DETAILED ACTION
This action is responsive to communications filed 28 September 2022.
Claim 16 has been added.
Claims 1-16 are subject to examination.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive. 
Applicant argues in substance:
Doron does not mention that a black hole will be enabled due to an attack, and thus is completely silent about detecting that the blackhole is enabled or closed. In other words, Doron fails to disclose “detecting that the EIP address corresponding to the target domain name enables a black hole” and/or “detecting that the EIP address corresponding to the target domain name closes the black hole.” Doron further fails to disclose “in response to detecting that the EIP address corresponding to the target domain name enables a black hole, switching the IP address corresponding to the preset high defense domain name in the domain name system to a preset high defense IP address and sending the access request to the preset high defense IP address”, and “in response to detecting that the EIP address corresponding to the target domain name closes the black hole, switching the IP address corresponding to the preset high defense domain name in the domain name system to the EIP address of the target domain name.” Holloway fails to remedy the above deficiencies of Doron. Further, Feyzibehnagh, Hashmi and Carney found none of the cited references remedy the above deficiencies of Doron and Holloway. Therefore, the combination of the cited references does not teach the claimed features "in response to detecting that the EIP address corresponding to the target domain name enables a black hole, switching the IP address corresponding to the preset high defense domain name in the domain name system to a preset high defense IP address and sending the access request to the preset high defense IP address", "in response to detecting that the EIP address corresponding to the target domain name closes the black hole, switching the IP address corresponding to the preset high defense domain name in the domain name system to the EIP address of the target domain name", and "wherein the EIP address corresponding to the target domain name enabling the black hole refers to blocking all traffic accessing the EIP address of the target domain name except a traffic cleaned by the preset high defense IP address." See Remarks pages 9-11.
In response to Applicant’s arguments (a), the Examiner respectfully disagrees. The art of record is not required for an identity of terminology, see at least “The elements must be arranged as required by the claim, but this is not an ipsissimis verbis test, i.e., identity of terminology is not required. In re Bond, 910 F.2d 831, 15 USPQ2d 1566 (Fed. Cir. 1990).” MPEP 2131. Further, upon review of Applicant’s specification, the specification denotes [3] “… black hole the attacked EIP, and all traffic accessing the EIP is blocked from entering the cloud machine room … However, for the user who uses the EIP, the service provided by the EIP is unavailable during the black hole.” [4] “To prevent the black hole from being triggered after the EIP is attacked and causing the service to be unavailable, the user may purchase a high defense IP and enjoy the capability of a higher protection against the attack to ensure that the service is available …” [18] “… This solution guarantees the availability of services when being attacked, and guarantees the best experience of user services under normal circumstances.” [40] “… black hole here may be a machine room black hole or an operator black hole … discards traffic at the operator side ….”. Therefore, no black-hole is triggered, e.g. to “prevent” the “black hole” from “being triggered”, as the embodiments of the invention appear directed towards mitigating an issue where if a black hole was triggered, all service is lost even to users that are not attackers/malicious. Furthermore, as apparent in the claim language “… enables the black hole refers to blocking all traffic accessing the EIP address … except a traffic cleaned by the preset high defense IP address”, one can infer that closing a black hole refers to not blocking all traffic. Therefore, the claim denotes two conditions, one where traffic is blocked and only cleaned traffic is permitted, and another where no traffic is blocked, as such, under broadest reasonable interpretation of the limitations above, the limitations denote that when in condition that would (traditionally) black hole a system, block all traffic except clean traffic by switching an EIP address of the target to a high defense IP, and when in condition that would (traditionally) not black hole a system, do not black traffic and use the EIP address of the target and not a high defense IP, wherein enabling a black hole refers to blocking traffic except cleaned traffic. Therefore, Doron at least discloses and/or teaches [0024] “… upon detection of a potential DDos attack, the traffic associated with the attack is mitigated, for example via redirection to a mitigation resource such as, e.g., on a the cloud scrubbing center. The clean traffic is returned to the origin application(s) at the original cloud computing platform.” [0031] “When a potential DDoS attack is detected, the traffic is redirected to the defense platform 140. In an example embodiment, the redirection is performed through a DNS configuration as discussed below in an automated fashion, i.e., without requiring a user to reconfigure the DNS entry. In some configurations, the redirection can be triggered by a user.” [0032] “In an optional embodiment, when an attack ends, following a predefined cool-down period set to eliminate attack diversion flipping, the traffic diversion is stopped, and traffic resumes being sent to the destination protected application 160 as it would regularly. This eliminates unnecessary latency and waste of mitigation resources throughout the solution lifecycle.” [0037] “… inject clean traffic provided by the mitigation resource 250 back to the cloud computing platform 110 … various IP address translations …” [0058] “… the DNS diversion may include updating a CNAME record of each protected application 160 to cause redirection of traffic to the defense platform 140. To this end, the controller 280 may be configured to dynamically, and automatically, change the DNS records of the protected application 160 at its authoritative DNS service, such that any DNS resolving operation, by any edge entity 231, to resolve the fully qualified domain name (FQDN) of the protected application 160 is replied with the IP addresses of the defense platform 140…” [0060] “The mitigation resource 250 is configured to clean the