Transmission control protocol (TCP) intermediate device implementing a TCP fast open (TFO) connection

    Publication No.: US11159652B2

    Publication date: 2021-10-26

    Application No.: US17138410

    Application date: 2020-12-30

    Abstract: A TCP intermediate device receives a SYN packet from a TCP client that is destined for a TCP origin server and indicates support for TCP fast open (TFO). A SYN-ACK packet is transmitted to the TCP client that includes a TFO cookie set by the TCP intermediate device. The TCP intermediate device receives a first ACK packet from the TCP client. A SYN packet is sent to the TCP origin server and a second SYN-ACK packet is received in response that does not indicate support for TFO. An ACK packet is transmitted to the TCP origin server. Sometime after the TCP connection is completed, the TCP intermediate device receives a SYN packet from the TCP client that includes the TFO cookie and a payload of data. The TCP intermediate device establishes a TCP connection with the TCP origin server and transmits the payload of data to the TCP origin server.

    Method and apparatus for traffic optimization in virtual private networks (VPNs)

    Publication No.: US10778582B2

    Publication date: 2020-09-15

    Application No.: US16444795

    Application date: 2019-06-18

    Abstract: Method and apparatus for traffic optimization in virtual private networks (VPNs). A client device establishes a first VPN connection with a first server based on first VPN credentials. Traffic is transmitted and received through the first VPN connection to and from the first server. A second server is identified based on traffic optimization criteria that need to be satisfied by the VPN connection. Upon receipt of the identification of the second server the client device is to use the second server as a destination of a second VPN connection. The second VPN connection satisfies a set of traffic optimization goals for at least one flow from the flows forwarded through the first VPN connection. Based on the identification of the second server, the client device establishes the second VPN connection for the flow between the client device and the second server.

    Identifying and mitigating denial of service (DoS) attacks

    Publication No.: US10038715B1

    Publication date: 2018-07-31

    Application No.: US15793569

    Application date: 2017-10-25

    Abstract: A server receives a SYN packet and generates a SYN packet signature from the SYN packet. The server generates multiple aggregate signatures for the SYN packet signature that each include a generalized value for at least one element, where each aggregate signature has a different level of specificity and corresponds with a different fingerprint table. The server sequentially iterates through the fingerprint tables starting with the most specific aggregate signature and the most specific fingerprint table until a match exceeding a counter threshold is found, if any. If an aggregate signature does not match a fingerprint in a fingerprint table, the aggregate signature is added to that fingerprint table and an initial value for the counter is set. A bytecode using an attack fingerprint as input is generated in a form understandable by a network filter, and installed in a network filter.
