Mitigating network attacks

US 9,742,795 B1
Filed: 09/24/2015
Issued: 08/22/2017
Est. Priority Date: 09/24/2015
Status: Active Grant

First Claim

Patent Images

1. A content delivery system comprising:

a first point of presence (“

POP”

) comprising a first plurality of computing devices, the first POP configured to retrieve and respond to client requests for a plurality of sets of content;

a second POP comprising a second plurality of computing devices, the second POP configured to retrieve and respond to client requests for the plurality of sets of content; and

one or more computing devices implementing an attack mitigation service, the one or more computing devices configured with specific computer-executable instructions to;

detect a network attack on the first POP, wherein the network attack is directed to a combination of network addresses utilized by the first POP;

identify, based at least in part on the combination of network addresses, a first set of content, from the plurality of sets of content, as a target of the network attack;

identify, based at least in part on the combination of network addresses, a second set of content, from the plurality of sets of content, as not targeted by the network attack, wherein the second set of content is made available at at least one network address of the combination of network addresses;

disassociate the second set of content from the at least one network address; and

modify routing of network transmissions to the first set of content based at least partly on transmitting instructions to the first POP to withdrawal its association with the combination of network addresses and transmitting instructions to the second POP to generate an association between the second POP and the combination of network addresses.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attacked-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.

1241 Citations

23 Claims

1. A content delivery system comprising:
- a first point of presence (“
  
  POP”
  
  ) comprising a first plurality of computing devices, the first POP configured to retrieve and respond to client requests for a plurality of sets of content;
  
  a second POP comprising a second plurality of computing devices, the second POP configured to retrieve and respond to client requests for the plurality of sets of content; and
  
  one or more computing devices implementing an attack mitigation service, the one or more computing devices configured with specific computer-executable instructions to;
  
  detect a network attack on the first POP, wherein the network attack is directed to a combination of network addresses utilized by the first POP;
  
  identify, based at least in part on the combination of network addresses, a first set of content, from the plurality of sets of content, as a target of the network attack;
  
  identify, based at least in part on the combination of network addresses, a second set of content, from the plurality of sets of content, as not targeted by the network attack, wherein the second set of content is made available at at least one network address of the combination of network addresses;
  
  disassociate the second set of content from the at least one network address; and
  
  modify routing of network transmissions to the first set of content based at least partly on transmitting instructions to the first POP to withdrawal its association with the combination of network addresses and transmitting instructions to the second POP to generate an association between the second POP and the combination of network addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The content delivery system of claim 1, wherein the combination of network addresses includes internet protocol (IP) addresses.
  - 3. The content delivery system of claim 1, wherein the network attack is a denial of service (DoS) attack.
  - 4. The content delivery system of claim 1, wherein the instructions to the first POP to withdrawal its association with the combination of network addresses comprise instructions for the first POP to generate a border gateway protocol (“
    - BGP”
      
      ) packet and transmit the BGP packet to at least one router in communication with the first POP.
  - 5. The content delivery system of claim 1, wherein the specific computer-executable instructions configure the one or more computing devices to disassociate the second set of content from the at least one network address at least partly by transmitting instructions to a domain name system (“
    - DNS”
      
      ) server to provide, in response to requests to resolve an identifier of the second set of content, network addresses associated with a third POP of the content delivery system.
  - 6. The content delivery system of claim 1, wherein the specific computer-executable instructions further configure the one or more computing devices to transmit instructions to a third POP to generate an association between the third POP and least one network address.
  - 7. The content delivery system of claim 1, wherein individual sets of content, within the plurality of sets of content, correspond to individual domain names.
  - 8. The content delivery system of claim 1, wherein individual sets of content, within the plurality of sets of content, correspond to individual web sites.
  - 9. The content delivery system of claim 1, wherein individual sets of content, within the plurality of sets of content, correspond to individual network-accessible services.