traffic by executing one or more mitigation actions, and to send the clean traffic directly to the servers 165 for use by the protected application 160. Alternatively, the mitigation resource 250 forwards legitimate clean traffic back toward the protected application 160 through the ADC 270. That is, the ADC 270 is configured to send clean traffic to the servers 165 (FIG. 1). In some embodiments, the mitigation resource 250 may be, but is not limited to, an “on the cloud” scrubbing center.” [0061] “In some implementations, the IP addresses of assets in the cloud computing platform are not constant (for example, if the IP address is changed by a cloud provider during operation). To this end, in an embodiment, the controller 280 may be configured to configure the ADC 270 to issue periodic DNS queries to dynamically learn and update the IP address of the asset to which cleaned traffic should be returned, thereby ensuring that cleaned traffic is returned to an appropriate address. Alternatively, the controller 280 may be configured to perform other methods for dynamic DNS redirection.” [0062] “In an embodiment, traffic is diverted via DNS traffic redirection. The DNS traffic redirection includes automatically modifying an authoritative DNS record entry to point to a virtual IP (VIP), or other, address representing a mitigation resource in the defense platform 140 and not to an IP address of the requested domain hosted in the cloud computing platform 110 and use in peace, or no attack, times. For example, a request to a protected domain “www.mysite.com” would be replaced with “po.mysite.clouddetectorner, where such a fully qualified domain name (FQDN) is identified by a different domain name.” [0064] “In an embodiment, the mitigation resource 250 may be configured to determine when a previously detected DDoS attack is terminated. Upon such determination, the controller 280 returns to a peace mode of operation, i.e., DNS traffic redirection is terminated and the DNS operation is returned to its original operation such that traffic is directed from EUDs 210 directly to their original destination server 165 located at the cloud computing platform 110. In implementations in which the cloud computing platform 110 is configured with an ACL when the attack is detected, returning to the peace mode may include removing the ACL and releasing mitigation resources from traffic cleaning, thereby concluding traffic redirection.” [0074] “In an embodiment, S330 may include causing redirection of traffic from sources of the traffic to a mitigation resource, cleaning the traffic (e.g., by filtering malicious or otherwise illegitimate traffic), and sending cleaned traffic back to protected applications. To this end, in an embodiment, the mitigation resource is a scrubbing center that cleans the traffic by removing malicious traffic and sends the clean traffic to at least one server hosting the at least one protected application. The traffic redirection can be achieved using, for example, DNS redirection, BGP redirection, and the like.” Doron’s disclosure of the at least referred to sections above and throughout denote a DDOS defense technique (see abstract), wherein traffic is either directed towards a platform or redirected using various translation techniques (IP, etc.), further, the redirection is towards a scrubbing/cleaning/filtering center that only passes through clean traffic, and when in peace mode, all traffic is directed towards a platform (i.e. target). As such, when a DDOS attack is detected, it would enable a black hole such that all traffic is blocked except for clean traffic (i.e. dirty/uncleaned traffic not injected towards cloud platform, therefore it cannot reach the cloud platform, e.g. blocked/prohibited), and when a DDOS attack is terminated, it would close a black hole such that no traffic is blocked, e.g. traffic resumes normal operation and reaches the cloud platform. Doron; however, does not explicitly disclose use of an EIP, therefore Feyzibehnagh was brought in to at least disclose and/or teach [0091] “… network addresses that are less likely to be blocked by destinations (e.g., uses an elastic IP address) …” It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron in view of Feyzibehnagh to have utilized an EIP. One of ordinary skill in the art would have been motivated to do so to utilize network address(es) that are less likely to be blocked by destinations (Feyzibehnagh, [0091]). Therefore, the combination of Doron with Feyzibehnagh would have enabled the cloud platform to utilize network address(es) that are less likely to be blocked such as for routing premium traffic to suitable resources. Doron in view of Feyzibehnagh do not explicitly denote switching of IP addresses back and forth of the mapped domain; however, Doron does in fact denote modifying DNS records to different IP, therefore switching IP addresses in the DNS records for a target, such as a cloud platform, e.g. domain of cloud platform, see CNAME in [0058] above. Therefore, Holloway was brought in to at least disclose and/or teach [col. 16, ls. 21-35] “… performs one or more actions to mitigate the attack … changing the routing such that traffic for that IP address points to a particular data center or hardware device that is dedicated to handling attacks” [col. 17, ls. 15-col. 18, ls. 2] “… proxy server 120 automatically routes that traffic to the dedicated DoS device 190 … may also include an operating system that is designed to quickly filter out illegitimate packets …” It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron-Feyzibehnagh in view of Holloway to have switched addresses in address translation changes to redirect traffic. One of ordinary skill in the art would have been motivated to do so to change the routing such that traffic for that IP address points to a device that is dedicated to handling attacks (Holloway, [col. 16, ls. 21-35]). Therefore, the combination of Doron with Feizybehnagh and Holloway would have enabled the cloud platform to perform address resolution for redirecting traffic to DDOS/DOS mitigation services by switching addresses back and forth, such as during attack or in peace times. As such, the claim fails to be patentable over the cited arts.
Carney at least fails to disclose the combination of the features of “the preset high defense IP address being used for filtering malicious attack traffic included in the access request at the preset high defense IP address” and “recycling the high defense IP address to an available pool, so that the high defense IP address is used by another server that enables the black hole.” See Remarks page 12, regarding claims 5 and 16.
