
Ray Bejjani Phones & Addresses

  • Alexandria, VA
  • San Francisco, CA
  • Fairfax, VA
  • Sunnyvale, CA
  • Champaign, IL

Publications

US Patents

Determining The Likelihood Of Traffic Being Legitimately Received At A Proxy Server In A Cloud-Based Proxy Service

US Patent:
8646064, Feb 4, 2014
Filed:
Oct 31, 2012
Appl. No.:
13/665807
Inventors:
Lee Hahn Holloway - Santa Cruz CA, US
Srikanth N. Rao - San Francisco CA, US
Matthew Browning Prince - San Francisco CA, US
Matthieu Philippe François Tourne - San Francisco CA, US
Ian Gerald Pye - Santa Cruz CA, US
Ray Raymond Bejjani - San Francisco CA, US
Assignee:
Cloudflare, Inc. - San Francisco CA
International Classification:
G06F 15/16
US Classification:
726 12, 726 14, 726 23, 726 25
Abstract:
Message(s) are received from each one of multiple proxy servers, which are anycasted to the same IP address, that indicate source IP addresses of packets that are received that are directed to that same IP address. These proxy servers receive the packets as a result of domain(s) resolving to that same IP address, and a particular one of the proxy servers receives the packets as a result of an anycast protocol implementation selecting that proxy server. Based on these message(s) from each of the proxy servers, a determination of the likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers is determined. A message is transmitted to each of the proxy servers that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server.

Mitigating A Denial-Of-Service Attack In A Cloud-Based Proxy Service

US Patent:
20140047542, Feb 13, 2014
Filed:
Oct 31, 2012
Appl. No.:
13/665811
Inventors:
Lee Hahn Holloway - Santa Cruz CA, US
Srikanth N. Rao - San Francisco CA, US
Matthew Browning Prince - San Francisco CA, US
Matthieu Philippe François Tourne - San Francisco CA, US
Ian Gerald Pye - Santa Cruz CA, US
Ray Raymond Bejjani - San Francisco CA, US
International Classification:
G06F 21/00
US Classification:
726 23
Abstract:
A proxy server in a cloud-based proxy service receives a message that indicates that a domain, whose traffic passes through the proxy server, may be under a denial-of-service (DoS) attack. The proxy server enables a rule for the domain that specifies that future requests for resources at that domain are subject to at least initially passing a set of one or more challenges. In response to receiving a request for a resource of that domain from a visitor, the proxy server presents the set of challenges that, if not passed, are an indication that the visitor is part of the DoS attack. If the set of challenges are passed, the request may be processed. If the set of challenges are not passed, the request may be dropped.

Identifying A Denial-Of-Service Attack In A Cloud-Based Proxy Service

US Patent:
8613089, Dec 17, 2013
Filed:
Oct 31, 2012
Appl. No.:
13/665802
Inventors:
Lee Hahn Holloway - Santa Cruz CA, US
Srikanth N. Rao - San Francisco CA, US
Matthew Browning Prince - San Francisco CA, US
Matthieu Philippe François Tourne - San Francisco CA, US
Ian Gerald Pye - Santa Cruz CA, US
Ray Raymond Bejjani - San Francisco CA, US
Assignee:
Cloudflare, Inc. - San Francisco CA
International Classification:
G06F 12/14
G06F 15/16
H04L 12/22
US Classification:
726 23, 726 12, 726 14, 726 22, 726 25, 709217, 709221, 709225, 709227, 709228, 709229
Abstract:
A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.

Authoritative Domain Name System (DNS) Server Responding To DNS Requests With IP Addresses Selected From A Larger Pool Of IP Addresses

US Patent:
20220217176, Jul 7, 2022
Filed:
Oct 25, 2021
Appl. No.:
17/509829
Inventors:
- San Francisco CA, US
Srikanth N. Rao - San Francisco CA, US
Matthew Browning Prince - San Francisco CA, US
Matthieu Philippe François Tourne - San Francisco CA, US
Ian Gerald Pye - Santa Cruz CA, US
Ray Raymond Bejjani - San Francisco CA, US
International Classification:
H04L 9/40
G06F 21/55
G06F 21/57
Abstract:
An authoritative DNS server receives DNS requests for domains. The authoritative DNS server responds to the requests with address records that include IP addresses that are selected from a larger pool of IP addresses, where a first response to a DNS query for a domain can include IP addresses different from IP addresses included in a second response for the same domain. Also, the same IP addresses may be returned for a first domain and a different, second domain. The authoritative DNS server may randomly select the IP addresses to include in responses to the requests regardless of the domain.

