Systems and methods to cache packet steering decisions for a cluster of load balancers
    1.
    Granted invention patent
    Systems and methods to cache packet steering decisions for a cluster of load balancers (status: in force)

    Publication number: US09497281B2

    Publication date: 2016-11-15

    Application number: US14245505

    Application date: 2014-04-04

    CPC classification number: H04L67/2814 H04L45/7453

    Abstract: The present disclosure is directed towards methods and systems for caching packet steering sessions for steering data packets between intermediary devices of a cluster of intermediary devices intermediary to a client and a plurality of servers. A first intermediary device receives a first data packet and determines, from a hash of a tuple of the first packet, a second intermediary device to which to steer the first packet. The first device stores, to a session for storing packet steering information, the identity of the second device and the tuple. The first device receives a second packet having a corresponding tuple that matches the tuple of the first packet and determines, based on a lookup for the session using the tuple of the second packet, that the second device is the intermediary device to which to steer the second packet. The first device steers the second packet to the second device.


    2.
    Granted invention patent
    Systems and methods for HTTP-body DoS attack prevention with adaptive timeout (status: in force)

    Publication number: US09432399B2

    Publication date: 2016-08-30

    Application number: US14721658

    Application date: 2015-05-26

    CPC classification number: H04L63/1458 H04L63/02 H04L63/102 H04L63/168

    Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.


    3.
    Granted invention patent
    Systems and methods for HTTP-Body DoS attack prevention with adaptive timeout (status: in force)

    Publication number: US09055100B2

    Publication date: 2015-06-09

    Application number: US13858008

    Application date: 2013-04-06

    CPC classification number: H04L63/1458 H04L63/02 H04L63/102 H04L63/168

    Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.


    4.
    Invention patent application
    SYSTEMS AND METHODS FOR HTTP-BODY DOS ATTACK PREVENTION WITH ADAPTIVE TIMEOUT (status: in force)

    Publication number: US20150281272A1

    Publication date: 2015-10-01

    Application number: US14721658

    Application date: 2015-05-26

    CPC classification number: H04L63/1458 H04L63/02 H04L63/102 H04L63/168

    Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.


    5.
    Invention patent application
    SYSTEMS AND METHODS FOR HTTP-BODY DOS ATTACK PREVENTION WITH ADAPTIVE TIMEOUT (status: in force)

    Publication number: US20140304798A1

    Publication date: 2014-10-09

    Application number: US13858008

    Application date: 2013-04-06

    CPC classification number: H04L63/1458 H04L63/02 H04L63/102 H04L63/168

    Abstract: The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold.


    6.
    Invention patent application
    SYSTEMS AND METHODS TO CACHE PACKET STEERING DECISIONS FOR A CLUSTER OF LOAD BALANCERS (status: in force)

    Publication number: US20140301388A1

    Publication date: 2014-10-09

    Application number: US14245505

    Application date: 2014-04-04

    CPC classification number: H04L67/2814 H04L45/7453

    Abstract: The present disclosure is directed towards methods and systems for caching packet steering sessions for steering data packets between intermediary devices of a cluster of intermediary devices intermediary to a client and a plurality of servers. A first intermediary device receives a first data packet and determines, from a hash of a tuple of the first packet, a second intermediary device to which to steer the first packet. The first device stores, to a session for storing packet steering information, the identity of the second device and the tuple. The first device receives a second packet having a corresponding tuple that matches the tuple of the first packet and determines, based on a lookup for the session using the tuple of the second packet, that the second device is the intermediary device to which to steer the second packet. The first device steers the second packet to the second device.

