Patents Assigned to Akamai Technologies, Inc.
-
Patent number: 11330075
Abstract: A method of delivering dynamic web content by a proxy server is disclosed. A plurality of responses to requests for dynamic web content at a URL (uniform resource locator) is prefetched by a proxy server from an origin server. The plurality of prefetched responses is cached by the proxy server in a one-time cache, wherein each prefetched response cached in the one-time cache is served at most once and then removed from the one-time cache. A request from a client device for the dynamic web content at the URL is received by the proxy server. One of the plurality of prefetched responses cached in the one-time cache is served by the proxy server to the client device, wherein the one of the plurality of prefetched responses is removed from the one-time cache after the one of the plurality of prefetched responses has been served.
Type: Grant
Filed: April 30, 2019
Date of Patent: May 10, 2022
Assignee: Akamai Technologies, Inc.
Inventors: Koushik Ghosh, Hariharan Kolam, Raghu Batta Venkat
-
Patent number: 11314834
Abstract: A resource identifier to be encoded dynamically upon detection of a triggering event is identified. The resource identifier is allowed to remain not encoded prior to detection of the triggering event. The triggering event that will cause the resource identifier to be consumed by a web browser is detected. In response to detecting the triggering event, the resource identifier is encoded, and an encoded version of the resource identifier is provided for consumption by the web browser.
Type: Grant
Filed: September 5, 2019
Date of Patent: April 26, 2022
Assignee: Akamai Technologies, Inc.
Inventors: Mehrdad Reshadi, Rajaram Gaunker, Hariharan Kolam, Raghu Batta Venkat
-
Patent number: 11310201
Abstract: This document describes among other things, network security systems that incorporate a feedback loop so as to automatically and dynamically adjust the scope of network traffic that is subject to inspection. Risky traffic can be sent for inspection; risky traffic that is demonstrated to have a high rate of threats can be outright blocked without further inspection; traffic that is causing errors due to protocol incompatibility or should not be inspected for regulatory or other reasons can be flagged so it bypasses the security inspection system. The system can operate on a domain by domain basis, IP address basis, or otherwise.
Type: Grant
Filed: October 23, 2018
Date of Patent: April 19, 2022
Assignee: Akamai Technologies, Inc.
Inventors: Eugene (“John”) Neystadt, Eyal Heiman, Elisha Ben-Zvi, Asaf Nadler
-
Patent number: 11303720
Abstract: This document describes systems, methods and apparatus for locating an object and/or processed versions of that object in a CDN cache system. When a CDN server needs to send a forward request to an origin server to retrieve an object, the CDN server can append a ‘cache hint’ (sometimes referred to herein as a pointer or as ‘reverse cookie’) to its request. The cache hint preferably includes information that will be stored at the origin server and provided to other CDN servers that subsequently ask for the same object. Preferably the information is a pointer that will enable the object to be located within the CDN and/or enable the location of modified versions of the object that have already been created and stored within the CDN.
Type: Grant
Filed: May 29, 2020
Date of Patent: April 12, 2022
Assignee: Akamai Technologies, Inc.
Inventor: Byung K. Choi
-
Patent number: 11303702
Abstract: Among other things, this document describes systems, methods and devices for performance testing and dynamic placement of computing tasks in a distributed computing environment. In embodiments, a given client request is forwarded up a hierarchy of nodes, or across tiers in the hierarchy. A particular computing node in the system self-determines to perform a computing task to generate (or help generate) particular content for a response to the client. The computing node injects its identifier into the response indicating that it performed those tasks; the identifier is transmitted to the client with particular content. The client runs code that assesses the performance of the system from the client's perspective, e.g., in servicing the request, and beacons this performance data, along with the aforementioned identifier, to a system intelligence component. The performance information may be used to dynamically place and improve the placement of the computing task(s).
Type: Grant
Filed: February 2, 2021
Date of Patent: April 12, 2022
Assignee: Akamai Technologies, Inc.
