公开(公告)号：US08250650B2

公开(公告)日：2012-08-21

申请号：US10937695

申请日：2004-09-09

申请人： Clark Debs Jeffries ,  Mohammad Peyravian

发明人： Clark Debs Jeffries ,  Mohammad Peyravian

IPC分类号： G06F21/00

CPC分类号： H04L63/1458

摘要： The present invention provides for protecting against denial of service attacks. A request is sent by a client, the request comprises client indicia. The request is received at a server. A request count is incremented by the server. A sequence number is assigned as a function of the client indicia. A problem is selected by the server. The problem is sent by the server to the client. A solution to the problem is sent to the server. It is determined if the solution by client is correct. If the solution is correct, a session is performed. If the solution is not correct, the request is discarded. This can substantially decrease the amount of attacks performed by a rogue client, as the session set-up time can be substantial.

摘要翻译： 本发明提供了防止拒绝服务攻击的保护。 请求由客户端发送，请求包括客户端标记。 服务器收到请求。 请求计数由服务器递增。 作为客户端标记的函数分配序列号。 服务器选择了一个问题。 该问题由服务器发送给客户端。 将问题的解决方案发送到服务器。 确定客户端的解决方案是否正确。 如果解决方案是正确的，则执行会话。 如果解决方案不正确，请求将被丢弃。 这可以显着减少流氓客户端执行的攻击的数量，因为会话建立时间可能很大。

公开(公告)号：US07957372B2

公开(公告)日：2011-06-07

申请号：US10896733

申请日：2004-07-22

申请人： Alan David Boulanger ,  Robert William Danford ,  Kevin David Himberger ,  Clark Debs Jeffries

发明人： Alan David Boulanger ,  Robert William Danford ,  Kevin David Himberger ,  Clark Debs Jeffries

IPC分类号： H04L12/28 ,  G06F9/00 ,  G06F11/00

CPC分类号： H04L63/1416 ,  H04L63/1466

摘要： A detection and response system including a set of algorithms for detecting within a stream of normal computer traffic a subset of (should focus on network traffic eliciting a response) TCP or UDP packets with one IP Source Address (SA) value, one or a few Destination Address (DA) values, and a number exceeding a threshold of distinct Destination Port (DP) values. A lookup mechanism such as a Direct Table and Patricia search tree record and trace sets of packets with one SA and one DA as well as the set of DP values observed for the given SA, DA combination. The detection and response system reports the existence of such a subset and the header values including SA, DA, and multiple DPs of the subset. The detection and response system also includes various administrative responses to reports.

摘要翻译： 一种检测和响应系统，包括一组用于在正常计算机业务流内检测的一组算法（应该侧重于引发响应的网络业务）具有一个IP源地址（SA）值的TCP或UDP分组，一个或几个 目标地址（DA）值和超过不同目标端口（DP）值阈值的数字。 一个查找机制，如直接表和帕特里夏搜索树记录，跟踪一组SA和一个DA的数据包以及给定SA，DA组合观察到的一组DP值。 检测和响应系统报告这样的子集的存在以及包括SA，DA和子集的多个DP的标题值。 检测和响应系统还包括对报告的各种管理响应。

公开(公告)号：US20080273464A1

公开(公告)日：2008-11-06

申请号：US12174999

申请日：2008-07-17

申请人： James Johnson Allen ,  Brian Mitchell Bass ,  Gordon Taylor Davis ,  Clark Debs Jeffries ,  Jitesh Ramachandran Nair ,  Ravinder Kumar Sabhikhi ,  Michael Steven Siegel ,  Rama Mohan Yedavalli

发明人： James Johnson Allen ,  Brian Mitchell Bass ,  Gordon Taylor Davis ,  Clark Debs Jeffries ,  Jitesh Ramachandran Nair ,  Ravinder Kumar Sabhikhi ,  Michael Steven Siegel ,  Rama Mohan Yedavalli

IPC分类号： H04L12/24

CPC分类号： H04L47/32 ,  H04L47/12 ,  H04L47/24 ,  H04L47/30 ,  H04L49/90

摘要： The decision within a packet processing device to transmit a newly arriving packet into a queue to await further processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to a threshold. The outcome of the update is adjustment up or down of the transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.

