81.
Publication No.: US20180375819A1
Publication Date: 2018-12-27
Application No.: US16121320
Filing Date: 2018-09-04
Applicant: CLOUDFLARE, INC.
Inventor: Lee Hahn Holloway, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming
IPC: H04L29/12
CPC classification number: H04L61/1511, H04L61/1552
Abstract: A method and apparatus for managing CNAME records such that CNAME records at the root domain are supported while complying with the RFC specification (an IP address is returned for any Address query for the root record). The authoritative DNS infrastructure acts as a DNS resolver where if there is a CNAME at the root record, rather than returning that record directly, a recursive lookup is used to follow the CNAME chain until an A record is located. The address associated with the A record is then returned. This effectively “flattens” the CNAME chain. This complies with the requirements of the DNS specification and is invisible to any service that interacts with the DNS server.
82.
Publication No.: US20180323969A1
Publication Date: 2018-11-08
Application No.: US16043972
Filing Date: 2018-07-24
Applicant: CLOUDFLARE, INC.
Inventor: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
CPC classification number: H04L9/0844, H04L9/14, H04L9/30, H04L9/321, H04L9/3263, H04L9/3268, H04L63/061, H04L63/166
Abstract: A first server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different, second, server. The first server transmits messages between the client device and the second server where the second server has access to a private key that is not available on the first server. The first server receives from the second server a set of session key(s) used in the secure session for encrypting/decrypting communication between the client device and the first server. The session key(s) are generated using a master secret that is generated using a premaster secret generated using Diffie-Hellman public values selected by the client device and the second server. The first server uses the session key(s) to encrypt/decrypt communication with the client device.
83.
Publication No.: US10097520B2
Publication Date: 2018-10-09
Application No.: US15590290
Filing Date: 2017-05-09
Applicant: CLOUDFLARE, INC.
Inventor: John Graham-Cumming
Abstract: A method and apparatus for delaying responses to requests in a server are described. Upon receipt, from a client device, of a first request for a resource at a first location, a response that includes a redirection instruction to a second location is transmitted. The response includes a first number of redirects to be completed prior to the first request being fulfilled. Upon receipt of a following request including a number of redirects, the remote server determines whether the number of redirects has been performed. When the number of redirects has not been performed the transmission of the redirection instruction is repeated with a number of redirects smaller than the first number of redirects until the receipt of a request indicating that the number of redirects has been performed. When the number of redirects has been performed the request is fulfilled.
84.
Publication No.: US10044826B2
Publication Date: 2018-08-07
Application No.: US15233157
Filing Date: 2016-08-10
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht, John Graham-Cumming, Matthew Browning Prince
Abstract: A near end point of presence (PoP) of a cloud proxy service receives, from a client device, a request for a network resource. A far end PoP from a plurality of PoPs of the cloud proxy service is identified. Responsive to determining that a version of the network resource is stored in the near end PoP, a request for the network resource is transmitted to the far end PoP with a version identifier that identifies that version. The near end PoP receives, from the far end PoP, a response that includes the difference(s) between the version of the network resource stored in the near end PoP and the most current version of the network resource. The response does not include the entire network resource. The near end PoP applies the specified difference(s) to the version that it has stored to generate an updated version of the network resource, and transmits it to the client device.
85.
Publication No.: US10038715B1
Publication Date: 2018-07-31
Application No.: US15793569
Filing Date: 2017-10-25
Applicant: Cloudflare, Inc.
Inventor: Marek Przemyslaw Majkowski, Gilberto Bertin, Christopher Philip Branch, John Graham-Cumming
IPC: H04L29/06
CPC classification number: H04L63/1458, H04L63/0227, H04L63/0263, H04L63/1416, H04L63/1425, H04L63/1466
Abstract: A server receives a SYN packet and generates a SYN packet signature from the SYN packet. The server generates multiple aggregate signatures for the SYN packet signature that each include a generalized value for at least one element, where each aggregate signature has a different level of specificity and corresponds with a different fingerprint table. The server sequentially iterates through the fingerprint tables starting with the most specific aggregate signature and the most specific fingerprint table until a match exceeding a counter threshold is found, if any. If an aggregate signature does not match a fingerprint in a fingerprint table, the aggregate signature is added to that fingerprint table and an initial value for the counter is set. A bytecode using an attack fingerprint as input is generated in a form understandable by a network filter, and installed in a network filter.
86.
Publication No.: US20180069837A1
Publication Date: 2018-03-08
Application No.: US15590290
Filing Date: 2017-05-09
Applicant: CLOUDFLARE, INC.
