Patents by Inventor Sean A. Leach

Sean A. Leach has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10623515
    Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices are presented. In one example, a method includes establishing address translations which translate domain names into network addresses usable by the end user devices for reaching content at the cache nodes, with portions of the network addresses comprising stenographic information, and responsive to domain name translation requests from the end user devices, providing ones of the network addresses. The method includes receiving content requests transferred by the end user devices that comprise the network addresses, and performing one or more actions based on the stenographic information in the network addresses.
    Type: Grant
    Filed: December 1, 2016
    Date of Patent: April 14, 2020
    Assignee: Fastly, Inc.
    Inventors: João Diogo Taveira Araújo, Artur Bergman, Sean A. Leach
  • Publication number: 20200067982
    Abstract: A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.
    Type: Application
    Filed: November 4, 2019
    Publication date: February 27, 2020
    Inventors: Sean Leach, Artur Bergman
  • Publication number: 20190273713
    Abstract: Systems, methods, apparatuses, and software for operating content delivery networks are provided herein. In one example, a method of operating a domain name translation node in a first point-of-presence of a content delivery network is presented. The method includes receiving a translation message issued by an end user device for translation of a domain name into a content network address, and processing the translation message to identify a network address of a node that transferred the translation message. The method also includes selecting the content network address based at least in part on correlations between network addresses and performance factors to direct the end user device to a target cache node at a point-of-presence different than the point-of-presence of the domain name translation node, and transferring a response message indicating the content network address which directs the end user device to the target cache node at the second point-of-presence.
    Type: Application
    Filed: December 26, 2018
    Publication date: September 5, 2019
    Inventors: Sean Leach, Artur Bergman, Tyler McMullen, Alan Kasindorf
  • Patent number: 10397106
    Abstract: A content delivery network is configured to receive information about wireless network conditions from a wireless device. The wireless device is configured to provide information about the conditions of the wireless device and/or the conditions of the network the wireless device is being served by. These conditions can then be used to help optimize content delivery to the wireless device or similarly situated wireless devices.
    Type: Grant
    Filed: June 9, 2015
    Date of Patent: August 27, 2019
    Assignee: Fastly, Inc.
    Inventor: Sean Leach
  • Patent number: 10348760
    Abstract: Systems and methods are disclosed for providing distributed denial-of-service (DDoS) mitigation service. The systems and methods may receive a request to access a web server from a user host, generate an integrated user challenge page including a user challenge test and a web page image of the web server, and transmit the integrated user challenge page to the user host. The systems and methods may further receive an answer to the user challenge test from the user host and determine whether the answer to the user challenge test is correct or not. When the answer to the user challenge test is correct, the systems and methods may establish a connection between the user host and the web server.
    Type: Grant
    Filed: October 22, 2012
    Date of Patent: July 9, 2019
    Assignee: VERISIGN, INC.
    Inventors: Mark Teodoro, Sean Leach
  • Publication number: 20190036883
    Abstract: Disclosed herein are enhancements for operating a web application firewall to reduce load. In one implementation, a method of operating a content server for a web application comprises running a web accelerator with a plurality of threads on the content server. The method further provides receiving a request for content which will be provided to a web application, filtering the request and determining that the content will be requested from a second server. After determining that the content will be requested from a second server, reviewing the request with a web application firewall operating at a network layer 7, forwarding the request, receiving the content, and providing the content. Further, the web application firewall is controlled by a plurality of sets of rules, which can be updated without restarting the web accelerator.
    Type: Application
    Filed: July 31, 2018
    Publication date: January 31, 2019
    Inventors: Artur Bergman, Sean Leach, Tyler McMullen, Christian Peron, Federico Schwindt, Eric Hodel
  • Publication number: 20190014080
    Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.
    Type: Application
    Filed: July 17, 2018
    Publication date: January 10, 2019
    Inventors: Sean A. Leach, Artur Bergman, Thomas J. Daly
  • Patent number: 10178065
    Abstract: Systems, methods, apparatuses, and software for operating content delivery networks are provided herein. In one example, a method of operating a domain name translation node in a first point-of-presence of a content delivery network is presented. The method includes receiving a translation message issued by an end user device for translation of a domain name into a content network address, and processing the translation message to identify a network address of a node that transferred the translation message. The method also includes selecting the content network address based at least in part on correlations between network addresses and performance factors to direct the end user device to a target cache node at a point-of-presence different than the point-of-presence of the domain name translation node, and transferring a response message indicating the content network address which directs the end user device to the target cache node at the second point-of-presence.
