    41. Systems and methods for a SPDY to HTTP gateway
    Granted patent; status: active

    Publication number: US09438701B2

    Publication date: 2016-09-06

    Application number: US13887004

    Application date: 2013-05-03

    CPC classification number: H04L69/08 H04L67/02 H04L69/26

    Abstract: The present disclosure is directed towards a system and method for providing a SPDY to HTTP gateway via a device intermediary to a plurality of clients and a server. An NPN handshake by the intermediary device may establish SPDY support. The intermediary device may receive and process one or more control frames via SPDY session with the client. The intermediary device may generate and transmit HTTP communication to server corresponding to SPDY control frames. The intermediary device may receive and process one or more HTTP responses from server. The intermediary device may generate and transmit SPDY communication via SPDY session to client corresponding to HTTP response.


    42. Systems and methods for HTTP-body DoS attack prevention with adaptive timeout
    Granted patent; status: active

    Publication number: US09432399B2

    Publication date: 2016-08-30

    Application number: US14721658

    Application date: 2015-05-26

    CPC classification number: H04L63/1458 H04L63/02 H04L63/102 H04L63/168

    Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.


    43. Systems and methods for exporting application details using appflow
    Granted patent; status: active

    Publication number: US09432269B2

    Publication date: 2016-08-30

    Application number: US13858009

    Application date: 2013-04-06

    Abstract: The present disclosure is directed towards systems and methods for lightweight identification of flow information by application. A flow monitor executed by a processor of a device may maintain a counter. The flow monitor may associate an application with the value of the counter and transmit, to a data collector executed by a second device, the counter value and a name of the application. The flow monitor may monitor a data flow associated with the application to generate a data record. The flow monitor may transmit the data record to the data collector, the data record including an identification of the application consisting of the counter value and not including the name of the application. The data collector may then re-associate the data record with the application name based on the previously received counter value.


    44. SYSTEMS AND METHODS FOR IMPLEMENTATION OF JUMBO FRAME OVER EXISTING NETWORK STACK
    Patent application; status: active

    Publication number: US20160057070A1

    Publication date: 2016-02-25

    Application number: US14464585

    Application date: 2014-08-20

    CPC classification number: H04L47/6295 H04L47/365 H04L47/628 H04L49/3072

    Abstract: This disclosure is directed generally to systems and methods for implementation of Jumbo frames in an existing network stack. In some embodiments, a connection handler of a device receives data having a size greater than an Ethernet frame size. That data includes header data and payload data. The device partitions the data into segments including a first segment and a second segment. The first segment includes the header data and a first portion of the payload data, while the second segment includes a second portion of the payload data. The device stores the first and second segments in first and second network buffers, respectively, of a pool of network buffers. The device forms a packet chain of the first and second network buffers having a size greater than the Ethernet frame size. The device transmits the packet chain via a network connection.


    45. Systems and methods for HTTP-Body DoS attack prevention with adaptive timeout
    Granted patent; status: active

    Publication number: US09055100B2

    Publication date: 2015-06-09

    Application number: US13858008

    Application date: 2013-04-06

    CPC classification number: H04L63/1458 H04L63/02 H04L63/102 H04L63/168

    Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.


    46. SYSTEMS AND METHODS FOR CONTENT INJECTION
    Patent application; status: active

    Publication number: US20140365563A1

    Publication date: 2014-12-11

    Application number: US14469194

    Application date: 2014-08-26

    Abstract: The present solution is directed towards a policy-based intermediary that dynamically and flexibly injects content in responses between a client and a server based on one or more policies. The present solution addresses the challenges of injecting content in a client-server transaction. The intermediary determines when and what content to inject into a response of a client-server transaction based on a request and/or response policy. The injected content may include timestamp and/or variable tracking of different events in a client-server transaction. For example, when an intermediary appliance is deployed in a system to accelerate system performance and improve user experience, the appliance may inject content based on policy to monitor the acceleration performance of the deployed appliance.


    47. SYSTEMS AND METHODS FOR LEARNING MSS OF SERVICES
    Patent application; status: active

    Publication number: US20140247737A1

    Publication date: 2014-09-04

    Application number: US14198314

    Application date: 2014-03-05

    Abstract: The virtual Server (vServer) of an intermediary device deployed between a plurality of clients and services supports parameters for setting maximum segment size (MSS) on a per vServer/service basis and for automatically learning the MSS among the back-end services. In case of vServer/service setting, all vServers will use the MSS value set through the parameter for the MSS value set in TCP SYN+ACK to clients. In the case of learning mode, the backend service MSS will be learnt through monitor probing. The vServer will monitor and learn the MSS that is being frequently used by the services. When the learning is active, the intermediary device may keep statistics of the MSS of backend services picked up during load balancing decisions and once an interval timer expires, the MSS value may be picked by a majority and set on the vServer. If there is no majority, then the highest MSS is picked up to be set on the vServer.


    48. Dynamically Determining How Many Network Packets to Process
    Patent application; status: active

    Publication number: US20130304907A1

    Publication date: 2013-11-14

    Application number: US13891089

    Application date: 2013-05-09

    CPC classification number: H04L47/762 H04L47/10

    Abstract: A packet quota value, which indicates a maximum number of network packets that a network appliance processes before switching to a different task, is modified. Log data, which includes multiple log entries spanning a time interval, is accessed. Each log entry includes a processing time that indicates how much time the network appliance spent performing network traffic tasks before switching to the different task. The log data is analyzed. Responsive to the analysis indicating that a current state of network traffic is heavier than a maximum state of network traffic that was observed during the time interval, the packet quota value is increased. Responsive to the analysis indicating that the current state of network traffic is lighter than a minimum state of network traffic that was observed during the time interval, the packet quota value is decreased.

