Abstract:
The present invention provides for protecting against denial of service attacks. A request is sent by a client; the request comprises client indicia. The request is received at a server. A request count is incremented by the server. A sequence number is assigned as a function of the client indicia. A problem is selected by the server. The problem is sent by the server to the client. A solution to the problem is sent to the server. It is determined whether the solution from the client is correct. If the solution is correct, a session is performed. If the solution is not correct, the request is discarded. This can substantially decrease the number of attacks performed by a rogue client, as the session set-up time can be substantial.
Abstract:
The decision within a packet processing device to transmit a newly arriving packet into a queue to await further processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to a threshold. The outcome of the update is adjustment up or down of the transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.
Abstract:
A method and system for transmitting packets in a packet switching network. Packets received by a packet processor may be prioritized based on the urgency to process them. Packets that are urgent to be processed may be referred to as real-time packets. Packets that are not urgent to be processed may be referred to as non-real-time packets. Real-time packets have a higher priority to be processed than non-real-time packets. A real-time packet may either be discarded or transmitted into a real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time queue congestion conditions. A non-real-time packet may either be discarded or transmitted into a non-real-time queue based upon its value priority, the minimum and maximum rates for that value priority and the current real-time and non-real-time queue congestion conditions.
Abstract:
The decision within a packet processing device to transmit a newly arriving packet into a queue to await processing or to discard the same packet is made by a flow control method and system. The flow control is updated with a constant period determined by storage and flow rate limits. The update includes comparing current queue occupancy to thresholds and also comparing present queue occupancy to previous queue occupancy. The outcome of the update is a new transmit probability value. The value is stored for the subsequent period of flow control and packets arriving during that period are subject to a transmit or discard decision that uses that value.
Abstract:
A method and apparatus useful in network management which makes intelligent, high speed, connection allocation decisions, overcoming difficulties encountered heretofore and providing enhanced network services. During episodes of network congestion, some connection requests for a class of service of low value and with currently a high number of existing connections may be purposefully ignored (not acknowledged with an Acknowledge (ACK) packet) so that the processing capability of a device will not become overwhelmed, causing the dropping of new connection is to note the numbers of connections of different classes relative to their service-level contracts, to ignore abundant, low-value connection requests in accordance with value policies when and only when necessary, and to insure that valuable new connection requests that conform to their contract connection rates can be intelligently accommodated.
Abstract:
A method and system for performing a pattern match search for a data string having a plurality of characters separated by delimiters. In accordance with the method of the present invention a search key is constructed by generating a full match search increment comprising the binary representation of a data string element, wherein the data string element comprises all characters between a pair of delimiters. The search key is completed by concatenating a pattern search prefix to the full match search increment, wherein the pattern search prefix is a cumulative pattern search result of each previous full match search increment. A full match search is then performed within a lookup table utilizing the search key. In response to finding a matching pattern within the lookup table, the process returns to constructing a next search key. In response to not finding a matching pattern, the previous full match search result is utilized to process the data string.
Abstract:
A method and system for storing and searching for prefixes for rules, such as filter rules, in a computer system is disclosed. The method and system include providing a ternary content addressable memory (TCAM). The filter rules use range(s) of values in at least one dimension and correspond to prefix(es). The range(s) are described by prefix(es). Some filter rules may intersect. The method and system include providing priorities for the filter rules. The priorities include at least one different priority for the filter rules that intersect. The method and system also include storing the prefixes in the TCAM in block(s) in an order based upon the priorities of the filter rules. In another aspect, the method and system include searching the TCAM for a longest prefix match for a key and searching an additional storage for an almost exact match for the key in parallel with the TCAM. In this aspect, the method and system include returning the longest prefix match having a lowest or a highest location if the longest prefix match is found in the TCAM and the almost exact match is not found in the additional storage.
Abstract:
The decision to discard or forward a packet is made by a flow control mechanism, upstream from the forwarding engine in the node of a communication network. The forwarding engine includes a switch with a mechanism to detect congestion in the switch and return a binary signal B indicating congestion or no congestion. The flow control mechanism uses B and other network-related information to generate a probability transmission table against which received packets are tested to determine proactively whether a packet is to be discarded or forwarded.