公开(公告)号：US20190215166A1

公开(公告)日：2019-07-11

申请号：US16356304

申请日：2019-03-18

Applicant: CLOUDFLARE, INC.

Inventor： Matthew Browning Prince ,  Srikanth N. Rao ,  Lee Hahn Holloway ,  Ian Gerald Pye

IPC: H04L9/32 ,  H04L29/08 ,  H04L29/06

Abstract: A proxy server in a cloud-based proxy service receives a secure session request from a client device as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.

公开(公告)号：US10129296B2

公开(公告)日：2018-11-13

申请号：US15603256

申请日：2017-05-23

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, Jr.

IPC: H04L29/06 ,  G06F21/57 ,  G06F21/55

Abstract: A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that that the visitor is part of the DoS attack. If the set of challenges are passed, the request may be processed. If the set of challenges are not passed, the request may be dropped.

公开(公告)号：US11546175B2

公开(公告)日：2023-01-03

申请号：US17181917

申请日：2021-02-22

Applicant: CLOUDFLARE, INC.

Inventor： Matthew Browning Prince ,  Srikanth N. Rao ,  Lee Hahn Holloway ,  Ian Gerald Pye

IPC: H04L9/40 ,  H04L9/32 ,  H04L67/56 ,  H04W76/10

Abstract: An attack is detected on a first IP address and a determination is made that the first IP address is associated with a primary digital certificate that is bound with multiple different domains. For each of these domains, a secondary certificate is accessed that is bound only to that domain and that secondary certificate is associated with a unique IP address such that each of the different domains has a unique IP address associated with its secondary certificate respectively. The attack is isolated to the domain the attack follows.

公开(公告)号：US20210176079A1

公开(公告)日：2021-06-10

申请号：US17181917

申请日：2021-02-22

Applicant: CLOUDFLARE, INC.

Inventor： Matthew Browning Prince ,  Srikanth N. Rao ,  Lee Hahn Holloway ,  Ian Gerald Pye

IPC: H04L9/32 ,  H04L29/06 ,  H04L29/08

Abstract: A proxy server in a cloud-based proxy service receives a secure session request from a client device as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.

公开(公告)号：US10581904B2

公开(公告)日：2020-03-03

申请号：US15585090

申请日：2017-05-02

Applicant: CloudFlare, Inc.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, Jr.

IPC: H04L29/06 ,  G06F21/55 ,  G06F21/57

Abstract: Message(s) are received from each one of multiple proxy servers, which are anycasted to the same IP address, that indicate source IP addresses of packets that are received that are directed to that same IP address. These proxy servers receive the packets as result of domain(s) resolving to that same IP address, and a particular one of the proxy servers receives the packets as a result of an anycast protocol implementation selecting that proxy server. Based on these message(s) from each of the proxy servers, a determination of the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers is determined. A message is transmitted to each of the proxy servers that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.

公开(公告)号：US20240121265A1

公开(公告)日：2024-04-11

申请号：US18508122

申请日：2023-11-13

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, JR.

IPC: H04L9/40 ,  G06F21/55 ,  G06F21/57

CPC classification number: H04L63/1458 ,  G06F21/552 ,  G06F21/577 ,  H04L63/0281 ,  H04L63/1408 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/1466 ,  H04L63/20

Abstract: An authoritative domain name system (DNS) server receives DNS requests for domains. The authoritative DNS server transmits DNS responses to the DNS requests with address records that include IP addresses that are selected from a larger pool of IP addresses, where a first DNS response can include IP addresses different from IP addresses included in a second DNS response for the same domain. Also, the same IP addresses may be returned for a first domain and a different, second domain. The authoritative DNS server may select the IP addresses to include in DNS responses to the DNS requests using a round-robin process.

公开(公告)号：US20200322374A1

公开(公告)日：2020-10-08

申请号：US16800175

申请日：2020-02-25

Applicant: Cloudflare, Inc.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, JR.

IPC: H04L29/06 ,  G06F21/55 ,  G06F21/57

Abstract: A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.

公开(公告)号：US10574690B2

公开(公告)日：2020-02-25

申请号：US15489421

申请日：2017-04-17

Applicant: CloudFlare, Inc.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, Jr.

IPC: H04L29/06 ,  G06F21/55 ,  G06F21/57

Abstract: A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.

公开(公告)号：US20180007085A1

公开(公告)日：2018-01-04

申请号：US15603256

申请日：2017-05-23

Applicant: CLOUDFLARE, INC.

Inventor： Lee Hahn Holloway ,  Srikanth N. Rao ,  Matthew Browning Prince ,  Matthieu Philippe François Tourne ,  Ian Gerald Pye ,  Ray Raymond Bejjani ,  Terry Paul Rodery, JR.

IPC: H04L29/06

CPC classification number: H04L63/1458 ,  G06F21/552 ,  G06F21/577 ,  H04L63/0281 ,  H04L63/1408 ,  H04L63/1416 ,  H04L63/1425 ,  H04L63/1433 ,  H04L63/1466 ,  H04L63/20

Abstract: A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that that the visitor is part of the DoS attack. If the set of challenges are passed, the request may be processed. If the set of challenges are not passed, the request may be dropped.

公开(公告)号：US20150229481A1

公开(公告)日：2015-08-13

申请号：US14692397

申请日：2015-04-21

Applicant: CLOUDFLARE, INC.

Inventor： Matthew Browning Prince ,  Srikanth N. Rao ,  Lee Hahn Holloway ,  Ian Gerald Pye

IPC: H04L9/32 ,  H04L29/08

CPC classification number: H04L9/3268 ,  H04L63/0464 ,  H04L63/0823 ,  H04L63/0884 ,  H04L63/166 ,  H04L67/28 ,  H04W76/10

Abstract: A proxy server in a cloud-based proxy service receives a secure session request from a client device as a result of a Domain Name System (DNS) request for a domain resolving to the proxy server. The proxy server participates in a secure session negotiation with the client device including transmitting a digital certificate to the client device that is bound to domain and multiple other domains. The proxy server receives an encrypted request from the client device for an action to be performed on a resource that is hosted at an origin server corresponding to the domain. The proxy server decrypts the request and participates in a secure session negotiation with the origin server including receiving a digital certificate from the origin server. The proxy server encrypts the decrypted request using the digital certificate from the origin server and transmits the encrypted request to the origin server.

Abstract translation: 基于云的代理服务器中的代理服务器由于针对解析到代理服务器的域的域名系统（DNS）请求而从客户端设备接收安全会话请求。 代理服务器参与与客户端设备的安全会话协商，包括将数字证书发送到绑定到域和多个其他域的客户端设备。 代理服务器从客户端设备接收对在与域对应的原始服务器上托管的资源执行的操作的加密请求。 代理服务器解密请求并参与与原始服务器的安全会话协商，包括从原始服务器接收数字证书。 代理服务器使用来自原始服务器的数字证书对解密的请求进行加密，并将加密的请求发送到原始服务器。