Abstract: A relay service enables two peers attempting to communicate with one another to each connect to a publicly-accessible relay server, which servers are associated with an overlay network and are selected by a directory service. After end-to-end connectivity is established, preferably the hosts communicate with each other by relaying data packets via the overlay network relay servers. Communications (both connection control messages and data being relayed) between a host and a relay server occurs at an application layer using a modified version of the TURN protocol.

Abstract: An origin server selectively enables an intermediary (e.g., an edge server) to shunt into and out of an active TLS session that is on-going between a client and the origin server. The technique allows for selective pieces of a data stream to be delegated from an origin to the edge server for the transmission (by the edge server) of authentic cached content, but without the edge server having the ability to obtain control of the entire stream or to decrypt arbitrary data after that point. The technique enables an origin to authorize the edge server to inject cached data at certain points in a TLS session, as well as to mathematically and cryptographically revoke any further access to the stream until the origin deems appropriate.

Abstract: According to non-limiting embodiments disclosed herein, the functionality of an object cache in a server can be extended to monitor and track web traffic, and in particular to perform rate accounting on selected web traffic. As the server communicates with clients (e.g., receiving HTTP requests and responding to those requests), the server can use its existing object cache storage and existing object cache services to monitor web traffic by recording how often a client makes a particular request in the object cache and/or other data about the requests. Preferably, the object cache is still used for conventional caching of objects, the object cache thus providing a dual role by storing both web objects and rate accounting data.

Abstract: A cloud-based firewall system and service is provided to protect customer sites from attacks, leakage of confidential information, and other security threats. In various embodiments, such a firewall system and service can be implemented in conjunction with a content delivery network (CDN) having a plurality of distributed content servers. The CDN servers receive requests for content identified by the customer for delivery via the CDN. The CDN servers include firewalls that examine those requests and take action against security threats, so as to prevent them from reaching the customer site. The CDN provider implements the firewall system as a managed firewall service, with the operation of the firewalls for given customer content being defined by that customer, independently of other customers. In some embodiments, a customer may define different firewall configurations for different categories of that customer's content identified for delivery via the CDN.

Abstract: According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended with a mechanism for identifying connections with clients that have exhibited attack characteristics (for example, characteristics indicating a DoS attack), and for transitioning internal ownership of those connections such that server resources consumed by the connection are reduced, while keeping the connection open. The connection thus moves from a state of relatively high resource use to a state of relatively low server resource use. According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended by enabling the server to determine that any of a client and a connection exhibits one or more attack characteristics (e.g., based on at least one of client attributes, connection attributes, and client behavior during the connection, or otherwise). As a result of the determination, the server changes its treatment of the connection.

Abstract: According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended with a mechanism for identifying connections with clients that have exhibited attack characteristics (for example, characteristics indicating a DoS attack), and for transitioning internal ownership of those connections such that server resources consumed by the connection are reduced, while keeping the connection open. The connection thus moves from a state of relatively high resource use to a state of relatively low server resource use. According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended by enabling the server to determine that any of a client and a connection exhibits one or more attack characteristics (e.g., based on at least one of client attributes, connection attributes, and client behavior during the connection, or otherwise). As a result of the determination, the server changes its treatment of the connection.

Abstract: Disclosed herein are methods and systems for detecting congestion in a mobile network and for determining those end-user mobile devices that are affected. In one embodiment, a server communicates with a set of mobile devices, on which have been installed a suitable client application. At certain times, the server initiates a congestion detection routine. The server may request the mobile devices to report on their current wireless attachment point to the mobile network. The server can then test for congestion by performing a data transfer between itself and the mobile clients, which may be in either direction. The server can use the results to determine whether a given attachment point is congested. In one embodiment, a dynamically selected, random subset of mobile devices for a current attachment point are tested, and the result is imputed to all mobile devices similarly situated.

Abstract: The subject matter herein generally relates to transcoding content, typically audio/video files though not limited to such, from one version to another in preparation for online streaming or other delivery to end users. Such transcoding may involve converting from one format to another (e.g., changing codecs or container formats), or creating multiple versions of an original source file in different bitrates, frame-sizes, or otherwise, to support distribution to a wide array of devices and to utilize performance-enhancing technologies like adaptive bitrate streaming. A transcoding platform is described herein that, in certain embodiments, leverages distributed computing techniques to transcode content in parallel across a platform of machines that are preferably idle or low-utilization resources of a content delivery network.

Abstract: A content delivery network (CDN) edge server is provisioned to provide last mile acceleration of content to requesting end users. The CDN edge server fetches, compresses and caches content obtained from a content provider origin server, and serves that content in compressed form in response to receipt of an end user request for that content. It also provides “on-the-fly” compression of otherwise uncompressed content as such content is retrieved from cache and is delivered in response to receipt of an end user request for such content. A preferred compression routine is gzip, as most end user browsers support the capability to decompress files that are received in this format. The compression functionality preferably is enabled on the edge server using customer-specific metadata tags.

Abstract: The teachings herein generally relate to client-server communications and the delivery of content over computer networks to clients, and provide improved methods, systems, and apparatus for identifying and/or characterizing client devices that are requesting content from a server. For example, based on information sent in a client device's request for content, a web server modified in accordance with the teachings hereof can identify a set of characteristics associated with that client device. Such characteristics might include the model name of the client device, the screen dimensions of the client device, information about the particular operating system or browser name/version it is running, content formats it is capable of consuming, and so on. The web server can use this information to modify and customize its response for the given client device.

