公开(公告)号：US10044826B2

公开(公告)日：2018-08-07

申请号：US15233157

申请日：2016-08-10

Applicant: CLOUDFLARE, INC.

Inventor： Dane Orion Knecht ,  John Graham-Cumming ,  Matthew Browning Prince

IPC: G06F15/16 ,  H04L29/08 ,  H04L29/06

Abstract: A near end point of presence (PoP) of a cloud proxy service receives, from a client device, a request for a network resource. A far end PoP from a plurality of PoPs of the cloud proxy service is identified. Responsive to determining that a version of the network resource is stored in the near end PoP, a request for the network resource is transmitted to the far end PoP with a version identifier that identifies that version. The far end PoP receives, from the near end PoP, a response that includes difference(s) between the version of the network resource stored in the near end PoP with a most current version of the network resource. The response does not include the entire network resource. The near end PoP applies the specified difference(s) to the version that it has stored to generate an updated version of the network resource, and transmits it to the client device.

公开(公告)号：US09769240B2

公开(公告)日：2017-09-19

申请号：US15156094

申请日：2016-05-16

Applicant: CloudFlare, Inc.

Inventor： Christopher Stephen Joel ,  Jason Thomas Walter Benterou ,  Lee Hahn Holloway ,  Matthew Browning Prince ,  Ian Gerald Pye

IPC: G06F15/16 ,  G06F15/00 ,  G06F17/30 ,  H04L29/08 ,  H04L29/12 ,  H04L29/06

CPC classification number: H04L67/02 ,  G06F17/30905 ,  H04L61/1511 ,  H04L67/2842 ,  H04L67/42 ,  H04L69/16

Abstract: A method and apparatus for improving loading of web resources. A server receives a request for a Hypertext Markup Language (HTML) document requested by a client network application. The server retrieves the requested document. The server automatically modifies objects referenced in the HTML document that have an external source such that loading of those objects by the client network application will be deferred. The server inserts a client-side script loader or a reference to the client-side script loader into the HTML document. The client-side script loader is configured to, when executed by the client network application, attempt to load the objects that have been deferred. The server transmits the modified HTML document to the client network application.

公开(公告)号：US20170237757A1

公开(公告)日：2017-08-17

申请号：US15585090

申请日：2017-05-02

Applicant: CloudFlare, Inc.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, JR.

IPC: H04L29/06

Abstract: Message(s) are received from each one of multiple proxy servers, which are anycasted to the same IP address, that indicate source IP addresses of packets that are received that are directed to that same IP address. These proxy servers receive the packets as result of domain(s) resolving to that same IP address, and a particular one of the proxy servers receives the packets as a result of an anycast protocol implementation selecting that proxy server. Based on these message(s) from each of the proxy servers, a determination of the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers is determined. A message is transmitted to each of the proxy servers that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.

公开(公告)号：US09641549B2

公开(公告)日：2017-05-02

申请号：US14172823

申请日：2014-02-04

Applicant: CloudFlare, Inc.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, Jr.

IPC: H04L29/06

CPC classification number: H04L63/1458 ,  G06F21/552 ,  G06F21/577 ,  H04L63/0281 ,  H04L63/1408 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/1466 ,  H04L63/20

Abstract: Message(s) are received from each one of multiple proxy servers, which are anycasted to the same IP address, that indicate source IP addresses of packets that are received that are directed to that same IP address. These proxy servers receive the packets as result of domain(s) resolving to that same IP address, and a particular one of the proxy servers receives the packets as a result of an anycast protocol implementation selecting that proxy server. Based on these message(s) from each of the proxy servers, a determination of the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers is determined. A message is transmitted to each of the proxy servers that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.

公开(公告)号：US20160156588A1

公开(公告)日：2016-06-02

申请号：US14728961

申请日：2015-06-02

Applicant: CLOUDFLARE, INC.

Inventor： Matthew Browning Prince ,  Lee Hahn Holloway ,  Michelle Marie Zatlyn

IPC: H04L29/12

CPC classification number: H04L61/2007 ,  H04L41/069 ,  H04L61/1511 ,  H04L63/0281 ,  H04L63/14 ,  H04L67/1034 ,  H04L67/2814 ,  H04L67/2842 ,  H04L69/40

Abstract: A domain name is received from a customer. DNS is queried for multiple possible subdomains of the domain. For each subdomain that resolves, information about that subdomain's corresponding resource record is stored in a zone file that also includes a resource record for the domain name. The zone file is presented to the customer. A designation from the customer of which of the resource records are to point to an IP address of a proxy server is received. The resource records are modified according to the input of the customer and the zone file is propagated including the modified resource records.

Abstract translation: 从客户收到一个域名。 对域的多个可能的子域进行DNS查询。 对于解析的每个子域，关于该子域的相应资源记录的信息存储在还包含域名资源记录的区域文件中。 该区域文件被呈现给客户。 收到客户指定哪个资源记录指向代理服务器的IP地址的指定。 根据客户的输入修改资源记录，传播包含修改的资源记录的区域文件。

公开(公告)号：US20160014114A1

公开(公告)日：2016-01-14

申请号：US14675385

申请日：2015-03-31

Applicant: CLOUDFLARE, INC.

