公开(公告)号：US07317686B2

公开(公告)日：2008-01-08

申请号：US10242051

申请日：2002-09-12

申请人： Sneha Kasera ,  Ramachandran Ramjee ,  Danny Raz ,  Yuval Shavitt ,  Prasun Sinha

发明人： Sneha Kasera ,  Ramachandran Ramjee ,  Danny Raz ,  Yuval Shavitt ,  Prasun Sinha

IPC分类号： H04J1/16

CPC分类号： H04L47/10 ,  H04L47/20

摘要： A network node computes a fair share data rate for the sharing of a shared communication channel in a local area network. The network node determines the required information for computing the fair share by snooping the network, by receiving the required information from other network nodes, or a combination of the two techniques. Alternatively, instead of computing the fair share data rate, the network node may receive the fair share data rate which was computed by another network node. The fair share data rate is enforced by the network node in a network protocol stack layer above the media access control layer. In one embodiment, the network protocol stack layer above the media access control layer is the link layer.

摘要翻译： 网络节点计算用于在局域网中共享共享通信信道的公平共享数据速率。 网络节点通过窥探网络，通过从其他网络节点接收所需信息或两种技术的组合来确定计算公平共享所需的信息。 或者，代替计算公平共享数据速率，网络节点可以接收由另一个网络节点计算的公平共享数据速率。 公平共享数据速率由媒体访问控制层上方的网络协议栈层中的网络节点实施。 在一个实施例中，媒体访问控制层之上的网络协议栈层是链路层。

公开(公告)号：US06529515B1

公开(公告)日：2003-03-04

申请号：US09409153

申请日：1999-09-30

申请人： Danny Raz ,  Yuval Shavitt

发明人： Danny Raz ,  Yuval Shavitt

IPC分类号： H04L1228

CPC分类号： H04L69/165 ,  H04L29/06 ,  H04L41/00 ,  H04L41/0213 ,  H04L69/16 ,  H04L69/161 ,  H04L69/164

摘要： A distributed network management function is implemented in a computer network using a set of active nodes. Each of the active nodes comprises a router and a logically-separate active engine. The router in a given one of the active nodes diverts active packets associated with the network management function to the corresponding active engine for processing. The active engine supports one or more sessions, based at least in part on the active packets, for implementing at least a portion of the network management function. Each of the sessions supported by the active engine corresponds to a particular distributed task to be performed in the network, and has associated therewith a unique network identifier, such that different programs on different network nodes can belong to the same session. The router and active engine at a given one of the nodes may reside on the same machine, or on physically-separate machines.

摘要翻译： 在计算机网络中使用一组主动节点实现分布式网络管理功能。 每个活动节点包括路由器和逻辑上分离的活动引擎。 给定一个活动节点中的路由器将与网络管理功能相关联的活动分组转移到相应的主动引擎进行处理。 至少部分地基于活动分组，活动引擎支持一个或多个会话，用于实现网络管理功能的至少一部分。 活动引擎支持的每个会话对应于要在网络中执行的特定分布式任务，并且与其相关联的唯一网络标识符，使得不同网络节点上的不同程序可以属于相同的会话。 给定一个节点上的路由器和主动引擎可以驻留在同一台机器上，或者在物理上分开的机器上。

公开(公告)号：US06502175B1

公开(公告)日：2002-12-31

申请号：US09282760

申请日：1999-03-31

申请人： P. Krishnan ,  Danny Raz ,  Yuval Shavitt

发明人： P. Krishnan ,  Danny Raz ,  Yuval Shavitt

IPC分类号： G06F1200

CPC分类号： H04L41/5025 ,  H04L29/06 ,  H04L41/12 ,  H04L67/1002 ,  H04L67/2842

摘要： A method and apparatus for determining locations for and placing k caches in a network for optimizing performance of a network parameter. The method includes the steps of selecting a placement parameter l that is greater than 0, assigning l caches to l arbitrary nodes in the network. selecting l caches to remove from the network, assigning l+1 caches to every possible location in the network, computing and recording network performance data on the network cost parameter for each location and for each selection of l caches, determining a location where the network performance data on the network cost parameter computed and recorded is optimized, assigning l+1 caches to the determined location, and repeating the above steps of selecting l caches, assigning l+1 caches, computing and recording network performance, determining a location, and assigning l+1 caches for k−1 iterations.