Abstract: Described herein are, among other things, distributed processing methods and systems for frame rate conversion. In an embodiment, a transcoding management machine manages a distributed transcoding process, creating a plurality of video segments and assigning the video segments across a set of distributed transcoding resources for frame rate conversion. The management machine typically sends a given segment to a given transcoding resource along with instructions to convert the frame rate to a specified output frame rate. In addition, the management machine can send certain transcoding assistance information that preferably facilitates the frame rate change process and helps the transcoding resource to create a more accurate output segment. Hence, in some embodiments, each transcoding resource can perform its transcode job independently, but with reference to the input segment it is responsible for transcoding and the assistance information provided by the management machine.

Abstract: Methods and apparatus for preventing unauthorized access to online content, including in particular streaming video and other media, are provided. In various embodiments, techniques are provided to authorize users and to authenticate clients (e.g., client media players) to a content delivery system. The content delivery system may comprise a content delivery network with one or more content or “edge” servers therein. The requesting client is sent a program at the time of content delivery. The program may be embedded in the content stream, or sent outside of the stream. The program contains instructions that are executed by the client and cause it to return identifying information to the content delivery system, which can then determine whether the client player is recognized and, if so, authorized to view the content. Unrecognized and/or altered players may be prevented from viewing the content.

Abstract: Front-end optimization (FEO) configuration information is leveraged to identify “key” resources required to load other pages on a site, and to automatically cause key resources to be prefetched to a server, and to the browser. In this approach, an FEO analyzer uses knowledge of configured optimization templates to determine the key resources required to load pages for each template. The key resources for pages belonging to other optimization templates are then selectively prefetched by other pages. In a preferred approach, the FEO analyzer provides an edge server cache process a list of key resources and instructions to prefetch the key resources, as well as instructions to rewrite the HTML of the page to include instructions for the browser to prefetech the key resources. On the client, key resources are prefetched if missing from a cache on the browser. Key resources preferably are stored in the browser's HTML5 local storage cache.

Abstract: Described herein are methods, systems, and apparatus in which the functionality of a DNS server is modified to take into account security intelligence when determining an answer to return in response to a requesting client. Such a DNS server may consider a variety of security characteristics about the client and/or the client's request, as described more fully herein. Such a DNS server can react to clients in a variety of ways based on the threat assessment, preferably in a way that proactively counters or mitigates the perceived threat.

Abstract: According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended with a mechanism for identifying connections with clients that have exhibited attack characteristics (for example, characteristics indicating a DoS attack), and for transitioning internal ownership of those connections such that server resources consumed by the connection are reduced, while keeping the connection open. The connection thus moves from a state of relatively high resource use to a state of relatively low server resource use. According to certain non-limiting embodiments disclosed herein, the functionality of a server is extended by enabling the server to determine that any of a client and a connection exhibits one or more attack characteristics (e.g., based on at least one of client attributes, connection attributes, and client behavior during the connection, or otherwise). As a result of the determination, the server changes its treatment of the connection.

Abstract: A domain to be published to an enterprise ECDN is associated with a set of one or more enterprise zones configurable in a hierarchy. When a DNS query arrives for a hostname known to be associated with given content within the control of the ECDN, a DNS server responds by handing back an IP address, by executing a zone referral to a next (lower) level name server in a zone hierarchy, or by CNAMing to another hostname, thereby restarting the lookup procedure. At any level in the zone hierarchy, there is an associated zone server that executes logic that applies the requested hostname against a map. A name query to ECDN-managed content may be serviced in coordination with various sources of distributed network intelligence.

Abstract: Stream-based data deduplication is provided in a multi-tenant shared infrastructure but without requiring “paired” endpoints having synchronized data dictionaries. Data objects processed by the dedupe functionality are treated as objects that can be fetched as needed. As such, a decoding peer does not need to maintain a symmetric library for the origin. Rather, if the peer does not have the chunks in cache that it needs, it follows a conventional content delivery network procedure to retrieve them. In this way, if dictionaries between pairs of sending and receiving peers are out-of-sync, relevant sections are then re-synchronized on-demand. The approach does not require that libraries maintained at a particular pair of sender and receiving peers are the same. Rather, the technique enables a peer, in effect, to “backfill” its dictionary on-the-fly. On-the-wire compression techniques are provided to reduce the amount of data transmitted between the peers.

Abstract: A server in a distributed environment includes a process that manages incoming client requests and selectively forwards service requests to other servers in the network. The server includes storage in which at least one forwarding queue is established. The server includes code for aggregating service requests in the forwarding queue and then selectively releasing the requests, or some of them, to another server. The queuing mechanism preferably is managed by metadata, which, for example, controls how many service requests may be placed in the queue, how long a given service request may remain in the queue, what action to take in response to a client request if the forwarding queue's capacity is reached, etc. In one embodiment, the server generates an estimate of a current load on an origin server (to which it is sending forwarding requests) and instantiates the forward request queuing when that current load is reached.

Abstract: The subject matter herein generally relates to transcoding content, typically audio/video files though not limited to such, from one version to another in preparation for online streaming or other delivery to end users. Such transcoding may involve converting from one format to another (e.g., changing codecs or container formats), or creating multiple versions of an original source file in different bitrates, frame-sizes, or otherwise. A transcoding platform is described herein that, in certain embodiments, leverages distributed computing techniques to transcode content in parallel across a platform of machines that are preferably idle or low-utilization resources of a content delivery network. The transcoding system also utilizes, in certain embodiments, improved techniques for segmenting the original source file so as to enable different segments to be sent to different machines for parallel transcodes.

Abstract: This patent document describes, among other things, methods, apparatus, and systems for tracking those resources that a server has pushed to a client, e.g., using the HTTP 2.0 or other server push mechanism. Pushed resources may be cached at the client. By tracking such pushed resources, a server can avoid pushing such cached resources in response to subsequent requests from that client; doing so would be wasteful if the client already has the resource cached. Among other things, techniques for storing, encoding, organizing, and managing data about pushed resources in cookies are disclosed.