Abstract:
The present solution relates to systems and methods for capturing and consolidating packet tracing in a cluster system. A multi-nodal cluster processing network traffic contains multiple nodes, each handling some of the processing. A node may initially receive a flow and transfer processing of the flow to another node for processing. A flow may therefore pass from one node to another, from two nodes to many nodes. In some instances, it is helpful to generate a trace of a flow. For example, in debugging a network communication flow, a trace of the flow through the cluster can be helpful. Each node has a packet engine (“PE”) which processes data packets and can, when trace is enabled, generate a trace file for the packets processed at the respective node. A trace aggregator merges these distinct trace files into an aggregate trace for the cluster.
Abstract:
Systems and methods for establishing a multipath connection include a first processor of a first cluster forwarding a first request from a client to establish a first connection with a server to a second processor of a second cluster. A third processor of the first cluster receives a second request to establish a multipath connection between the client and the server. The third processor forwards the second request to the second processor responsive to determining that the second request is to establish a multipath connection. The second processor establishes the multipath connection that includes the first connection and a second connection used as paths of the multipath connection.
Abstract:
Reducing vulnerability of a server is provided. A device intermediary to a client and a server can receive an RPC message from the RPC-based client to the RPC-based server, the RPC message having a plurality of fields to execute one or more routines on the server. The device can detect that one or more fields of the plurality of fields exploit a vulnerability of the RPC-based server. The device can modify the RPC message to remove the one or more fields from the RPC message. The device can forward the modified RPC message to the RPC server.
Abstract:
The present invention is directed towards systems and methods for multipath transmission control protocol (MPTCP) connection management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of an MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflow to be processed at the third device. The third device may receive the packets with the converted sequence identifiers in a single TCP connection.
Abstract:
The present solution is directed to systems and methods for synchronizing a random seed value among a plurality of multi-core nodes in a cluster of nodes for generating a cookie signature. The cookie signature may be used for protection from SYN flood attacks. A cluster of nodes comprises one master node and one or more other nodes. Each node comprises one master core and one or more other cores. A random number is generated at the master core of the master node. The random number is synchronized across every other core. The random number is used to generate a secret key value that is attached in the encoded initial sequence number of a SYN-ACK packet. If the responding ACK packet does not contain the secret key value, then the ACK packet is dropped.
Abstract:
The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.
Abstract:
The systems and methods of the present solution are directed to providing Entity Tag persistency by a device intermediary to a client and a plurality of servers. An intermediary device between a client and one or more back-end servers can receive an entity requested by the client from an origin server that provides the requested content. The intermediary device can encode the back-end server information onto an ETag of the entity, cache the entity with the encoded ETag, and serve the entity with the encoded ETag to the client. In this way, when the client attempts to validate the entity by sending a request including the encoded ETag to the intermediary device, the intermediary device decodes the encoded ETag to extract the identity of the back-end server and sends the validation request to the identified server that originally sent the entity containing the requested content.