摘要翻译： 一种用于确定网络中的k个高速缓存的位置并将其置于网络中以优化网络参数的性能的方法和装置。 该方法包括以下步骤：选择大于0的放置参数l，将l个高速缓存分配给网络中的任意节点。 选择l个高速缓存以从网络中移除，将l + 1个高速缓存分配给网络中的每个可能的位置，计算和记录网络性能数据对每个位置的网络成本参数和每个选择的l个高速缓存，确定网络的位置 优化计算和记录的网络成本参数的性能数据，将l + 1个高速缓存分配给确定的位置，并重复上述步骤，选择l个高速缓存，分配l + 1个高速缓存，计算和记录网络性能，确定位置，以及 为k-1迭代分配l + 1个高速缓存。

公开(公告)号：US20080016566A1

公开(公告)日：2008-01-17

申请号：US11774060

申请日：2007-07-06

申请人： Danny Raz

发明人： Danny Raz

IPC分类号： G06F11/00

CPC分类号： H04L63/1458

摘要： Coordinated SYN denial of service (CSDoS) attacks are reduced or eliminated by a process that instructs a layer 4-7 switch to divert a small fraction of SYN packets destined to a server S to a web guard processor. The web guard processor acts as a termination point in the connection with the one or more clients from which the packets originated, and upon the establishment of a first TCP connection with a legitimate client, opens a new TCP connection to the server and transfers the data between these two connections. It also monitors the number of timed-out connections to each client. When a CSDoS attack is in progress, the number of the forged attack packets and hence the number of timed-out connections increases significantly. If this number exceeds a predetermined threshold amount, the web guard processor declares that this server is under attack. It then reprograms the switch to divert all traffic (i.e. SYN packets) destined to this server to the web guard processor, or to delete all SYN packets to the server in question. If the number of timed-out connections increases, it can also inform other web guard processor arrangements, and/or try to find the real originating hosts for the forged packets. In either event, the server is thus shielded from, and does not feel the effects of, the DoS attack. Alternatively, a simpler approach is to arrange layer 4-7 switches to forward SYN packets to respective “null-cache” TCP proxies that each are arranged to operate without an associated cache, and therefore be inexpensive to install and operate. These null-cache TCP proxies, when subject to a CSDoS attack, will not successfully establish a TCP connection with a malicious host, due to the nature of the attack itself. Accordingly, no connections will be made from the null-cache TCP proxies to the server under attack, and the server will be protected.

摘要翻译： 协调的SYN拒绝服务（CSDoS）攻击是通过指示第4-7层交换机将一小部分去往服务器S的SYN数据包转移到网络保护处理器的过程来减少或消除的。 Web保护处理器充当与发起分组的一个或多个客户端的连接中的终止点，并且在与合法客户端建立第一TCP连接时，向服务器打开新的TCP连接并传送数据 在这两个连接之间。 它还监控每个客户端的超时连接数。 当CSDoS攻击正在进行时，伪造的攻击数据包的数量以及超时连接的数量显着增加。 如果该号码超过预定阈值，则Web保护处理器将声明该服务器受到攻击。 然后重新编程交换机以将发往该服务器的所有业务（即，SYN分组）转移到网络保护处理器，或者将所有SYN分组删除到所讨论的服务器。 如果超时连接的数量增加，它还可以通知其他Web保护处理器的布置，和/或尝试找到伪造的数据包的真正的发起主机。 在任何一种情况下，服务器都被屏蔽，并且不会感觉到DoS攻击的影响。 或者，更简单的方法是布置层4-7交换机将SYN分组转发到相应的“空缓存”TCP代理，每个“代理”被配置为在没有相关联的高速缓存的情况下运行，因此安装和操作便宜。 由于攻击本身的性质，这些空缓存TCP代理在遇到CSDoS攻击时，不会成功地与恶意主机建立TCP连接。 因此，不会将空缓存TCP代理连接到受到攻击的服务器，并且服务器将受到保护。

公开(公告)号：US07251692B1

公开(公告)日：2007-07-31

申请号：US09672206

申请日：2000-09-28

申请人： Danny Raz

发明人： Danny Raz

IPC分类号： G06F15/16 ,  G06F15/173

CPC分类号： H04L63/1458

摘要： Denial of service (CSDoS) attacks are managed by a process that diverts a fraction of SYN packets destined to a server S to a web guard processor. The web guard processor acts as a termination point in the connection with the one or more clients from which the packets originated, and upon the establishment of a first TCP connection with a legitimate client, opens a new TCP connection to the server and transfers the data between these two connections. It also monitors the number of timed-out connections. When an attack is in progress, the number of the forged attack packets and timed-out connections increases significantly. If this number exceeds a predetermined threshold amount, the web guard processor declares that this server is under attack. The switch diverts all traffic (i.e. SYN packets) destined to this server to the web guard processor, or to delete all SYN packets to the server.

