公开(公告)号：US20150281272A1

公开(公告)日：2015-10-01

申请号：US14721658

申请日：2015-05-26

Applicant: Citrix Systems, Inc.

Inventor： Meghashree Iyengar ,  Krishna Khanal ,  Saravana Annamalaisami ,  Shashidhara Nanjundaswamy

IPC: H04L29/06

CPC classification number: H04L63/1458 ,  H04L63/02 ,  H04L63/102 ,  H04L63/168

Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.

Abstract translation: 本公开一般涉及用于改变应用层事务超时以防止拒绝服务攻击的系统和方法。 客户机和服务器的设备中介可以经由设备和客户端之间的传输层连接来接收应用层事务的分组。 响应于分组的大小小于传输层连接的最大分段大小的预定分数，设备可以将用于传输层连接的攻击计数器增加第一预定量。 响应于分组与先前分组之间的分组间延迟多于往返时间的预定乘数，设备可以使攻击计数器增加第二预定量。 响应于将攻击计数器与预定阈值进行比较，设备可以改变应用层事务的超时。

公开(公告)号：US20140351447A1

公开(公告)日：2014-11-27

申请号：US14282954

申请日：2014-05-20

Applicant: Citrix Systems, Inc.

Inventor： Saravana Annamalaisami ,  Krishna Khanal ,  Varun Taneja ,  Mahesh Mylarappa

IPC: H04L29/06 ,  H04L12/707

CPC classification number: H04L65/1069 ,  H04L45/24 ,  H04L65/4076 ,  H04L69/14 ,  H04L69/163 ,  H04L69/326

Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device. The third device may receive the packets with the converted sequence identifiers in a single TCP connection.

Abstract translation: 本发明涉及用于多径传输控制协议连接（MPTCP）管理的系统和方法。 响应于建立第一设备和第二设备之间的MPTCP会话，第一设备，第二设备和第三设备之间的中介可以建立协议控制结构。 第一设备可以经由协议控制结构维护包括第一设备和第二设备之间的MPTCP会话中的传输控制协议（TCP）连接的多个子流的标识。 第一设备可以经由协议控制结构将经由多个子流中的每一个发送的分组的子流特定序列标识符转换或翻译成在多个子流中唯一的序列标识符，并且从每个子流识别相关分组以在 第三个设备。 第三设备可以在单个TCP连接中接收具有转换的序列标识符的分组。

公开(公告)号：US20140304810A1

公开(公告)日：2014-10-09

申请号：US14245533

申请日：2014-04-04

Applicant: Citrix Systems, Inc.

Inventor： Krishna Khanal ,  Saravana Annamalaisami ,  Mahesh Mylarappa

IPC: H04L29/06

CPC classification number: H04L63/1466 ,  H04L63/0428

Abstract: The present solution is directed to systems and methods for synchronizing a random seed value among a plurality of multi-core nodes in a cluster of nodes for generating a cookie signature. The cookie signature may be used for protection from SYN flood attacks. A cluster of nodes comprises one master node and one or more other nodes. Each node comprises one master core and one or more other cores. A random number is generated at the master core of the master node. The random number is synchronized across every other core. The random number is used to generated a secret key value that is attached in the encoded initial sequence number of a SYN-ACK packet. If the responding ACK packet does not contain the secret key value, then the ACK packet is dropped.

Abstract translation: 本解决方案涉及用于在节点簇中的多个多核节点之间同步随机种子值以产生Cookie签名的系统和方法。 Cookie签名可用于防止SYN Flood攻击。 一组节点包括一个主节点和一个或多个其他节点。 每个节点包括一个主核和一个或多个其他核。 在主节点的主核心处生成随机数。 随机数在每隔一个核心上同步。 随机数用于产生附加在SYN-ACK分组的经编码的初始序列号中的秘密密钥值。 如果响应的ACK分组不包含密钥值，则ACK分组被丢弃。

公开(公告)号：US20140304393A1

公开(公告)日：2014-10-09

申请号：US13858009

申请日：2013-04-06

Applicant: CITRIX SYSTEMS, INC.

Inventor： Saravana Annamalaisami ,  Rajesh Joshi ,  Sovit Garg

IPC: H04L12/26

CPC classification number: H04L43/04 ,  G06F9/4445 ,  G06F9/45533 ,  G06F11/006 ,  G06F11/3433 ,  G06F11/3495 ,  G06F2201/80 ,  G06F2201/815 ,  G06F2201/87 ,  G06F2201/875 ,  G06F2201/88 ,  H04L43/026 ,  H04L43/028 ,  H04L63/102 ,  H04L63/168 ,  H04L67/146

Abstract: The present disclosure is directed towards systems and methods for lightweight identification of flow information by application. A flow monitor executed by a processor of a device may maintain a counter. The flow monitor may associate an application with the value of the counter and transmit, to a data collector executed by a second device, the counter value and a name of the application. The flow monitor may monitor a data flow associated with the application to generate a data record. The flow monitor may transmit the data record to the data collector, the data record including an identification of the application consisting of the counter value and not including the name of the application. The data collector may then re-associate the data record with the application name based on the previously received counter value.

