-
1.发明申请Distributed architecture for statistical overload control against distributed denial of service attacks 有权用于分布式拒绝服务攻击的统计过载控制的分布式架构公开(公告)号:US20050111367A1
公开(公告)日:2005-05-26
申请号:US10723450
申请日:2003-11-26
申请人: Hung-Hsiang Jonathan Chao , Mooi Chuah , Yoohwan Kim , Wing Lau
发明人: Hung-Hsiang Jonathan Chao , Mooi Chuah , Yoohwan Kim , Wing Lau
CPC分类号: H04L63/1408 , H04L63/1458
摘要: In a network including a centralized controller and a plurality of routers forming a security perimeter, a method for selectively discarding packets during a distributed denial-of-service (DDoS) attack over the network. The method includes aggregating victim destination prefix lists and attack statistics associated with incoming packets received from the plurality of routers to confirm a DDoS attack victim, and aggregating packet attribute distribution frequencies for incoming victim related packets received from the plurality of security perimeter routers. Common scorebooks are generated from the aggregated packet attribute distribution frequencies and nominal traffic profiles, and local cumulative distribution function (CDF) of the local scores derived from the plurality of security perimeter routers are aggregated. A common discarding threshold is derived from the CDF and sent to each of the plurality of security perimeter routers, where the discarding threshold defines a condition in which an incoming packet may be discarded at the security perimeter.
摘要翻译: 在包括集中控制器和形成安全边界的多个路由器的网络中,提供了一种在通过网络的分布式拒绝服务(DDoS)攻击中选择性地丢弃分组的方法。 该方法包括聚合受害目的地前缀列表和与从多个路由器接收的传入分组相关联的攻击统计信息,以确认DDoS攻击受害者,并且聚合从多个安全边界路由器接收到的传入的受害者相关分组的分组属性分布频率。 从聚合的分组属性分布频率和标称流量简档生成常用记分簿,并且聚合从多个安全边界路由器导出的局部分数的局部累积分布函数(CDF)。 从CDF导出常见的丢弃阈值,并将其发送到多个安全边界路由器中的每一个,其中丢弃阈值定义了可能在安全边界丢弃输入分组的状况。
-
2.发明授权Distributed architecture for statistical overload control against distributed denial of service attacks 有权用于分布式拒绝服务攻击的统计过载控制的分布式架构公开(公告)号:US07526807B2
公开(公告)日:2009-04-28
申请号:US10723450
申请日:2003-11-26
IPC分类号: G06F21/00
CPC分类号: H04L63/1408 , H04L63/1458
摘要: In a network including a centralized controller and a plurality of routers forming a security perimeter, a method for selectively discarding packets during a distributed denial-of-service (DDoS) attack over the network. The method includes aggregating victim destination prefix lists and attack statistics associated with incoming packets received from the plurality of routers to confirm a DDoS attack victim, and aggregating packet attribute distribution frequencies for incoming victim related packets received from the plurality of security perimeter routers. Common scorebooks are generated from the aggregated packet attribute distribution frequencies and nominal traffic profiles, and local cumulative distribution function (CDF) of the local scores derived from the plurality of security perimeter routers are aggregated. A common discarding threshold is derived from the CDF and sent to each of the plurality of security perimeter routers, where the discarding threshold defines a condition in which an incoming packet may be discarded at the security perimeter.
摘要翻译: 在包括集中控制器和形成安全边界的多个路由器的网络中,提供了一种在通过网络的分布式拒绝服务(DDoS)攻击中选择性地丢弃分组的方法。 该方法包括聚合受害目的地前缀列表和与从多个路由器接收的传入分组相关联的攻击统计信息,以确认DDoS攻击受害者,并且聚合从多个安全边界路由器接收到的传入的受害者相关分组的分组属性分布频率。 从聚合的分组属性分布频率和标称流量简档生成常用记分簿,并且聚合从多个安全边界路由器导出的局部分数的局部累积分布函数(CDF)。 从CDF导出常见的丢弃阈值,并将其发送到多个安全边界路由器中的每一个,其中丢弃阈值定义了可能在安全边界丢弃输入分组的状况。
-
3.再颁专利Scheduling the dispatch of cells in non-empty virtual output queues of multistage switches using a pipelined hierarchical arbitration scheme 有权使用流水线分层仲裁方案调度多级交换机的非空虚拟输出队列中的单元格调度公开(公告)号:USRE43466E1
公开(公告)日:2012-06-12
申请号:US12122066
申请日:2008-05-16
CPC分类号: H04L12/5601 , H04L49/1569 , H04L49/3081 , H04L2012/5651 , H04L2012/5679 , H04L2012/5681 , H04Q11/0478
摘要: A pipeline-based matching scheduling approach for input-buffered switches relaxes the timing constraint for arbitration with matching schemes, such as CRRD and CMSD. In the new approach, arbitration may operate in a pipelined manner. Each sub-scheduler is allowed to take more than one time slot for its matching. Every time slot, one of them provides a matching result(s). The sub-scheduler can use a matching scheme such as CRRD and CMSD.