Inventor: Byung K. Choi
-
Patent number: 11297040
Abstract: This document describes, among other things, security hardening techniques that guard against certain client-side attack vectors. These techniques generally involve the use of an intermediary that detects and handles identity service transactions on behalf of a client. In one embodiment, the intermediary establishes a resource domain session with the client in order to provide the client with desired resource domain content or services from a resource domain host. The intermediary detects when the resource domain host invokes a federated identity service as a condition of client access. The intermediary handles the identity transaction in the identity domain on behalf of the client within the client's resource domain session. Upon successful authentication and/or authorization with an IdP, the intermediary connects the results of the identity services domain transaction to the resource domain.
Type: Grant
Filed: May 1, 2019
Date of Patent: April 5, 2022
Assignee: Akamai Technologies, Inc.
Inventor: Jason C. Bonci
-
Publication number: 20220103522
Abstract: Among other things, this document describes systems, devices, and methods for executing rules in an application layer firewall, including in particular a web application firewall (WAF). An application layer firewall engine employs symbolic execution techniques that result in improved performance and efficiency. In preferred embodiments, an arbitrary firewall rule can be pre-processed to discover and define a set of one or more properties that an input must have in order for the input to have the potential to trigger the rule. By quickly examining an input for these properties, the application layer firewall can conclude that the input cannot trigger and therefore skip full execution of the rule against the input. This can be repeated for many if not all rules in a firewall ruleset. When a high proportion of the inputs have the required properties for rule-skipping, performance can be dramatically improved.
Type: Application
Filed: May 12, 2021
Publication date: March 31, 2022
Applicant: Akamai Technologies, Inc.
Inventors: Andrew Jacob Kahn, Yannis Drougas, Ameya Prakash Shendarkar
-
Patent number: 11290468
Abstract: A method of detecting bots, preferably in an operating environment supported by a content delivery network (CDN) that comprises a shared infrastructure of distributed edge servers from which CDN customer content is delivered to requesting end users (clients). The method begins as clients interact with the edge servers. As such interactions occur, transaction data is collected. The transaction data is mined against a set of “primitive” or “compound” feature sets to generate a database of information. In particular, preferably the database comprises one or more data structures, wherein a given data structure associates a feature value with its relative percentage occurrence across the collected transaction data. Thereafter, and upon receipt of a new transaction request, primitive or compound feature set data derived from the new transaction request are compared against the database. Based on the comparison, an end user client associated with the new transaction request is then characterized, e.g.
Type: Grant
Filed: July 7, 2020
Date of Patent: March 29, 2022
Assignee: Akamai Technologies, Inc.
Inventors: Venkata Sai Kishore Modalavalasa, Sreenath Kurupati, Tu Vuong
-
Patent number: 11288244
Abstract: Radix trees and other trees use memory inefficiently when storing key-value associations with ‘or’ conditions. Their function can be optimized by using multiple key field trees, each corresponding to a key field, which is typically a character (or group thereof) in a string input key. The tree for the final key field has nodes with the output values, and these are annotated to identify, for each output value, the valid key field values from prior key fields. To execute a lookup, each key field tree is traversed to find a matching key field value. The final key field tree is traversed to reach one or more output values; then the previously determined key field values are compared against the valid key field values to determine if there is a match for a particular output value. The matched and valid key field values can be expressed in encoded form.
Type: Grant
Filed: June 10, 2019
Date of Patent: March 29, 2022
Assignee: Akamai Technologies, Inc.
Inventor: Monika Rathor
-
Patent number: 11290383
Abstract: Described in this document, among other things, is an overload protection system that can protect data sinks from overload by controlling the volume of data sent to those data sinks in a fine-grained manner. The protection system preferably sits in between edge servers, or other producers of data, and data sinks that will receive some or all of the data. Preferably, each data sink owner defines a policy to control how and when overload protection will be applied. Each policy can include definitions of how to monitor the stream of data for overload and specify one or more conditions upon which throttling actions are necessary. In embodiments, a policy can contain a multi-part specification to identify the class(es) of traffic to monitor to see if the conditions have been triggered.
Type: Grant
Filed: September 1, 2020
Date of Patent: March 29, 2022
Assignee: Akamai Technologies, Inc.
Inventors: Aniruddha Bohra, Vadim Grinshpun, Hari Raghunathan, Mithila Nagendra
-
Patent number: 11290765
Abstract: The techniques herein provide for enhanced overlay network-based transport of traffic, such as IPsec traffic, e.g., to and from customer branch office locations, facilitated through the use of the Internet-based overlay routing infrastructure. This disclosure describes a method of providing integrity protection for traffic on the overlay network.
