Abstract:
The packet rate limiting method and system is used for detecting and blocking the effects of DoS attacks on IP networks. The method uses an ACL counter that stores an action parameter in the 3 most significant bits and uses the remaining 13 bits as a packet counter. A rate limit is enforced by setting the packet counter to an initial value and resetting it to that value at given intervals of time. The action parameter enables the ACL to accept or deny packets based on this rate limit. If the number of packets in the incoming flow saturates the packet counter before the reset time, the packets are denied access to the network until the counter is next reset. The denied packets may simply be discarded or may be extracted for further examination.
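The counter layout described in the abstract, as an added example that is not taken from the patent: a 16-bit word whose top 3 bits hold the action and whose low 13 bits count packets, with the counter seeded so that it saturates after `limit` packets and is reseeded every `interval` seconds. The action encodings, the class and function names, and the sample flow are assumptions.

```python
# Added example (not from the patent): a 16-bit ACL counter word holding a
# 3-bit action field above a 13-bit packet counter, enforcing a per-interval limit.
COUNTER_BITS = 13
COUNTER_MASK = (1 << COUNTER_BITS) - 1          # 0x1FFF, the saturation value
ACTION_SHIFT = COUNTER_BITS                     # action field occupies bits 15..13

# Assumed encodings for what happens to over-limit packets; the abstract gives none.
ACTION_DISCARD, ACTION_EXTRACT = 0b001, 0b010

class AclCounter:
    def __init__(self, limit, interval, action=ACTION_DISCARD):
        if not 0 < limit <= COUNTER_MASK:
            raise ValueError("limit must fit in the 13-bit counter")
        self.limit, self.interval = limit, interval
        # Seed the counter at (max - limit) so it saturates after `limit` packets.
        self.initial = COUNTER_MASK - limit
        self.word = (action << ACTION_SHIFT) | self.initial
        self.next_reset = None

    @property
    def action(self):
        return self.word >> ACTION_SHIFT

    @property
    def count(self):
        return self.word & COUNTER_MASK

    def _reset(self, now):
        self.word = (self.action << ACTION_SHIFT) | self.initial
        self.next_reset = now + self.interval

    def packet(self, now):
        """Return 'accept', 'discard' or 'extract' for a packet seen at time `now`."""
        if self.next_reset is None or now >= self.next_reset:
            self._reset(now)
        if self.count == COUNTER_MASK:
            # Saturated: never increment here, or the carry would corrupt the action bits.
            return "extract" if self.action == ACTION_EXTRACT else "discard"
        self.word += 1
        return "accept"

def run_flow(timestamps, limit, interval, action=ACTION_DISCARD):
    acl = AclCounter(limit, interval, action)
    return [acl.packet(t) for t in timestamps]

# Constructed burst: 8 packets in the first one-second interval, then 2 after the reset.
SAMPLE_FLOW = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 1.2, 1.3]

if __name__ == "__main__":
    print(run_flow(SAMPLE_FLOW, limit=5, interval=1.0))
```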
Abstract:
A method and apparatus for handling, maintaining, and controlling network synchronization information emanating from a plurality of line card circuits is described. The technique described may be applied to a redundant pair of line card circuits, where one line card circuit is active, while the other is inactive. Line card activity latches are managed by means of hardware logic that may be configured at the time of line card commissioning. The activity latches are coupled to a logic element. An incoming clock signal is applied to the logic element. If an activity latch indicates that a line card circuit is active, the logic element provides the incoming clock signal as an outgoing clock signal to a control card circuit. If the activity latch indicates that the line card circuit is inactive, the logic element blocks the incoming clock signal from being passed and provides a static output level as the outgoing clock signal to the control card circuit. The control card circuit is provided with circuitry to receive the outgoing clock signals from multiple line card circuits. The circuitry is sensitive to whether or not the line card circuits are configured for redundant operation. One or more of these clock signals are then selected and used for network synchronization.
Abstract:
Communication network application activity monitoring and control apparatus, methods, and data structures are disclosed. A communication network user that initiates access to an application provided in a communication network is identified. Records are dynamically created and maintained to reflect accesses by the user to the application and other applications that are provided in the communication network. The records track application activity by the user. Policies may be established and enforced to control application activity that the user may conduct in the communication network. Conformance with application access restrictions and regulations may be verified or demonstrated by reporting the records, and ensured through policy enforcement.
Abstract:
Communication session admission control systems and methods are disclosed. A state of a communication system is monitored, and admission of a communication session into the communication system is controlled based on a random admission control procedure and a current state of the communication system. Monitoring the current state of equipment in the communication system, connections in the communication system, communication sessions in progress in the communication system, special monitoring sessions established in the communication system, and/or an overall state of the communication system can have several benefits. These benefits may include improving utilization of resources in the system, and providing a session admission control scheme that is capable of reacting to actual observed conditions and adapting to changing system topologies following a fault, for instance. Random admission control further avoids all-or-nothing session blocking, which can have the undesirable effect of prompting a high number of session retries.
Abstract:
Network service operational status monitoring methods and apparatus are disclosed. Responsive to a service status request associated with a network service, an operational status of the network service is determined by an intermediary between a service status requester and the network service. The operational status is a service-specific operational status of the network service in some embodiments. Operational status may be determined through a multi-level procedure in which subsequent levels after a first level of the multi-level procedure are or are not performed depending on a result of a preceding level of the procedure. A multi-level procedure may involve a service connectivity check and a service operational check, for instance.
Abstract:
A method and apparatus for monitoring data traffic in a communication network are provided. A router connected to the communication network monitors information contained in the data traffic and, based on that information, determines whether data in the traffic is indicative of a malicious threat to one or more resources connected to the network. Parameters which control monitoring of traffic at the router, such as the sampling rate and what information is to be extracted from the data, are varied according to the condition of the network so that the monitoring can be adapted to focus on traffic which relates to a particular suspected or detected threat.
Abstract:
A system and method are provided for sorting IP routing table entries in a TCAM for longest prefix matching (LPM) of destination IP addresses. The IP routing table is divided into logical blocks, each block having an associated routing-entry IP prefix length. Each block is of a respective size whose proportion of the total size of the routing table is determined by the associated IP prefix length. The blocks are ordered so that the TCAM returns an LPM when queried. Starting block sizes can be initialized to proportions which reflect the actual expected numbers of routing entries by IP prefix length. The blocks also grow and shrink as entries are added and deleted so as to more closely mirror real-world populations of expected entries having the IP prefix length in question.
Abstract:
Systems and methods of reducing service jitter in WFQ scheduling schemes used in packet traffic management are described. Service jitter is the variance in time between when a queue should have been selected for servicing and when it was actually serviced. Service jitter is generally not a problem in lower-speed applications, but in a high-speed implementation such as an OC-192 device, the resulting latency can lead to downstream service contract violations. According to the invention, jitter is controlled by applying a dampening factor to a difference amount that is used by the WFQ process to adjust its timing of queue selection. The difference amount is queue-specific and is a running difference between calculated and actual queue servicing times.