Abstract translation: 本公开涉及用于通过应用轻量级识别流信息的系统和方法。 由设备的处理器执行的流量监视器可以维持计数器。 流量监视器可将应用程序与计数器的值相关联，并将其发送到由第二设备执行的数据收集器，计数器值和应用程序的名称。 流量监视器可以监视与应用相关联的数据流以生成数据记录。 流量监视器可以将数据记录传送到数据收集器，数据记录包括由计数器值组成的应用的标识，并且不包括应用的名称。 然后，数据收集器可以基于先前接收到的计数器值来重新将数据记录与应用程序名称相关联。

公开(公告)号：US20140304325A1

公开(公告)日：2014-10-09

申请号：US14245514

申请日：2014-04-04

Applicant: Citrix Systems, Inc.

Inventor： Krishna Khanal ,  Ashwin Jagadish ,  Saravana Annamalaisami

IPC: H04L29/06

CPC classification number: H04L63/0272 ,  H04L63/0428 ,  H04L63/08

Abstract: The systems and methods of the present solution are directed to providing Entity Tag persistency by a device intermediary to a client and a plurality of servers. An intermediary device between a client and one or more back-end servers can receive an entity requested by the client from an origin server that provides the requested content. The intermediary device can encode the back-end server information onto an ETag of the entity, cache the entity with the encoded ETag and serve the entity with the encoded ETag to the client. In this way, when the client attempts to validate the entity by sending a request including the encoded ETag to the intermediary device, the intermediary device decodes the encoded ETag to extract the identity of the backend server and sends the request to validate the entity to the identified server that originally sent the entity that included the requested content.

Abstract translation: 本解决方案的系统和方法旨在通过设备中介到客户端和多个服务器来提供实体标签持久性。 客户机和一个或多个后端服务器之间的中间设备可以从提供请求的内容的源服务器接收客户端请求的实体。 中间设备可以将后端服务器信息编码到实体的ETag上，用经编码的ETag缓存实体，并向编码的ETag服务实体给客户端。 以这种方式，当客户端尝试通过向中介设备发送包括经编码的ETag的请求来验证实体时，中介设备解码编码的ETag以提取后端服务器的身份，并发送请求以将该实体验证到 最初发送包含所请求内容的实体的服务器。

公开(公告)号：US20190394280A1

公开(公告)日：2019-12-26

申请号：US16012963

申请日：2018-06-20

Applicant: CITRIX SYSTEMS, INC.

Inventor： Jyotheesh Rao Kurma ,  Saravana Annamalaisami ,  Muthukumar Shunmugiah ,  Saravanan Jayaraman ,  Subash Dangol

IPC: H04L29/08 ,  H04L29/06

Abstract: A network appliance is provided for establishing sessions between client devices and a network server(s) for exchanging network traffic therebetween. The network appliance may include a memory and a processor cooperating with the memory, with the processor being operable in a normal traffic mode and a forwarding traffic mode. The processor may be configured to establish new sessions for network traffic based upon new session requests from the client devices, and forward network traffic associated with prior existing sessions from the client devices to the network server(s). When in the forwarding traffic mode, the processor may forward network traffic not associated with a prior existing session or a new session request to the network server(s). When in the normal traffic mode, the processor may block network traffic not associated with a prior existing session or a new session request from reaching the network server(s).

公开(公告)号：US09888042B2

公开(公告)日：2018-02-06

申请号：US14282954

申请日：2014-05-20

Applicant: Citrix Systems, Inc.

Inventor： Saravana Annamalaisami ,  Krishna Khanal ,  Varun Taneja ,  Mahesh Mylarappa

IPC: G06F15/16 ,  H04L29/06 ,  H04L12/707 ,  H04L29/08

CPC classification number: H04L65/1069 ,  H04L45/24 ,  H04L65/4076 ,  H04L69/14 ,  H04L69/163 ,  H04L69/326

Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device. The third device may receive the packets with the converted sequence identifiers in a single TCP connection.

公开(公告)号：US09521088B2

公开(公告)日：2016-12-13

申请号：US13891089

申请日：2013-05-09

Applicant: Citrix Systems, Inc.

