公开(公告)号：US10200402B2

公开(公告)日：2019-02-05

申请号：US15714993

申请日：2017-09-25

Applicant: Amazon Technologies, Inc.

Inventor： Anton Stephen Radlein ,  Nathan Alan Dye ,  Craig Wesley Howard ,  Harvo Reyzell Jones

IPC: H04L29/06 ,  H04L29/12

Abstract: Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attacked-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.

公开(公告)号：US09774619B1

公开(公告)日：2017-09-26

申请号：US14864638

申请日：2015-09-24

Applicant: Amazon Technologies, Inc.

Inventor： Anton Stephen Radlein ,  Nathan Alan Dye ,  Craig Wesley Howard ,  Harvo Reyzell Jones

IPC: H04L29/06

CPC classification number: H04L63/1441 ,  H04L61/1511 ,  H04L63/1458

Abstract: Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attacked-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.

公开(公告)号：US11330008B2

公开(公告)日：2022-05-10

申请号：US16799625

申请日：2020-02-24

Applicant: Amazon Technologies, Inc.

Inventor： Hardeep Singh Uppal ,  Jorge Vasquez ,  Craig Wesley Howard ,  Anton Stephen Radlein

IPC: H04L29/06 ,  H04L101/604 ,  H04L9/32 ,  H04L45/7453 ,  H04L61/4511 ,  H04L101/659 ,  H04L9/06 ,  H04L9/14 ,  H04L9/30 ,  H04L45/00

Abstract: Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.

公开(公告)号：US10924411B2

公开(公告)日：2021-02-16

申请号：US16219770

申请日：2018-12-13

Applicant: Amazon Technologies, Inc.

Inventor： Anton Stephen Radlein ,  Harvo Reyzell Jones ,  Hardeep Singh Uppal ,  Dennis Marinus ,  Dhiraj Gupta

IPC: G06F15/173 ,  H04L12/803 ,  H04L12/747 ,  H04L29/12 ,  H04L12/801 ,  H04L12/851 ,  H04L12/721 ,  H04L12/715 ,  H04L12/741 ,  H04L12/24 ,  H04L12/46 ,  H04W28/02 ,  H04W28/08 ,  H04W36/00 ,  H04W36/08 ,  H04L29/08 ,  H04L12/26

Abstract: Systems and methods are described to enable the load-balanced use of globalized network addresses, addressable throughout a network to access a network-accessible service. A set of global access points are provided, which advertise availability of the globalized network addresses. On receiving a request to access a network-accessible service, a global access point can select an endpoint for the service from among a number of data centers, based on a desired distribution of traffic among the data centers. The access point then forwards the traffic to the selected endpoint. In one embodiment, the access point applies network address translation to enable the traffic to be routed to the endpoint without terminating a connection at the endpoint. The access point may use a variety of techniques to ensure resiliency of the network and knowledge of available endpoints.

公开(公告)号：US20200162959A1

公开(公告)日：2020-05-21

申请号：US16219797

申请日：2018-12-13

Applicant: Amazon Technologies, Inc.

Inventor： Anton Stephen Radlein ,  Harvo Reyzell Jones ,  Hardeep Singh Uppal ,  Dennis Marinus ,  Dhiraj Gupta

IPC: H04W28/02 ,  H04W28/08 ,  H04W36/08 ,  H04W36/00 ,  H04L12/46

Abstract: Systems and methods are described to enable the load-balanced use of globalized network addresses, addressable throughout a network to access a network-accessible service. A set of global access points are provided, which advertise availability of the globalized network addresses. The access points enable rapid use of connection-oriented communication sessions by conducting an initialization phase of the sessions locally on the access point. Session context information is then handed off to an endpoint for the service, which can provide the service through the already-established sessions. To avoid breaking sessions due to changes in network routing, each access point can apply a uniform selection criteria for endpoints, such that if client traffic is routed to a different access point, that access point redirects the traffic to the same endpoint previously servicing the traffic via an established session.

公开(公告)号：US10469513B2

公开(公告)日：2019-11-05

申请号：US15389314

申请日：2016-12-22

Applicant: Amazon Technologies, Inc.

Inventor： Hardeep Singh Uppal ,  Jorge Vasquez ,  Craig Wesley Howard ,  Anton Stephen Radlein

IPC: H04L9/00 ,  H04L29/06 ,  H04L9/32 ,  H04L12/743 ,  H04L29/12 ,  H04L9/06 ,  H04L9/14 ,  H04L9/30 ,  H04L12/733

Abstract: Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.

公开(公告)号：US20190173941A1

公开(公告)日：2019-06-06

申请号：US16267263

申请日：2019-02-04

Applicant: Amazon Technologies, Inc.

Inventor： Katarzyna Anna Puchala ,  Anton Stephen Radlein ,  David Alexander Dunlap

IPC: H04L29/08 ,  H04L12/803

Abstract: A system, method and computer-readable medium for data uploading based on points of presence (POPs) are provided. In response to a client's request for data uploading, the system provides routing information for POPs that may facilitate data communications between the client and a data storage service provider. The client may fragment the upload data and transmit the data fragments via data connections to POPs, which in turn may relay the received fragments to the data storage service provider. Upon receipt of necessary data fragments, the data storage service provider may merge the data fragments to reconstruct a copy of the upload data for storage.

公开(公告)号：US10097566B1

公开(公告)日：2018-10-09

申请号：US14815863

申请日：2015-07-31

Applicant: Amazon Technologies, Inc.

Inventor： Anton Stephen Radlein ,  Harvo Reyzell Jones ,  Craig Wesley Howard ,  Nathan Alan Dye

IPC: H04L29/06 ,  G06F17/30

Abstract: Systems and methods are described to enable identification of computing resources targeted in a network attack. Network attacks, such as denial of service attacks, are frequently directed to network addresses that host multiple sets of content, each representing a distinct potential target of the network attack. Aspects of this disclosure enable each set of content to be assigned a unique or semi-unique combination of network addresses at which the set of content is accessible. During a network attack, a hosting system can compare the network addresses under attack to those assigned to each set of content to determine which sets of content are potentially targeted by the attack. Where the combination of network addresses is associated with only a single set of content, that set of content can be identified as the target of the network attack.

公开(公告)号：US20180109553A1

公开(公告)日：2018-04-19

申请号：US15714993

申请日：2017-09-25

Applicant: Amazon Technologies, Inc.

Inventor： Anton Stephen Radlein ,  Nathan Alan Dye ,  Craig Wesley Howard ,  Harvo Reyzell Jones

IPC: H04L29/06

CPC classification number: H04L63/1441 ,  H04L61/1511 ,  H04L63/1458

Abstract: Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attacked-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.

公开(公告)号：US20180097631A1

公开(公告)日：2018-04-05

申请号：US15389302

申请日：2016-12-22

Applicant: Amazon Technologies, Inc.

Inventor： Hardeep Singh Uppal ,  Jorge Vasquez ,  Craig Wesley Howard ,  Anton Stephen Radlein

IPC: H04L9/32 ,  H04L12/743 ,  H04L29/12 ,  H04L29/06

CPC classification number: H04L63/1425 ,  H04L9/0643 ,  H04L9/14 ,  H04L9/30 ,  H04L9/3236 ,  H04L9/3247 ,  H04L45/20 ,  H04L45/7453 ,  H04L61/1511 ,  H04L61/6004 ,  H04L61/6059 ,  H04L63/0428 ,  H04L63/1458

Abstract: Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.