Minimize SYN-flood issues with flow cache while maintaining performance
IPC classification information
Country / type: United States (US) Patent, granted
International Patent Classification (IPC 7th edition): H04L-012/801, H04L-012/803, H04W-028/02, H04W-028/10
Application number: US-0802169 (2013-03-13)
Registration number: US-9154423 (2015-10-06)
Inventors / address: Szabo, Paul Imre; Thornewell, Peter Michael; Michels, Timothy Scott; Cai, Hao
Applicant / address: F5 Networks, Inc.
Agent / address: Branch, John W.
Citation information
Times cited: 2
Cited patents: 75
Abstract
Embodiments are directed towards minimizing the impact flood attacks may have on packet traffic management performance. A packet traffic management device (“PTMD”) may employ a data flow segment (“DFS”) and control segment (“CS”). The CS may perform high-level control functions and per-flow policy enforcement for connection flows maintained at the DFS, while the DFS may perform statistics gathering, per-packet policy enforcement (e.g., packet address translations), or the like, on connection flows maintained at the DFS. The DFS may include high-speed flow caches and other high-speed components that may be comprised of high-performance computer memory. The impact of flood attacks may be reduced by protecting the high-speed flow caches from being consumed by flow control data associated with malicious and/or in-operative non-genuine network connections. In at least one of the various embodiments, flood control filters may be adaptively activated based on the condition and quality of network traffic received at PTMD.
Representative claims
1. A method for managing communication over a network with a traffic management device that includes a plurality of components and is operative to perform actions, comprising: employing at least one data flow segment (DFS) component to determine if at least one received network packet is associated with a new connection flow, wherein each DFS component corresponds to a high speed flow cache; employing at least one control segment (CS) component to perform actions, including: determining if each connection flow is genuine that is evicted from at least one high-speed flow cache; if an amount of non-genuine connection flows exceeds a threshold, enabling at least one flood control filter; and if a new connection flow is determined to be genuine, generating flow control data that corresponds to the new connection flow; and employing the at least one DFS component to store the flow control data for each genuine connection flow in at least one high speed flow cache; and employing the at least one DFS component to forward received network packets for each genuine connection flow based on its corresponding flow control data stored in at least one high-speed flow cache.

2. The method of claim 1, wherein determining if each connection flow is genuine that is evicted from at least one high-speed flow cache further comprises evaluating each connection flow based in part on the number of packets that have been exchanged over the connection flow.

3. The method of claim 1, wherein determining if each connection flow is genuine further comprises evaluating each connection flow based at least in part on the content of at least one packet that was communicated over each connection flow.

4. The method of claim 1, wherein enabling the at least one enabled flood control filter further comprises deferring the generation of flow control data for the new connection flow until a full open connection corresponding to the new connection flow is established.

5. The method of claim 1, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based on at least a ratio of the amount of genuine connection flows to non-genuine connection flows detected over a period of time.

6. The method of claim 1, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based at least on the amount of network traffic over the connection flow, or at least a portion of the at least one received network packet.

7. The method of claim 1, further comprising: dividing the new connection flow into an upload half connection flow and a download half connection flow; generating separate flow control data for each half connection flow; and storing the flow control data for each half connection flow in the high-speed flow cache based on the at least one enabled flood control filter.

8. The method of claim 1, further comprising: employing the DFS component to identify each idle genuine connection flow that has associated flow control data stored in the high-speed flow cache that corresponds to the DFS component; employing the DFS component to remove the flow control data associated with each identified idle genuine connection flow from the high-speed flow cache that corresponds to the DFS component; and employing the DFS component to store the removed flow control data if new network activity occurs on the idle genuine connection flow.

9. A traffic management device (TMD) that is operative to manage communication over a network, comprising: a transceiver that is operative to communicate over a network; a memory that is operative to store at least instructions for a plurality of components; and a processor device that is operative to execute instructions that enable actions, including: employing at least one data flow segment (DFS) component to determine if at least one received network packet is associated with a new connection flow, wherein each DFS component corresponds to a high speed flow cache; employing at least one control segment (CS) component to perform actions, including: determining if each connection flow is genuine that is evicted from at least one high-speed flow cache; if an amount of non-genuine connection flows exceeds a threshold, enabling at least one flood control filter; and if a new connection flow is determined to be genuine, generating flow control data that corresponds to the new connection flow; and employing the at least one DFS component to store the flow control data for each genuine connection flow in at least one high speed flow cache; and employing the at least one DFS component to forward received network packets for each genuine connection flow based on its corresponding flow control data stored in at least one high-speed flow cache.

10. The TMD of claim 9, wherein determining if each connection flow is genuine that is evicted from at least one high-speed flow cache further comprises evaluating each connection flow based in part on the number of packets that have been exchanged over the connection flow.

11. The TMD of claim 9, wherein determining if each connection flow is genuine further comprises evaluating each connection flow based at least in part on the content of at least one packet that was communicated over each connection flow.

12. The TMD of claim 9, wherein enabling the at least one enabled flood control filter further comprises deferring the generation of flow control data for the new connection flow until a full open connection corresponding to the new connection flow is established.

13. The TMD of claim 9, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based on at least a ratio of the amount of genuine connection flows to non-genuine connection flows detected over a period of time.

14. The TMD of claim 9, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based at least on the amount of network traffic over the connection flow, or at least a portion of the at least one received network packet.

15. The TMD of claim 9, further comprising: dividing the new connection flow into an upload half connection flow and a download half connection flow; generating separate flow control data for each half connection flow; and storing the flow control data for each half connection flow in the high-speed flow cache based on the at least one enabled flood control filter.

16. The TMD of claim 9, further comprising: employing the DFS component to identify each idle genuine connection flow that has associated flow control data stored in the high-speed flow cache that corresponds to the DFS component; employing the DFS component to remove the flow control data associated with each identified idle genuine connection flow from the high-speed flow cache that corresponds to the DFS component; and employing the DFS component to store the removed flow control data if new network activity occurs on the idle genuine connection flow.

17. A processor readable non-transitive storage media that includes instructions for a method for managing communication over a network with a traffic management device that includes a plurality of components and is operative to execute the instructions to perform actions, comprising: employing at least one data flow segment (DFS) component to determine if at least one received network packet is associated with a new connection flow, wherein each DFS component corresponds to a high speed flow cache; employing at least one control segment (CS) component to perform actions, including: determining if each connection flow is genuine that is evicted from at least one high-speed flow cache; if an amount of non-genuine connection flows exceeds a threshold, enabling at least one flood control filter; and if a new connection flow is determined to be genuine, generating flow control data that corresponds to the new connection flow; and employing the at least one DFS component to store the flow control data for each genuine connection flow in at least one high speed flow cache; and employing the at least one DFS component to forward received network packets for each genuine connection flow based on its corresponding flow control data stored in at least one high-speed flow cache.

18. The media of claim 17, wherein determining if each connection flow is genuine that is evicted from at least one high-speed flow cache further comprises evaluating each connection flow based in part on the number of packets that have been exchanged over the connection flow.

19. The media of claim 17, wherein determining if each connection flow is genuine further comprises evaluating each connection flow based at least in part on the content of at least one packet that was communicated over each connection flow.

20. The media of claim 17, wherein enabling the at least one enabled flood control filter further comprises deferring the generation of flow control data for the new connection flow until a full open connection corresponding to the new connection flow is established.

21. The media of claim 17, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based on at least a ratio of the amount of genuine connection flows to non-genuine connection flows detected over a period of time.

22. The media of claim 17, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based at least on the amount of network traffic over the connection flow, or at least a portion of the at least one received network packet.

23. The media of claim 17, further comprising: dividing the new connection flow into an upload half connection flow and a download half connection flow; generating separate flow control data for each half connection flow; and storing the flow control data for each half connection flow in the high-speed flow cache based on the at least one enabled flood control filter.

24. The media of claim 17, further comprising: employing the DFS component to identify each idle genuine connection flow that has associated flow control data stored in the high-speed flow cache that corresponds to the DFS component; employing the DFS component to remove the flow control data associated with each identified idle genuine connection flow from the high-speed flow cache that corresponds to the DFS component; and employing the DFS component to store the removed flow control data if new network activity occurs on the idle genuine connection flow.
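The claim-1 pipeline as an added simulation, written for this page and not taken from the patent or from F5's products: a small LRU cache stands in for the DFS high-speed flow cache, a control segment judges evicted flows by packets exchanged (claim 2), enables the flood control filter once non-genuine evictions pass a threshold, and from then on defers cache insertion until the three-way handshake completes (claim 4). The packet-count cutoff, eviction policy, flow keys, thresholds and traffic are all constructed assumptions.

```python
from collections import OrderedDict

GENUINE_MIN_PACKETS = 3  # assumed: fewer packets than a completed handshake => non-genuine (claim 2)
HANDSHAKE = {"SYN", "SYN-ACK", "ACK"}  # a "full open connection" for the deferral filter (claim 4)

class FlowCache:  # DFS high-speed flow cache: fixed capacity, least-recently-used eviction
    def __init__(self, capacity):
        self.capacity, self.entries = capacity, OrderedDict()
    def lookup(self, key):
        """Per-packet fast path: on a hit, bump the packet count and recency."""
        if key not in self.entries:
            return False
        self.entries[key] += 1
        self.entries.move_to_end(key)
        return True
    def insert(self, key, packets):
        """Store flow control data (here just a packet count); return the evicted (key, packets) or None."""
        evicted = self.entries.popitem(last=False) if len(self.entries) >= self.capacity else None
        self.entries[key] = packets
        return evicted

class ControlSegment:  # CS: classifies evicted flows and adaptively enables the flood control filter
    def __init__(self, threshold):
        self.threshold, self.non_genuine = threshold, 0
        self.filter_enabled, self.pending = False, {}
    def on_evict(self, packets):
        if packets < GENUINE_MIN_PACKETS:
            self.non_genuine += 1
            self.filter_enabled |= self.non_genuine > self.threshold  # claim 1: threshold crossed
    def admit(self, key, flag):
        """Packet count to cache for an uncached flow, or None to defer it (half-open flows wait in `pending`)."""
        if not self.filter_enabled:
            return 1
        seen = self.pending.setdefault(key, set())
        seen.add(flag)
        if HANDSHAKE <= seen:  # three-way handshake complete: now worth a cache slot
            del self.pending[key]
            return len(HANDSHAKE)
        return None

def run(packets, capacity, threshold):
    cache, cs = FlowCache(capacity), ControlSegment(threshold)
    for key, flag in packets:  # each packet is (flow key, TCP flag)
        if cache.lookup(key):
            continue  # DFS forwards it from cached flow control data
        count = cs.admit(key, flag)
        evicted = cache.insert(key, count) if count is not None else None
        if evicted:
            cs.on_evict(evicted[1])
    return {"filter_enabled": cs.filter_enabled, "cached": dict(cache.entries), "deferred": len(cs.pending)}

# Constructed traffic: 9 SYN-only flows, one genuine client, then 5 more SYN-only flows.
TRAFFIC = ([(f"atk{i}", "SYN") for i in range(9)]
           + [("client", f) for f in ("SYN", "SYN-ACK", "ACK", "DATA", "DATA")]
           + [(f"atk{i}", "SYN") for i in range(9, 14)])
```

Running `run(TRAFFIC, capacity=4, threshold=4)` shows the filter switching on during the first burst and the genuine client keeping its cache entry through the second; with an unreachable threshold the same traffic evicts the genuine flow. A production device would also age out the deferred half-open entries, which this simulation only counts.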