    Type: Grant
    Filed: January 6, 2016
    Date of Patent: January 8, 2019
    Assignee: Fastly Inc.
    Inventors: Sean Leach, Artur Bergman, Tyler McMullen, Alan Kasindorf
  • Publication number: 20180278598
    Abstract: A method and system for authenticating answers to Domain Name System (DNS) queries originating from recursive DNS servers are provided. A verification component provides a verification that a DNS query originated from the recursive DNS server. An authoritative DNS server receives the query via a network, such as the Internet, and provides an answer to the query to an authentication component. The authentication component then provides an authentication, such as a digital signature, which confirms that the received answer was provided by the authoritative DNS server, and then communicates the answer and the authentication to the verification component via the network. The verification component then verifies that the authentication corresponds to the received answer and sends the answer to the recursive DNS server. When the verification component receives an answer in the absence of a corresponding authentication, the verification component drops the answer.
    Type: Application
    Filed: May 29, 2018
    Publication date: September 27, 2018
    Inventors: Rodney Lance Joffe, Victor Joseph Oppleman, David Link King, Brett Dean Watson, Andrew Jackson, Sean Leach
  • Patent number: 10044673
    Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.
    Type: Grant
    Filed: July 22, 2015
    Date of Patent: August 7, 2018
    Assignee: Fastly, Inc.
    Inventors: Sean A. Leach, Artur Bergman, Thomas J. Daly
  • Publication number: 20170339122
    Abstract: A method and system for authenticating answers to Domain Name System (DNS) queries originating from recursive DNS servers are provided. A verification component provides a verification that a DNS query originated from the recursive DNS server. An authoritative DNS server receives the query via a network, such as the Internet, and provides an answer to the query to an authentication component. The authentication component then provides an authentication, such as a digital signature, which confirms that the received answer was provided by the authoritative DNS server, and then communicates the answer and the authentication to the verification component via the network. The verification component then verifies that the authentication corresponds to the received answer and sends the answer to the recursive DNS server. When the verification component receives an answer in the absence of a corresponding authentication, the verification component drops the answer.
    Type: Application
    Filed: April 3, 2017
    Publication date: November 23, 2017
    Inventors: Rodney Lance Joffe, Victor Joseph Oppleman, David Link King, Brett Dean Watson, Andrew Jackson, Sean Leach
  • Publication number: 20170153980
    Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices are presented. In one example, a content delivery network (CDN) is presented having a plurality of cache nodes that cache content for delivery to end user devices. The CDN includes an anonymization node configured to establish anonymized network addresses for transfer of content to cache nodes from one or more origin servers that store the content before caching by the CDN. The anonymization node is configured to provide indications of relationships between the anonymized network addresses and the cache nodes to a routing node of the CDN. The routing node is configured to route the content transferred by the one or more origin servers responsive to content requests of the cache nodes based on the indications of the relationships between the anonymous network addresses to the cache nodes.
    Type: Application
    Filed: December 1, 2016
    Publication date: June 1, 2017
    Inventors: João Diogo Taveira Araújo, Artur Bergman, Sean A. Leach
  • Publication number: 20170155678
    Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices are presented. In one example, a method includes, for domain name system translation nodes associated with the content delivery network, establishing address translations to translate domain names into network addresses usable by the end user devices for reaching content at the cache nodes, with portions of the network addresses comprising stenographic information. The method also includes providing ones of the network addresses with the stenographic information to the end user devices responsive to domain name translation requests issued by the end user devices. The method also includes, responsive to content requests issued by the end user devices, determining locality information associated with attack traffic directed at the content delivery network based at least on the stenographic information in the network addresses of the content requests.
    Type: Application
    Filed: December 1, 2016
    Publication date: June 1, 2017
    Inventors: João Diogo Taveira Araújo, Artur Bergman, Sean A. Leach
  • Publication number: 20170155732
    Abstract: Systems, methods, apparatuses, and software for a content delivery network that caches content for delivery to end user devices are presented. In one example, a method includes establishing address translations which translate domain names into network addresses usable by the end user devices for reaching content at the cache nodes, with portions of the network addresses comprising stenographic information, and responsive to domain name translation requests from the end user devices, providing ones of the network addresses. The method includes receiving content requests transferred by the end user devices that comprise the network addresses, and performing one or more actions based on the stenographic information in the network addresses.
