and the second set of content;
  
  generating a mapping between individual sets of content, including the first and second sets of content, and network addresses on the content delivery system at which the individual sets of content may be accessed, the network addresses on the content delivery system at which the individual sets of content may be accessed determined based at least in part on identifiers of the individual sets of content;
  
  comparing the plurality of attacked network addresses to the generated mapping to identify that the first set of content is associated with the plurality of attacked network addresses; and
  
  identifying the first set of content as a target of the network attack.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The computer-implemented method of claim 6, wherein detecting the network attack on the content delivery system comprises receiving a notification of the network attack and a listing of the plurality of attacked network addresses.
  - 8. The computer-implemented method of claim 6, wherein the network addresses for an individual set of content are selected from a group of network addresses available to the plurality of sets of content based at least in part on hashing an identifier of the individual set of content.
  - 9. The computer-implemented method of claim 6 further comprising removing at least one of the plurality of attacked network addresses from DNS records associated with the identified set of content.
  - 10. The computer-implemented method of claim 6 further comprising removing at least one of the plurality of attacked network addresses from DNS records associated with an additional set of content on the content computing system.
  - 11. The computer-implemented method of claim 6, wherein comparing the plurality of attacked network addresses to the generated mapping to identify that the first set of content is associated with the plurality of attacked network addresses comprises determining that the plurality of attacked network addresses identify the first set of content on the content delivery system.
  - 12. The computer-implemented method of claim 6, wherein comparing the plurality of attacked network addresses to the generated mapping to that the first set of content is associated with the plurality of attacked network addresses comprises determining that the plurality of attacked network addresses identifies less than a threshold number of sets of content on the content delivery system.

13. A system comprising:
- one or more computing devices implementing a target lookup service, the one or more computing devices configured with computer-executable instructions that, when executed, cause the one or more computing devices to;
  
  detect a network attack on a content delivery system, the network attack associated with at least two addressing information sets, wherein an addressing information set of the at least two addressing information sets is associated with at least two sets of content on the content delivery system;
  
  generate data mapping individual sets of content on the content delivery system to corresponding combinations of addressing information sets on the content delivery system;
  
  compare the at least two addressing information sets to the generated data to identify a first set of content on the content delivery system that is associated with the at least two addressing information sets; and
  
  identify the first set of content as a target of the network attack; and
  
  a DNS system comprising at least one computing device configured with computer-executable instructions that, when executed, cause the DNS system to;
  
  receive a request from a user computing device for addressing information of the first set of content;
  
  determine the at least two addressing information sets corresponding to the first set of content based at least in part on an identifier of the first set of content;
  
  generate a DNS record including the at least two addressing information sets corresponding to the first set of content; and
  
  transmit the DNS record to the user computing device.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the computer-executable instructions further cause the one or more computing devices to determine that the plurality of attacked network addresses identifies the first set of content on the content delivery system.
  - 15. The system of claim 13, wherein the computer-executable instructions further cause the one or more computing devices to determine that the plurality of attacked network addresses identifies less than a threshold number of sets of content on the content delivery system.
  - 16. The system of claim 13, wherein the computer-executable instructions further cause the one or more computing devices to determine the combinations of addressing information sets corresponding to the individual sets of content based at least in part on processing identifiers of the individual sets of content according to a hashing function.
  - 17. The system of claim 16, wherein the computer-executable instructions cause the one or more computing devices to determine the combinations of addressing information sets corresponding to the individual sets of content in response to detection of the network attack.
  - 18. The system of claim 16, wherein the computer-executable instructions cause the one or more computing devices to determine the combinations of addressing information sets corresponding to the individual sets of content prior to detection of the network attack.
  - 19. The system of claim 13, wherein individual addressing information sets of at least two addressing information sets identify multiple computing devices on the content delivery system at which the set of content is available.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Radlein, Anton Stephen, Jones, Harvo Reyzell, Howard, Craig Wesley, Dye, Nathan Alan
Primary Examiner(s)
Zee, Edward

Application Number

US14/815,863
Time in Patent Office

1,166 Days
Field of Search
US Class Current
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 67/00   Network arrangements or pro...

Identifying targets of network attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

1352 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying targets of network attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1352 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links