CPC H04L 63/1458 (2013.01) [H04L 63/0236 (2013.01); H04L 63/029 (2013.01); H04L 63/10 (2013.01); H04L 63/1408 (2013.01); H04L 45/12 (2013.01); H04L 63/1441 (2013.01)]
14 Claims
1. A method comprising:
announcing, as an internet protocol (IP) address associated with a server of a plurality of servers, a first anycast IP address to represent the server, the first anycast IP address being one of a plurality of anycast IP addresses, the first anycast IP address as an anycast address for a plurality of scrubbing centers for a scrubbing center network, the first anycast IP address allocated specifically to the server, wherein each of the plurality of anycast IP addresses is allocated to a respective server of the plurality of servers by the scrubbing center network, and wherein an actual IP address of the server is maintained confidential between the scrubbing center network and the server;
receiving, at the scrubbing center network, an incoming network packet intended for the server, the incoming network packet identified using the first anycast IP address;
determining, by the scrubbing center network, whether the incoming network packet is legitimate;
in response to determining that the incoming network packet is legitimate, routing, by a processor, the incoming network packet to the server at the actual IP address of the server using a generic routing encapsulation (GRE) tunnel;
anycasting a second anycast IP address towards the server from each scrubbing center of the scrubbing center network simultaneously;
receiving, at a scrubbing center of the plurality of scrubbing centers, an encapsulated outgoing network packet from the server, wherein the encapsulated outgoing network packet is an outgoing network packet which has been encapsulated by the server with a header information comprising the second anycast IP address as a destination address;
decapsulating the outgoing network packet to generate a decapsulated outgoing network packet by removing the encapsulation added by the server that includes the header information, wherein the decapsulating is performed by a scrubbing center of the scrubbing center network that is nearest to the server; and
transmitting the decapsulated outgoing network packet to an end user,
wherein the decapsulating is performed by a scrubbing center of the plurality of scrubbing centers that is nearest to the server.
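The return path in the claim (server encapsulates toward the second anycast address, nearest scrubbing center decapsulates) can be sketched as follows. This is an added example, not code from the patent: it assumes the outgoing encapsulation is plain GRE over IPv4 with no optional GRE fields, and the function names and the outer-header checks are illustrative assumptions.

```python
import socket
import struct

GRE_PROTO = 47           # IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 payload

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def server_encapsulate(inner: bytes, server_ip: str, anycast2: str) -> bytes:
    """Server side: wrap the outgoing packet, outer destination = second anycast IP."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum/key/sequence bits
    return ipv4(server_ip, anycast2, GRE_PROTO, gre + inner)

def scrubber_decapsulate(pkt: bytes, anycast2: str, server_ip: str) -> bytes:
    """Scrubbing-center side: validate the outer header, return the inner packet."""
    if len(pkt) < 24 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet long enough to carry GRE")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 4:
        raise ValueError("bad IPv4 header length")
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("outer header checksum mismatch")
    if pkt[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    if pkt[16:20] != socket.inet_aton(anycast2):
        raise ValueError("outer destination is not the return anycast address")
    if pkt[12:16] != socket.inet_aton(server_ip):  # assumed check, not in the claim
        raise ValueError("outer source is not the protected server")
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if not ihl + 4 <= total_len <= len(pkt):
        raise ValueError("bad total length")
    return pkt[ihl + 4:total_len]
```

The inner packet returned by `scrubber_decapsulate` carries only the addresses the server placed in it, so the end user never sees the outer header that holds the server's actual IP address.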