Inventor: John Graham-Cumming
CPC classification number: H04L63/0428, H04L9/12, H04L45/22, H04L45/566, H04L63/06, H04L63/0846, H04L63/101, H04L63/1416, H04L63/1458, H04L67/02, H04L67/10, H04L67/125, H04L67/28, H04L67/2814, H04L67/2842, H04L67/42, H04L69/22
Abstract: A method and apparatus for delaying responses to requests in a server are described. Upon receipt, from a client device, of a first request for a resource at a first location, a response that includes a redirection instruction to a second location is transmitted. The response includes a first number of redirects to be completed prior to the first request being fulfilled. Upon receipt of a following request including a number of redirects, the remote server determines whether the number of redirects has been performed. When the number of redirects has not been performed the transmission of the redirection instruction is repeated with a number of redirects smaller than the first number of redirects until the receipt of a request indicating that the number of redirects has been performed. When the number of redirects has been performed the request is fulfilled.
87.
Publication No.: US20170359432A1
Publication Date: 2017-12-14
Application No.: US15179454
Filing Date: 2016-06-10
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht, John Graham-Cumming
CPC classification number: H04L67/2814, H04L63/0428, H04L63/1458, H04L67/02, H04L67/42
Abstract: A method and apparatus for delaying responses to requests in a server are described. Upon receipt, from a client device, of a first request for a resource at a first location, a response that includes a redirection instruction to a second location is transmitted, where the response includes a first number of redirects that the client device is to complete prior to the first request being fulfilled. Upon receipt of a following request including a number of redirects, it is determined whether the number of redirects has been performed. When the number of redirects has not been performed, the transmission of the redirection instruction is repeated with a number of redirects smaller than the first number of redirects until the receipt of a request indicating that the number of redirects has been performed. When the number of redirects has been performed, the request is fulfilled.
88.
Publication No.: US09843590B1
Publication Date: 2017-12-12
Application No.: US15477938
Filing Date: 2017-04-03
Applicant: CLOUDFLARE, INC.
Inventor: Dane Orion Knecht, John Graham-Cumming
CPC classification number: H04L63/101, H04L9/3228, H04L9/3297, H04L61/10, H04L61/1511, H04L63/0227, H04L63/0428, H04L63/0838, H04L63/108, H04L63/1416, H04L63/1458, H04L67/02, H04L67/10, H04L67/28, H04L67/2833, H04L67/2842, H04L67/42, H04L2463/142
Abstract: A method and apparatus for causing a delay in processing requests for Internet resources received from client devices is described. A server receives from a first client device a first request for a resource. The server transmits a response to the first client device indicating that access to the resource is temporarily denied. The response includes a cryptographic token associated with the first request and a predetermined period of time during which the first client device is to wait prior to transmitting another request to access the resource. The server receives a second request for the resource; upon determining that the second request includes a valid cryptographic token, the server causes the second request to be processed. The server receives a third request for the resource; upon determining that the third request does not include a valid cryptographic token, the server blocks the third request.
89.
Publication No.: US20170171172A1
Publication Date: 2017-06-15
Application No.: US14964491
Filing Date: 2015-12-09
Applicant: CLOUDFLARE, INC.
Inventor: Nicholas Thomas Sullivan, Lee Hahn Holloway, Piotr Sikora, Ryan Lackey, John Graham-Cumming, Dane Orion Knecht, Patrick Donahue, Zi Lin
CPC classification number: H04L63/061, G06F21/33, H04L63/205
Abstract: A server receives a request from a client to establish a secure session. The server analyzes the request to determine a set of one or more properties of the request. The server selects, based at least in part on the determined set of properties, one of multiple certificates for a hostname of the server, where each of the certificates is signed using a different signature and hash algorithm pair. The server returns the selected certificate to the client.
90.
Publication No.: US20160014226A1
Publication Date: 2016-01-14
Application No.: US14659909
Filing Date: 2015-03-17
Applicant: CloudFlare, Inc.
Inventor: John Graham-Cumming
CPC classification number: H04L67/2828, H04L29/08783, H04L67/1023, H04L67/2842, H04L67/2876, H04L69/02, H04L69/04
Abstract: A near end network optimizer receives, from a client device, a request for a network resource. Responsive to determining that a version of the network resource is stored in the near end network optimizer, a request for the network resource is transmitted to a far end network optimizer along with a version identifier that identifies that version. The near end network optimizer receives, from the far end network optimizer, a response that includes a differences file specifying the difference(s) between the version of the network resource stored in the near end network optimizer and the most current version of the network resource. The response does not include the entire network resource. The near end network optimizer applies the specified difference(s) to the version that it has stored to generate an updated version of the network resource, and transmits the updated version of the network resource to the client device.