Generally described, computing devices utilize a communication network, or a series of communication networks, to exchange data. Companies and organizations operate computer networks that interconnect a number of computing devices to support operations or provide services to third parties. The computing systems can be located in a single geographic location or located in multiple, distinct geographic locations (e.g., interconnected via private or public communication networks). Specifically, data centers or data processing centers, herein generally referred to as “data centers,” may include a number of interconnected computing systems to provide computing resources to users of the data center. The data centers may be private data centers operated on behalf of an organization or public data centers operated on behalf, or for the benefit of, the general public.
Content providers (such as businesses, artists, media distribution services, etc.) can employ a series of interconnected data centers to deliver content in the form of data objects (e.g., representing web sites, web content, or other digital data) to users or clients. These interconnected data centers are sometimes referred to as “content delivery networks” (CDNs) or content delivery systems. Existing routing and addressing technologies can enable multiple data centers associated with a content delivery system to provide similar or identical data objects to client computing devices. In some instances, each data center providing a set of data objects may be referred to as a point-of-presence (“POP”). Alternative configurations of a device or devices may also service as a POP to provide a set of data objects. For example, a POP may correspond to a single computing device, or to a collection of computing devices (e.g., physically collocated within a “rack” or distributed in different locations). A content delivery system can maintain POPs over a wide area (or worldwide) to enable the system to efficiently service requests from clients in a variety of locations.
One common difficulty in providing data over a communication network is a disparity between the number of requests for content and the computing resources available to devices serving content. If the number of requests for content overwhelms those computing resources, the content often because unavailable to many or all requesting users. In some instances, the number of requests can increase rapidly, causing a “traffic spike” that provides little opportunity for manual intervention to increase the computing resources available to devices serving content. While such traffic spikes are sometimes legitimate, the effects of a traffic spike have also been exploited to create “network attacks,” which seek to render content unavailable on a computing network. One mechanism for doing so is a “denial of service” (DoS) attack. These attacks generally attempt to make a target computing device or network resource, such as a web site, unavailable to legitimate clients. One common instance of a DoS attack involves saturating the target device or network with external communications requests, such that it cannot respond to legitimate traffic, or it responds so slowly as to be rendered effectively unavailable. Because of the number of requests required to mount such an attack, responsibility for implementing the attack is often distributed across many computing devices. These distributed attacks are therefore known as “distributed denial of service” (DDoS) attacks.
Various techniques have been proposed for mitigating the effects of traffic spikes. Often, techniques focus on attempting to identify and isolate malicious and illegitimate traffic, such as by identifying patterns in malicious traffic that do not exist in legitimate traffic. However, perpetrators of network attacks continue to increase the sophistication of network attacks, making identification of network attacks difficult. Moreover, prior techniques are often responsive in nature, seeking to identify a presently occurring traffic spike, and to increase the amount of computing resources available to service that traffic. Due to this responsive nature, these techniques often fail to prevent at least some disruption in the availability of content.