公开(公告)号：US08788823B1

公开(公告)日：2014-07-22

申请号：US10971523

申请日：2004-10-22

申请人： Dehua Huang ,  Adam J. Sweeney ,  Pradeep S. Sudame ,  Silviu Dobrota ,  Premkumar Jonnala

发明人： Dehua Huang ,  Adam J. Sweeney ,  Pradeep S. Sudame ,  Silviu Dobrota ,  Premkumar Jonnala

IPC分类号： H04L9/32

CPC分类号： H04L63/10 ,  H04L63/0263

摘要： Protocol status information is used to perform traffic filtering by dropping messages that are not consistent with the protocol status information. In one embodiment, a method involves comparing message information and protocol status information. The message information is associated with a first message. The protocol status information is obtained in response to one or more second messages, which are conveyed according to a protocol used to assign network addresses to clients. The method also involves determining whether to discard the first message, based on an outcome of the comparison of the message information and the protocol status information. For example, it can be determined that the first message should be discarded, if the message information does not match the protocol status information.

摘要翻译： 协议状态信息用于通过丢弃与协议状态信息不一致的消息来进行流量过滤。 在一个实施例中，一种方法包括比较消息信息和协议状态信息。 消息信息与第一消息相关联。 响应于根据用于向客户端分配网络地址的协议传送的一个或多个第二消息来获得协议状态信息。 该方法还包括基于消息信息和协议状态信息的比较的结果来确定是否丢弃第一消息。 例如，如果消息信息与协议状态信息不匹配，则可以确定第一消息应被丢弃。

公开(公告)号：US07551559B1

公开(公告)日：2009-06-23

申请号：US10971521

申请日：2004-10-22

申请人： Premkumar Jonnala ,  Adam J. Sweeney ,  Dehua Huang ,  Silviu Dobrota ,  Pradeep S. Sudame ,  Marco E. Foschiano

发明人： Premkumar Jonnala ,  Adam J. Sweeney ,  Dehua Huang ,  Silviu Dobrota ,  Pradeep S. Sudame ,  Marco E. Foschiano

IPC分类号： H04L5/12

CPC分类号： H04L63/1466 ,  H04L63/1416

摘要： Users are allowed to specify per-interface rate limits for inter-layer binding protocol traffic. If the user-specified rate limit is exceeded on a given interface, inter-layer binding protocol messages received via that interface are caused to be dropped (e.g., by selectively dropping ILBP messages, or by simply shutting down the interface). If the rate is not exceeded, inter-layer binding protocol messages received via that interface can be validated (e.g., by comparing an inter-layer binding included in the body of an inter-layer binding protocol message to protocol status information obtained by snooping protocol messages). If the inter-layer binding does not match the protocol status information, the inter-layer binding protocol message is dropped. If a match is found, the inter-layer binding protocol message is allowed to be forwarded normally. Such systems and methods may be used to inhibit various undesirable network behavior, such as man-in-the-middle attacks.

摘要翻译： 允许用户为层间绑定协议流量指定每接口速率限制。 如果在给定接口上超过用户指定的速率限制，则会导致通过该接口接收到的层间绑定协议消息（例如，通过选择性地删除ILBP消息，或简单地关闭接口）。 如果不超过该速率，则可以验证通过该接口接收的层间绑定协议消息（例如，通过将层间绑定协议消息正文中包含的层间绑定与通过侦听协议获得的协议状态信息进行比较 消息）。 如果层间绑定与协议状态信息不符，则删除层间绑定协议消息。 如果发现匹配，则允许层间绑定协议消息正常转发。 这样的系统和方法可以用于抑制各种不期望的网络行为，例如中间人攻击。

公开(公告)号：US09185129B2

公开(公告)日：2015-11-10

申请号：US13447360

申请日：2012-04-16

申请人： Premkumar Jonnala ,  Neha M. Shah ,  Sivakumar Narayanan ,  Adam J. Sweeney ,  Silviu Dobrota

发明人： Premkumar Jonnala ,  Neha M. Shah ,  Sivakumar Narayanan ,  Adam J. Sweeney ,  Silviu Dobrota

IPC分类号： H04L29/06

CPC分类号： H04L63/1458 ,  H04L63/0272 ,  H04L2463/141

摘要： A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.