10. A computer-implemented method comprising:
- detecting a network attack on a first set of computing devices of a content delivery system, wherein the network attack is directed to a combination of network addresses utilized by the first set of computing devices, and wherein the first set of computing devices provide access to a plurality of sets of content;
  
  identifying a first set of content, from the plurality of sets of contents, as a target of the network attack based at least partly on the combination of network addresses to which the attack is directed;
  
  identifying, a second set of content, from the plurality of sets of contents, as not targeted by the network attack based at least partly on the combination of network addresses to which the attack is directed, wherein the second set of content is made available at at least one network address of the combination of network addresses; and
  
  mitigating the network attack based at least in part on disassociating the second set of content from the at least one network address and transmitting instructions to one or more routing devices, in communication with the content delivery system, to redirect traffic addressed to the combination of network addresses from the first set of computing devices to a second set of computing devices on the content delivery system.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer-implemented method of claim 10, wherein the instructions cause the one or more routing devices to associate the second set of computing devices with the combination of network addresses via anycast routing.
  - 12. The computer-implemented method of claim 10, wherein the instructions cause the one or more routing devices to limit traffic addressed to the combination of network addresses to less than all physical ports on the one or more routing devices.
  - 13. The computer-implemented method of claim 10 further comprising:
    - gathering impact data for the network attack from the content delivery system; and
      
      selecting the second set of computing devices based at least in part on comparing the impact data to a set of rules associating impact data criteria to potential sets of computing devices.
  - 14. The computer-implemented method of claim 10, wherein identifying the first set of content as the target of the network attack comprises determining that the combination of network addresses is included within a set of network addresses that identifies the first set of content.
  - 15. The computer-implemented method of claim 10 further comprising:
    - gathering impact data for the network attack on the second set of computing devices;
      
      determining that the impact data satisfies a threshold value; and
      
      modifying a routing configuration of the content delivery system to cause data addressed to the combination of network addresses to be discarded.

16. Non-transitory computer-readable media comprising computer-executable instructions that, when executed by a computing system, cause the computing system to:
- detect a network attack on a content delivery system, wherein the network attack is directed to a combination of addressing information sets utilized by one or more computing devices of the content delivery system, and wherein the one or more computing devices provide access to a plurality of sets of content;
  
  identify a first set of content, from the plurality of sets of contents, as a target of the network attack based at least partly on the combination of addressing information sets to which the attack is directed;
  
  identify a second set of content, from the plurality of sets of contents, as not targeted by the network attack based at least partly on the combination of addressing information sets to which the attack is directed, wherein the second set of content is made available at at least one addressing information set of the combination of addressing information sets; and
  
  mitigate the network attack based at least in part on disassociating the second set content from the at least one addressing information set and modifying a routing of the combination of addressing information sets within the content delivery system.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The non-transitory computer-readable media of claim 16, wherein addressing information sets comprise at least one of a network address, a port number, and a protocol.
  - 18. The non-transitory computer-readable media of claim 16, wherein execution of the computer-executable instructions further causes the computing system to mitigate the network attack based at least in part on transmitting instructions to a routing device within the content delivery system to associate one or more alternative computing devices with the combination of addressing information sets.
  - 19. The non-transitory computer-readable media of claim 18, wherein execution of the computer-executable instructions further causes the computing system to:
    - obtain impact data for the network attack from the content delivery system; and
      
      select the one or more alternative computing devices at least partly by comparing the impact data to a set of rules maintained in a data store of the content delivery system, the set of rules associating impact data criteria to potential alternative computing devices.
  - 20. The non-transitory computer-readable media of claim 19, wherein the set of rules map impact data criteria to potential alternative computing devices based at least in part on characteristics of the alternative computing devices.
  - 21. The non-transitory computer-readable media of claim 20, wherein the characteristics of the alternative computing devices include at least one of an amount of computing resources available to the alternative computing devices or an association of the alternative computing devices with network attack mitigation software.
  - 22. The non-transitory computer-readable media of claim 16, wherein execution of the computer-executable instructions causes the computing system to disassociate the second set content from the at least one addressing information set at least partly by transmitting instructions to a domain name system (“
    - DNS”
      
      ) server to provide, in response to requests to resolve an identifier of the second set of content, a second combination of addressing information sets.
  - 23. The non-transitory computer-readable media of claim 16, wherein execution of the computer-executable instructions further causes the computing system to identify, based at least in part on the combination of addressing information sets, the first set of content as a target of the network attack at least partly by determining that the combination of addressing information sets is included within a plurality of addressing information sets that identify the first set of content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Radlein, Anton Stephen, Dye, Nathan Alan, Howard, Craig Wesley, Jones, Harvo Reyzell
Primary Examiner(s)
Turchen, James

Application Number

US14/864,683
Time in Patent Office

698 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0218   Distributed architectures, ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Mitigating network attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

1241 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigating network attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1241 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links