-
Publication No.: US20150215331A1
Publication date: 2015-07-30
Application No.: US14671843
Filing date: 2015-03-27
Applicant: Amazon Technologies, Inc.
Inventor: Amit J. Mhatre, Andrew John Kiggins, Michael F. Diggins
IPC: H04L29/06
CPC classification number: H04L63/1416, G06F21/566, H04L63/1458
Abstract: This disclosure generally relates to the generation of a packet signature for packets determined to correspond to a network attack, such as a denial of service (“DoS”) attack. Specifically, a set of data packets captured during normal system operations can be analyzed to determine a set of baseline attributes. Additional packets captured during an attack can be compared to the baseline attributes, to determine, for individual packets, a probability that the packet forms a part of the attack. A packet signature can then be generated to identify attributes that are characteristic of the attack. That signature can then be used to filter out packets and mitigate the attack.
-
Publication No.: US10541857B1
Publication date: 2020-01-21
Application No.: US15976851
Filing date: 2018-05-10
Applicant: Amazon Technologies, Inc.
Inventor: Bryan Mark Benson, David Dongyi Lu, Michael F. Diggins, Xingbo Wang, Colm MacCarthaigh
Abstract: A technology is described for prioritizing DNS name resolution requests received from DNS resolvers. An example method may include identifying a resolver as a public DNS resolver, receiving a DNS name resolution request from the public DNS resolver, assigning a priority to the DNS name resolution request received from the public DNS resolver that is lower priority as compared to a priority assigned to DNS name resolution requests received from known DNS resolvers, and providing the DNS name resolution request to the DNS name server according to the priority assigned to the DNS name resolution request.
-
Publication No.: US09979588B1
Publication date: 2018-05-22
Application No.: US14623408
Filing date: 2015-02-16
Applicant: Amazon Technologies, Inc.
Inventor: Bryan Mark Benson, David Dongyi Lu, Michael F. Diggins, Xingbo Wang, Colm MacCarthaigh
CPC classification number: H04L29/12066, H04L61/106, H04L61/1511, H04L61/6009, H04L61/6068, H04L63/1425
Abstract: A technology is described for prioritizing DNS name resolution requests received from DNS resolvers. An example method may include receiving a DNS name resolution request addressed to a DNS name server from a DNS resolver. The DNS resolver associated with the DNS name resolution request may be identified as a known DNS resolver or an unknown DNS resolver, where a known DNS resolver may have DNS resolver characteristics that correspond to a valid DNS resolver. The DNS name resolution request may be prioritized according to the identity of the DNS resolver as a known DNS resolver or an unknown DNS resolver. The DNS name resolution request may then be provided to the DNS name server according to the priority assigned to the DNS name resolution request.
-
Publication No.: US10296411B1
Publication date: 2019-05-21
Application No.: US15087921
Filing date: 2016-03-31
Applicant: Amazon Technologies, Inc.
Inventor: Michael F. Diggins, Craig Wesley Howard
Abstract: A technology is provided for call failure backoff in a computing service environment. An allowable call failure rate is defined for application programming interface (API) calls sent to one or more endpoints. Each endpoint may use a token bucket containing a plurality of tokens, wherein a single token is defined as being equal to one API call failure. A number of tokens in the token bucket are determined prior to executing an API call to the one or more endpoints. A health status of the one or more endpoints is identified according to the number of tokens in the token bucket. The API calls to the one or more endpoints having the determined number of tokens in the token bucket that are equal to zero or may be delayed for a predetermined backoff time period.
-
Publication No.: US09749355B1
Publication date: 2017-08-29
Application No.: US14668432
Filing date: 2015-03-25
Applicant: Amazon Technologies, Inc.
Inventor: Bryan Mark Benson, Michael F. Diggins, David Dongyi Lu, Xingbo Wang, Colm MacCarthaigh, Anshul Saxena
IPC: H04L29/06
CPC classification number: H04L63/1458, H04L63/1441
Abstract: A technology is described for prioritizing network packets using suspicion weights assigned to packet attributes of the network packets. An example method may include analyzing a network packet for packet attributes that have values indicating that the network packet may be associated with a potential network attack. Suspicion weights for the packet attributes identified as having a value that indicates that the network packet is associated with the potential network attack may be obtained, and a suspicion score may be calculated for the network packet using the suspicion weights.
-
Publication No.: US09654483B1
Publication date: 2017-05-16
Application No.: US14582054
Filing date: 2014-12-23
Applicant: Amazon Technologies, Inc.
Inventor: Bryan Mark Benson, Michael F. Diggins, Anton Romanov, David Dongyi Lu, Xingbo Wang
IPC: H04L29/06
CPC classification number: H04L63/108, H04L63/1458, H04L63/1466
Abstract: A technology is described for limiting the rate at which a number of requests to perform a network action are granted using rate limiters. An example method may include receiving a request for a token granting permission to perform a network action via a computer network. In response, rate limiters may be identified by generating hash values using hash functions and a network address representing a source network where the hash values identify memory locations for the rate limiters. The rate limiters may have a computer memory capacity to store tokens that are distributed in response to the request. Token balances for the rate limiters may be determined, and permission to perform the network action may be granted as a result of at least one of the token balances being greater than zero.
-
Publication No.: US09749354B1
Publication date: 2017-08-29
Application No.: US14623396
Filing date: 2015-02-16
Applicant: Amazon Technologies, Inc.
Inventor: Michael F. Diggins, Bryan Mark Benson, Anton Romanov
CPC classification number: H04L63/1458, H04L63/166
Abstract: Technology is described for establishing and transferring transmission control protocol (TCP) connections. A connection may be established when an acknowledgement (ACK) packet is received from the client. A connection handoff packet may be generated that includes connection parameters that describe the connection with the client. The connection handoff packet may be sent to a destination host to enable the destination host to take over the connection with the client based on the connection parameters in the SYN cookie.
-
Publication No.: US09432387B2
Publication date: 2016-08-30
Application No.: US14671843
Filing date: 2015-03-27
Applicant: Amazon Technologies, Inc.
Inventor: Amit J. Mhatre, Andrew John Kiggins, Michael F. Diggins
CPC classification number: H04L63/1416, G06F21/566, H04L63/1458
Abstract: This disclosure generally relates to the generation of a packet signature for packets determined to correspond to a network attack, such as a denial of service (“DoS”) attack. Specifically, a set of data packets captured during normal system operations can be analyzed to determine a set of baseline attributes. Additional packets captured during an attack can be compared to the baseline attributes, to determine, for individual packets, a probability that the packet forms a part of the attack. A packet signature can then be generated to identify attributes that are characteristic of the attack. That signature can then be used to filter out packets and mitigate the attack.