Abstract:
A method for managing attacks in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of packets, which include a plurality of administrative packets. The method includes determining whether a congestion of the administrative packets exists. Congestion of the administrative packets indicates that a potential attack exists. The method also includes discarding a portion of the plurality of administrative packets if it is declared that the congestion of the administrative packets exists. The portion of the plurality of packets is sufficient to ensure that a remaining portion of the plurality of packets transmitted is not more than a maximum administrative packet bandwidth limit and, if the plurality of administrative packets present a sufficient offered load, not less than a minimum administrative packet bandwidth guarantee.
Abstract:
Methods and apparatus are provided for metering data packets having a plurality of different packet lengths in a data communications network. A token count TC is incremented at a token increment rate CIR subject to an upper limit CBS on the token count. On arrival of a packet of length L tokens, it is determined if both TC>0 and TC+n≧L, where n is a defined number of tokens. If so, the data packet is categorized as in profile and L tokens are subtracted from the token count TC. Otherwise the data packet is categorized out of profile. In some embodiments, n is set to a value in the range 0
Abstract:
A method and system for managing asynchronous transfer mode (ATM) traffic in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of ATM flows. Each ATM flow has a plurality of ATM cells, a minimum ATM bandwidth guarantee, and a maximum ATM bandwidth. The method and system include determining whether excess bandwidth exists for the ATM flows. The method and system also include gracefully increasing a portion of the ATM cells transmitted for each ATM flow during periods of excess bandwidth. The portion of the ATM cells transmitted is not more than the maximum ATM bandwidth limit. If an ATM flow presents a sufficient offered load, the portion of the ATM cells transmitted in the flow is not less than a minimum ATM bandwidth guarantee.
Abstract:
A process control method and system including partitioning transmit decisions and certain measurements into one logical entity (Data Plane) and partitioning algorithm computation to update transmit probabilities into a second logical entity (Control Plane), the two entities periodically communicating fresh measurements from Data Plane to Control Plane and adjusted transmit probabilities from Control Plane to Data Plane. The transmit probability may be used in transmit/discard decisions of packets or instructions exercised at every arrival of a packet or instruction. In an alternative embodiment, the transmit probability may be used in transmit/delay decisions of awaiting instructions or packets exercised at every service event.
Abstract:
Methods and apparatus are provided for controlling flow rates of a plurality of data packet flows into a queue 4 corresponding to a resource 3 of a network device 1. The flows comprise a set 7 of non-responsive flows, and a set 8 of other flows which may comprise responsive flows and/or flows whose responsiveness is unknown. The flow rates are managed in accordance with a queue management scheme such that adjustments are made to each flow rate in dependence on excess bandwidth in the resource, the amounts of the adjustments being dependent on one or more adjustment parameters for each flow. An error signal is generated based on the deviation from a desired allocation ratio of the ratio of the total flow rates into the queue 4 for the sets of flows 7, 8. At least one adjustment parameter for at least one flow is then varied in dependence on the error signal in such a manner as to reduce the aforementioned deviation. A closed-loop control scheme thus operates in conjunction with the underlying queue management scheme to promote fair bandwidth allocation even in the presence of a mix of responsive and non-responsive flows.
Abstract:
A method and system for managing asynchronous transfer mode (ATM) traffic in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of ATM flows. Each ATM flow has a plurality of ATM cells, a minimum ATM bandwidth guarantee, and a maximum ATM bandwidth. The method and system include determining whether excess bandwidth exists for the ATM flows. The method and system also include gracefully increasing a portion of the ATM cells transmitted for each ATM flow during periods of excess bandwidth. The portion of the ATM cells transmitted is not more than the maximum ATM bandwidth limit. If an ATM flow presents a sufficient offered load, the portion of the ATM cells transmitted in the flow is not less than a minimum ATM bandwidth guarantee.
Abstract:
A medium and system for managing asynchronous transfer mode (ATM) traffic in a computer system is disclosed. The computer system is used in sending, receiving, or sending and receiving a plurality of ATM flows. Each ATM flow has a plurality of ATM cells, a minimum ATM bandwidth guarantee, and a maximum ATM bandwidth. The medium and system include determining whether excess bandwidth exists for the ATM flows. The method and system also include gracefully increasing a portion of the ATM cells transmitted for each ATM flow during periods of excess bandwidth. The portion of the ATM cells transmitted is not more than the maximum ATM bandwidth limit. If an ATM flow presents a sufficient offered load, the portion of the ATM cells transmitted in the flow is not less than a minimum ATM bandwidth guarantee.
Abstract:
Methods and apparatus are provided for managing a data packet queue corresponding to a resource of a network device. A token count TC is maintained for a predefined flow of data packets, and the transmission of packets in the flow into the queue is controlled in dependence on this token count. The token count is decremented when packets in the flow are transmitted into the queue, and the token count is incremented at a token increment rate C. A bandwidth indicator, indicative of bandwidth availability in the resource, is monitored, and the token increment rate C is varied in dependence on this bandwidth indicator. The bandwidth-dependent variation of the token increment rate C is such that, when available bandwidth is indicated, the increment rate C is increased, and when no available bandwidth is indicated the increment rate C is decreased.
Abstract:
An intrusion detection system (IDS) comprises a network processor (NP) coupled to a memory unit for storing programs and data. The NP is also coupled to one or more parallel pattern detection engines (PPDE) which provide high speed parallel detection of patterns in an input data stream. Each PPDE comprises many processing units (PUs), each designed to store intrusion signatures as a sequence of data with selected operation codes. The PUs have configuration registers for selecting modes of pattern recognition. Each PU compares a byte at each clock cycle. If a sequence of bytes from the input pattern matches a stored pattern, the identification of the PU detecting the pattern is output with any applicable comparison data. By storing intrusion signatures in many parallel PUs, the IDS can process network data at the NP processing speed. PUs may be cascaded to increase intrusion coverage or to detect long intrusion signatures.
Abstract:
The classification system of a network device includes a cache in which a mapping between predefined characteristics of TCP/IP packets and associated actions is stored in response to the first “Frequent Flyer” packet of a session. Selected characteristics from subsequent received packets of that session are correlated with the predefined characteristics, and the stored actions are applied to the received packets if the selected characteristics and the predefined characteristics match, thus reducing the processing required for subsequent packets. The packets selected for caching may be data packets. For mismatched characteristics, the full packet search of the classification system is used to determine the action to apply to the received packet.