-
91.
Publication No.: US11438178B2
Publication Date: 2022-09-06
Application No.: US16820489
Application Date: 2020-03-16
Applicant: CLOUDFLARE, INC.
Inventor: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
IPC: H04L29/06, H04L9/32, H04L9/40, G06F21/33, H04L9/08, H04L67/141, H04L67/01, H04L9/14, H04L9/30
Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
-
Publication No.: US11321419B2
Publication Date: 2022-05-03
Application No.: US17176921
Application Date: 2021-02-16
Applicant: Cloudflare, Inc.
Inventor: Lee Hahn Holloway, Matthew Browning Prince, Ian Gerald Pye
IPC: G06F15/16, G06F16/958, G06F16/95, G06F21/55, H04L29/06, H04L67/561, G06Q30/02, G06Q10/10, H04L61/4511, H04L67/02, H04L67/568, H04L69/40, G06F40/143, G06F40/14, G06F21/00, H04L67/56, H04L67/146, H04L61/5007, H04L51/42, H04L47/74, H04L61/59
Abstract: A proxy server for limiting Internet connection speed of visitors that pose a threat. The proxy server receives from a client device a request to perform an action on an identified resource that is hosted at an origin server for a domain. The proxy server receives the request as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server analyzes the request to determine whether a visitor belonging to the request poses a threat. If the proxy server determines that the visitor poses a threat, the proxy server reduces the speed at which the proxy server processes the request while keeping a connection to the client device open.
-
Publication No.: US11245662B2
Publication Date: 2022-02-08
Application No.: US16835042
Application Date: 2020-03-30
Applicant: CLOUDFLARE, INC.
Inventor: Matthew Browning Prince, Lee Hahn Holloway, Michelle Marie Zatlyn
Abstract: A domain name is received from a customer. DNS is queried for multiple possible subdomains of the domain. For each subdomain that resolves, information about that subdomain's corresponding resource record is stored in a zone file that also includes a resource record for the domain name. The zone file is presented to the customer. A designation from the customer of which of the resource records are to point to an IP address of a proxy server is received. The resource records are modified according to the input of the customer and the zone file is propagated including the modified resource records.
-
Publication No.: US11159563B2
Publication Date: 2021-10-26
Application No.: US16800175
Application Date: 2020-02-25
Applicant: Cloudflare, Inc.
Inventor: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.
Abstract: A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.
-
95.
Publication No.: US11044335B2
Publication Date: 2021-06-22
Application No.: US16057722
Application Date: 2018-08-07
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht, John Graham-Cumming, Matthew Browning Prince
Abstract: A near end point of presence (PoP) of a cloud proxy service receives, from a client device, a request for a network resource. A far end PoP from a plurality of PoPs of the cloud proxy service is identified. Responsive to determining that a version of the network resource is stored in the near end PoP, a request for the network resource is transmitted to the far end PoP with a version identifier that identifies that version. The far end PoP receives, from the near end PoP, a response that includes difference(s) between the version of the network resource stored in the near end PoP with a most current version of the network resource. The response does not include the entire network resource. The near end PoP applies the specified difference(s) to the version that it has stored to generate an updated version of the network resource, and transmits it to the client device.
-
Publication No.: US20210165843A1
Publication Date: 2021-06-03
Application No.: US17176921
Application Date: 2021-02-16
Applicant: Cloudflare, Inc.
Inventor: Lee Hahn Holloway, Matthew Browning Prince, Ian Gerald Pye
IPC: G06F16/958, H04L29/08, G06Q30/02, H04L29/06, G06F15/16, G06Q10/10, G06F21/00, H04L29/14, H04L12/58, H04L29/12, G06F21/55, H04L12/911, G06F40/143, G06F16/95
Abstract: A proxy server for limiting Internet connection speed of visitors that pose a threat. The proxy server receives from a client device a request to perform an action on an identified resource that is hosted at an origin server for a domain. The proxy server receives the request as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server analyzes the request to determine whether a visitor belonging to the request poses a threat. If the proxy server determines that the visitor poses a threat, the proxy server reduces the speed at which the proxy server processes the request while keeping a connection to the client device open.
-
97.
Publication No.: US20200280452A1
Publication Date: 2020-09-03
Application No.: US16820489
Application Date: 2020-03-16
Applicant: CLOUDFLARE, INC.
Inventor: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
-
Publication No.: US20200228490A1
Publication Date: 2020-07-16
Application No.: US16835042
Application Date: 2020-03-30
Applicant: CLOUDFLARE, INC.
Inventor: Matthew Browning Prince, Lee Hahn Holloway, Michelle Marie Zatlyn
Abstract: A domain name is received from a customer. DNS is queried for multiple possible subdomains of the domain. For each subdomain that resolves, information about that subdomain's corresponding resource record is stored in a zone file that also includes a resource record for the domain name. The zone file is presented to the customer. A designation from the customer of which of the resource records are to point to an IP address of a proxy server is received. The resource records are modified according to the input of the customer and the zone file is propagated including the modified resource records.
-
99.
Publication No.: US10594496B2
Publication Date: 2020-03-17
Application No.: US16019109
Application Date: 2018-06-26
Applicant: CLOUDFLARE, INC.
Inventor: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
-
Publication No.: US10585967B2
Publication Date: 2020-03-10
Application No.: US15425711
Application Date: 2017-02-06
Applicant: CLOUDFLARE, INC.
IPC: G06F15/16, G06F16/958, G06F16/95, G06F21/55, H04L29/06, H04L29/08, G06Q30/02, G06Q10/10, H04L29/12, H04L29/14, G06F21/00, G06F17/22, H04L12/58, H04L12/911
Abstract: A proxy server receives from a client device a request for a network resource that is hosted at an origin server for a domain. The request is received at the proxy server as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server retrieves the requested network resource. The proxy server determines that the requested resource is an HTML page, automatically modifies the HTML page, and transmits the modified HTML page to the client device.
-