Inventor： Sébastien Andreas Henry Pahl ,  Matthieu Philippe François Tourne ,  Piotr Sikora ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming ,  Lee Hahn Holloway ,  Nicholas Thomas Sullivan ,  Albertus Strasheim

IPC: H04L29/06 ,  H04L29/08

CPC classification number: H04L9/3263 ,  G06F21/33 ,  H04L9/083 ,  H04L9/0841 ,  H04L9/0844 ,  H04L9/14 ,  H04L9/3013 ,  H04L9/3247 ,  H04L63/0428 ,  H04L63/0485 ,  H04L63/061 ,  H04L63/0823 ,  H04L63/0869 ,  H04L63/164 ,  H04L63/166 ,  H04L63/205 ,  H04L67/141 ,  H04L67/42

Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session with. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

Abstract translation: 服务器与客户端设备建立安全会话，其中在建立安全会话时用于握手的私钥被存储在不同的服务器中。 在握手过程中，服务器接收使用与客户端设备尝试建立安全会话的域绑定的公共密钥进行加密的预安全秘密。 服务器将加密的前端机密发送到不同的服务器以进行解密，以及计算主密钥所需的其他信息。 不同的服务器解密加密的前提密码，生成主密钥，并将主密钥发送到服务器。 服务器接收主密钥并继续握手过程，包括生成在安全会话中使用的一个或多个会话密钥，用于加密和解密客户端设备与服务器之间的通信。

公开(公告)号：US20150281168A1

公开(公告)日：2015-10-01

申请号：US14676631

申请日：2015-04-01

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Ray Raymond Bejjani ,  Dane Orion Knecht ,  Matthew Browning Prince ,  John Graham-Cumming

IPC: H04L29/12

CPC classification number: H04L61/1511 ,  H04L61/1552

Abstract: A method and apparatus for managing CNAME records such that CNAME records at the root domain are supported while complying with the RFC specification (an IP address is returned for any Address query for the root record). The authoritative DNS infrastructure acts as a DNS resolver where if there is a CNAME at the root record, rather than returning that record directly, a recursive lookup is used to follow the CNAME chain until an A record is located. The address associated with the A record is then returned. This effectively “flattens” the CNAME chain. This complies with the requirements of the DNS specification and is invisible to any service that interacts with the DNS server.

Abstract translation: 用于管理CNAME记录的方法和装置，以便在符合RFC规范（根记录的任何地址查询返回一个IP地址）的同时支持根域下的CNAME记录。 权威的DNS基础架构充当DNS解析器，如果根记录中存在CNAME，而不是直接返回该记录，则使用递归查找来跟随CNAME链，直到找到A记录。 然后返回与A记录相关联的地址。 这有效地“平坦化”CNAME链。 这符合DNS规范的要求，对于与DNS服务器进行交互的任何服务都是不可见的。

公开(公告)号：US20150207814A1

公开(公告)日：2015-07-23

申请号：US14503299

申请日：2014-09-30

Applicant: CLOUDFLARE, INC.

Inventor： Matthew Browning Prince ,  Lee Hahn Holloway ,  Ian Gerald Pye

IPC: H04L29/06 ,  H04L29/08

CPC classification number: G06F17/3089 ,  G06F15/16 ,  G06F17/2247 ,  G06F17/30861 ,  G06F21/00 ,  G06F21/552 ,  G06Q10/107 ,  G06Q30/0241 ,  G06Q30/0251 ,  G06Q30/0277 ,  H04L29/12066 ,  H04L51/22 ,  H04L61/1511 ,  H04L61/2007 ,  H04L63/0236 ,  H04L63/0245 ,  H04L63/0254 ,  H04L63/0281 ,  H04L63/083 ,  H04L63/0861 ,  H04L63/102 ,  H04L63/126 ,  H04L63/1416 ,  H04L63/1433 ,  H04L63/1441 ,  H04L63/1458 ,  H04L63/1466 ,  H04L67/02 ,  H04L67/146 ,  H04L67/28 ,  H04L67/2804 ,  H04L67/2842 ,  H04L69/40

Abstract: A validating server receives from a client device a first request that does not include a cookie for a validating domain that resolves to the validating sever. The first request is received at the validating server as a result of a proxy server redirecting the client device to the validating domain upon a determination that a visitor belonging to the client device is a potential threat based on an IP (Internet Protocol) address assigned to the client device used for a second request to perform an action on an identified resource hosted on an origin server for an origin domain. The validating server sets a cookie for the client device, determines a set of characteristics associated with the first client device, and transmits the cookie and a block page to the client device that has been customized based on the set of characteristics, the block page indicating that the second request has been blocked.

Abstract translation: 验证服务器从客户端设备接收到不包含用于解析为验证服务器的验证域的cookie的第一请求。 由于代理服务器在确定属于客户端设备的访问者是基于分配给的IP（因特网协议）地址的潜在威胁的确定时，代理服务器将客户端设备重定向到验证域，则在验证服务器处接收到第一请求。 用于第二请求的客户端设备对原始域的原始服务器上承载的标识资源执行动作。 验证服务器为客户端设备设置cookie，确定与第一客户端设备相关联的一组特征，并将cookie和块页面发送到已经基于该特征集合定制的客户端设备，该块页面指示 第二个请求已被阻止。