摘要翻译： 描述了一种保护数据网络免受拒绝服务（DOS）攻击的方法。 该方法可以使用各种网络工具来选择性地阻止或禁用经历DOS攻击的数据中继部分，从而防止DOS攻击到达网络上的至少一些资源。 在一个实施例中，网络交换机识别在数据中继线上携带可疑数据的虚拟LAN（VLAN）。 然后，网络交换机调整网络的生成树，以便受保护的VLAN上的一个或多个端口被阻止或禁用，而不受影响的VLAN可以继续携带数据。 还提出了其他方法，用于在网络阻塞响应DOS攻击或其他入侵的网络的一个或多个VLAN或其他部分时避免有效数据丢失。

公开(公告)号：US08181240B2

公开(公告)日：2012-05-15

申请号：US11152625

申请日：2005-06-14

申请人： Premkumar Jonnala ,  Neha M. Shah ,  Sivakumar Narayanan ,  Adam J. Sweeney ,  Silviu Dobrota

发明人： Premkumar Jonnala ,  Neha M. Shah ,  Sivakumar Narayanan ,  Adam J. Sweeney ,  Silviu Dobrota

IPC分类号： G06F17/00

CPC分类号： H04L63/1458 ,  H04L63/0272 ,  H04L2463/141

摘要： A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.

摘要翻译： 描述了一种保护数据网络免受拒绝服务（DOS）攻击的方法。 该方法可以使用各种网络工具来选择性地阻止或禁用经历DOS攻击的数据中继部分，从而防止DOS攻击到达网络上的至少一些资源。 在一个实施例中，网络交换机识别在数据中继线上携带可疑数据的虚拟LAN（VLAN）。 然后，网络交换机调整网络的生成树，以便受保护的VLAN上的一个或多个端口被阻止或禁用，而不受影响的VLAN可以继续携带数据。 还提出了其他方法，用于在网络阻塞响应DOS攻击或其他入侵的网络的一个或多个VLAN或其他部分时避免有效数据丢失。

公开(公告)号：US20120204263A1

公开(公告)日：2012-08-09

申请号：US13447360

申请日：2012-04-16

申请人： Premkumar Jonnala ,  Neha M. Shah ,  Sivakumar Narayanan ,  Adam J. Sweeney ,  Silviu Dobrota

发明人： Premkumar Jonnala ,  Neha M. Shah ,  Sivakumar Narayanan ,  Adam J. Sweeney ,  Silviu Dobrota

IPC分类号： G06F21/00

CPC分类号： H04L63/1458 ,  H04L63/0272 ,  H04L2463/141

摘要： A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.

摘要翻译： 描述了一种保护数据网络免受拒绝服务（DOS）攻击的方法。 该方法可以使用各种网络工具来选择性地阻止或禁用经历DOS攻击的数据中继部分，从而防止DOS攻击到达网络上的至少一些资源。 在一个实施例中，网络交换机识别在数据中继线上携带可疑数据的虚拟LAN（VLAN）。 然后，网络交换机调整网络的生成树，以便受保护的VLAN上的一个或多个端口被阻止或禁用，而不受影响的VLAN可以继续携带数据。 还提出了其他方法，用于在网络阻塞响应DOS攻击或其他入侵的网络的一个或多个VLAN或其他部分时避免有效数据丢失。

公开(公告)号：US20060282892A1

公开(公告)日：2006-12-14

申请号：US11152625

申请日：2005-06-14

申请人： Premkumar Jonnala ,  Neha Shah ,  Sivakumar Narayanan ,  Adam Sweeney ,  Silviu Dobrota

发明人： Premkumar Jonnala ,  Neha Shah ,  Sivakumar Narayanan ,  Adam Sweeney ,  Silviu Dobrota

IPC分类号： G06F12/14

CPC分类号： H04L63/1458 ,  H04L63/0272 ,  H04L2463/141

摘要： A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.

公开(公告)号：US08082333B2

公开(公告)日：2011-12-20

申请号：US12267774

申请日：2008-11-10

申请人： Dehua Huang ,  Premkumar Jonnala ,  Nagarani Chandika ,  Kyle Gordon Haight ,  Feng Zhu ,  Dan Mihai Florea ,  Bimohit Bawa

发明人： Dehua Huang ,  Premkumar Jonnala ,  Nagarani Chandika ,  Kyle Gordon Haight ,  Feng Zhu ,  Dan Mihai Florea ,  Bimohit Bawa

IPC分类号： G06F15/177

CPC分类号： H04L63/101 ,  H04L61/2015

摘要： A DHCP proxy agent is provided to send on behalf of a static host a DHCP request so that an access layer security feature such as DHCP snooping/IPSG can be applied to the static host and/or in a mixed static IP and DHCP environment.