摘要翻译： 通过流控制方法和系统，在分组处理设备内决定将新到达的分组发送到队列中等待进一步处理或丢弃相同的分组。 流量控制以由存储和流量限制确定的恒定周期进行更新。 该更新包括将当前队列占用率与阈值进行比较。 更新的结果是传输概率值的上调或下调。 该值存储在随后的流量控制周期中，并且在该时间段期间到达的分组经受使用该值的发送或丢弃决定。

公开(公告)号：US07430169B2

公开(公告)日：2008-09-30

申请号：US10161000

申请日：2002-06-03

申请人： James Johnson Allen, Jr. ,  Brian Mitchell Bass ,  Gordon Taylor Davis ,  Clark Debs Jeffries ,  Jitesh Ramachandran Nair ,  Ravinder Kumar Sabhikhi ,  Michael Steven Siegel ,  Rama Mohan Yedavalli

发明人： James Johnson Allen, Jr. ,  Brian Mitchell Bass ,  Gordon Taylor Davis ,  Clark Debs Jeffries ,  Jitesh Ramachandran Nair ,  Ravinder Kumar Sabhikhi ,  Michael Steven Siegel ,  Rama Mohan Yedavalli

IPC分类号： H04L12/54

CPC分类号： H04L47/32 ,  H04L47/12 ,  H04L47/24 ,  H04L47/30 ,  H04L49/90

摘要： The decision within a packet processing device to transmit a newly arriving packet into a queue to await further processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to a threshold. The outcome of the update is adjustment up or down of the transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.

摘要翻译： 通过流控制方法和系统，在分组处理设备内决定将新到达的分组发送到队列中等待进一步处理或丢弃相同的分组。 流量控制以由存储和流量限制确定的恒定周期进行更新。 该更新包括将当前队列占用率与阈值进行比较。 更新的结果是传输概率值的上调或下调。 该值存储在随后的流量控制周期中，并且在该时间段期间到达的分组经受使用该值的发送或丢弃决定。

公开(公告)号：US20080232386A1

公开(公告)日：2008-09-25

申请号：US12114767

申请日：2008-05-03

申请人： Brahmanand Kumar Gorti ,  Marco Heddes ,  Clark Debs Jeffries ,  Andreas Kind ,  Michael Steven Siegel

发明人： Brahmanand Kumar Gorti ,  Marco Heddes ,  Clark Debs Jeffries ,  Andreas Kind ,  Michael Steven Siegel

IPC分类号： H04L12/28

CPC分类号： H04L47/6215 ,  H04L47/10 ,  H04L47/2416 ,  H04L47/2433 ,  H04L47/30 ,  H04L47/32 ,  H04L47/50 ,  H04L47/52 ,  H04L47/56

摘要： A method and system for transmitting packets in a packet switching network. Packets received by a packet processor may be prioritized based on the urgency to process them. Packets that are urgent to be processed may be referred to as real-time packets. Packets that are not urgent to be processed may be referred to as non-real-time packets. Real-time packets have a higher priority to be processed than non-real-time packets. A real-time packet may either be discarded or transmitted into a real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time queue congestion conditions. A non-real-time packet may either be discarded or transmitted into a non-real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time and non-real-time queue congestion conditions.

摘要翻译： 一种用于在分组交换网络中传送分组的方法和系统。 可以基于处理它们的紧急性来优先考虑由分组处理器接收的分组。 紧急处理的数据包可以称为实时数据包。 不紧急处理的数据包可能被称为非实时数据包。 实时数据包的优先级要高于非实时数据包。 可以根据其值优先级，该值优先级的最小和最大速率以及当前实时队列拥塞条件，将实时分组丢弃或传输到实时队列中。 可以基于其值优先级，该值优先级的最小和最大速率以及当前的实时和非实时队列拥塞将非实时分组丢弃或发送到非实时队列 条件。

公开(公告)号：US07385997B2

公开(公告)日：2008-06-10

申请号：US10118493

申请日：2002-04-08

申请人： Brahmanand Kumar Gorti ,  Marco Heddes ,  Clark Debs Jeffries ,  Andreas Kind ,  Michael Steven Siegel