In response to Applicant’s arguments (a), the Examiner respectfully disagrees. The limitations above, such as previously mentioned, under broadest reasonable interpretation, denote an IP address of a filtering component for clean traffic, and recycling the address to a pool so it can be reused in view of a condition that enables a black hole (i.e., block all traffic but clean traffic, such as defined in the claims and sections set forth above). Therefore, Doron at least discloses and/or teaches (as in the sections presented above) a DDOS defense technique (see abstract), wherein traffic is either directed towards a platform or redirected using various translation techniques (IP, etc.), further, the redirection is towards a scrubbing/cleaning/filtering center that only passes through clean traffic, and when in peace mode, all traffic is directed towards a platform (i.e. target). As such, when a DDOS attack is detected, it would enable a black hole such that all traffic is blocked except for clean traffic (i.e. dirty/uncleaned traffic not injected towards cloud platform, therefore it cannot reach the cloud platform, e.g. blocked/prohibited), and when a DDOS attack is terminated, it would close a black hole such that no traffic is blocked, e.g. traffic resumes normal operation and reaches the cloud platform. I.e., an IP address of the scrubbing/cleaning/filtering center is used to inject only clean traffic to the target when a DDOS attack is detected. Doron; however, does not explicitly disclose that the IP of said center is recycled, therefore Carney was brought in to at least disclose and/or teach [col. 8, ls. 35-54] “… addresses belonging to a retired set of temporary network addresses are returned to the pool of unused public addresses for reuse in succeeding intervals …” [col. 11, ls. 17-35] “… assign a hostname with a temporary network address from a special set of temporary network addresses if the requestor is suspected of being an attacker … all traffic from the requestor to be routed to a quarantined section of the service provider network … special pool …” [col. 13, ls. 37-53] “… retired after a configurable number of finite periods … returned to the pool of unused public addresses …” It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron (as well as Feyzibehnagh and Holloway) in view of Carney to utilize recyclable high defense IP addresses. One of ordinary skill in the art would have been motivated to do so to assign addresses if the requestor is suspected of being an attacker such that traffic is routed to a quarantined section of the service provider network (Carney, [col. 11, ls. 17-35]). Although Carney does denote in one example that the address belongs to a black hole system, a substitution of Carney’s embodiments with Doron-Feyzibehnagh-Holloway would have permitted the system to perform using temporary network addresses that are assigned/returned to a pool of unused public addresses in succeeding intervals, such that traffic is routed to a quarantined section, in this case, a scrubbing/cleaning/filtering center. One of ordinary skill in the art would have been motivated to do so to hide the actual network addresses of the customer networks (Carney, [col. 7, ls. 18-50]). Therefore, the combination of Doron-Feyzibehnagh-Holloway-Carney would have enabled the cloud platform to perform the DDOS mitigation service with temporarily allocable addresses such as to hide actual network addresses of the customer networks. As such, the claim fails to be patentable over the cited arts.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6 and 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over DORON et al. (US-20180255095-A1) hereinafter Doron in view of Feyzibehnagh et al. (US-20190215308-A1) hereinafter Feyzibehnagh further in view of Holloway et al. (US-8613089-B1) hereinafter Holloway.
Regarding claim 6, Doron discloses:
An apparatus for processing data ([0026] defense platform [FIG. 1] 140), the apparatus comprising: 
at least one processor ([0089-0090] detector 260 comprising microprocessor [FIG. 2] 140 comprising 260); and 
a memory storing instructions ([0089-0090] detector comprising memory), wherein the instructions when executed by the at least one processor ([0092] instructions executed by one or more processors), cause the at least one processor to perform operations ([0092] to perform various processes), the operations comprising: 
Attorney Docket No: JSGTPO11US/19A12895US3 Serial No.: 16/676,935receiving an access request to access a target domain name ([0062] request to a protected domain (i.e. access request to access a target domain name)), wherein in a domain name system the target domain name corresponds to an IP address ([0061] IP addresses of assets in the cloud computing platform [0062] IP address of the requested domain hosted in the cloud computing platform); 
converting the target domain name into a preset high defense domain name ([0062] request to a protected domain would be replaced (i.e. converted) with a FQDN identified by a different domain name (i.e. preset high defense domain name)); 
querying an IP address corresponding to the preset high defense domain name in the domain name system ([0058] resolve the FQDN of the protected application replied with the IP addresses of the defense platform, e.g. DNS (i.e. DNS is for querying/requesting a domain name to IP address resolution)); and 
sending the access request according to the IP address corresponding to the preset high defense domain name ([0058] resolve the FQDN of the protected application replied with the IP addresses of the defense platform [0062] request to a protected domain replaced with a FQDN identified by a different domain, (i.e. where FQDN is resolved in a DNS system for traffic redirection is equated to a request to access the protected domain, which has been converted to a FQDN and resolved into an IP address of the defense platform, so that traffic is redirected, e.g. access to the defense platform and not the assets in the cloud computing platform)); 