Inventor： Mohit Saxena ,  Ramanjaneyulu Y Talla ,  Saravana Annamalaisami

IPC: G06F15/173 ,  H04L12/923 ,  H04L12/801

CPC classification number: H04L47/762 ,  H04L47/10

Abstract: A packet quota value, which indicates a maximum number of network packets that a network appliance processes before switching to a different task, is modified. Log data, which includes multiple log entries spanning a time interval, is accessed. Each log entry includes a processing time that indicates how much time the network appliance spent performing network traffic tasks before switching to the different task. The log data is analyzed. Responsive to the analysis indicating that a current state of network traffic is heavier than a maximum state of network traffic that was observed during the time interval, the packet quota value is increased. Responsive to the analysis indicating that the current state of network traffic is lighter than a minimum state of network traffic that was observed during the time interval, the packet quota value is decreased.

Abstract translation: 指示网络设备在切换到不同任务之前进行的最大网络数据包数量的数据包配额值被修改。 访问日志数据，其中包括跨时间间隔的多个日志条目。 每个日志条目包括处理时间，指示网络设备在切换到不同任务之前花费多少时间执行网络流量任务。 分析日志数据。 响应于表示网络流量的当前状态比在时间间隔期间观察到的网络流量的最大状态更重的分析，分组配额值增加。 响应于分析，表明网络流量的当前状态比在时间间隔期间观察到的网络流量的最小状态更轻，分组配额值降低。

公开(公告)号：US09497281B2

公开(公告)日：2016-11-15

申请号：US14245505

申请日：2014-04-04

Applicant: Citrix Systems, Inc.

Inventor： Ashwin Jagadish ,  Mahesh Mylarappa ,  Sandhya Gopinath ,  Saravana Annamalaisami ,  Shashidhara Nanjundaswamy

IPC: H04L12/747 ,  H04L29/08 ,  H04L12/743

CPC classification number: H04L67/2814 ,  H04L45/7453

Abstract: The present disclosure is directed towards methods and systems for caching packet steering sessions for steering data packets between intermediary devices of a cluster of intermediary devices intermediary to a client and a plurality of servers. A first intermediary device receives a first data packet and determines, from a hash of a tuple of the first packet, a second intermediary device to which to steer the first packet. The first device stores, to a session for storing packet steering information, the identity of the second device and the tuple. The first device receives a second packet having a corresponding tuple that matches the tuple of the first packet and determines, based on a lookup for the session using the tuple of the second packet, that the second device is the intermediary device to which to steer the second packet. The first device steers the second packet to the second device.

Abstract translation: 本公开涉及用于缓存用于在客户机中间的多个中间设备的集群的中间设备和多个服务器之间指导数据分组的分组导向会话的方法和系统。 第一中间设备接收第一数据分组，并且从第一分组的元组的散列中确定第二中介设备来引导第一分组。 第一设备存储分组转向信息的会话，第二设备和元组的身份。 第一设备接收具有与第一分组的元组匹配的对应元组的第二分组，并且基于对使用第二分组的元组的会话的查找确定第二设备是引导其的中间设备 第二个包。 第一设备将第二分组转向第二设备。

公开(公告)号：US09491218B2

公开(公告)日：2016-11-08

申请号：US14198314

申请日：2014-03-05

Applicant: Citrix Systems Inc.

Inventor： Ashok Kumar Jagadeeswaran ,  Saravana Annamalaisami

IPC: H04L12/805 ,  H04L29/06 ,  H04L12/26 ,  H04L29/08

CPC classification number: H04L65/605 ,  H04L43/04 ,  H04L43/08 ,  H04L47/36 ,  H04L67/1008 ,  H04L67/1023 ,  H04L69/166

Abstract: The virtual Server (vServer) of an intermediary device deployed between a plurality of clients and services supports parameters for setting maximum segment size (MSS) on a per vServer/service basis and for automatically learning the MSS among the back-end services. In case of vServer/service setting, all vServers will use the MSS value set through the parameter for the MSS value set in TCP SYN+ACK to clients. In the case of learning mode, the backend service MSS will be learnt through monitor probing. The vServer will monitor and learn the MSS that is being frequently used by the services. When the learning is active, the intermediary device may keep statistics of the MSS of backend services picked up during load balancing decisions and once an interval timer expires, the MSS value may be picked by a majority and set on the vServer. If there is no majority, then the highest MSS is picked up to be set on the vServer.

Abstract translation: 部署在多个客户端和服务之间的中间设备的虚拟服务器（vServer）支持用于在每个vServer /服务基础上设置最大段大小（MSS）的参数，并用于在后端服务中自动学习MSS。 在vServer /服务设置的情况下，所有vServer将使用通过该参数设置的MSS值，以将TCP SYN + ACK中设置的MSS值设置为客户端。 在学习模式的情况下，后端服务MSS将通过监视器探测来学习。 vServer将监视和学习服务频繁使用的MSS。 当学习活动时，中介设备可以保持负载均衡决策期间所接收的后台服务的MSS的统计信息，并且一旦间隔定时器到期，则MSS值可以通过多数被选择并设置在vServer上。 如果没有多数，那么最高的MSS被拾取在vServer上设置。