摘要翻译： 提供DHCP代理，代表静态主机发送DHCP请求，以便将访问层安全功能（如DHCP Snooping / IPSG）应用于静态主机和/或混合静态IP和DHCP环境。

公开(公告)号：US20100121944A1

公开(公告)日：2010-05-13

申请号：US12267774

申请日：2008-11-10

申请人： DEHUA HUANG ,  Premkumar Jonnala ,  Nagarani Chandika ,  Kyle Gordon Haight ,  Feng Zhu ,  Dan Mihai Florea ,  Bimohit Bawa

发明人： DEHUA HUANG ,  Premkumar Jonnala ,  Nagarani Chandika ,  Kyle Gordon Haight ,  Feng Zhu ,  Dan Mihai Florea ,  Bimohit Bawa

IPC分类号： G06F15/177

CPC分类号： H04L63/101 ,  H04L61/2015

摘要： A DHCP proxy agent is provided to send on behalf of a static host a DHCP request so that an access layer security feature such as DHCP snooping/IPSG can be applied to the static host and/or in a mixed static IP and DHCP environment.

摘要翻译： 提供DHCP代理，代表静态主机发送DHCP请求，以便将访问层安全功能（如DHCP Snooping / IPSG）应用于静态主机和/或混合静态IP和DHCP环境。

公开(公告)号：US09075594B2

公开(公告)日：2015-07-07

申请号：US13292259

申请日：2011-11-09

申请人： Vaibhav S. Katkade ,  Premkumar Jonnala ,  Anoop Vetteth

发明人： Vaibhav S. Katkade ,  Premkumar Jonnala ,  Anoop Vetteth

IPC分类号： G06F1/26 ,  H04L12/10

CPC分类号： G06F1/266 ,  H04L12/10

摘要： In one embodiment, a method includes a first device providing a first power to a second device using a first set of conductors out of a plurality of conductors. The method includes the first device providing, in response to receiving a notification, a second power to the second device using the first and a second set of conductors out of a plurality of conductors. The notification indicates that the second device can be supplied with a second power using the first set of conductors and a second set of conductors out of the plurality of conductors, and can also specify the configuration for enabling the second power.

摘要翻译： 在一个实施例中，一种方法包括使用多个导体中的第一组导体向第二装置提供第一功率的第一装置。 所述方法包括：第一装置响应于接收通知而提供使用多个导体中的第一和第二组导体的第二装置的第二功率。 该通知指示可以使用第一组导体和多个导体中的第二组导体向第二装置提供第二装置，并且还可以指定用于启用第二功率的配置。

公开(公告)号：US20050283627A1

公开(公告)日：2005-12-22

申请号：US11211205

申请日：2005-08-25

申请人： Wael Diab ,  Roger Karam ,  Premkumar Jonnala

发明人： Wael Diab ,  Roger Karam ,  Premkumar Jonnala

IPC分类号： G05B15/02 ,  G06F1/26 ,  G08B1/08

CPC分类号： G06F1/26

摘要： A data communications device includes a supervisory circuit, a power supply, and a power circuit. The power circuit includes a data communications port, a power supply connection coupled to the power supply, and a power controller coupled to the data communications port and the power supply connection. The power controller is configured to provide a power signal from the power supply connection to the data communications port in response to communication with the supervisory circuit. Upon loss of communication with the supervisory circuit, the power controller is configured to selectively continue to provide the power signal from the power supply connection to the data communications port when a local parameter has a first value, and discontinue providing the power signal from the power supply connection to the data communications port when the local parameter has a second value.

摘要翻译： 数据通信设备包括监控电路，电源和电源电路。 电源电路包括数据通信端口，耦合到电源的电源连接以及耦合到数据通信端口和电源连接的功率控制器。 功率控制器被配置为响应于与监控电路的通信，从电源连接向数据通信端口提供电力信号。 在丢失与监控电路的通信时，功率控制器被配置为当本地参数具有第一值时，选择性地继续将电力信号从电源连接提供给数据通信端口，并且停止从功率提供功率信号 当本地参数具有第二个值时，提供与数据通信端口的连接。