wherein, in response to detecting that the IP address corresponding to the target domain name enables a black hole ([0031] DDoS attack is detected, the traffic is redirected to the defense platform (i.e. wherein it would trigger mitigation resources, enabling the black hole)), resolving the IP address corresponding to the preset high defense domain name in the domain name system to a preset high defense IP address ([0058] resolve the FQDN of the protected application replied with the IP addresses of the defense platform) and sending the access request to the preset high defense IP address ([0062] request to a protected domain replaced with a FQDN identified by a different domain, (i.e. where FQDN is resolved in a DNS system for traffic redirection is equated to a request to access the protected domain, which has been converted to a FQDN and resolved into an IP address of the defense platform, so that traffic is redirected, e.g. access to the defense platform and not the assets in the cloud computing platform)), the preset high defense IP address being used for filtering malicious attack traffic included in the access request at the preset high defense IP address ([0060] clean the traffic by executing one or more mitigation actions, and to send the clean traffic directly to servers for use by the protected application (i.e. filtering unclean, e.g. malicious, traffic)), and returning the filtered access request filtered by the preset high defense IP address to the IP address of the target domain name ([0037] defense platform is configured to inject clean traffic provided by the mitigation resource back to cloud computing platform [0061] IP addresses of assets in the cloud computing platform [0062] IP address of the requested domain hosted in the cloud computing platform, request to a protected domain (i.e. access request to access a target domain name)); and 
in response to detecting that the IP address corresponding to the target domain name closes the black hole ([0062] peace/no attack times (i.e. wherein it would not trigger mitigation resources, closing the black hole), see also [0064] previously detected DDoS attack is terminated, e.g. peace mode, [0032]), resolving the IP address corresponding to the target domain name in the domain name system to the IP address of the target domain name ([0064] DNS traffic redirection is terminated and the DNS operation is returned to its original operation such that traffic is directed from EUDs directly to their original destination server located at the cloud computing platform), and sending the access request to the IP address of the target domain name ([0061] IP addresses of assets in the cloud computing platform [0062] IP address of the requested domain hosted in the cloud computing platform, request to a protected domain (i.e. access request to access a target domain name) [0064] EUDs directly to their original destination server),
wherein the IP address corresponding to the target domain name enabling the black hole refers to blocking all traffic accessing the IP address of the target domain name except a traffic cleaned by the preset high defense IP address ([0074] causing redirection of traffic from sources of the traffic to a mitigation resource (i.e. all traffic redirected from target to a mitigation resource), cleaning the traffic, e.g. by filtering, and sending cleaned traffic back to protected applications (i.e. only cleaned traffic returned to the target, not illegitimate, e.g. illegitimate traffic blocked, and only cleaned traffic passed through), see also [0024], [0060], [0061] traffic associated with the attack is mitigated, e.g. redirection to a cloud scrubbing center, and clean traffic is returned to origin application(s)).
Doron does not explicitly disclose:
wherein in a domain name system the target domain name corresponds to an Elastic IP (EIP) address;
wherein, in response to detecting that the EIP address corresponding to the target domain name enables a black hole, switching the IP address corresponding to the preset high defense domain name in the domain name system to a preset high defense IP address;
in response to detecting that the EIP address corresponding to the target domain name closes the black hole, switching the IP address corresponding to the preset high defense domain name in the domain name system to the EIP address of the target domain name;
However, Feyzibehnagh discloses:
wherein in a domain name system the target domain name corresponds to an Elastic IP (EIP) address ([0091] premium VPN may be used to route premium traffic to suitable sources, e.g. network addresses that are less likely to be blocked by destinations (e.g. uses an elastic IP address) [0045] VPN device may route traffic based on the domain name and the associated IP address returned from the request, e.g. DNS);
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron in view of Feyzibehnagh to have the target domain name correspond to an Elastic IP in a domain name system. One of ordinary skill in the art would have been motivated to do so to use addresses that are less likely to be blocked by destinations (Feyzibehnagh, [0091]).
Doron-Feyzibehnagh do not explicitly disclose:
wherein, in response to detecting that the IP address corresponding to the target domain name enables a black hole, switching the IP address corresponding to the preset high defense domain name in the domain name system to a preset high defense IP address;
in response to detecting that the IP address corresponding to the target domain name closes the black hole, switching the IP address corresponding to the preset high defense domain name in the domain name system to the IP address of the target domain name;
However, Holloway discloses:
wherein, in response to detecting that the IP address corresponding to the target domain name enables a black hole ([col. 16, ls. 15-35] e.g. domain that is being attacked), switching the IP address corresponding to the preset high defense domain name in the domain name system to a preset high defense IP address ([col. 16, ls. 21-35] proxy service node performs one or more actions to mitigate the attack, e.g. changing (i.e. switching) the routing such that traffic for that IP address points to a particular data center or hardware device that is dedicated to handling attacks (i.e. IP address of mitigation resource, e.g. preset high defense IP));
in response to detecting that the IP address corresponding to the target domain name closes the black hole ([col. 3, ls. 56-col. 4, ls. 7] proxy server analyze the incoming traffic and take one or more actions on the incoming traffic, e.g. there is not a threat or DOS attack), switching the IP address corresponding to the preset high defense domain name in the domain name system to the IP address of the target domain name ([col. 3, ls. 56-col. 4, ls. 7] proxy server may transit the outgoing traffic to the appropriate origin server [col. 5, ls. 4-26] e.g. IP addresses that resolve to their origin servers);
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron-Feyzibehnagh in view of Holloway to have switched the IP address corresponding to the preset high defense domain name between the high defense IP address and EIP address of the target domain name in response to detecting whether the EIP address corresponding to the target domain name enables or closes a black hole. One of ordinary skill in the art would have been motivated to do so to analyze incoming traffic and take one or more actions on the incoming traffic, e.g. based on a threat/attack and to do so to change the routing such that traffic for that IP address points to a device that is dedicated to handling attacks (Holloway, [col. 3, ls. 56-col. 4, ls. 7] [col. 16, ls. 21-35]). 