发明人： Brahmanand Kumar Gorti ,  Marco Heddes ,  Clark Debs Jeffries ,  Andreas Kind ,  Michael Steven Siegel

IPC分类号： H04L12/28 ,  H04L12/56

CPC分类号： H04L47/6215 ,  H04L47/10 ,  H04L47/2416 ,  H04L47/2433 ,  H04L47/30 ,  H04L47/32 ,  H04L47/50 ,  H04L47/52 ,  H04L47/56

摘要： A method and system for transmitting packets in a packet switching network. Packets received by a packet processor may be prioritized based on the urgency to process them. Packets that are urgent to be processed may be referred to as real-time packets. Packets that are not urgent to be processed may be referred to as non-real-time packets. Real-time packets have a higher priority to be processed than non-real-time packets. A real-time packet may either be discarded or transmitted into a real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time queue congestion conditions. A non-real-time packet may either be discarded or transmitted into a non-real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time and non-real-time queue congestion conditions.

摘要翻译： 一种用于在分组交换网络中传送分组的方法和系统。 可以基于处理它们的紧急性来优先考虑由分组处理器接收的分组。 紧急处理的数据包可以称为实时数据包。 不紧急处理的数据包可能被称为非实时数据包。 实时数据包的优先级要高于非实时数据包。 可以根据其值优先级，该值优先级的最小和最大速率以及当前实时队列拥塞条件，将实时分组丢弃或传输到实时队列中。 可以基于其值优先级，该值优先级的最小和最大速率以及当前的实时和非实时队列拥塞将非实时分组丢弃或发送到非实时队列 条件。

公开(公告)号：US07224670B2

公开(公告)日：2007-05-29

申请号：US10160507

申请日：2002-06-03

申请人： Clark Debs Jeffries ,  Jitesh Ramachandran Nair ,  Michael Steven Siegel ,  Rama Mohan Yedavalli

发明人： Clark Debs Jeffries ,  Jitesh Ramachandran Nair ,  Michael Steven Siegel ,  Rama Mohan Yedavalli

IPC分类号： H04L12/26

CPC分类号： H04L47/30 ,  H04L47/10 ,  H04L47/29 ,  H04L47/32

摘要： The decision within a packet processing device to transmit a newly arriving packet into a queue to await processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to thresholds and also comparing present queue occupancy to previous queue occupancy. The outcome of the update is a new transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.

摘要翻译： 通过流控制方法和系统来进行分组处理装置中将新到达的分组发送到队列中等待处理或丢弃相同分组的决定。 流量控制以由存储和流量限制确定的恒定周期进行更新。 该更新包括将当前队列占用率与阈值进行比较，还将当前队列占用率与先前队列占用率进行比较。 更新的结果是新的传输概率值。 该值存储在随后的流量控制周期中，并且在该时间段期间到达的分组经受使用该值的发送或丢弃决定。

公开(公告)号：US07107344B2

公开(公告)日：2006-09-12

申请号：US09931540

申请日：2001-08-16

申请人： Gordon Taylor Davis ,  Clark Debs Jeffries ,  Mark Anthony Rinaldi

发明人： Gordon Taylor Davis ,  Clark Debs Jeffries ,  Mark Anthony Rinaldi

IPC分类号： G06F15/16

CPC分类号： H04L69/16 ,  H04L67/14 ,  H04L69/163

摘要： A method and apparatus useful in network management which makes intelligent, high speed, connection allocation decisions, overcoming difficulties encountered heretofore and providing enhanced network services. During episodes of network congestion, some connection requests for a class of service of low value and with currently a high number of existing connections may be purposefully ignored (not acknowledged with an Acknowledge (ACK) packet) so that the processing capability of a device will not become overwhelmed, causing the dropping of new connection is to note the numbers of connections of different classes relative to their service-level contracts, to ignore abundant, low-value connection requests in accordance with value policies when and only when necessary, and to insure that valuable new connection requests that conform to their contract connection rates can be intelligently accommodated.