Type: Grant
Filed: February 5, 2019
Date of Patent: March 29, 2022
Assignee: Akamai Technologies, Inc.
Inventors: Brandon O. Williams, Liza Alenchery, Yixin Jin
-
Patent number: 11283757
Abstract: Generally, aspects of the invention involve creating a data structure (a map) that reflects routing of Internet traffic to Anycast prefixes. Assume, for example, that each Anycast prefix is associated with two or more deployments (Points of Presence or PoPs) that can provide a service such as DNS, content delivery (e.g., via proxy servers, as in a CDN), distributed network storage, compute, or otherwise. The map is built in such a way as to identify portions of the Internet (e.g., in IP address space) that are consistently routed with one another, i.e., always to the same PoP as one another, regardless of how the Anycast prefixes are deployed. Aspects of the invention also involve the use of this map, once created. The map can be applied in a variety of ways to assist and/or improve the operation of Anycast deployments and thus represents an improvement to computer networking technology.
Type: Grant
Filed: June 22, 2020
Date of Patent: March 22, 2022
Assignee: Akamai Technologies, Inc.
Inventors: Kyle G. Schomp, Rami Al-Dalky
-
Publication number: 20220086186
Abstract: A method of bot detection in a computer network leverages a machine learning system. The machine learning system receives a fingerprint derived at a server, the server having extracted a set of transport layer security parameters received from a client and processed the set parameters into the fingerprint. Based at least in part on the fingerprint, the learning system determines whether the client is likely to be a bot as opposed to a human user. The system generates and returns to the server a score having a first value when the fingerprint is determined to be associated with a good client, and having a second value when the fingerprint is determined to be associated with a bot. Based on the score received from the machine learning system, the server takes a configured action with respect to the client.
Type: Application
Filed: November 23, 2021
Publication date: March 17, 2022
Applicant: Akamai Technologies, Inc.
Inventors: David Senecal, Andrew Kahn, Ory Segal, Elad Shuster, Duc Nguyen
-
Publication number: 20220086254
Abstract: A method of content delivery in a content delivery network (CDN), where the CDN is deployed, operated and managed by a content delivery network service provider (CDNSP). The CDN comprises a set of content servers and a domain name system (DNS). For a given content provider, a determination is first made whether the content provider has “cold content” delivery requirements by evaluating one or more factors that include: total content size, size of content objects expected to be served, uniqueness of content, total number of content objects, and a percentage of the total content size that is expected to account for a given percentage of traffic. Upon a determination that the content provider has cold content delivery requirements, a subset of the CDN content servers are configured to implement a set of one or more handling rules for managing delivery of the cold content from the CDN content servers.
Type: Application
Filed: November 30, 2021
Publication date: March 17, 2022
Applicant: Akamai Technologies, Inc.
Inventors: Laszlo Kovacs, Keith E. Oslakavic, Mangesh Kasbekar, Zewei Chen
-
Publication number: 20220078165
Abstract: This document describes, among other things, systems and methods for more efficiently resuming a client-to-origin TLS session through a proxy layer that fronts the origin in order to provide network security services. At the time of an initial TLS handshake with an unknown client, for example, the proxy can perform a set of security checks. If the client passes the checks, the proxy can transmit a ‘proxy token’ upstream to the origin. The origin can incorporate this token into session state data which is passed back to and stored on the client, e.g., using a TLS session ticket extension field, pre-shared key extension field, or other field. On TLS session resumption, when the client sends the session state data, the proxy can recover its proxy token from the session state data, and upon successful validation, bypass security checks that it would otherwise perform against the client, thereby more efficiently handling known clients.
Type: Application
Filed: May 19, 2021
Publication date: March 10, 2022
Applicant: Akamai Technologies, Inc.
