US 11,895,149 B2
Selective traffic processing in a distributed cloud computing network
Achiel Paul van der Mandele, Austin, TX (US); and Eric Reeves, Austin, TX (US)
Assigned to CLOUDFLARE, INC., San Francisco, CA (US)
Filed by CLOUDFLARE, INC., San Francisco, CA (US)
Filed on Nov. 29, 2022, as Appl. No. 18/071,484.
Application 18/071,484 is a continuation of application No. 16/908,518, filed on Jun. 22, 2020, granted, now 11,546,374.
Prior Publication US 2023/0087129 A1, Mar. 23, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 67/288 (2022.01); H04L 69/325 (2022.01); H04L 67/01 (2022.01); H04L 67/63 (2022.01)
CPC H04L 63/1458 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 67/01 (2022.05); H04L 67/288 (2013.01); H04L 67/63 (2022.05); H04L 69/325 (2013.01)] 18 Claims
OG exemplary drawing
1. A method, comprising:
receiving first internet traffic from a first client device at a first server of a plurality of servers of a distributed cloud computing network, wherein the first internet traffic is destined for a first destination, wherein each of the plurality of servers is associated with a set of one or more server identities including a server/data center certification identity;
processing, at layer 3, the first internet traffic destined for the first destination including participating in a layer 3 distributed denial of service (DDoS) protection service to protect against a layer 3 DDoS attack against the first destination;
determining that the received first internet traffic is not to be dropped by the layer 3 DDoS protection service;
determining that the first server is not permitted to process the received first internet traffic at layers 5-7, wherein the server/data center certification identity associated with the first server of the plurality of servers does not meet a selected criteria for processing internet traffic at layers 5-7;
determining that a second server of the plurality of servers is permitted to process the received first internet traffic at layers 5-7, and wherein the server/data center certification identity associated with the second server of the plurality of servers meets the selected criteria for processing internet traffic at layers 5-7;
transmitting the first internet traffic to the second server of the plurality of servers for processing the first internet traffic at layers 5-7;
receiving second internet traffic from a second client device at the first server of a plurality of servers of a distributed cloud computing network, wherein the second internet traffic is destined for a second destination;
processing, at layer 3, the second internet traffic destined for the second destination including participating in a layer 3 distributed denial of service (DDoS) protection service to protect against a layer 3 DDoS attack against the second destination;
determining that the received second internet traffic is not to be dropped by the layer 3 DDoS protection service;
determining that a policy for selective traffic processing at layers 5-7 applies to the received second internet traffic, wherein the policy indicates that internet traffic received from a first location is permitted to be processed at layers 5-7 only by servers in a second location, wherein the first server is not in the second location;
determining that the received second internet traffic is received from the first location; and
transmitting the second internet traffic to a server in the second location.
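The decision procedure that claim 1 describes (layer 3 DDoS filtering first, then a location policy check, then a server/data-center certification check that decides whether the ingress server may handle the traffic at layers 5-7 or must hand it to a permitted peer) can be modelled as a small routing function. The following is an added illustration written for this page, not code from the patent or from Cloudflare; the server names, locations, certification labels, the packet-rate threshold standing in for the layer 3 DDoS decision, the fail-closed behaviour when no compliant server exists, and the "prefer a co-located server" tie-break are all assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    name: str
    location: str              # data-center region (constructed label)
    certifications: frozenset  # server/data-center certification identities held


@dataclass(frozen=True)
class Flow:
    client_ip: str
    destination: str           # origin the traffic is destined for
    client_location: str       # where the client traffic is received from
    packets_per_second: int    # observed rate, used by the toy layer 3 filter


@dataclass(frozen=True)
class LocationPolicy:
    # Traffic received from `from_location` may be processed at layers 5-7
    # only by servers located in `only_process_in`.
    from_location: str
    only_process_in: str


def layer3_ddos_should_drop(flow: Flow, threshold_pps: int = 10_000) -> bool:
    """Stand-in for the layer 3 DDoS protection service: drop flows above a rate.
    A real service uses far richer signals; the threshold here is an assumption."""
    return flow.packets_per_second > threshold_pps


def meets_certification(server: Server, required: frozenset) -> bool:
    """The 'selected criteria' of the claim: every required certification is held."""
    return required <= server.certifications


def _pick(candidates: list, ingress: Server):
    # Tie-break (assumption): prefer a server co-located with the ingress,
    # then stable name order so the choice is deterministic.
    if not candidates:
        return None
    return sorted(candidates, key=lambda s: (s.location != ingress.location, s.name))[0]


def route_for_l57(flow: Flow, ingress: Server, fleet: list,
                  required_certs: frozenset, policies: list):
    """Return ("drop", None), ("local", ingress) or ("forward", <Server>)."""
    # Step 1: layer 3 processing, including DDoS protection for the destination.
    if layer3_ddos_should_drop(flow):
        return ("drop", None)

    # Step 2: does a selective-processing policy apply to this flow's source location?
    for policy in policies:
        if policy.from_location == flow.client_location:
            if (ingress.location == policy.only_process_in
                    and meets_certification(ingress, required_certs)):
                return ("local", ingress)
            candidates = [s for s in fleet
                          if s.location == policy.only_process_in
                          and meets_certification(s, required_certs)]
            chosen = _pick(candidates, ingress)
            # Fail closed (assumption): no compliant server means no L5-7 processing.
            return ("forward", chosen) if chosen else ("drop", None)

    # Step 3: certification criteria for layers 5-7 on the ingress server itself.
    if meets_certification(ingress, required_certs):
        return ("local", ingress)
    candidates = [s for s in fleet if meets_certification(s, required_certs)]
    chosen = _pick(candidates, ingress)
    return ("forward", chosen) if chosen else ("drop", None)


# Constructed fleet, requirement and policy for the scenarios below.
EDGE_US = Server("edge-us", "us-east", frozenset({"SOC2"}))
EDGE_US_CERT = Server("edge-us-cert", "us-east", frozenset({"SOC2", "ISO27001"}))
EDGE_EU_CERT = Server("edge-eu-cert", "eu-central", frozenset({"SOC2", "ISO27001"}))
FLEET = [EDGE_US, EDGE_US_CERT, EDGE_EU_CERT]
REQUIRED_CERTS = frozenset({"ISO27001"})
POLICIES = [LocationPolicy(from_location="eu", only_process_in="eu-central")]

FLOW_US = Flow("198.51.100.7", "app.example", "us", 100)       # ordinary US client
FLOW_EU = Flow("203.0.113.9", "app.example", "eu", 100)        # EU client, policy applies
FLOW_FLOOD = Flow("198.51.100.8", "app.example", "us", 50_000)  # looks like a flood


def run_scenarios() -> dict:
    """Exercise the three claim paths and return the routing decisions."""
    return {
        "us_client_on_uncertified_ingress": route_for_l57(FLOW_US, EDGE_US, FLEET, REQUIRED_CERTS, POLICIES),
        "us_client_on_certified_ingress": route_for_l57(FLOW_US, EDGE_US_CERT, FLEET, REQUIRED_CERTS, POLICIES),
        "eu_client_on_us_ingress": route_for_l57(FLOW_EU, EDGE_US, FLEET, REQUIRED_CERTS, POLICIES),
        "flood_from_us_client": route_for_l57(FLOW_FLOOD, EDGE_US, FLEET, REQUIRED_CERTS, POLICIES),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The ordering matters for the security property: the layer 3 DDoS check runs on whichever server first receives the packets, so a flood is absorbed at the edge before any forwarding decision is made, while the certification and location checks gate only the more expensive layer 5-7 handling.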