摘要翻译: 用于输入缓冲交换机的基于流水线的匹配调度方法放松了使用匹配方案进行仲裁的时序约束,如CRRD和CMSD。 在新方法中,仲裁可以以流水线方式运行。 每个子调度器被允许占用多于一个时隙进行匹配。 每个时隙,其中一个提供匹配的结果。 子调度器可以使用诸如CRRD和CMSD的匹配方案。
-
公开(公告)号:US20110128959A1
公开(公告)日:2011-06-02
申请号:US12957995
申请日:2010-12-01
IPC分类号: H04L12/56
CPC分类号: H04L45/745 , H04L45/7457
摘要: A method and apparatus for performing an Internet Protocol (IP) network lookup in a forwarding device including an internal processor memory storing a first next hop information table and membership query information, and an external processor memory storing a plurality of prefix-compressed trees and a second next hop information table is described. In another embodiment consistent with present invention, a method (and apparatus) for creating stored data structures representing network forwarding information used for network route lookup is described.
摘要翻译: 一种用于在包括存储第一下一跳信息表和成员查询信息的内部处理器存储器的转发设备中执行因特网协议(IP)网络查找的方法和装置,以及存储多个前缀压缩树的外部处理器存储器和 描述第二下一跳信息表。 在与本发明一致的另一实施例中,描述了一种用于创建表示用于网络路由查找的网络转发信息的存储数据结构的方法(和装置)。
-
5.发明授权Packet sequence maintenance with load balancing, and head-of-line blocking avoidance in a switch 有权带有负载平衡的数据包序列维护,交换机中的线路头阻塞避免公开(公告)号:US07894343B2
公开(公告)日:2011-02-22
申请号:US10776574
申请日:2004-02-11
IPC分类号: G01R31/08
CPC分类号: H04L49/3045 , H04L49/253 , H04L49/3018
摘要: To avoid packet out-of-sequence problems, while providing good load balancing, each input port of a switch monitors the outstanding number of packets for each flow group. If there is an outstanding packet in the switch fabric, the following packets of the same flow group should follow the same path. If there is no outstanding packet of the same flow group in the switch fabric, the (first, and therefore subsequent) packets of the flow can choose a less congested path to improve load balancing performance without causing an out-of-sequence problem. To avoid HOL blocking without requiring too many queues, an input module may include two stages of buffers. The first buffer stage may be a virtual output queue (VOQ) and second buffer stage may be a virtual path queue (VPQ). At the first stage, the packets may be stored at the VOQs, and the HOL packet of each VOQ may be sent to the VPQ. By allowing each VOQ to send at most one packet to VPQ, HOL blocking can be mitigated dramatically.
摘要翻译: 为了避免数据包失序问题,在提供良好的负载均衡的情况下,交换机的每个输入端口都会监视每个流组的未知数量。 如果交换机结构中存在未完成的报文,则同一流程组的以下报文应遵循相同的路径。 如果交换机结构中没有相同流组的未完成报文,则流的(第一个,后续的)报文可以选择较少拥塞的路径,以提高负载均衡性能,而不会导致失序问题。 为了避免HOL阻塞而不需要太多的队列,输入模块可以包括两级缓冲器。 第一缓冲级可以是虚拟输出队列(VOQ),第二缓冲级可以是虚拟路径队列(VPQ)。 在第一阶段,分组可以存储在VOQ中,并且每个VOQ的HOL分组可以被发送到VPQ。 通过允许每个VOQ最多发送一个数据包到VPQ,HOL阻塞可以大大减轻。
-
6.发明授权Switch module memory structure and per-destination queue flow control for use in a switch 有权切换模块存储器结构和每个目标队列流控制,用于交换机公开(公告)号:US07792118B2
公开(公告)日:2010-09-07
申请号:US10776575
申请日:2004-02-11
IPC分类号: H04L12/28
CPC分类号: H04L49/1523 , H04L49/506
摘要: To use the memory space more effectively, cell memory can be shared by an input link and all output links. To prevent one flow from occupying the entire memory space, a threshold may be provided for the queue. The queue threshold may accommodate the RTT delay of the link. Queue length information about a downstream switch module may be sent to an upstream switch module via cell headers in every credit update period per link. Cell and/or credit loss may be recovered from. Increasing the credit update period reduces the cell header bandwidth but doesn't degrade performance significantly. Sending a credit per link simplifies implementation and eliminates interference between other links.