Regarding claims 1 and 11, they do not further define nor teach over the limitations of claim 6, therefore, claims 1 and 11 are rejected for at least the same reasons set forth above as in claim 6.
Claims 2-4, 7-9 and 12-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Doron-Feyzibehnagh-Holloway in view of Hashmi (US-11025483-B1).
Regarding claim 107, Doron-Feyzibehnagh-Holloway disclose:
The apparatus according to claim 6, set forth above, wherein, before converting the target domain name into a preset high defense domain name, the operations further comprise: 
Doron discloses:
generating a high defense domain name before converting the target domain name into a preset high defense domain 15name ([0062] e.g. po.mysite.clouddetectorner (i.e. required to be generated prior to use, e.g. to replace a protected domain with the FQDN identified by a different domain name as above, if not generated then there would be no domain name to redirect to));
creating a record that the target domain name resolves to the IP address  ([0064] DNS traffic redirection is terminated and the DNS operation is returned to its original operation such that traffic is directed from EUDs directly to their original destination server located at the cloud computing platform (i.e. DNS requires DNS records, e.g. for name resolution) [0061] IP addresses of assets in the cloud computing platform [0062] IP address of the requested domain hosted in the cloud computing platform, request to a protected domain (i.e. access request to access a target domain name for IP address of the requested domain, e.g. address domain resolves to)); and
creating a record that the target domain name resolves to the high defense domain name ([0062] request to a protected domain would be replaced (i.e. converted) with a FQDN identified by a different domain name (i.e. preset high defense domain name), e.g. automatically modifying an authoritative DNS record (i.e. to create a record that points to a different domain name, e.g. high defense domain name, e.g. DNS redirect) entry to point to other address representing a mitigation resource, e.g. FQDN identified by a different domain name).
Doron does not explicitly disclose:
configuring the EIP address corresponding to the target domain name, an area to which the EIP address belongs, and health checking a port based on a Transmission Control Protocol (TCP) service; 
creating a record that the high defense domain name resolves to the EIP address; 
However, Feyzibehnagh discloses:
configuring the EIP address ([0091] premium VPN may be used to route premium traffic to suitable sources, e.g. network addresses that are less likely to be blocked by destinations (e.g. uses an elastic IP address, e.g. configured to use an address less likely to be blocked by destinations) [0045] VPN device may route traffic based on the domain name and the associated IP address returned from the request, e.g. DNS);
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron-Feyzibehnagh-Holloway to have the target domain name correspond to an Elastic IP in a domain name system. One of ordinary skill in the art would have been motivated to do so to use addresses that are less likely to be blocked by destinations (Feyzibehnagh, [0091]).
Doron-Feyzibehnagh do not explicitly disclose:
configuring the EIP address corresponding to the target domain name, an area to which the EIP address belongs, and health checking a port based on a Transmission Control Protocol (TCP) service;
creating a record that the high defense domain name resolves to the IP address;
However, Holloway discloses:
creating a record that the high defense domain name resolves to the IP address ([col. 3, ls. 56-col. 4, ls. 7] proxy server may transit the outgoing traffic to the appropriate origin server [col. 5, ls. 4-26] e.g. IP addresses that resolve to their origin servers, via DNS records (i.e. must be created so as to resolve the IP addresses to the domain names of the servers));
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron-Feyzibehnagh-Holloway to have created a record that the high defense name resolves to the EIP address. One of ordinary skill in the art would have been motivated to do so to have IP addresses resolve to their origin servers (Holloway, [col. 4, ls. 4-26]).
Doron-Feyzibehnagh-Holloway do not explicitly disclose:
configuring the EIP address corresponding to the target domain name, an area to which the EIP address belongs, and health checking a port based on a Transmission Control Protocol (TCP) service;
However, Hashmi discloses:
configuring the EIP address corresponding to the target domain name ([col. 14, ls. 4-29] IP address assigned to VPN endpoint virtual machine, e.g. elastic IP address), an area to which the EIP address belongs ([col. 14, ls. 4-29] IP address, e.g. elastic IP, remains associated with the customer’s service provider account), and health checking a port based on a Transmission Control Protocol (TCP) service ([col. 14, ls. 4-40] health and status of the VPN endpoint virtual machines are monitored, e.g. via heartbeats [col. 9, ls. 32-63] e.g. network port timeouts, e.g. within heartbeat messages [col. 23, ls. 32-43] network interface may support communication via any other suitable type of network and/or protocol (i.e. TCP/IP));
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron-Feyzibehnagh-Holloway in view of Hashmi to have configured the EIP corresponding to the target domain name, an area to which the EIP address belongs, and health checking a port based on TCP service. One of ordinary skill in the art would have been motivated to do so to assign an elastic IP address that remains associated with the customer’s service provider account and monitor the health and status of the VPN endpoint virtual machines (Hashmi, [col. 14, ls. 4-40] [col. 9, ls. 32-63] [col. 23, ls. 32-43]).
