-
Publication No.: US10581904B2
Publication date: 2020-03-03
Application No.: US15585090
Application date: 2017-05-02
Applicant: CloudFlare, Inc.
Inventor: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.
Abstract: Message(s) are received from each one of multiple proxy servers, which are anycasted to the same IP address, that indicate source IP addresses of packets that are received that are directed to that same IP address. These proxy servers receive the packets as a result of domain(s) resolving to that same IP address, and a particular one of the proxy servers receives the packets as a result of an anycast protocol implementation selecting that proxy server. Based on these message(s) from each of the proxy servers, a determination of the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers is made. A message is transmitted to each of the proxy servers that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.
-
Publication No.: US10169479B2
Publication date: 2019-01-01
Application No.: US14686591
Application date: 2015-04-14
Applicant: CLOUDFLARE, INC.
Inventor: Lee Hahn Holloway, Matthew Browning Prince, Ian Gerald Pye
IPC: G06F15/16, G06F17/30, H04L29/12, H04L29/06, H04L29/08, H04L29/14, G06F21/55, G06F21/00, G06Q30/02, G06Q10/10, G06F17/22, H04L12/58
Abstract: A proxy server for limiting Internet connection speed of visitors that pose a threat. The proxy server receives from a client device a request to perform an action on an identified resource that is hosted at an origin server for a domain. The proxy server receives the request as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server analyzes the request to determine whether a visitor belonging to the request poses a threat. If the proxy server determines that the visitor poses a threat, the proxy server reduces the speed at which the proxy server processes the request while keeping a connection to the client device open.
-
Publication No.: US09342620B2
Publication date: 2016-05-17
Application No.: US13648203
Application date: 2012-10-09
Applicant: CLOUDFLARE, INC.
Inventor: Christopher Stephen Joel, Jason Thomas Walter Benterou, Lee Hahn Holloway, Matthew Browning Prince, Ian Gerald Pye
CPC classification number: H04L67/02, G06F17/30905, H04L61/1511, H04L67/2842, H04L67/42, H04L69/16
Abstract: A method and apparatus for improving loading of web resources. A server receives a request for a Hypertext Markup Language (HTML) document requested by a client network application. The server retrieves the requested document. The server automatically modifies objects referenced in the HTML document that have an external source such that loading of those objects by the client network application will be deferred. The server inserts a client-side script loader or a reference to the client-side script loader into the HTML document. The client-side script loader is configured to, when executed by the client network application, attempt to load the objects that have been deferred. The server transmits the modified HTML document to the client network application.
-
Publication No.: US20160014087A1
Publication date: 2016-01-14
Application No.: US14686591
Application date: 2015-04-14
Applicant: CLOUDFLARE, INC.
Inventor: Lee Hahn Holloway, Matthew Browning Prince, Ian Gerald Pye
CPC classification number: H04L47/745, G06F15/16, G06F17/2247, G06F17/30861, G06F17/3089, G06F21/00, G06F21/552, G06Q10/107, G06Q30/0241, G06Q30/0251, G06Q30/0277, H04L29/12066, H04L51/22, H04L61/1511, H04L61/2007, H04L61/6013, H04L63/0236, H04L63/0245, H04L63/0254, H04L63/0281, H04L63/083, H04L63/0861, H04L63/102, H04L63/126, H04L63/1416, H04L63/1433, H04L63/1441, H04L63/1458, H04L63/1466, H04L67/02, H04L67/146, H04L67/28, H04L67/2804, H04L67/2842, H04L69/40
Abstract: A proxy server for limiting Internet connection speed of visitors that pose a threat. The proxy server receives from a client device a request to perform an action on an identified resource that is hosted at an origin server for a domain. The proxy server receives the request as a result of a DNS request for the domain resolving to the proxy server. The origin server is one of multiple origin servers that belong to different domains that resolve to the proxy server and are owned by different entities. The proxy server analyzes the request to determine whether a visitor belonging to the request poses a threat. If the proxy server determines that the visitor poses a threat, the proxy server reduces the speed at which the proxy server processes the request while keeping a connection to the client device open.
-
15.
Publication No.: US20240121265A1
Publication date: 2024-04-11
Application No.: US18508122
Application date: 2023-11-13
Applicant: CLOUDFLARE, INC.
Inventor: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, JR.
CPC classification number: H04L63/1458, G06F21/552, G06F21/577, H04L63/0281, H04L63/1408, H04L63/1416, H04L63/1425, H04L63/1433, H04L63/1466, H04L63/20
Abstract: An authoritative domain name system (DNS) server receives DNS requests for domains. The authoritative DNS server transmits DNS responses to the DNS requests with address records that include IP addresses that are selected from a larger pool of IP addresses, where a first DNS response can include IP addresses different from IP addresses included in a second DNS response for the same domain. Also, the same IP addresses may be returned for a first domain and a different, second domain. The authoritative DNS server may select the IP addresses to include in DNS responses to the DNS requests using a round-robin process.
-
Publication No.: US20200322374A1
Publication date: 2020-10-08
Application No.: US16800175
Application date: 2020-02-25
Applicant: Cloudflare, Inc.
Inventor: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, JR.
Abstract: A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.
-
Publication No.: US10574690B2
Publication date: 2020-02-25
Application No.: US15489421
Application date: 2017-04-17
Applicant: CloudFlare, Inc.
Inventor: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.
Abstract: A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.
-
Publication No.: US20190303415A1
Publication date: 2019-10-03
Application No.: US16363835
Application date: 2019-03-25
Applicant: CLOUDFLARE, INC.
Inventor: Lee Hahn Holloway, Matthew Browning Prince, Ian Gerald Pye, Matthieu Philippe François Tourne, Michelle Marie Zatlyn
IPC: G06F16/958, G06F16/95, H04L29/08, G06F21/00, H04L12/911, H04L29/06, H04L12/58, G06F17/22, G06Q30/02, G06Q10/10, H04L29/12, G06F15/16, G06F21/55, H04L29/14
Abstract: A proxy server receives, from multiple visitors of multiple client devices, a plurality of requests for actions to be performed on identified network resources belonging to a plurality of origin servers. At least some of the origin servers belong to different domains and are owned by different entities. The proxy server and the origin servers are also owned by different entities. The proxy server analyzes each request it receives to determine whether that request poses a threat and whether the visitor belonging to the request poses a threat. The proxy server blocks those requests from visitors that pose a threat or in which the request itself poses a threat. The proxy server transmits the requests that are not a threat and are from a visitor that is not a threat to the appropriate origin server.
-
Publication No.: US20180007085A1
Publication date: 2018-01-04
Application No.: US15603256
Application date: 2017-05-23
Applicant: CLOUDFLARE, INC.
Inventor: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, JR.
IPC: H04L29/06
CPC classification number: H04L63/1458, G06F21/552, G06F21/577, H04L63/0281, H04L63/1408, H04L63/1416, H04L63/1425, H04L63/1433, H04L63/1466, H04L63/20
Abstract: A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that the visitor is part of the DoS attack. If the set of challenges is passed, the request may be processed. If the set of challenges is not passed, the request may be dropped.
-
20.
Publication No.: US20150229481A1
Publication date: 2015-08-13
Application No.: US14692397
Application date: 2015-04-21
Applicant: CLOUDFLARE, INC.
Inventor: Matthew Browning Prince, Srikanth N. Rao, Lee Hahn Holloway, Ian Gerald Pye
CPC classification number: H04L9/3268, H04L63/0464, H04L63/0823, H04L63/0884, H04L63/166, H04L67/28, H04W76/10
Abstract: A proxy server in a cloud-based proxy service receives a secure session request from a client device as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to the domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.