Patents by Inventor Michael F. Diggins

Michael F. Diggins has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10541857
    Abstract: A technology is described for prioritizing DNS name resolution requests received from DNS resolvers. An example method may include identifying a resolver as a public DNS resolver; receiving a DNS name resolution request from the public DNS resolver; assigning a priority to the DNS name resolution request received from the public DNS resolver that is lower than a priority assigned to DNS name resolution requests received from known DNS resolvers; and providing the DNS name resolution request to the DNS name server according to the priority assigned to the DNS name resolution request.
    Type: Grant
    Filed: May 10, 2018
    Date of Patent: January 21, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Bryan Mark Benson, David Dongyi Lu, Michael F. Diggins, Xingbo Wang, Colm MacCarthaigh
  • Patent number: 10296411
    Abstract: A technology is provided for call failure backoff in a computing service environment. An allowable call failure rate is defined for application programming interface (API) calls sent to one or more endpoints. Each endpoint may use a token bucket containing a plurality of tokens, wherein a single token is defined as being equal to one API call failure. A number of tokens in the token bucket are determined prior to executing an API call to the one or more endpoints. A health status of the one or more endpoints is identified according to the number of tokens in the token bucket. The API calls to the one or more endpoints having the determined number of tokens in the token bucket that are equal to zero or may be delayed for a predetermined backoff time period.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: May 21, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Michael F. Diggins, Craig Wesley Howard
  • Patent number: 9979588
    Abstract: A technology is described for prioritizing DNS name resolution requests received from DNS resolvers. An example method may include receiving a DNS name resolution request addressed to a DNS name server from a DNS resolver. The DNS resolver associated with the DNS name resolution request may be identified as a known DNS resolver or an unknown DNS resolver, where a known DNS resolver may have DNS resolver characteristics that correspond to a valid DNS resolver. The DNS name resolution request may be prioritized according to the identity of the DNS resolver as a known DNS resolver or an unknown DNS resolver. The DNS name resolution request may then be provided to the DNS name server according to the priority assigned to the DNS name resolution request.
    Type: Grant
    Filed: February 16, 2015
    Date of Patent: May 22, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Bryan Mark Benson, David Dongyi Lu, Michael F. Diggins, Xingbo Wang, Colm MacCarthaigh
  • Patent number: 9749355
    Abstract: A technology is described for prioritizing network packets using suspicion weights assigned to packet attributes of the network packets. An example method may include analyzing a network packet for packet attributes that have values indicating that the network packet may be associated with a potential network attack. Suspicion weights for the packet attributes identified as having a value that indicates that the network packet is associated with the potential network attack may be obtained, and a suspicion score may be calculated for the network packet using the suspicion weights.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: August 29, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Bryan Mark Benson, Michael F. Diggins, David Dongyi Lu, Xingbo Wang, Colm MacCarthaigh, Anshul Saxena
  • Patent number: 9749354
    Abstract: Technology is described for establishing and transferring transmission control protocol (TCP) connections. A connection may be established when an acknowledgement (ACK) packet is received from the client. A connection handoff packet may be generated that includes connection parameters that describe the connection with the client. The connection handoff packet may be sent to a destination host to enable the destination host to take over the connection with the client based on the connection parameters in the SYN cookie.
    Type: Grant
    Filed: February 16, 2015
    Date of Patent: August 29, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Michael F. Diggins, Bryan Mark Benson, Anton Romanov
  • Patent number: 9654483
    Abstract: A technology is described for limiting the rate at which a number of requests to perform a network action are granted using rate limiters. An example method may include receiving a request for a token granting permission to perform a network action via a computer network. In response, rate limiters may be identified by generating hash values using hash functions and a network address representing a source network where the hash values identify memory locations for the rate limiters. The rate limiters may have a computer memory capacity to store tokens that are distributed in response to the request. Token balances for the rate limiters may be determined, and permission to perform the network action may be granted as a result of at least one of the token balances being greater than zero.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: May 16, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Bryan Mark Benson, Michael F. Diggins, Anton Romanov, David Dongyi Lu, Xingbo Wang
  • Patent number: 9432387
    Abstract: This disclosure generally relates to the generation of a packet signature for packets determined to correspond to a network attack, such as a denial of service (“DoS”) attack. Specifically, a set of data packets captured during normal system operations can be analyzed to determine a set of baseline attributes. Additional packets captured during an attack can be compared to the baseline attributes, to determine, for individual packets, a probability that the packet forms a part of the attack. A packet signature can then be generated to identify attributes that are characteristic of the attack. That signature can then be used to filter out packets and mitigate the attack.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: August 30, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Amit J. Mhatre, Andrew John Kiggins, Michael F. Diggins
  • Publication number: 20150215331
    Abstract: This disclosure generally relates to the generation of a packet signature for packets determined to correspond to a network attack, such as a denial of service (“DoS”) attack. Specifically, a set of data packets captured during normal system operations can be analyzed to determine a set of baseline attributes. Additional packets captured during an attack can be compared to the baseline attributes, to determine, for individual packets, a probability that the packet forms a part of the attack. A packet signature can then be generated to identify attributes that are characteristic of the attack. That signature can then be used to filter out packets and mitigate the attack.
    Type: Application
    Filed: March 27, 2015
    Publication date: July 30, 2015
    Inventors: Amit J. Mhatre, Andrew John Kiggins, Michael F. Diggins
  • Patent number: 8997227
    Abstract: A pattern recognition security system (“PRSS”) generates a packet signature from network traffic, including attack packets. The PRSS can utilize a statistical pattern recognition based approach to generate attack traffic signatures, such as for DDoS or DoS attacks. In some embodiments, the PRSS dynamically creates training sets from actual captured data, allowing the PRSS to adapt to changes in network attacks. For example, more sophisticated DDoS attacks commonly rotate through different attacking computers to vary the packet attributes of attack packets sent to a target system. However, as the PRSS can determine packet signatures based on the actual captured data packets, the PRSS can adapt to the changes in the attack. In some embodiments, the PRSS may determine packet signatures in real-time or near real time during an attack, allowing the PRSS to quickly react to changes in attack traffic.
    Type: Grant
    Filed: February 27, 2012
    Date of Patent: March 31, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Amit J. Mhatre, Andrew John Kiggins, Michael F. Diggins