-
Publication No.: US20170374098A1
Publication Date: 2017-12-28
Application No.: US15192604
Filing Date: 2016-06-24
Applicant: Fortinet, Inc.
Inventor: William A. Kish , Sergey Katsev
CPC classification number: H04L63/1458 , H04L43/0876 , H04L43/16 , H04L63/1425 , H04L67/02
Abstract: Systems and methods for an improved DDoS mitigation approach are provided. According to one embodiment, a current threshold for a network connection characteristic is established within a Denial-of-Service (DoS) mitigation device logically interposed between a protected resource of a private network and multiple client devices residing external to the private network. A number of connections between the client devices and the protected network resource are tracked. During a period of time in which the number of connections exceeds a connection count threshold: (i) for each of the connections, a measured value for the network connection characteristic is compared to the current threshold; (ii) responsive to a determination that the measured value exceeds the current threshold, the connection is dropped; and (iii) the current threshold is periodically reduced, such that only those connections complying with the current threshold are maintained.
-
Publication No.: US20170251052A1
Publication Date: 2017-08-31
Application No.: US15597051
Filing Date: 2017-05-16
Applicant: Fortinet, Inc.
Inventor: William A. Kish
CPC classification number: H04L67/10 , G06F9/54 , H04L63/02 , H04L63/04 , H04L63/166 , H04L69/162
Abstract: Methods and systems for efficient data transactions between applications running on devices associated with the same host. According to one embodiment, a host system includes an HTTP proxy and an SSL/TLS proxy operatively coupled with each other. The SSL/TLS proxy may be configured to perform SSL negotiation with a client and the HTTP proxy may be configured to communicate with a web server in clear text. Data can be transferred directly between the proxies through a pair of connected sockets using a handle of the other proxy's socket. The handle includes a pointer to an address within a memory of a first device upon which the other proxy is running. In this manner, data stored at the address may be processed by a proxy running on a second device without copying the data to the second device and without the overhead associated with the TCP/IP protocol stack.
-
Publication No.: US20160036943A1
Publication Date: 2016-02-04
Application No.: US14451106
Filing Date: 2014-08-04
Applicant: Fortinet, Inc.
Inventor: William A. Kish , Sergey Katsev
CPC classification number: H04L61/6013 , H04L61/1511 , H04L61/6059 , H04L61/6086
Abstract: Methods and systems for an IPv4-IPv6 proxy mode for DNS servers are provided. According to one embodiment, a DNS query is received by a network device from a dual-stack client. A determination is made by the network device whether a first record type containing an Internet Protocol (IP) address for a server associated with the query exists within a DNS database of the network device. If the first record type exists for the server, then communication is enabled between the client and the server based on the first record type; otherwise it is automatically determined whether a second record type usable by the client exists for the server. Responsive to a determination that the second record type exists, data associated with the second record type is shared with the client by the network device to enable communication between the client and the server.
-
Publication No.: US10171492B2
Publication Date: 2019-01-01
Application No.: US15192575
Filing Date: 2016-06-24
Applicant: Fortinet, Inc.
Inventor: William A. Kish , Sergey Katsev
IPC: H04L29/06
Abstract: Systems and methods for improving the performance of DDoS mitigation by monitoring the health of a protected network resource are provided. According to one embodiment, the health of a network device protected by a DoS mitigation device can be evaluated, and packets/traffic received on the DoS mitigation device can be selectively/conditionally forwarded to the protected network device or dropped based on the health of the protected network device. According to one embodiment, at least a part of the traffic is blocked when the health of the protected network device is below a predetermined health threshold. In an exemplary implementation, a measure of the volume of traffic originated by different computing devices and handled by the protected network device can be computed, and packet filtering or conditional forwarding can be enabled when the computed measure of traffic volume exceeds a predetermined traffic volume threshold.
-
Publication No.: US10009419B2
Publication Date: 2018-06-26
Application No.: US15597051
Filing Date: 2017-05-16
Applicant: Fortinet, Inc.
Inventor: William A. Kish
CPC classification number: H04L67/10 , G06F9/54 , G06F9/544 , H04L63/02 , H04L63/04 , H04L63/166 , H04L69/162
Abstract: Methods and systems for efficient data transactions between applications running on devices associated with the same host. According to one embodiment, a host system includes an HTTP proxy and an SSL/TLS proxy operatively coupled with each other. The SSL/TLS proxy may be configured to perform SSL negotiation with a client and the HTTP proxy may be configured to communicate with a web server in clear text. Data can be transferred directly between the proxies through a pair of connected sockets using a handle of the other proxy's socket. The handle includes a pointer to an address within a memory of a first device upon which the other proxy is running. In this manner, data stored at the address may be processed by a proxy running on a second device without copying the data to the second device and without the overhead associated with the TCP/IP protocol stack.
