Abstract:
A method for controlling a denial of service attack involves receiving a plurality of packets from a network, identifying an attacking host based on a severity level of the denial of service attack from the network, wherein the attacking host is identified by an identifying attack characteristic associated with one of the plurality of packets associated with the attacking host, analyzing each of the plurality of packets by a classifier to determine to which of a plurality of temporary data structures each of the plurality of packets is forwarded, forwarding each of the plurality of packets associated with the identifying attack characteristic to one of the plurality of temporary data structures matching the severity level of the denial of service attack as determined by the classifier, requesting a number of packets from the one of the plurality of temporary data structures matching the severity level by the virtual serialization queue, and forwarding the number of packets to the virtual serialization queue.
Abstract:
Incoming network data is processed according to a current hardware classification “engine” configuration. As data is propagated from a network interface to a host system, an activity of one or more components of the host system is monitored. If it is determined that a desired/optimal resource utilization of the host system and/or a desired/optimal network performance is not being achieved, the hardware classification “engine” configuration is dynamically modified.
Abstract:
A method for controlling consumption of resources by a packet destination involves receiving a plurality of packets from a network, identifying the packet destination consuming greater than a pre-determined amount of resources to process the plurality of packets, analyzing each of the plurality of packets by a classifier to determine to which of a plurality of temporary data structures each of the plurality of packets is forwarded, forwarding each of the plurality of packets to one of the plurality of temporary data structures as determined by the classifier, requesting a number of packets from the one of the plurality of temporary data structures associated with the packet destination by the virtual serialization queue, wherein the number of packets is limited by an attack control parameter associated with the virtual serialization queue, and forwarding the number of packets to the virtual serialization queue.
Abstract:
In general, the invention relates to a method for transferring a packet. The method includes receiving the packet by a physical network interface, determining a virtual network interface card (VNIC) using a virtual switching table, where the VNIC is located on a computer operatively connected to the network express manager (NEM) via a chassis interconnect, and the VNIC is executing on a host operating system (OS) in the computer. The method further includes transferring the packet to a receive ring (RR) associated with the VNIC, wherein the RR is located on the NEM, providing the network express manager with a receive descriptor, transferring the packet to the guest OS memory using the receive descriptor, and notifying the guest OS that the packet is in the guest OS memory.
Abstract:
A method for processing packets that includes receiving a packet from a network, analyzing the packet to obtain packet information used to determine to which temporary data structure to forward the packet, if a first list includes the packet information, forwarding the packet to a first temporary data structure, and processing the packet from the first temporary data structure, and if the first list does not include the packet information, forwarding the packet to a second temporary data structure, processing the packet, wherein processing the packet comprises: sending a first test to a source of the packet using the packet information, placing the packet information on the first list, if a successful response to the first test is received, and placing the packet information on a second list, if an unsuccessful response to the first test is received.
Abstract:
A method for processing packets that includes receiving a first packet for a first virtual machine by a network interface card (NIC), classifying the first packet using a hardware classifier, where the hardware classifier is located on the NIC, sending the first packet to a first one of a plurality of receive rings based on the classification, sending the first packet from the first one of the plurality of receive rings to a first virtual network interface card (VNIC), sending the first packet from the first VNIC to a first interface, and sending the first packet from the first interface to the first virtual machine, where the first virtual machine is associated with the first interface, where the first VNIC and the first virtual machine are executing on a host.
Abstract:
In general, the invention relates to reclaiming transmit descriptors by configuring a media access control (MAC) to execute a first MAC layer thread to reclaim a first number of transmit descriptors (TDs) from a first hardware transmit ring (HTR) using a first reclaim algorithm, where the first reclaim algorithm is associated with a first transmission pattern and a first TDR status. The invention further includes receiving, by a virtual NIC (VNIC) executing within the MAC layer, a first number of packets, forwarding the first number of packets to a device driver on the host associated with the physical NIC, and forwarding the first number of packets from the device driver to the physical NIC using the first number of TDs, where the first plurality of TDs are reclaimed by the first MAC layer thread according to the first reclaim algorithm.
Abstract:
A method for managing a guest OS executing on a host. The method includes receiving, from the guest OS associated with a first MAC address, a second MAC address, wherein the first MAC address is associated with a first guest VNIC, wherein the second MAC address is associated with a second guest VNIC; configuring an intermediate VNIC executing on the host OS to forward packets associated with the second MAC address to the guest OS, wherein packets associated with the first MAC address and received by the intermediate VNIC are forwarded to the guest OS; and forwarding the second MAC address from the intermediate VNIC to a device driver associated with a physical NIC, wherein the device driver configures a classifier on the physical NIC to forward packets associated with the second MAC address to a first HRR located on the physical NIC associated with the intermediate VNIC.