Network addresses with encoded DNS-level information

US 10,616,250 B2
Filed: 12/22/2016
Issued: 04/07/2020
Est. Priority Date: 10/05/2016
Status: Active Grant

First Claim

Patent Images

1. A content delivery system configured to mitigate network attacks on a domain name, wherein the domain name is associated with content provided by the content delivery system, the content delivery system comprising:

a domain name system (DNS) computing device comprising a processor configured with computer-executable instructions to;

obtain one or more encoding rules for encoding DNS-level information into network addresses provided by the DNS computing device, wherein the one or more rules comprise multiple rule versions;

obtain a request to resolve the domain name into a network address of a host device providing content associated with the domain name;

encode, into the network address of the host device and according to the one or more encoding rules, the domain name and a version identifier associated with a rule version, of the multiple rule versions, utilized in encoding the encoded network address; and

return the network address of the host device in response to the request;

a computing device comprising a processor configured with computer-executable instructions to;

obtain one or more decoding rules for decoding DNS-level information encoded into network addresses by the DNS computing device;

detect a malicious data packet addressed to the network address of the host device, wherein the malicious data packet forms at least a part of a network attack on the content delivery system;

decode, according to the one or more decoding rules, the domain name from the network address of the host device which the malicious data packet is addressed; and

identify the domain name decoded from the network address of the host device to which the malicious data packet is addressed as a target of the network attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.

1602 Citations

19 Claims

1. A content delivery system configured to mitigate network attacks on a domain name, wherein the domain name is associated with content provided by the content delivery system, the content delivery system comprising:
- a domain name system (DNS) computing device comprising a processor configured with computer-executable instructions to;
  
  obtain one or more encoding rules for encoding DNS-level information into network addresses provided by the DNS computing device, wherein the one or more rules comprise multiple rule versions;
  
  obtain a request to resolve the domain name into a network address of a host device providing content associated with the domain name;
  
  encode, into the network address of the host device and according to the one or more encoding rules, the domain name and a version identifier associated with a rule version, of the multiple rule versions, utilized in encoding the encoded network address; and
  
  return the network address of the host device in response to the request;
  
  a computing device comprising a processor configured with computer-executable instructions to;
  
  obtain one or more decoding rules for decoding DNS-level information encoded into network addresses by the DNS computing device;
  
  detect a malicious data packet addressed to the network address of the host device, wherein the malicious data packet forms at least a part of a network attack on the content delivery system;
  
  decode, according to the one or more decoding rules, the domain name from the network address of the host device which the malicious data packet is addressed; and
  
  identify the domain name decoded from the network address of the host device to which the malicious data packet is addressed as a target of the network attack.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The content delivery system of claim 1, wherein the network address is formatted as an Internet Protocol version 6 (Ipv6) address.
  - 3. The content delivery system of claim 1, wherein the one or more encoding rules specify information to be included within individual bits of the network addresses.
  - 4. The content delivery system of claim 1, wherein the network address comprises a first portion corresponding to routing information on a publically addressable network, and a second portion including encoded DNS-level information.
  - 5. The content delivery system of claim 1, wherein the computing device is at least one of a content server computing device or a networking routing computing device.

6. A computer-implemented method for providing DNS-level information within encoded network addresses, the computer-implemented method comprising:
- obtaining one or more rules for encoding DNS-level information into the encoded network addresses and decoding DNS-level information from the encoded network addresses, wherein the rules specify a format of the DNS-level information when encoded in the encoded network addresses and individual bits of the encoded network addresses to utilize in representing the DNS-level information;
  
  receiving a DNS request to resolve a domain name into a network address of a host device providing content associated with the domain name;
  
  using the one or more rules to encode DNS-level information associated with the DNS request into the network address of the host device, wherein one or more rules comprise multiple rule versions, and wherein using the one or more rules to encode the DNS-level information associated with the DNS request into the network address of the host device further comprising encoding into the network address a version identifier associated with a rule version, of the multiple rule versions, utilized in encoding the network address;
  
  returning the network address of the host device in response to the DNS request;
  
  receiving a network packet addressed to the network address of the host device;
  
  using the one or more rules to decode the DNS-level information from the network address of the host device; and
  
  routing data packet address to the network address based at least in part on the DNS-level information decoded from the network address of the host device.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The computer-implemented method of claim 6, wherein the DNS-level information includes at least one of the domain name, security information associated with the domain name, timing information of the DNS request, information specifying a source of the DNS request, or validity information indicating a validity of the network address generated based at least in part on the DNS request.
  - 8. The computer-implemented method of claim 6, wherein the DNS-level information includes the domain name, the computer-implemented method further comprising:
    - identifying the network packet as malicious and forming at least part of a network attack; and
      