摘要翻译: 为了更有效地使用存储器空间,单元存储器可以由输入链路和所有输出链路共享。 为了防止一个流占用整个存储器空间,可以为队列提供阈值。 队列阈值可以适应链路的RTT延迟。 关于下游交换机模块的队列长度信息可以在每个链路的每个信用更新周期中通过小区头发送到上游交换机模块。 可以从中回收信元和/或信用损失。 增加信用更新周期会降低单元头带宽,但不会显着降低性能。 每个链接发送信用简化了实现,消除了其他链接之间的干扰。
-
公开(公告)号:US07173931B2
公开(公告)日:2007-02-06
申请号:US09851461
申请日:2001-05-08
IPC分类号: H04Q11/00
CPC分类号: H04L49/1569 , H04L12/5601 , H04L49/3081 , H04L2012/5651 , H04L2012/5679 , H04L2012/5681 , H04Q11/0478
摘要: A multiple phase cell dispatch scheme, in which each phase uses a simple and fair (e.g., round robin) arbitration methods, is described. VOQs of an input module and outgoing links of the input module are matched in a first phase. An outgoing link of an input module is matched with an outgoing link of a central module in a second phase. The arbiters become desynchronized under stable conditions which contributes to the switch's high throughput characteristic. Using this dispatch scheme, a scalable multiple-stage switch able to operate at high throughput, without needing to resort to speeding up the switching fabric and without needing to use buffers in the second stage, is possible. The cost of speed-up and the cell out-of-sequence problems that may occur when buffers are used in the second stage are therefore avoided.
摘要翻译: 描述了多相单元调度方案,其中每个阶段使用简单和公平(例如,循环)仲裁方法。 输入模块的VOQ和输入模块的输出链路在第一阶段匹配。 输入模块的输出链路与第二阶段的中央模块的输出链路相匹配。 仲裁器在稳定的条件下变得不同步,这有助于开关的高吞吐量特性。 使用这种调度方案,能够以高吞吐量运行的可扩展多级交换机是可能的,而不需要诉诸于加速交换结构,而不需要在第二阶段中使用缓冲器。 因此,避免了在第二阶段使用缓冲器时可能发生的加速成本和单元格不合格问题。
-
公开(公告)号:US08625604B2
公开(公告)日:2014-01-07
申请号:US12957995
申请日:2010-12-01
IPC分类号: H04L12/28
CPC分类号: H04L45/745 , H04L45/7457
摘要: A method and apparatus for performing an Internet Protocol (IP) network lookup in a forwarding device including an internal processor memory storing a first next hop information table and membership query information, and an external processor memory storing a plurality of prefix-compressed trees and a second next hop information table is described. In another embodiment consistent with present invention, a method (and apparatus) for creating stored data structures representing network forwarding information used for network route lookup is described.
摘要翻译: 一种用于在包括存储第一下一跳信息表和成员查询信息的内部处理器存储器的转发设备中执行因特网协议(IP)网络查找的方法和装置,以及存储多个前缀压缩树的外部处理器存储器和 描述第二下一跳信息表。 在与本发明一致的另一实施例中,描述了一种用于创建表示用于网络路由查找的网络转发信息的存储数据结构的方法(和装置)。
-
9.再颁专利Scheduling the dispatch of cells in non-empty virtual output queues of multistage switches using a pipelined arbitration scheme 失效使用流水线仲裁方案调度多级交换机的非空虚拟输出队列中的单元格调度公开(公告)号:USRE42600E1
公开(公告)日:2011-08-09
申请号:US11851242
申请日:2007-09-06
CPC分类号: H04L49/1569 , H04L12/5601 , H04L47/50 , H04L49/1515 , H04L49/1553 , H04L49/3045 , H04L49/3081 , H04L2012/5651 , H04L2012/5679 , H04L2012/5681 , H04Q11/0478
摘要: A pipeline-based matching scheduling approach for input-buffered switches relaxes the timing constraint for arbitration with matching schemes, such as CRRD and CMSD. In the new approach, arbitration may operate in a pipelined manner. Each sub-scheduler is allowed to take more than one time slot for its matching. Every time slot, one of them provides a matching result(s). The sub-scheduler can use a matching scheme such as CRRD and CMSD.
摘要翻译: 用于输入缓冲交换机的基于流水线的匹配调度方法放松了使用匹配方案进行仲裁的时序约束,如CRRD和CMSD。 在新方法中,仲裁可以以流水线方式运行。 每个子调度器被允许占用多于一个时隙进行匹配。 每个时隙,其中一个提供匹配的结果。 子调度器可以使用诸如CRRD和CMSD的匹配方案。
-
公开(公告)号:US20110128960A1
公开(公告)日:2011-06-02
申请号:US12958030
申请日:2010-12-01
IPC分类号: H04L12/56
CPC分类号: H04L45/745 , H04L45/7457
摘要: A method and apparatus for updating stored data structures representing network forwarding information used for network route lookup is described. By making sure there is only one level of dependency between data structures storing forwarding information, these data structures may be updated quickly and with minimal overhead
摘要翻译: 描述用于更新表示用于网络路由查找的网络转发信息的存储的数据结构的方法和装置。 通过确保存储转发信息的数据结构之间只有一个依赖关系,这些数据结构可以以最小的开销快速更新
-
-
-
-
-
-
-
-
-
搜索结果
43 条记录 (耗时 0.03 秒)