    Type: Application
    Filed: December 1, 2016
    Publication date: June 1, 2017
    Inventors: João Diogo Taveira Araújo, Artur Bergman, Sean A. Leach
  • Patent number: 9648004
    Abstract: A method and system for authenticating answers to Domain Name System (DNS) queries originating from recursive DNS servers are provided. A verification component provides a verification that a DNS query originated from the recursive DNS server. An authoritative DNS server receives the query via a network, such as the Internet, and provides an answer to the query to an authentication component. The authentication component then provides an authentication, such as a digital signature, which confirms that the received answer was provided by the authoritative DNS server, and then communicates the answer and the authentication to the verification component via the network. The verification component then verifies that the authentication corresponds to the received answer and sends the answer to the recursive DNS server. When the verification component receives an answer in the absence of a corresponding authentication, the verification component drops the answer.
    Type: Grant
    Filed: October 26, 2015
    Date of Patent: May 9, 2017
    Assignee: NEUSTAR, INC.
    Inventors: Rodney Lance Joffe, Victor Joseph Oppleman, David Link King, Brett Dean Watson, Andrew Jackson, Sean Leach
  • Publication number: 20170099254
    Abstract: Systems, methods, apparatuses, and software for operating content delivery networks are provided herein. In one example, a method of operating a domain name translation node in a first point-of-presence of a content delivery network is presented. The method includes receiving a translation message issued by an end user device for translation of a domain name into a content network address, and processing the translation message to identify a network address of a node that transferred the translation message. The method also includes selecting the content network address based at least in part on correlations between network addresses and performance factors to direct the end user device to a target cache node at a point-of-presence different than the point-of-presence of the domain name translation node, and transferring a response message indicating the content network address which directs the end user device to the target cache node at the second point-of-presence.
    Type: Application
    Filed: January 6, 2016
    Publication date: April 6, 2017
    Inventors: Sean Leach, Artur Bergman, Tyler McMullen, Alan Kasindorf
  • Publication number: 20170099345
    Abstract: Requests for content cached by a content delivery network (CDN) are received by a content delivery network-wide (a.k.a., central) control node. This central control node distributes the requests to cache nodes to provide the requested content. The central control node serves as a centralized distribution point for content requests. The central control node may distribute requests based on the load at the points-of-presence (POPs) and/or the load on cache nodes regardless of their geographic location. Each point-of-presence may also have a control node to distribute requests sent to the point-of-presence. These POP control nodes distribute the requests received from a global control node to the cache nodes at that POP.
    Type: Application
    Filed: October 26, 2015
    Publication date: April 6, 2017
    Inventor: Sean A. Leach
  • Publication number: 20170026338
    Abstract: A privatized link between an origin server and a content delivery network is provided. A privatized link can be a direct connection that does not route over the internet. Another privatized link is one that rotates IP addresses. An origin server may be assigned to use a set of multiple IP addresses for communication with the content delivery network. However, at any given time, the origin server is only using a small number of IP addresses. When one of the IP addresses being used to communicate with the content delivery network comes under attack, the origin server switches to another IP address in the set in order to continue serving content to the content delivery network via an IP address that is not under attack.
    Type: Application
    Filed: July 22, 2015
    Publication date: January 26, 2017
    Inventors: Sean A. Leach, Artur Bergman, Thomas J. Daly
  • Publication number: 20160366055
    Abstract: A content delivery network is configured to receive information about wireless network conditions from a wireless device. The wireless device is configured to provide information about the conditions of the wireless device and/or the conditions of the network the wireless device is being served by. These conditions can then be used to help optimize content delivery to the wireless device or similarly situated wireless devices.
    Type: Application
    Filed: June 9, 2015
    Publication date: December 15, 2016
    Inventor: Sean Leach
  • Publication number: 20160344751
    Abstract: Systems, methods, apparatus and software for customized record handling in a content delivery network are disclosed. In one implementation, a user request received by the content delivery network is analyzed and classified. Records relating to the received user request are customized based on the request classification. Record customization is implemented in some examples to reduce data storage and/or processing requirements in the content delivery network. Moreover, request-based records can be used to implement specified functions, such as billing content providers only for bona fide user requests.
    Type: Application
    Filed: May 19, 2015
    Publication date: November 24, 2016
    Inventor: Sean Leach