Abstract: Disclosed herein are systems, methods, and software for managing bot detection in a content delivery network (CDN). In one implementation, a cache node in a CDN may obtain a content request without a valid token for content not cached on the cache node and, in response to the content request, generate a synthetic response for the content request, wherein the synthetic response comprises a request for additional information from the end user device associated with the content request. The cache node further may obtain a response from the end user device and determine whether to satisfy the request based on whether the response from the end user device indicates that it is a bot.

Abstract: Methods and apparatus are disclosed herein that enable an infrastructure service to route messages to various servers, even if the servers are not addressed by individual public network addresses. The infrastructure service distributed messages by processing a portion of the message through a hash function. By utilizing a reverse hash process, a server can determine a custom port number that will cause the hash algorithm to route a reply message directly to the selected server even when addressed to a communal address.

Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices is presented. In one example, a content delivery network (CDN) is presented having a plurality of cache nodes that cache content for delivery to end user devices. The CDN includes an anonymization node configured to establish anonymized network addresses for transfer of content to cache nodes from one or more origin servers that store the content before caching by the CDN. The anonymization node is configured to provide indications of relationships between the anonymized network addresses and the cache nodes to a routing node of the CDN. The routing node is configured to route the content transferred by the one or more origin servers responsive to content requests of the cache nodes based on the indications of the relationships between the anonymous network addresses to the cache nodes.

Abstract: A server detects a failure of an outbound path based on at least a measure of forward progress made on a connection between the server and an end point. In response to the failure, the server generates a hash value based at least on an identifying value of the connection and a failure counter associated with the measure of forward progress made on the connection. The server then selects a next outbound path for the packet flow based on at least the hash value generated in response to the failure. The server also sends the packet flow over the next outbound path to the end point.

Abstract: Enhanced packet redirect capabilities are disclosed herein for draining traffic to a server. In an implementation, a server in an infrastructure service receives a packet from a stateless load balancer. The packet may comprise a request for content. A user space program on the server determines whether a connection identified in the packet belongs to the server. If the connection belongs to the server, the user space program handles the request for the content. If not, the server forwards the packet to a secondary server in the infrastructure service. The secondary server, to which the connection may belong, can then handle the request.

Abstract: Disclosed herein are enhancements for operating a web application firewall to reduce load. In one implementation, a method of operating a content server for a web application comprising running a web accelerator with a plurality of threads on the content server. The method further provides receiving a request for content which will be provided to a web application, filtering the request and determining that the content will be requested from a second server. After determining that the content will be requested from a second server, reviewing the request with a web application firewall operating at a network layer 7, forwarding the request, receiving the content, and providing the content. Further, the web application firewall is controlled by a plurality of sets of rules, which can be updated without restarting the web accelerator.

Abstract: Systems, methods, and software are disclosed herein for routing in-bound communications to an infrastructure service. In an implementation, an infrastructure service receives a request from an end point for content associated with an origin. The service sends a connection request to the origin from an initial network address. After detecting a failure of the origin to respond to the connection request, the service sends multiple connection requests to the origin from different network addresses. Upon receiving one or more replies to the connection requests, the service identifies which reply was received first and a network address to which the reply was sent. The service proceeds to establish a connection with the origin using the identified network address and obtains the content from the origin over the connection. The infrastructure service may then send the content to the end point.

Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.

Abstract: An edge server of an infrastructure service establishes a transport connection in user space with a client and in accordance with a transport layer network protocol. The edge server receives a packet over the transport connection with the client that comprises a request for an object. If the edge server cannot serve the object, it forwards the request to a cluster server with an intent indicated for the cluster server to reply directly to the client. The cluster server receives the forwarded request and determines whether to accept the intent indicated by the edge server. If so, the edge server conveys instructions to the cluster server for sending at least a portion of the object directly to the client. The cluster server then sends at least the portion of the object to the client in accordance with the instructions.

Abstract: A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.

Abstract: Disclosed herein are enhancements for deploying application in an edge system of a communication network. In one implementation, a runtime environment identifies a request from a Hypertext Transfer Protocol (HTTP) accelerator service to be processed by an application. In response to the request, the runtime environment may identify an isolation resource to support the request, initiate execution of code for the application, and pass context to the code. Once initiated, the runtime environment may copy data from the artifact to the isolation resource using the context and return control to the HTTP accelerator service upon executing the code.