-
Publication No.: US20200021559A1
Publication Date: 2020-01-16
Application No.: US16579521
Filing Date: 2019-09-23
Applicant: Fortinet, Inc.
Inventor: William A. Kish , Sergey Katsev
IPC: H04L29/12
Abstract: Methods and systems for an IPv4-IPv6 proxy mode for DNS servers are provided. According to one embodiment, a DNS query is received by a network device from a dual-stack client. A determination is made by the network device whether a first record type containing an Internet Protocol (IP) address for a server associated with the query exists within a DNS database of the network device. If the first record type exists for the server, then communication is enabled between the client and the server based on the first record type; otherwise it is automatically determined whether a second record type usable by the client exists for the server. Responsive to a determination that the second record type exists, data associated with the second record type is shared with the client by the network device to enable communication between the client and the server.
-
Publication No.: US10075468B2
Publication Date: 2018-09-11
Application No.: US15192604
Filing Date: 2016-06-24
Applicant: Fortinet, Inc.
Inventor: William A. Kish , Sergey Katsev
CPC classification number: H04L63/1458 , H04L43/0876 , H04L43/16 , H04L63/1425 , H04L67/02 , H04L2463/142
Abstract: Systems and methods for an improved DDoS mitigation approach are provided. According to one embodiment, a current threshold for a network connection characteristic is established within a Denial-of-Service (DoS) mitigation device logically interposed between a protected resource of a private network and multiple client devices residing external to the private network. A number of connections between the client devices and the protected network resource are tracked. During a period of time in which the number of connections exceeds a connection count threshold: (i) for each of the connections, a measured value for the network connection characteristic is compared to the current threshold; (ii) responsive to a determination that the measured value exceeds the current threshold, the connection is dropped; and (iii) the current threshold is periodically reduced, such that only those connections complying with the current threshold are maintained.
-
Publication No.: US20180167359A1
Publication Date: 2018-06-14
Application No.: US15894830
Filing Date: 2018-02-12
Applicant: Fortinet, Inc.
Inventor: William A. Kish , Sergey Katsev
IPC: H04L29/12
Abstract: Methods and systems for an IPv4-IPv6 proxy mode for DNS servers are provided. According to one embodiment, a DNS query is received by a network device from a dual-stack client. A determination is made by the network device whether a first record type containing an Internet Protocol (IP) address for a server associated with the query exists within a DNS database of the network device. If the first record type exists for the server, then communication is enabled between the client and the server based on the first record type; otherwise it is automatically determined whether a second record type usable by the client exists for the server. Responsive to a determination that the second record type exists, data associated with the second record type is shared with the client by the network device to enable communication between the client and the server.
-
Publication No.: US20170374097A1
Publication Date: 2017-12-28
Application No.: US15192575
Filing Date: 2016-06-24
Applicant: Fortinet, Inc.
Inventor: William A. Kish , Sergey Katsev
IPC: H04L29/06
CPC classification number: H04L63/1458 , H04L63/14 , H04L63/1441
Abstract: Systems and methods for improving the performance of DoS mitigation by monitoring the health of a protected network resource are provided. According to one embodiment, the health of a network device protected by a DoS mitigation device can be evaluated, and packets/traffic received on the DoS mitigation device can be selectively/conditionally forwarded to the protected network device or dropped based on the health of the protected network device. According to one embodiment, at least a part of the traffic is blocked when the health of the protected network device is below a predetermined health threshold. In an exemplary implementation, a measure of the volume of traffic originated by different computing devices and handled by the protected network device can be computed, and packet filtering or conditional forwarding can be enabled when the computed measure of traffic volume exceeds a predetermined traffic volume threshold.
-
Publication No.: US09680918B2
Publication Date: 2017-06-13
Application No.: US14318940
Filing Date: 2014-06-30
Applicant: Fortinet, Inc.
Inventor: William A. Kish
CPC classification number: H04L67/10 , G06F9/54 , H04L63/02 , H04L63/04 , H04L63/166 , H04L69/162
Abstract: Methods and systems for efficient data transactions between applications running on devices associated with the same host. According to one embodiment, a host system includes an HTTP proxy and an SSL/TLS proxy operatively coupled with each other. The SSL/TLS proxy may be configured to perform SSL negotiation with a client and the HTTP proxy may be configured to communicate with a web server in clear text. Data can be transferred directly between the proxies through a pair of connected sockets using a handle of the other proxy's socket. The handle includes a pointer to an address within a memory of a first device upon which the other proxy is running. In this manner, data stored at the address may be processed by a proxy running on a second device without copying the data to the second device and without the overhead associated with the TCP/IP protocol stack.