Patent classifications
H04L61/2539
INFRASTRUCTURE DISTRIBUTED DENIAL OF SERVICE PROTECTION
A method of providing infrastructure protection for a server of a network organization, the method including announcing, as an internet protocol (IP) address associated with a server of a plurality of servers, a first anycast IP address, the first anycast IP address being one of a plurality of anycast IP addresses that each serve as an anycast address for a network of edge servers. Each of the plurality of anycast IP addresses is allocated to a respective server of the plurality of servers by the network of edge servers. The network of edge servers may receive an incoming network packet intended for the server, the incoming network packet identified using the first anycast IP address. The network of edge servers may determine whether the incoming network packet is legitimate and if so, the incoming network packet may be routed to the server using a generic routing encapsulation (GRE) tunnel.
ANONYMIZING SERVER-SIDE ADDRESSES
Techniques for using Network Address Translation (NAT), Mobile Internet Protocol (MIP), and/or other techniques in conjunction with Domain Name System (DNS) to anonymize server-side addresses in data communications. Rather than having DNS provide a client device with an IP address of an endpoint device, such as a server, the DNS instead returns a virtual IP (VIP) address that is mapped to the client device and the endpoint device. In this way, IP addresses of servers are obfuscated by a virtual network of VIP addresses. The client device may then communicate data packets to the server using the VIP address as the destination address, and a virtual network service that works in conjunction with DNS can convert the VIP address to the actual IP address of the server using NAT and forward the data packet onto the server.
PARALLEL NETWORK-BASED VULNERABILITY SCANNING
A computing device may receive a plurality of scanning requests, with at least one scanning request in the plurality identifying a target address of a target network. The computing device may, for at least a subset of the plurality of scanning requests, generate a scanner instance and a virtual network interface card (VNIC) in response to the scanning request. The scanner instance and the VNIC communicate with a routing namespace that can communicate with two or more scanner instances simultaneously. Until the target address has been scanned, one or more packets can be sent from the scanner instance to the target address via the routing namespace and VNIC. The one or more packets can be wrapped in one or more packet wrappers identifying the target address and the target network. In response to the target address being scanned, the scanner instance and VNIC can be decommissioned.
Privacy-Preserving Domain Name Service (DNS)
Described systems and methods allow carrying out privacy-preserving DNS exchanges. In some embodiments, a client machine engages in a private information retrieval (PIR) exchange with a nameserver. In response to receiving an encrypted query from the client, the query formulated according to a domain name, the nameserver may extract a record (e.g., an IP address) from a domain name database without decrypting the respective query. Some embodiments achieve such information retrieval by the use of homomorphic encryption.
Partition-based prefix preserving anonymization approach for network traces containing IP addresses
A node including processing circuitry configured to: generate anonymized data based at least in part on a first cryptographic key and network data; calculate a coordination vector; generate initialized data based at least in part on the anonymized data, a second cryptographic key and the coordination vector; transmit the initialized data, the random vector, a security policy, and instructions to analyze n iterations of the initialized data and the security policy using the random vector and the second cryptographic key; and receive results of the analysis of the n iterations of the initialized data and the security policy using the random vector and the second cryptographic key. The analysis of an m-th iteration of the n iterations corresponds to an analysis of the initialized data with prefix preservation, whereas the analyses of the remaining iterations of the n iterations fail to be prefix preserved.
Centralized processing of north-south traffic for logical network in public cloud
Some embodiments provide a method for a first data compute node (DCN) operating in a public datacenter. The method receives an encryption rule from a centralized network controller. The method determines that the network encryption rule requires encryption of packets between second and third DCNs operating in the public datacenter. The method requests a first key from a secure key storage. Upon receipt of the first key, the method uses the first key and additional parameters to generate second and third keys. The method distributes the second key to the second DCN and the third key to the third DCN in the public datacenter.
ENHANCED PRIVACY PRESERVING ACCESS TO A VPN SERVICE
A request is received from a user device to establish a VPN tunnel. The VPN tunnel is established with a first private IP address of the VPN concentrator and a second private IP address of the user device as endpoints. An outbound packet for transmission to a target is received from the user device. A third private IP address associated with the tunnel is looked up based on a VPN session. A substitution of the first private IP address with the third private IP address in a header of the outbound packet is performed. NAT is performed on the outbound packet to replace the third private IP address with a third public IP address of the VPN concentrator. The outbound packet is then transmitted to the target.