-
Publication No.: US09641549B2
Publication date: 2017-05-02
Application No.: US14172823
Filing date: 2014-02-04
Applicant: CloudFlare, Inc.
Inventor: Lee Hahn Holloway, Srikanth N. Rao, Matthew Browning Prince, Matthieu Philippe François Tourne, Ian Gerald Pye, Ray Raymond Bejjani, Terry Paul Rodery, Jr.
IPC: H04L29/06
CPC classification number: H04L63/1458, G06F21/552, G06F21/577, H04L63/0281, H04L63/1408, H04L63/1416, H04L63/1425, H04L63/1433, H04L63/1466, H04L63/20
Abstract: Message(s) are received from each one of multiple proxy servers, which are anycasted to the same IP address, that indicate source IP addresses of packets that are received that are directed to that same IP address. These proxy servers receive the packets as a result of domain(s) resolving to that same IP address, and a particular one of the proxy servers receives the packets as a result of an anycast protocol implementation selecting that proxy server. Based on these message(s) from each of the proxy servers, the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers is determined. A message is transmitted to each of the proxy servers that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.
-
42.
Publication No.: US20150207814A1
Publication date: 2015-07-23
Application No.: US14503299
Filing date: 2014-09-30
Applicant: CLOUDFLARE, INC.
Inventor: Matthew Browning Prince, Lee Hahn Holloway, Ian Gerald Pye
CPC classification number: G06F17/3089, G06F15/16, G06F17/2247, G06F17/30861, G06F21/00, G06F21/552, G06Q10/107, G06Q30/0241, G06Q30/0251, G06Q30/0277, H04L29/12066, H04L51/22, H04L61/1511, H04L61/2007, H04L63/0236, H04L63/0245, H04L63/0254, H04L63/0281, H04L63/083, H04L63/0861, H04L63/102, H04L63/126, H04L63/1416, H04L63/1433, H04L63/1441, H04L63/1458, H04L63/1466, H04L67/02, H04L67/146, H04L67/28, H04L67/2804, H04L67/2842, H04L69/40
Abstract: A validating server receives from a client device a first request that does not include a cookie for a validating domain that resolves to the validating server. The first request is received at the validating server as a result of a proxy server redirecting the client device to the validating domain upon a determination that a visitor belonging to the client device is a potential threat based on an IP (Internet Protocol) address assigned to the client device used for a second request to perform an action on an identified resource hosted on an origin server for an origin domain. The validating server sets a cookie for the client device, determines a set of characteristics associated with the first client device, and transmits the cookie and a block page to the client device that has been customized based on the set of characteristics, the block page indicating that the second request has been blocked.
-