-
Publication (Announcement) No.: US11330008B2
Publication (Announcement) Date: 2022-05-10
Application No.: US16799625
Application Date: 2020-02-24
Applicant: Amazon Technologies, Inc.
Inventor: Hardeep Singh Uppal, Jorge Vasquez, Craig Wesley Howard, Anton Stephen Radlein
IPC: H04L29/06, H04L101/604, H04L9/32, H04L45/7453, H04L61/4511, H04L101/659, H04L9/06, H04L9/14, H04L9/30, H04L45/00
Abstract: Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.
-
Publication (Announcement) No.: US10469513B2
Publication (Announcement) Date: 2019-11-05
Application No.: US15389314
Application Date: 2016-12-22
Applicant: Amazon Technologies, Inc.
Inventor: Hardeep Singh Uppal, Jorge Vasquez, Craig Wesley Howard, Anton Stephen Radlein
IPC: H04L9/00, H04L29/06, H04L9/32, H04L12/743, H04L29/12, H04L9/06, H04L9/14, H04L9/30, H04L12/733
Abstract: Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.
-
Publication (Announcement) No.: US20190044846A1
Publication (Announcement) Date: 2019-02-07
Application No.: US16154580
Application Date: 2018-10-08
Applicant: Amazon Technologies, Inc.
Inventor: Craig Wesley Howard, Hardeep Singh Uppal
IPC: H04L12/707, H04L12/26
CPC classification number: H04L43/0894, G06F16/9566, G06F16/9574, H04L43/0876, H04L61/1511
Abstract: Systems and methods for sloppy routing are provided. A client transmits a DNS query corresponding to a requested resource to a content delivery network (CDN) service provider. In some embodiments, the CDN service provider processes the DNS query to determine whether a threshold content delivery bandwidth has been exceeded by data links at cache servers. In other embodiments, additionally or alternatively, the CDN service provider determines whether a content provider has exceeded a threshold network usage that indicates a price at which the CDN service provider to provide content on behalf of the content provider. Using both or either of these thresholds, the CDN service provider can further process the DNS query by providing an alternative resource identifier or a cache IP address, both associated with an alternative POP. In some embodiments, the CDN service provider determines a routing mode for the response to the DNS query.
-
Publication (Announcement) No.: US20190028562A1
Publication (Announcement) Date: 2019-01-24
Application No.: US16143892
Application Date: 2018-09-27
Applicant: Amazon Technologies, Inc.
Inventor: Ryan F. Watson, Craig Wesley Howard, Chaitanya Ashok Solapurkar
IPC: H04L29/08
Abstract: An edge system receives requests from user devices to retrieve files from an origin server. Instead of retrieving the files as fast as possible, the edge system throttles the retrieval of files to a rate that just exceeds the speed at which the file is played by a browser or media player. The edge system determines an appropriate retrieval rate based on the contents of the file itself. For example, a manifest file associated with the file can indicate a time it takes to play back content and a bitrate of the content. Thus, the edge server can use this information to retrieve a file from an origin server at a rate that is just fast enough to minimize playback interruption. The retrieval rate determined by the edge server therefore does not rely on how fast or slow the user device retrieves the file from the edge server.
-
Publication (Announcement) No.: US10097566B1
Publication (Announcement) Date: 2018-10-09
Application No.: US14815863
Application Date: 2015-07-31
Applicant: Amazon Technologies, Inc.
Inventor: Anton Stephen Radlein, Harvo Reyzell Jones, Craig Wesley Howard, Nathan Alan Dye
Abstract: Systems and methods are described to enable identification of computing resources targeted in a network attack. Network attacks, such as denial of service attacks, are frequently directed to network addresses that host multiple sets of content, each representing a distinct potential target of the network attack. Aspects of this disclosure enable each set of content to be assigned a unique or semi-unique combination of network addresses at which the set of content is accessible. During a network attack, a hosting system can compare the network addresses under attack to those assigned to each set of content to determine which sets of content are potentially targeted by the attack. Where the combination of network addresses is associated with only a single set of content, that set of content can be identified as the target of the network attack.