Regarding claim 8, Doron-Feyzibehnagh-Holloway-Hashmi disclose:
The apparatus according to claim 7, set forth above, wherein the operations 25further comprise: 
Doron discloses:
creating a high defense IP address in response to detecting that the IP address is attacked and the black hole is enabled ([0031] DDoS attack is detected, the traffic is redirected to the defense platform (i.e. wherein it would trigger mitigation resources, enabling the black hole) [0058] resolve the FQDN of the protected application replied with the IP addresses of the defense platform (i.e. must be created so as to be resolved to, otherwise there would be no IP address to resolve to)); and 
creating a forwarding rule of returning from the high defense IP address back to the IP address ([0060-0061] mitigation resource is configured to clean the traffic, and forwards legitimate clean traffic back toward the protected application (i.e. forwarding rule from the mitigation resource back to protected application, e.g. IP address of mitigation resource a high defense IP, and IP address of protected application the target IP));
30calling the domain name system to resolve the high defense domain name to switch to the high defense IP address ([0058] resolve the FQDN of the protected application replied with the IP addresses of the defense platform [0062] request to a protected domain replaced with a FQDN identified by a different domain, (i.e. where FQDN is resolved in a DNS system for traffic redirection is equated to a request to access the protected domain, which has been converted to a FQDN and resolved into an IP address of the defense platform, so that traffic is redirected, e.g. access to the defense platform and not the assets in the cloud computing platform)).  
Doron does not explicitly disclose:
configuring the EIP address;
However, Feyzibehnagh discloses:
configuring the EIP address ([0091] premium VPN may be used to route premium traffic to suitable sources, e.g. network addresses that are less likely to be blocked by destinations (e.g. uses an elastic IP address, e.g. configured to use an address less likely to be blocked by destinations) [0045] VPN device may route traffic based on the domain name and the associated IP address returned from the request, e.g. DNS);
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron-Feyzibehnagh-Holloway-Hashmi to have the target domain name correspond to an Elastic IP in a domain name system. One of ordinary skill in the art would have been motivated to do so to use addresses that are less likely to be blocked by destinations (Feyzibehnagh, [0091]).
Regarding claim 9, Doron-Feyzibehnagh-Holloway-Hashmi disclose:
The apparatus according to claim 8, set forth above, wherein the operations further comprise: 
Doron discloses:
calling the domain name system to resolve the target domain name to resolve to the IP address ([0064] DNS traffic redirection is terminated and the DNS operation is returned to its original operation such that traffic is directed from EUDs directly to their original destination server located at the cloud computing platform [0061] IP addresses of assets in the cloud computing platform [0062] IP address of the requested domain hosted in the cloud computing platform, request to a protected domain (i.e. access request to access a target domain name)), in response to 5detecting that the IP address ends the black hole ([0062] peace/no attack times (i.e. wherein it would not trigger mitigation resources, closing the black hole), see also [0064] previously detected DDoS attack is terminated, e.g. peace mode).
Doron does not explicitly disclose:
calling the domain name system to resolve the high defense domain name to switch to the EIP address, in response to 5detecting that the EIP address ends the black hole.
However, Feyzibehnagh discloses:
configuring the EIP address ([0091] premium VPN may be used to route premium traffic to suitable sources, e.g. network addresses that are less likely to be blocked by destinations (e.g. uses an elastic IP address, e.g. configured to use an address less likely to be blocked by destinations) [0045] VPN device may route traffic based on the domain name and the associated IP address returned from the request, e.g. DNS);
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron-Feyzibehnagh-Holloway-Hashmi to have the target domain name correspond to an Elastic IP in a domain name system. One of ordinary skill in the art would have been motivated to do so to use addresses that are less likely to be blocked by destinations (Feyzibehnagh, [0091]).
Doron-Feyzibehnagh do not explicitly disclose:
calling the domain name system to resolve the high defense domain name to switch to the IP address, in response to 5detecting that the IP address ends the black hole.
However, Holloway discloses:
calling the domain name system to resolve the high defense domain name to switch to the IP address ([col. 3, ls. 56-col. 4, ls. 7] proxy server may transit the outgoing traffic to the appropriate origin server [col. 5, ls. 4-26] e.g. IP addresses that resolve to their origin servers), in response to 5detecting that the IP address ends the black hole ([col. 3, ls. 56-col. 4, ls. 7] proxy server analyze the incoming traffic and take one or more actions on the incoming traffic, e.g. there is not a threat or DOS attack).
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron-Feyzibehnagh-Holloway-Hashmi to have switched the IP address corresponding to the preset high defense domain name between the high defense IP address and EIP address of the target domain name in response to detecting whether the EIP address corresponding to the target domain name enables or closes a black hole. One of ordinary skill in the art would have been motivated to do so to analyze incoming traffic and take one or more actions on the incoming traffic, e.g. based on a threat/attack and to do so to change the routing such that traffic for that IP address points to a device that is dedicated to handling attacks (Holloway, [col. 3, ls. 56-col. 4, ls. 7] [col. 16, ls. 21-35]).
Regarding claims 2-4 and 12-14, they do not further define nor teach over the limitations of claim 7-9, therefore, claims 2-4 and 12-14 are rejected for at least the same reasons set forth above as in claim 7-9.
Claim 5, 10 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Doron-Feyzibehnagh-Holloway-Hashmi in view of Carney et al. (US-9197666-B2) hereinafter Carney.