      identifying the domain name decoded from the network address to which the malicious network packet is addressed as a target of the network attack.
  - 9. The computer-implemented method of claim 6, wherein the DNS-level information includes validity information, and wherein routing the data packet based at least in part on the DNS-level information decoded from the network address comprises:
    - detecting that the validity information indicates that network packet is addressed to an invalid network address; and
      
      discarding the network packet.
  - 10. The computer-implemented method of claim 6, wherein the DNS-level information includes validity information, and wherein routing the data packet based at least in part on the DNS-level information decoded from the network address comprises:
    - detecting that the validity information indicates that network packet is addressed to a valid network address; and
      
      routing the network packet to a content server associated with the domain name.
  - 11. The computer-implemented method of claim 10, wherein the validity information indicates a time of the DNS request, and wherein detecting that the validity information indicates that network packet is addressed to the valid network address includes detecting that a period of time between a current time and the time of the DNS request falls with a threshold time-to-live value.
  - 12. The computer-implemented method of claim 10, wherein the validity information includes a digital signature associated with a public key, and wherein detecting that the validity information indicates that network packet is addressed to the valid network address includes verifying the digital signature using the public key.

13. Non-transitory computer-readable media comprising computer-executable instructions for encoding DNS-level information within network addresses that, when executed, cause a computing system to:
- obtain one or more rules for encoding the DNS-level information into the network addresses and decoding the DNS-level information from the network addresses;
  
  obtain a request for an encoded network address of a host device providing content associated with a domain name, wherein the request includes DNS-level information associated with a DNS request to resolve the domain name into the encoded network address of the host device;
  
  encode the DNS-level information into the encoded network address of the host device according to at least the one or more rules, wherein one or more rules comprise multiple rule versions, and wherein the instructions further cause the computing system to encode into the network address a version identifier associated with a rule version, of the multiple rule versions, utilized in encoding the network address;
  
  return the encoded network address of the host device in response to the request;
  
  receive a network request associated with the encoded network address of the host device;
  
  decode the encoded network address of the host device according to at least the one or more rules to result in the DNS-level information; and
  
  respond to the network request based at least in part on the DNS-level information obtained by decoding the encoded network address of the host device.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The non-transitory computer-readable media of claim 13, wherein the network request is at least one of a request to decode the encoded network address or a request to obtain content associated with the encoded network address.
  - 15. The non-transitory computer-readable media of claim 13, wherein the computer-executable instructions cause the computing system to respond to the network request based at least in part on the DNS-level information by at least one of:
    - returning the DNS-level information in response to the network request;
      
      returning content associated with the network request;
      
      discarding the network request;
      
      or forwarding the network request to a content server associated with the DNS-level information.
  - 16. The non-transitory computer-readable media of claim 13, wherein the DNS-level information includes a domain name and an identifier of a security certificate associated with the domain name, and wherein the computer-executable instructions cause the computing system to respond to the network request at least partly by initiating a secure connection utilizing the security certificate.
  - 17. The non-transitory computer-readable media of claim 13, wherein the computer-executable instructions cause the computing system to determine the rule version of the multiple rule versions to utilize in encoding the encoded network address based at least in part on a current time and a security level associated with the domain name.
  - 18. The non-transitory computer-readable media of claim 13, wherein the DNS-level information includes a domain name, and wherein the computer-executable instructions cause the computing system to encode the DNS-level information into the encoded network address at least in part by:
    - hashing the domain name according to a hash function to result in a hash value; and
      
      including the hash value as a portion of the encoded network address.
  - 19. The non-transitory computer-readable media of claim 18, wherein the hash function is a cryptographic hash function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Uppal, Hardeep Singh, Vasquez, Jorge, Howard, Craig Wesley, Radlein, Anton Stephen
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
White Taylor, Sakinah

Application Number

US15/389,276
Publication Number

US 20180097831A1
Time in Patent Office

1,202 Days
Field of Search

726 22
US Class Current
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 2101/659   Internet protocol version 6...

H04L 45/20   Hop count for routing purpo...

H04L 45/7453   using hashing

H04L 61/4511   using domain name system [DNS]

H04L 63/0428   wherein the data content is...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3247   involving digital signatures

Network addresses with encoded DNS-level information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

1602 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Network addresses with encoded DNS-level information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1602 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others