Network addresses with encoded DNS-level information
First Claim
1. A content delivery system configured to mitigate network attacks on a domain name, wherein the domain name is associated with content provided by the content delivery system, the content delivery system comprising:

- a domain name system (DNS) computing device comprising a processor configured with computer-executable instructions to:
  - obtain one or more encoding rules for encoding DNS-level information into network addresses provided by the DNS computing device, wherein the one or more rules comprise multiple rule versions;
  - obtain a request to resolve the domain name into a network address of a host device providing content associated with the domain name;
  - encode, into the network address of the host device and according to the one or more encoding rules, the domain name and a version identifier associated with a rule version, of the multiple rule versions, utilized in encoding the encoded network address; and
  - return the network address of the host device in response to the request;
- a computing device comprising a processor configured with computer-executable instructions to:
  - obtain one or more decoding rules for decoding DNS-level information encoded into network addresses by the DNS computing device;
  - detect a malicious data packet addressed to the network address of the host device, wherein the malicious data packet forms at least a part of a network attack on the content delivery system;
  - decode, according to the one or more decoding rules, the domain name from the network address of the host device to which the malicious data packet is addressed; and
  - identify the domain name decoded from the network address of the host device to which the malicious data packet is addressed as a target of the network attack.
1 Assignment
0 Petitions
Abstract
Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.
1602 Citations
19 Claims
1. (Identical to the first claim reproduced above under "First Claim".) Dependent claims: 2, 3, 4, 5.
6. A computer-implemented method for providing DNS-level information within encoded network addresses, the computer-implemented method comprising:

- obtaining one or more rules for encoding DNS-level information into the encoded network addresses and decoding DNS-level information from the encoded network addresses, wherein the rules specify a format of the DNS-level information when encoded in the encoded network addresses and individual bits of the encoded network addresses to utilize in representing the DNS-level information;
- receiving a DNS request to resolve a domain name into a network address of a host device providing content associated with the domain name;
- using the one or more rules to encode DNS-level information associated with the DNS request into the network address of the host device, wherein the one or more rules comprise multiple rule versions, and wherein using the one or more rules to encode the DNS-level information associated with the DNS request into the network address of the host device further comprises encoding into the network address a version identifier associated with a rule version, of the multiple rule versions, utilized in encoding the network address;
- returning the network address of the host device in response to the DNS request;
- receiving a network packet addressed to the network address of the host device;
- using the one or more rules to decode the DNS-level information from the network address of the host device; and
- routing the data packet addressed to the network address based at least in part on the DNS-level information decoded from the network address of the host device.

Dependent claims: 7, 8, 9, 10, 11, 12.
13. Non-transitory computer-readable media comprising computer-executable instructions for encoding DNS-level information within network addresses that, when executed, cause a computing system to:

- obtain one or more rules for encoding the DNS-level information into the network addresses and decoding the DNS-level information from the network addresses;
- obtain a request for an encoded network address of a host device providing content associated with a domain name, wherein the request includes DNS-level information associated with a DNS request to resolve the domain name into the encoded network address of the host device;
- encode the DNS-level information into the encoded network address of the host device according to at least the one or more rules, wherein the one or more rules comprise multiple rule versions, and wherein the instructions further cause the computing system to encode into the network address a version identifier associated with a rule version, of the multiple rule versions, utilized in encoding the network address;
- return the encoded network address of the host device in response to the request;
- receive a network request associated with the encoded network address of the host device;
- decode the encoded network address of the host device according to at least the one or more rules to result in the DNS-level information; and
- respond to the network request based at least in part on the DNS-level information obtained by decoding the encoded network address of the host device.

Dependent claims: 14, 15, 16, 17, 18, 19.
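The encode/decode path the abstract and the claims describe, as an added example that is not the patent's own code: the DNS side packs a rule-version identifier, a content-set identifier standing for the domain name, and a validity tag into the low bits of an IPv6 address; the host side recovers the version, checks the tag, and names the domain a packet was aimed at. The 2001:db8:1::/48 prefix, the per-version bit layouts and keys, the content-set registry, and the use of an HMAC tag in place of the digital signature the abstract mentions are all assumptions made for this example.

```python
import hmac, hashlib, ipaddress

# Constructed example values: a /48 the CDN announces, one bit layout and shared key
# per rule version, and a registry mapping content-set ids to domain names.
PREFIX = 0x2001_0db8_0001 << 80                 # 2001:db8:1::/48 (assumed)
RULES = {                                        # version -> (id_bits, tag_bits, key)
    1: (28, 48, b"v1-demo-key"),                 # older layout: 28-bit id, 48-bit tag
    2: (36, 40, b"v2-demo-key"),                 # newer layout: 36-bit id, 40-bit tag
}
CONTENT_SETS = {0x1A2B3C: "www.example.com", 0x2B3C4D: "static.example.net"}

def _tag(version, content_id, key, tag_bits):
    """Truncated HMAC over (version, content id); stands in for the digital signature."""
    msg = f"{version}:{content_id}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - tag_bits)

def encode_address(domain, version):
    """DNS side: low 80 bits = 4-bit version | content-set id | validity tag."""
    id_bits, tag_bits, key = RULES[version]
    assert id_bits + tag_bits == 76              # 80 low bits minus the 4-bit version field
    content_id = next(cid for cid, d in CONTENT_SETS.items() if d == domain)
    low = (version << 76) | (content_id << tag_bits) | _tag(version, content_id, key, tag_bits)
    return ipaddress.IPv6Address(PREFIX | low)

def decode_address(addr):
    """Host side: return (version, domain) or None if the address is not a valid encoding."""
    low = int(ipaddress.IPv6Address(addr)) & ((1 << 80) - 1)
    version = low >> 76
    if version not in RULES:                     # unknown rule version: cannot decode
        return None
    id_bits, tag_bits, key = RULES[version]
    content_id = (low >> tag_bits) & ((1 << id_bits) - 1)
    got = (low & ((1 << tag_bits) - 1)).to_bytes(8, "big")
    want = _tag(version, content_id, key, tag_bits).to_bytes(8, "big")
    if not hmac.compare_digest(got, want):       # tag mismatch: forged or corrupted address
        return None
    return version, CONTENT_SETS.get(content_id)

def attack_target(dst_addr):
    """Name the domain a packet flagged as malicious was aimed at, from its destination alone."""
    decoded = decode_address(dst_addr)
    return decoded[1] if decoded else None
```

Because the version field is read first, addresses issued under the older layout keep decoding after the newer one is rolled out, and an address with an unknown version or a bad tag is rejected without consulting any separate mapping.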
Specification