-
Publication (Announcement) No.: US10116698B1
Publication (Announcement) Date: 2018-10-30
Application No.: US15092513
Application Date: 2016-04-06
Applicant: Amazon Technologies, Inc.
Inventor: Lee Atkinson, Nathan Alan Dye, Rich Vorwaller
Abstract: Systems and methods for configuration of network-based firewall services based on network firewall configuration information provided by one or more sources are provided. The network firewall configuration information can include one or more lists of network address ranges that will be used by the network firewall to process data communications received at a data center. The received network firewall configuration information can be prioritized and filtered to conform to a maximum threshold number of network address ranges that can be configured on a network firewall service. The filtered and processed network address range information can then be utilized to configure one or more network firewall services or applications hosted within a data center.
-
Publication (Announcement) No.: US10242100B2
Publication (Announcement) Date: 2019-03-26
Application No.: US15803553
Application Date: 2017-11-03
Applicant: Amazon Technologies, Inc.
Inventor: Prashanth A. Acharya, Ronald James Snyder, Jr., Ryan F. Watson, Jonathan B. Corley, Nathan Alan Dye, Craig W. Howard, Harvo R. Jones, John K. Loendorf, Bradley E. Marshall, Imran Patel, Lee B. Rosen
Abstract: Techniques are described for managing cached data in a network environment. In one example, the techniques include receiving a client request for a data group, determining that a cached copy of the requested data group that is stored in the persistent cache storage is no longer valid relative to a current copy of the data group stored at a remote data source system, obtaining from the remote data source system information about differences between the cached copy and the current copy and instructions associated with the identified differences, modifying, by the configured server computing system, the cached copy to include the identified differences in accordance with the received instructions, and providing, by the configured server computing system, the modified cached copy of the requested data group to the client in response to the client request.
-
Publication (Announcement) No.: US10200402B2
Publication (Announcement) Date: 2019-02-05
Application No.: US15714993
Application Date: 2017-09-25
Applicant: Amazon Technologies, Inc.
Inventor: Anton Stephen Radlein, Nathan Alan Dye, Craig Wesley Howard, Harvo Reyzell Jones
Abstract: Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attack-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.
-
Publication (Announcement) No.: US20180060431A1
Publication (Announcement) Date: 2018-03-01
Application No.: US15803553
Application Date: 2017-11-03
Applicant: Amazon Technologies, Inc.
Inventor: Prashanth A. Acharya, Jonathan B. Corley, Nathan Alan Dye, Craig W. Howard, Harvo R. Jones, John K. Loendorf, Bradley E. Marshall, Imran Patel, Lee B. Rosen, Ronald James Snyder, Ryan F. Watson
IPC: G06F17/30
CPC classification number: G06F17/30861, G06F17/3089, H04L29/0809, H04L67/2852
Abstract: Techniques are described for managing cached data in a network environment. In one example, the techniques include receiving a client request for a data group, determining that a cached copy of the requested data group that is stored in the persistent cache storage is no longer valid relative to a current copy of the data group stored at a remote data source system, obtaining from the remote data source system information about differences between the cached copy and the current copy and instructions associated with the identified differences, modifying, by the configured server computing system, the cached copy to include the identified differences in accordance with the received instructions, and providing, by the configured server computing system, the modified cached copy of the requested data group to the client in response to the client request.
-
Publication (Announcement) No.: US09774619B1
Publication (Announcement) Date: 2017-09-26
Application No.: US14864638
Application Date: 2015-09-24
Applicant: Amazon Technologies, Inc.
Inventor: Anton Stephen Radlein, Nathan Alan Dye, Craig Wesley Howard, Harvo Reyzell Jones
IPC: H04L29/06
CPC classification number: H04L63/1441, H04L61/1511, H04L63/1458
Abstract: Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attack-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.
-
Publication (Announcement) No.: US10097566B1
Publication (Announcement) Date: 2018-10-09
Application No.: US14815863
Application Date: 2015-07-31
Applicant: Amazon Technologies, Inc.
Inventor: Anton Stephen Radlein, Harvo Reyzell Jones, Craig Wesley Howard, Nathan Alan Dye
Abstract: Systems and methods are described to enable identification of computing resources targeted in a network attack. Network attacks, such as denial of service attacks, are frequently directed to network addresses that host multiple sets of content, each representing a distinct potential target of the network attack. Aspects of this disclosure enable each set of content to be assigned a unique or semi-unique combination of network addresses at which the set of content is accessible. During a network attack, a hosting system can compare the network addresses under attack to those assigned to each set of content to determine which sets of content are potentially targeted by the attack. Where the combination of network addresses is associated with only a single set of content, that set of content can be identified as the target of the network attack.
-
Publication (Announcement) No.: US20180109553A1
Publication (Announcement) Date: 2018-04-19
Application No.: US15714993
Application Date: 2017-09-25
Applicant: Amazon Technologies, Inc.
Inventor: Anton Stephen Radlein, Nathan Alan Dye, Craig Wesley Howard, Harvo Reyzell Jones
IPC: H04L29/06
CPC classification number: H04L63/1441, H04L61/1511, H04L63/1458
Abstract: Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attack-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.
-
Publication (Announcement) No.: US09794281B1
Publication (Announcement) Date: 2017-10-17
Application No.: US14864684
Application Date: 2015-09-24
Applicant: Amazon Technologies, Inc.
Inventor: Anton Stephen Radlein, Harvo Reyzell Jones, Nathan Alan Dye, Craig Wesley Howard
IPC: H04L29/06
CPC classification number: H04L63/1458, H04L61/1511, H04L63/1416
Abstract: Systems and methods are described to enable identification of computing devices associated with network attacks, such as denial of service attacks. Data packets used to execute a network attack often include forged source address information, such that the address of an attacker is difficult or impossible to determine based on those data packets. However, attackers generally provide legitimate address information when resolving an identifier, such as a universal resource identifier (URI), of an attack target into corresponding destination addresses. The application enables individual client computing devices to be provided with different combinations of destination addresses, such that when an attack is detected on a given combination of destination addresses, the client computing device to which that combination of destination addresses was provided can be identified as a source of the attack.
-
Publication (Announcement) No.: US09742795B1
Publication (Announcement) Date: 2017-08-22
Application No.: US14864683
Application Date: 2015-09-24
Applicant: Amazon Technologies, Inc.
Inventor: Anton Stephen Radlein, Nathan Alan Dye, Craig Wesley Howard, Harvo Reyzell Jones
IPC: H04L29/06
CPC classification number: H04L63/1441, H04L63/0218, H04L63/1416, H04L63/1458
Abstract: Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attack-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.