Abstract:
A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.
Abstract:
Methods and systems for distributing packets across all available output paths within a network are provided. A distribution key is extracted from each packet and is hashed to generate a hash value. An output path for each packet is selected by using all N bits of the hash value to address a distribution table having at least 2^N indications of the output paths available for that packet. Thus, the stream of packets is distributed, or split up, across the available output paths, thereby balancing the load. In some embodiments, the order of the output paths is randomized within each distribution table. Other embodiments include a forwarding table used to determine the available output paths for a particular packet. In yet other embodiments, the distribution key includes the packet's source and destination, thus preventing packets within the same stream from having varying latencies due to traveling along varying paths.
Abstract:
Access devices and methods according to the invention interconnect digital devices and a network. Setting a parameter associated with each input port of an access device specifies whether the device connected with that port is restricted or unrestricted. When a particular input port is restricted, packet detectors examine the packets received on that port. In some embodiments, an exception handler handles restricted packets from restricted devices in an advantageously flexible manner. In other embodiments, a controller receives a configuration command and sets the restriction parameters accordingly. The invention provides a simple, abstract, easy to use, and flexible tool for network management, configuration, and reconfiguration.
Abstract:
A network device that manages the flow rate of a stream of packets traveling within a network is converted from managing based on data rate to managing based on packet rate. In one embodiment, an interface receives from the device an actual length of a packet and provides to the device an effective length for the packet. A multiplexer generates the effective length by selecting the actual length during data rate mode and selecting a virtual length during packet rate mode. Various embodiments work with network devices that use various traffic management techniques. Such techniques include, but are not limited to: virtual time algorithms for determining excess packets; policing techniques that drop excess packets; and shaping techniques that buffer excess packets for possible later transmission.