公开(公告)号：US10757146B2

公开(公告)日：2020-08-25

申请号：US15876847

申请日：2018-01-22

Applicant: Citrix Systems, Inc.

Inventor： Saravana Annamalaisami ,  Krishna Khanal ,  Varun Taneja ,  Mahesh Mylarappa

IPC: H04L12/707 ,  H04L29/06 ,  H04L29/08

Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device. The third device may receive the packets with the converted sequence identifiers in a single TCP connection.

公开(公告)号：US11991177B2

公开(公告)日：2024-05-21

申请号：US17340494

申请日：2021-06-07

Applicant: Citrix Systems, Inc.

Inventor： Seth K. Keith ,  Saravanakumar Annamalaisami ,  Krishna Khanal ,  Ratnesh Singh Thakur

IPC: H04L29/06 ,  G06F9/54 ,  H04L9/40

CPC classification number: H04L63/10 ,  G06F9/547 ,  H04L63/1408

Abstract: Reducing vulnerability to a server is provided. A device intermediary to a client and a server can receive a RPC message from the RPC based client to the RPC based server, the RPC message having a plurality of fields to execute one or more routines on the server. The device can detect that one or more fields of the plurality of fields exploits a vulnerability of the RPC based server. The device can modify the RPC message to remove the one or more fields from the RPC message. The device can forward the modified RPC message to the RPC server.

公开(公告)号：US09866529B2

公开(公告)日：2018-01-09

申请号：US14245514

申请日：2014-04-04

Applicant: Citrix Systems, Inc.

Inventor： Krishna Khanal ,  Ashwin Jagadish ,  Saravana Annamalaisami

IPC: G06F15/16 ,  H04L29/06

CPC classification number: H04L63/0272 ,  H04L63/0428 ,  H04L63/08

Abstract: The systems and methods of the present solution are directed to providing Entity Tag persistency by a device intermediary to a client and a plurality of servers. An intermediary device between a client and one or more back-end servers can receive an entity requested by the client from an origin server that provides the requested content. The intermediary device can encode the back-end server information onto an ETag of the entity, cache the entity with the encoded ETag and serve the entity with the encoded ETag to the client. In this way, when the client attempts to validate the entity by sending a request including the encoded ETag to the intermediary device, the intermediary device decodes the encoded ETag to extract the identity of the backend server and sends the request to validate the entity to the identified server that originally sent the entity that included the requested content.

公开(公告)号：US09497106B2

公开(公告)日：2016-11-15

申请号：US14245521

申请日：2014-04-04

Applicant: Citrix Systems, Inc.

Inventor： Krishna Khanal ,  Ashok Kumar Jagadeeswaran

IPC: H04L12/755 ,  H04L12/741

CPC classification number: H04L45/021 ,  H04L45/74

Abstract: Systems and methods of propagating maximum segment size and path maximum transmission unit of network paths between an intermediary device of a cluster with a plurality of destinations are described. A first core of a node including multiple cores and intermediary to a client and a plurality of servers may receive a response to a packet transmitted to a destination indicating that the packet has a size greater than a MTU of a network path between the node and a destination. The first core identifies the MTU of the network path and determines that the identified MTU is different than an MTU used by the first core. The first core replaces the MTU stored in an entry corresponding to the destination in a PMTU table maintained with the identified MTU. The first core transmits, to other cores of the node, the identified MTU to update each core's PMTU table.

Abstract translation: 描述了在具有多个目的地的集群的中间设备之间传播最大段大小和路径最大传输单元的网络路径的系统和方法。 包括多个核心并且中间到客户机和多个服务器的节点的第一核心可以接收对发送到目的地的分组的响应，指示分组具有大于节点和节点之间的网络路径的MTU的大小 目的地。 第一个核心标识网络路径的MTU，并确定所识别的MTU与第一个核心使用的MTU不同。 第一个核心替换存储在与所标识的MTU维护的PMTU表中的与目的地相对应的条目中的MTU。 第一个核心向节点的其他核心传输所识别的MTU来更新每个核心的PMTU表。

公开(公告)号：US09888042B2

公开(公告)日：2018-02-06

申请号：US14282954

申请日：2014-05-20

Applicant: Citrix Systems, Inc.

Inventor： Saravana Annamalaisami ,  Krishna Khanal ,  Varun Taneja ,  Mahesh Mylarappa

IPC: G06F15/16 ,  H04L29/06 ,  H04L12/707 ,  H04L29/08

CPC classification number: H04L65/1069 ,  H04L45/24 ,  H04L65/4076 ,  H04L69/14 ,  H04L69/163 ,  H04L69/326

Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device. The third device may receive the packets with the converted sequence identifiers in a single TCP connection.

公开(公告)号：US09432399B2

公开(公告)日：2016-08-30

申请号：US14721658

申请日：2015-05-26

Applicant: Citrix Systems, Inc.

Inventor： Meghashree Iyengar ,  Krishna Khanal ,  Saravana Annamalaisami ,  Shashidhara Nanjundaswamy

IPC: H04L29/06

CPC classification number: H04L63/1458 ,  H04L63/02 ,  H04L63/102 ,  H04L63/168

Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.