摘要翻译： 一种在网络管理中有用的方法和装置，其实现智能，高速，连接分配决策，克服迄今遇到的困难并提供增强的网络服务。 在网络拥塞发生期间，可以有目的地忽略一些低价值服务和当前具有大量现有连接的连接请求（未被确认（ACK）分组确认），使得设备的处理能力将 不会变得不堪重负，导致新连接的下降是注意到不同类别与其服务级别合同的连接数量，当且仅在必要时根据价值政策忽略丰富的低价值连接请求，并且 确保符合其合同连接率的有价值的新连接请求可以被智能地适应。

公开(公告)号：US07054855B2

公开(公告)日：2006-05-30

申请号：US09898253

申请日：2001-07-03

申请人： Claude Basso ,  Jean Louis Calvignac ,  Philippe Damon ,  Gordon Taylor Davis ,  Marco C. Heddes ,  Clark Debs Jeffries

发明人： Claude Basso ,  Jean Louis Calvignac ,  Philippe Damon ,  Gordon Taylor Davis ,  Marco C. Heddes ,  Clark Debs Jeffries

IPC分类号： G06F17/30

CPC分类号： G06F17/30985 ,  H04L29/12132 ,  H04L29/12594 ,  H04L61/1552 ,  H04L61/30 ,  Y10S707/99933 ,  Y10S707/99942

摘要： A method and system for performing a pattern match search for a data string having a plurality of characters separated by delimiters. In accordance with the method of the present invention a search key is constructed by generating a full match search increment comprising the binary representation of a data string element, wherein the data string element comprises all characters between a pair of delimiters. The search key is completed by concatenating a pattern search prefix to the full match search increment, wherein the pattern search prefix is a cumulative pattern search result of each previous full match search increment. A full match search is then performed within a lookup table utilizing the search key. In response to finding a matching pattern within the lookup table, the process returns to constructing a next search key. In response to not finding a matching pattern, the previous full match search result is utilized to process the data string.

公开(公告)号：US06886073B2

公开(公告)日：2005-04-26

申请号：US10173994

申请日：2002-06-18

申请人： Gordon Taylor Davis ,  Clark Debs Jeffries ,  Jan Van Lunteren

发明人： Gordon Taylor Davis ,  Clark Debs Jeffries ,  Jan Van Lunteren

IPC分类号： G06F12/00 ,  G06F17/30 ,  H04L29/06

CPC分类号： H04L69/22 ,  H04L69/12

摘要： A method and system for storing and searching for prefixes for rules, such as filter rules, in a computer system is disclosed. The method and system include providing a ternary content addressable memory (TCAM). The filter rules use range(s) of values in at least one dimension and correspond to prefix(es). The range(s) are described by prefix(es). Some filter rules may intersect. The method and system include providing priorities for the filter rules. The priorities include at least one different priority for the filter rules that intersect. The method and system also include storing the prefixes in the TCAM in block(s) in an order based upon the priorities of the filter rules. In another aspect, the method and system include searching the TCAM for a longest prefix match for a key and searching an additional storage for an almost exact match for the key in parallel with the TCAM. In this aspect, the method and system include returning the longest prefix match having a lowest or a highest location if the longest prefix match is found in the TCAM and the almost exact match is not found in the additional storage.

摘要翻译： 公开了一种用于在计算机系统中存储和搜索诸如过滤规则的规则的前缀的方法和系统。 该方法和系统包括提供三元内容可寻址存储器（TCAM）。 过滤器规则使用至少一个维度中的值的范围，并对应于前缀（es）。 范围由前缀（es）描述。 一些过滤规则可能会相交。 该方法和系统包括为过滤规则提供优先级。 优先级至少包含与交叉的过滤规则的一个不同的优先级。 该方法和系统还包括基于过滤器规则的优先级按顺序将块中的前缀存储在块中。 在另一方面，所述方法和系统包括搜索TCAM对于密钥的最长前缀匹配，并且搜索附加存储器以与所述TCM并行的所述密钥几乎精确匹配。 在这方面，如果在TCAM中找到最长前缀匹配并且在附加存储器中找不到几乎精确的匹配，则该方法和系统包括返回具有最低或最高位置的最长前缀匹配。