Abstract: Systems, methods, apparatuses, and software for caching tracking elements of network content are provided herein. In one example, a method of operating a cache node of a content delivery network that caches content for delivery to end user devices is provided. The method includes receiving content requests from an end user device for content cached by the cache node and responsively providing the content for delivery to the end user device, processing the content requests to determine a edge state that corresponds to the end user device, transferring information related to the edge state for delivery to at least one other cache node of the content delivery network for handling of content requests received at the at least one other cache node.

Abstract: Disclosed herein are systems, methods, and software managing the deployment of development environments for an organization. In one example, a computing system may identify a request for a development environment. In response to the request, the computing system may select one or more images for the development environment from a plurality of images based on an identifier associated with the request and initiate one or more virtual nodes from the one or more images based on a configuration associated with the identifier.

Abstract: Disclosed herein are methods, systems, and software for configuration change processing for end-user content request handling in content delivery nodes. In one example, a method of changing a content configuration for a content delivery node includes receiving a configuration change request by an end user. The method further provides, processing the configuration change request and a present configuration to generate a changed configuration comprising an assembly level code representation of the changed configuration, and transferring the changed configuration for delivery to the content delivery node.

Abstract: Systems and methods perform selective rate limiting with a distributed set of agents and a remote controller. An agent receives a packet from a client, and inspects the packet using different rules. Each rule may include at least one different (i) rule definition with traffic dimensions identifying a different attack, (ii) signal with which to identify attack traffic matching the rule definition, (iii) threshold specifying a condition, and (iv) action to implement based on the condition of the threshold being satisfied. The agent provides the signal in response to the packet matching the traffic dimensions from the rule definition of a particular rule. The controller updates a value linked to the signal and a client identifier of the client, and implements the action of the particular rule across the distributed set of agents in response to the value satisfying the condition for the particular rule threshold.

Abstract: Described herein are methods, systems, and software to handle verification information in a content node. In one example, a method of operating a content node includes receiving a secure content request from an end user device and determining the availability of verification information stored on the content node to service the secure content request. The method further provides, if the verification information is available, verifying the end user device based on the verification information. The method also includes, if the verification information is unavailable, querying an origin server to verify the end user device.

Abstract: Disclosed herein are enhancements for deploying applications in an edge system of a communication network. In one implementation, a cache node in a content delivery network identifies a request for an application that is shared by a plurality of customers. In response to the request, the cache node determines whether the customer associated with the request is permitted to execute the application and, if permitted, initiates the application as an isolation instance. The cache node further, in response to completing the application, returns control to a source operation associated with the request.

Abstract: Described herein are enhancements for operating content nodes in a content delivery network. In at least one implementation, a content node deploys a request handler configuration and a key-value object, wherein the key-value object includes one or more key-value pairs and wherein the request handler configuration calls, in response to a content request from an end user device, the key-value object using a key associated with the content request and the key-value object returns a value associated with the key. The content node further obtains a request to modify the key-value object, identifies a modification to the key-value object based on the command, and updates the key-value object with the modification.

Abstract: Systems, methods, apparatus, and software for pre-fetching and/or pre-loading sub-resources used in rendering HTML files, web pages and the like are provided herein. Implementations include expedited sub-resource loading in which a cache node or other content delivery network component receives a first end user device request seeking a primary resource (e.g., an HTML file). Using information in the first request, the content delivery network pre-fetches one or more identified sub-resources (e.g., JavaScript code) required for rendering of the HTML file. Pre-fetched sub-resources are held by the cache node. During parsing of the HTML file by the end user device, a web browser or other application requires the sub-resource(s) and the end user device thus sends a second request to the cache node asking for the required sub-resource(s). The cache node sends the requested, pre-fetched sub-resource(s).

Abstract: Systems and methods are described for linking records from different databases. A search may be performed for each record of a received record set for similar records based on having similar field values. Recommended records of the record set may be assigned with the identified similar records to sub-groups. Pairs of records may be formed for each record of the sub-group, and comparative and identifying features may be extracted from each field of the pairs of records. Then, a trained model may be applied to the differences to determine a similarity score. Cluster identifiers may be applied to records within each sub-group having similarity scores greater than a predetermined threshold. In response to a query for a requested record, all records having the same cluster identifier may be output on a graphical interface, allowing users to observe linked records for a person in the different databases.