Regarding claim 10, Doron-Feyzibehnagh-Holloway-Hashmi disclose: 
The apparatus according to claim 9, set forth above, wherein the operations further comprise: 
Doron discloses:
deleting the high defense IP address and the forwarding rule ([0064] DNS traffic redirection is terminated and the DNS operation is returned to its original operation such that traffic is directed from EUDs directly to their original destination server located at the cloud computing platform (i.e. traffic no longer forwarded to defense platform, e.g. forwarding rule deleted, and using original IP, e.g. high defense IP address deleted) [0061] IP addresses of assets in the cloud computing platform [0062] IP address of the requested domain hosted in the cloud computing platform, request to a protected domain (i.e. access request to access a target domain name)); and 
Doron does not explicitly disclose:
10recycling the high defense IP address to an available pool, so that the high defense IP address is used by another server that enables the black hole.
However, Carney discloses:
recycling the high defense IP address to an available pool ([col. 11, ls. 17-35] receive a network address out of this special pool, e.g. assign a hostname with a temporary network address if the requestor is suspected of being an attacker, e.g. to route traffic to a black hole system that includes various traffic analysis tools to further analyze the traffic originating from the requestor [col. 13, ls. 37-53] address assignment module may cause the name servers to retire all records associated with a set of temporary network addresses after a serving and supporting stage of an address allocation scheme, where each set of temporary network addresses is retired and the retired addresses may be returned to the pool of unused public addresses), so that the high defense IP address is used by another server that enables the black hole ([col. 8, ls. 35-54] addresses belonging to a retired set of temporary network addresses are returned to the pool of unused public addresses for reuse in succeeding intervals [col. 11, ls. 17-35] receive a network address out of this special pool, e.g. assign a hostname with a temporary network address if the requestor is suspected of being an attacker, e.g. to route traffic to a black hole system that includes various traffic analysis tools to further analyze the traffic originating from the requestor [col. 13, ls. 37-53] address assignment module may cause the name servers to retire all records associated with a set of temporary network addresses after a serving and supporting stage of an address allocation scheme, where each set of temporary network addresses is retired and the retired addresses may be returned to the pool of unused public addresses (i.e. using addresses from a pool and retiring addresses to a pool is equated to as recycling for future use, e.g. only used when necessary)).
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron-Feyzibehnagh-Holloway-Hashmi in view of Carney to have deleted the high defense IP and recycled it to a pool. One of ordinary skill in the art would have been motivated to do so to allow for reuse of addresses and to hide the actual network addresses of the customer networks (Carney, [col. 7, ls. 18-50] [col. 8, ls. 35-54]).
Regarding claims 5 and 15, they do not further define nor teach over the limitations of claim 10, therefore, claims 5 and 15 are rejected for at least the same reasons set forth above as in claim 10.
Claim 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Doron-Feyzibehnagh-Holloway-Carney.
Regarding claim 16, Doron-Feyzibehnagh-Holloway disclose: 
The method according to claim 1, wherein after switching the IP address corresponding to the preset high defense domain name in the domain name system to the EIP address of the target domain name, set forth above, the method further comprises: 
Doron-Feyzibehnagh-Holloway do not explicitly disclose:
recycling the high defense IP address to an available pool, so that the high defense IP address is used by another server that enables the black hole.
However, Carney discloses:
recycling the high defense IP address to an available pool ([col. 11, ls. 17-35] receive a network address out of this special pool, e.g. assign a hostname with a temporary network address if the requestor is suspected of being an attacker, e.g. to route traffic to a black hole system that includes various traffic analysis tools to further analyze the traffic originating from the requestor [col. 13, ls. 37-53] address assignment module may cause the name servers to retire all records associated with a set of temporary network addresses after a serving and supporting stage of an address allocation scheme, where each set of temporary network addresses is retired and the retired addresses may be returned to the pool of unused public addresses), so that the high defense IP address is used by another server that enables the black hole ([col. 8, ls. 35-54] addresses belonging to a retired set of temporary network addresses are returned to the pool of unused public addresses for reuse in succeeding intervals [col. 11, ls. 17-35] receive a network address out of this special pool, e.g. assign a hostname with a temporary network address if the requestor is suspected of being an attacker, e.g. to route traffic to a black hole system that includes various traffic analysis tools to further analyze the traffic originating from the requestor [col. 13, ls. 37-53] address assignment module may cause the name servers to retire all records associated with a set of temporary network addresses after a serving and supporting stage of an address allocation scheme, where each set of temporary network addresses is retired and the retired addresses may be returned to the pool of unused public addresses (i.e. using addresses from a pool and retiring addresses to a pool is equated to as recycling for future use, e.g. only used when necessary)).