Abstract translation: 本公开一般涉及用于改变应用层事务超时以防止拒绝服务攻击的系统和方法。 客户机和服务器的设备中介可以经由设备和客户端之间的传输层连接来接收应用层事务的分组。 响应于分组的大小小于传输层连接的最大分段大小的预定分数，设备可以将用于传输层连接的攻击计数器增加第一预定量。 响应于分组与先前分组之间的分组间延迟多于往返时间的预定乘数，设备可以使攻击计数器增加第二预定量。 响应于将攻击计数器与预定阈值进行比较，设备可以改变应用层事务的超时。

公开(公告)号：US09055100B2

公开(公告)日：2015-06-09

申请号：US13858008

申请日：2013-04-06

Applicant: Citrix Systems, Inc.

Inventor： Meghashree Iyengar ,  Krishna Khanal ,  Saravana Annamalaisami ,  Shashidhara Nanjundaswamy

IPC: H04L29/06

CPC classification number: H04L63/1458 ,  H04L63/02 ,  H04L63/102 ,  H04L63/168

Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.

Abstract translation: 本公开一般涉及用于改变应用层事务超时以防止拒绝服务攻击的系统和方法。 客户机和服务器的设备中介可以经由设备和客户端之间的传输层连接来接收应用层事务的分组。 响应于分组的大小小于传输层连接的最大分段大小的预定分数，设备可以将用于传输层连接的攻击计数器增加第一预定量。 响应于分组与先前分组之间的分组间延迟多于往返时间的预定乘数，设备可以使攻击计数器增加第二预定量。 响应于将攻击计数器与预定阈值进行比较，设备可以改变应用层事务的超时。

公开(公告)号：US11647083B2

公开(公告)日：2023-05-09

申请号：US17380326

申请日：2021-07-20

Applicant: Citrix Systems, Inc.

Inventor： Krishna Khanal

IPC: H04L67/141 ,  H04L45/24

CPC classification number: H04L67/141 ,  H04L45/24

Abstract: Systems and methods for establishing a multipath connection include a first processor of a first cluster forwarding a first request from a client to establish a first connection with a server to a second processor of a second cluster. A third processor of the first cluster receives a second request to establish a multipath connection between the client and the server. The third processor forwards the second request to the second processor responsive to determining that the second request is to establish a multipath connection. The second processor establishes the multipath connection that includes the first connection and a second connection used as paths of the multipath connection.

公开(公告)号：US20140304798A1

公开(公告)日：2014-10-09

申请号：US13858008

申请日：2013-04-06

Applicant: CITRIX SYSTEMS, INC.

Inventor： Meghashree Iyengar ,  Krishna Khanal ,  Saravana Annamalaisami ,  Shashidhara Nanjundaswamy

IPC: H04L29/06

CPC classification number: H04L63/1458 ,  H04L63/02 ,  H04L63/102 ,  H04L63/168

Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.

Abstract translation: 本公开一般涉及用于改变应用层事务超时以防止拒绝服务攻击的系统和方法。 客户机和服务器的设备中介可以经由设备和客户端之间的传输层连接来接收应用层事务的分组。 响应于分组的大小小于传输层连接的最大分段大小的预定分数，设备可以将用于传输层连接的攻击计数器增加第一预定量。 响应于分组与先前分组之间的分组间延迟多于往返时间的预定乘数，设备可以使攻击计数器增加第二预定量。 响应于将攻击计数器与预定阈值进行比较，设备可以改变应用层事务的超时。

公开(公告)号：US20140301395A1

公开(公告)日：2014-10-09

申请号：US14245521

申请日：2014-04-04

Applicant: Citrix Systems, Inc.

Inventor： Krishna Khanal ,  Ashok Kumar Jagadeeswaran

IPC: H04L12/755 ,  H04L12/741

CPC classification number: H04L45/021 ,  H04L45/74

Abstract: Systems and methods of propagating maximum segment size and path maximum transmission unit of network paths between an intermediary device of a cluster with a plurality of destinations are described. A first core of a node including multiple cores and intermediary to a client and a plurality of servers may receive a response to a packet transmitted to a destination indicating that the packet has a size greater than a MTU of a network path between the node and a destination. The first core identifies the MTU of the network path and determines that the identified MTU is different than an MTU used by the first core. The first core replaces the MTU stored in an entry corresponding to the destination in a PMTU table maintained with the identified MTU. The first core transmits, to other cores of the node, the identified MTU to update each core's PMTU table.

Abstract translation: 描述了在具有多个目的地的集群的中间设备之间传播最大段大小和路径最大传输单元的网络路径的系统和方法。 包括多个核心并且中间到客户机和多个服务器的节点的第一核心可以接收对发送到目的地的分组的响应，指示分组具有大于节点和节点之间的网络路径的MTU的大小 目的地。 第一个核心标识网络路径的MTU，并确定所识别的MTU与第一个核心使用的MTU不同。 第一个核心替换存储在与所标识的MTU维护的PMTU表中的与目的地相对应的条目中的MTU。 第一个核心向节点的其他核心传输所识别的MTU来更新每个核心的PMTU表。