Inventors: Stephen L. Ludin, Michael A. Bishop
-
Patent number: 11272025
Abstract: Stream delivery within a content delivery network (CDN) includes recording the stream using a recording tier, and playing the stream using a player tier. Recording begins when the stream is received in a source format. The stream is then converted into an intermediate format (IF), which comprises a stream manifest, one or more fragment indexes (FI), and a set of IF fragments. A player process begins when a requesting client is associated with a CDN HTTP proxy. In response to receipt at the proxy of a request for the stream, the HTTP proxy retrieves (either from the archive or the data store) the stream manifest and at least one fragment index. Using the fragment index, the IF fragments are retrieved to the HTTP proxy, converted to a target format, and then served in response to the client request. Preferably, fragments are accessed, cached and served by the proxy via HTTP.
Type: Grant
Filed: December 1, 2020
Date of Patent: March 8, 2022
Assignee: Akamai Technologies, Inc.
Inventors: Christopher R. Knox, Philip A. Lisiecki, James Mutton, Chuck Bernard, Ashok Lalwani, William Law, Thomas Devanneaux
-
Patent number: 11252071
Abstract: This document describes systems, devices, and methods for testing the integration of a content provider's origin infrastructure with a content delivery network (CDN). In embodiments, the teachings hereof enable a content provider's developer to rapidly and flexibly create test environments that send test traffic through the same CDN hardware and software that handle (or at least have the ability to handle) production traffic, but in isolation from that production traffic and from each other. Furthermore, in embodiments, the teachings hereof enable the content provider to specify an arbitrary test origin behind its corporate firewall with which the CDN should communicate.
Type: Grant
Filed: August 30, 2019
Date of Patent: February 15, 2022
Assignee: Akamai Technologies, Inc.
Inventors: Bradford A. Jones, Manish Gupta
-
Publication number: 20220046085
Abstract: A high-performance distributed ledger and transaction computing network fabric over which large numbers of transactions (involving the transformation, conversion or transfer of information or value) are processed concurrently in a scalable, reliable, secure and efficient manner. In one embodiment, the computing network fabric or “core” is configured to support a distributed blockchain network that organizes data in a manner that allows communication, processing and storage of blocks of the chain to be performed concurrently, with little synchronization, at very high performance and low latency, even when the transactions themselves originate from distant sources. This data organization relies on segmenting a transaction space within autonomous but cooperating computing nodes that are configured as a processing mesh. According to an aspect of this disclosure, the CDN edge network is then used to deliver receipts associated with transactions that are processed into the blockchain.
Type: Application
Filed: October 25, 2021
Publication date: February 10, 2022
Applicant: Akamai Technologies, Inc.
Inventors: David C. Carver, Andrew F. Champagne
-
Patent number: 11245667
Abstract: It is known in the art to route client traffic to a network security gateway using the domain name system, or DNS. More specifically, a local DNS resolver on a private network may apply security intelligence to client DNS lookup requests, based on the domains that clients are seeking to resolve. If a requested domain represents a known security threat, the client can be blocked or directed to the network security gateway instead of to the desired host. This routing of the client request to the network security gateway can be accomplished by giving the client the IP address of the network security gateway instead of the actual IP address corresponding to the domain name, in response to a given DNS name query from the client. Request routing can be accomplished using other techniques, such as IP layer routing, as well.
Type: Grant
Filed: October 23, 2018
Date of Patent: February 8, 2022
Assignee: Akamai Technologies, Inc.
Inventors: Eugene (John) Neystadt, Eyal Heiman, Elisha Ben-Zvi, Robert D. Blumofe
-
Patent number: 11245722
Abstract: A server interacts with a bot detection service to provide bot detection as a requesting client interacts with the server. In an asynchronous mode, the server injects into a page a data collection script configured to record interactions at the requesting client, to collect sensor data about the interactions, and to send the collected sensor data to the server. After the client receives the page, the sensor data is collected and forwarded to the server through a series of posts. The server forwards the posts to the detection service. During this data collection, the server also may receive a request from the client for a protected endpoint. When this occurs, and in a synchronous mode, the server issues a query to the detection service to obtain a threat score based in part on the collected sensor data that has been received and forwarded by the server. Based on the threat score returned, the server then determines whether the request for the endpoint should be forwarded onward for handling.
Type: Grant
Filed: February 12, 2019
Date of Patent: February 8, 2022
Assignee: Akamai Technologies, Inc.
Inventors: David Senecal, Prajakta Bhurke, Tu Vuong