Secure Session Capability Using Public-Key Cryptography Without Access To The Private Key

US Patent:
20210014204, Jan 14, 2021
Filed:
Sep 29, 2020
Appl. No.:
17/036988
Inventors:
- San Francisco CA, US
Matthieu Philippe François Tourne - San Francisco CA, US
Piotr Sikora - San Francisco CA, US
Ray Raymond Bejjani - San Francisco CA, US
Dane Orion Knecht - San Francisco CA, US
Matthew Browning Prince - San Francisco CA, US
John Graham-Cumming - London, GB
Lee Hahn Holloway - Santa Cruz CA, US
Albertus Strasheim - San Francisco CA, US
International Classification:
H04L 29/06
G06F 21/33
H04L 9/08
H04L 9/32
Abstract:
A first server receives a set of cryptographic parameters from a second server. The set of cryptographic parameters is received from the second server as part of a secure session establishment between a client device and the second server. The first server accesses a private key that is not stored on the second server. The first server signs the set of cryptographic parameters using the private key. The first server transmits the signed set of cryptographic parameters to the second server. The first server receives, from the second server, a request to generate a premaster secret using a value generated by the second server that is included in the request and generates the premaster secret. The first server transmits the premaster secret to the second server for use in the secure session establishment between the client device and the second server.

Identifying A Denial-Of-Service Attack In A Cloud-Based Proxy Service

US Patent:
20200322374, Oct 8, 2020
Filed:
Feb 25, 2020
Appl. No.:
16/800175
Inventors:
- San Francisco CA, US
Srikanth N. Rao - San Francisco CA, US
Matthew Browning Prince - San Francisco CA, US
Matthieu Philippe François Tourne - San Francisco CA, US
Ian Gerald Pye - Santa Cruz CA, US
Ray Raymond Bejjani - San Francisco CA, US
International Classification:
H04L 29/06
G06F 21/55
G06F 21/57
Abstract:
A cloud-based proxy service identifies a denial-of-service (DoS) attack including determining that there is a potential DoS attack being directed to an IP address of the cloud-based proxy service; and responsive to determining that there are a plurality of domains that resolve to that IP address, identifying the one of the plurality of domains that is the target of the DoS attack. The domain that is under attack is identified by scattering the plurality of domains to resolve to different IP addresses, where a result of the scattering is that each of those domains resolves to a different IP address, and identifying one of those plurality of domains as the target of the DoS attack by determining that there is an abnormally high amount of traffic being directed to the IP address in which that domain resolves.

Secure Session Capability Using Public-Key Cryptography Without Access To The Private Key

US Patent:
20200280452, Sep 3, 2020
Filed:
Mar 16, 2020
Appl. No.:
16/820489
Inventors:
- SAN FRANCISCO CA, US
Matthieu Philippe François Tourne - San Francisco CA, US
Piotr Sikora - San Francisco CA, US
Ray Raymond Bejjani - San Francisco CA, US
Dane Orion Knecht - San Francisco CA, US
Matthew Browning Prince - San Francisco CA, US
John Graham-Cumming - London, GB
Lee Hahn Holloway - Santa Cruz CA, US
Nicholas Thomas Sullivan - San Francisco CA, US
Albertus Strasheim - San Francisco CA, US
International Classification:
H04L 9/32
H04L 29/06
G06F 21/33
H04L 9/08
H04L 29/08
H04L 9/14
H04L 9/30
Abstract:
A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.

Domain Name System CNAME Record Management

US Patent:
20190334855, Oct 31, 2019
Filed:
Jul 8, 2019
Appl. No.:
16/505433
Inventors:
- San Francisco CA, US
Ray Raymond Bejjani - San Francisco CA, US
Dane Orion Knecht - San Francisco CA, US
Matthew Browning Prince - San Francisco CA, US
John Graham-Cumming - London, GB
International Classification:
H04L 29/12
Abstract:
A DNS name server manages CNAME records. The server receives a query for a first Address record for a fully qualified domain name from a requester. The server determines that the fully qualified domain name has a CNAME record, where the fully qualified domain name is a root domain. The server traverses a chain according to the CNAME record to locate a second Address record that includes an IP address. The server generates a response to the query that includes a third Address record for the fully qualified domain name that includes at least the IP address of the located second Address record. The server transmits the generated response to the requester.
Ray R Bejjani from Alexandria, VA, age ~40