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Doron-Feyzibehnagh-Holloway in view of Carney to have deleted the high defense IP and recycled it to a pool. One of ordinary skill in the art would have been motivated to do so to allow for reuse of addresses and to hide the actual network addresses of the customer networks (Carney, [col. 7, ls. 18-50] [col. 8, ls. 35-54]). 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
E. Kline, A. Afanasyev and P. Reiher, "Shield: DoS filtering using traffic deflecting," 2011 19th IEEE International Conference on Network Protocols, 2011, pp. 37-42, doi: 10.1109/ICNP.2011.6089077.;
T. Alharbi, A. Aljuhani and Hang Liu, "Holistic DDoS mitigation using NFV," 2017 IEEE 7th Annual Computing and Communication Workshop and Conference (CCWC), 2017, pp. 1-4, doi: 10.1109/CCWC.2017.7868480.; 
A. L. Tao, "How traffic scrubbing can guard against DDoS attacks," 2019, retrieved: https://www.computerweekly.com/news/252456702/How-traffic-scrubbing-can-guard-against-DDoS-attacks;
Y. Cao, Y. Gao, R. Tan, Q. Han and Z. Liu, "Understanding Internet DDoS Mitigation from Academic and Industrial Perspectives," in IEEE Access, vol. 6, pp. 66641-66648, 2018, doi: 10.1109/ACCESS.2018.2877710.;
L. Serodio, "Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec," 2013, retrieved: https://archive.nanog.org/sites/default/files/wed.general.trafficdiversion.serodio.10.pdf;
Smith et al. (US-10091234-B2) COMBINATION OF REMOTE TRIGGERED SOURCE AND DESTINATION BLACKHOLE FILTERING;
Hajduczenia (US-11012410-B2) DISTRIBUTED DENIAL-OF-SERVICE PREVENTION USING FLOATING INTERNET PROTOCOL GATEWAY;
Smith et al. (US-11095680-B2) NETWORK TRAFFIC DATA SCRUBBING WITH SERVICES OFFERED VIA ANYCASTED ADDRESSES;
Fleischman (US-10003611-B2) SYSTEMS AND METHODS FOR PROTECTING AN ONLINE SERVICE AGAINST A NETWORK-BASED ATTACK;
Nordstrom et al. (US-9548961-B2) DETECTING ADVERSE NETWORK CONDITIONS FOR A THIRD-PARTY NETWORK SITE;
Andriani (US-10509909-B2) NON-DISRUPTIVE DDOS TESTING;
Kustarz et al. (US-9432385-B2) SYSTEM AND METHOD FOR DENIAL OF SERVICE ATTACK MITIGATION USING CLOUD SERVICES
Devarajan et al. (US-20130007882-A1) METHODS OF DETECTING AND REMOVING BIDIRECTIONAL NETWORK TRAFFIC MALWARE;
Tong (CN-107493272-A) FLOW RATE CLEANING METHOD INVOLVES PERFORMING SECOND ADDRESS TRANSLATION ON NORMAL TRAFFIC RETAINED AFTER COMPLETION OF CLEANING, AND SENDING BACK NORMAL TRAFFIC TO TARGET TERMINAL DEVICE;
Hu et al. (CN-101902456-A) WEB SITE SAFE DEFENSIVE SYSTEM, HAS FLOW RETRACTOR CONNECTED WITH DOMAIN NAME SYSTEM SERVER, AND WEB SAFE DETECTOR SENDING HTTP REQUEST MESSAGE TO WEB SITE WHEN HTTP REQUEST MESSAGE IS IN ABNORMAL CONDITION;
Varner (US-20140173111-A1) DATA USAGE MANAGEMENT SYSTEMS AND METHODS;
Hunt et al. (US-9578048-B1) IDENTIFYING PHISHING WEBSITES USING DOM CHARACTERISTICS;
Radlein et al. (US-9794281-B1) IDENTIFYING SOURCES OF NETWORK ATTACKS;
Yu et al. (US-10798060-B2) NETWORK ATTACK DEFENSE POLICY SENDING METHOD AND APPARATUS, AND NETWORK ATTACK DEFENDING METHOD AND APPARATUS;
Duca et al. (US-20180020002-A1) SYSTEM AND METHOD FOR FILTERING INTERNET TRAFFIC AND OPTIMIZING SAME;
Yang et al. (WO-2017041656-A1) METHOD FOR FACILITATING USER TRAFFIC PROCESSING BY ELEMENTARY DEFENSE DEVICE IN DOMAIN NAME SYSTEM, INVOLVES CONTROLLING TRANSFER OF TRAFFIC, WHICH IS CLEANED TO SERVICE PROCESSING DEVICE FOR PROCESSING BY MANAGEMENT AND CONTROL DEVICE;
Haiyang et al. (CN-107404496-A) DDOS ATTACK DEFENDING AND TRACING METHOD BASED ON HTTP DNS;
Chen et al. (US-11057404-B2) METHOD AND APPARATUS FOR DEFENDING AGAINST DNS ATTACK, AND STORAGE MEDIUM;
ZHANG (US-20180324209-A1) NETWORK ATTACK DEFENSE METHOD, APPARATUS, AND SYSTEM;
Yu et al. (US-20180337888-A1) NETWORK ATTACK DEFENSE POLICY SENDING METHOD AND APPARATUS, AND NETWORK ATTACK DEFENDING METHOD AND APPARATUS;
Ma et al. (US-20180367566-A1) PREVENTION AND CONTROL METHOD, APPARATUS AND SYSTEM FOR NETWORK ATTACK.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Alex H. Tran whose telephone number is (571)272-8173.  The examiner can normally be reached on Monday-Friday 11AM-6PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Divecha B. Kamal can be reached on (571)272-5863.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/Alex H. Tran/Examiner, Art Unit 2453                                                                                                                                                                                         
/KAMAL B DIVECHA/Supervisory Patent Examiner, Art Unit 2453