-
Publication (Announcement) No.: US10033627B1
Publication (Announcement) Date: 2018-07-24
Application No.: US14575798
Application Date: 2014-12-18
Applicant: Amazon Technologies, Inc.
Inventor: Craig Wesley Howard, Hardeep Singh Uppal
IPC: G06F15/173, H04L12/707, H04L12/747, H04L12/26
CPC classification number: H04L45/22, H04L43/0876, H04L43/0888, H04L43/16
Abstract: Systems and methods for sloppy routing are provided. A client transmits a DNS query corresponding to a requested resource to a content delivery network (CDN) service provider. In some embodiments, the CDN service provider processes the DNS query to determine whether a threshold content delivery bandwidth has been exceeded by data links at cache servers. In other embodiments, additionally or alternatively, the CDN service provider determines whether a content provider has exceeded a threshold network usage that indicates a price at which the CDN service provider to provide content on behalf of the content provider. Using both or either of these thresholds, the CDN service provider can further process the DNS query by providing an alternative resource identifier or a cache IP address, both associated with an alternative POP. In some embodiments, the CDN service provider determines a routing mode for the response to the DNS query.
-
Publication (Announcement) No.: US20180109553A1
Publication (Announcement) Date: 2018-04-19
Application No.: US15714993
Application Date: 2017-09-25
Applicant: Amazon Technologies, Inc.
Inventor: Anton Stephen Radlein, Nathan Alan Dye, Craig Wesley Howard, Harvo Reyzell Jones
IPC: H04L29/06
CPC classification number: H04L63/1441, H04L61/1511, H04L63/1458
Abstract: Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attacked-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.
-
Publication (Announcement) No.: US20180097631A1
Publication (Announcement) Date: 2018-04-05
Application No.: US15389302
Application Date: 2016-12-22
Applicant: Amazon Technologies, Inc.
Inventor: Hardeep Singh Uppal, Jorge Vasquez, Craig Wesley Howard, Anton Stephen Radlein
IPC: H04L9/32, H04L12/743, H04L29/12, H04L29/06
CPC classification number: H04L63/1425, H04L9/0643, H04L9/14, H04L9/30, H04L9/3236, H04L9/3247, H04L45/20, H04L45/7453, H04L61/1511, H04L61/6004, H04L61/6059, H04L63/0428, H04L63/1458
Abstract: Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.
-
Publication (Announcement) No.: US09794281B1
Publication (Announcement) Date: 2017-10-17
Application No.: US14864684
Application Date: 2015-09-24
Applicant: Amazon Technologies, Inc.
Inventor: Anton Stephen Radlein, Harvo Reyzell Jones, Nathan Alan Dye, Craig Wesley Howard
IPC: H04L29/06
CPC classification number: H04L63/1458, H04L61/1511, H04L63/1416
Abstract: Systems and methods are described to enable identification of computing devices associated with network attacks, such as denial of service attacks. Data packets used to execute a network attack often include forged source address information, such that the address of an attacker is difficult or impossible to determine based on those data packets. However, attackers generally provide legitimate address information when resolving an identifier, such as a universal resource identifier (URI), of an attack target into corresponding destination addresses. The application enables individual client computing devices to be provided with different combinations of destination addresses, such that when an attack is detected on a given combination of destination address, the client computing device to which that combination of destination addresses was provided can be identified as a source of the attack.
-
Publication (Announcement) No.: US09742795B1
Publication (Announcement) Date: 2017-08-22
Application No.: US14864683
Application Date: 2015-09-24
Applicant: Amazon Technologies, Inc.
Inventor: Anton Stephen Radlein, Nathan Alan Dye, Craig Wesley Howard, Harvo Reyzell Jones
IPC: H04L29/06
CPC classification number: H04L63/1441, H04L63/0218, H04L63/1416, H04L63/1458
Abstract: Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attacked-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.