摘要翻译： 拒绝服务（CSDoS）攻击由一个将去往服务器S的一小部分SYN数据包转发到网络防护处理器的进程管理。 Web保护处理器充当与发起分组的一个或多个客户端的连接中的终止点，并且在与合法客户端建立第一TCP连接时，向服务器打开新的TCP连接并传送数据 在这两个连接之间。 它还监视超时连接的数量。 当攻击正在进行时，伪造的攻击数据包和超时连接的数量显着增加。 如果该号码超过预定阈值，则Web保护处理器将声明该服务器受到攻击。 交换机将发往此服务器的所有流量（即SYN数据包）转移到Web保护处理器，或将所有SYN数据包删除到服务器。

公开(公告)号：US07627677B2

公开(公告)日：2009-12-01

申请号：US11774060

申请日：2007-07-06

申请人： Danny Raz

发明人： Danny Raz

IPC分类号： G06F15/16 ,  G06F15/173

CPC分类号： H04L63/1458

摘要： Coordinated SYN denial of service (CSDoS) attacks are reduced or eliminated by a process that instructs a switch to divert SYN rackets destined to a server to a TCP proxy which, when subject to a CSDoS attack, will not successfully establish a TCP connection with a host. CSDoS attacks are reduced or eliminated by a process that includes forwarding a sampling of packets destined to a server to a processor and, when packets in the sampling indicate an attack, arranging the switch to divert all packets destined to the server to the processor. CSDoS attacks are reduced or eliminated in a system including a switch, a server, and a processor, where the processor is adapted to control the network switch to divert all SYN packets destined to the server to the processor based on monitoring a number of timed-out connections between the processor and one or more clients.

摘要翻译： 协调的SYN拒绝服务（CSDoS）攻击是通过指示交换机将注册到服务器的SYN网络转移到TCP代理的进程来减少或消除的，当TCP受到CSDoS攻击时，它不会成功建立TCP连接 主办。 CSDoS攻击通过以下过程减少或消除，该过程包括将去往服务器的数据包的采样转发到处理器，并且当采样中的数据包指示攻击时，安排交换机将转发到服务器的所有数据包转移到处理器。 在包括交换机，服务器和处理器的系统中，CSDoS攻击被减少或消除，其中处理器适于控制网络交换机，以便基于监视多个定时器来控制到服务器的所有SYN分组到处理器， 处理器与一个或多个客户端之间的连接。

公开(公告)号：US06606710B2

公开(公告)日：2003-08-12

申请号：US10179460

申请日：2002-06-24

申请人： P. Krishnan ,  Danny Raz ,  Binay Sugla

发明人： P. Krishnan ,  Danny Raz ,  Binay Sugla

IPC分类号： G06F1130

CPC分类号： H04L63/0227 ,  H04L63/0263

摘要： A packet data filter which stores ordered rules and sequentially applies the rules to received data packets to determine the disposition of the data packet. The packet filter maintains a match count in memory which indicates the number of times each rule matched an incoming data packet. Periodically, at the initiation of a user, or based on operating parameters of the filter, the rules are automatically re-ordered based on the match count. As a result of the re-ordering, rules with higher match counts are moved earlier in the sequential evaluation order and rules with lower match counts are moved later in the sequential evaluation order. As such, rules which are more likely to match incoming data packets are evaluated earlier, thus avoiding the evaluation of later rules. In order to prevent a re-ordering which would change the overall security policy of the packet filter, pairs of rules are compared to determine if they conflict (i.e., the swapping of the two rules would result in a change in the overall security policy). During re-ordering, the swapping of conflicting rules is prevented.

摘要翻译： 分组数据过滤器，其存储有序规则，并且将规则顺序地应用于接收的数据分组，以确定数据分组的配置。 分组过滤器在内存中保持匹配计数，其指示每个规则与输入数据分组匹配的次数。 定期地，在用户开始时，或者基于过滤器的操作参数，基于匹配计数自动重新排序规则。 作为重新排序的结果，具有较高匹配计数的规则在顺序评估顺序中被更早地移动，并且具有较低匹配计数的规则将在顺序评估顺序中稍后移动。 因此，较早地评估更有可能匹配传入数据分组的规则，从而避免对稍后规则的评估。 为了防止重新排序，这将改变分组过滤器的整体安全策略，将比较对规则来确定它们是否冲突（即，两个规则的交换将导致总体安全策略的改变） 。 在重新订购期间，阻止了冲突规则的交换。

公开(公告)号：US5439309A

公开(公告)日：1995-08-08

申请号：US48897

申请日：1993-04-20

申请人： Danny Raz

发明人： Danny Raz

IPC分类号： E04B1/19 ,  E04B1/58 ,  F16B7/04 ,  F16B7/22 ,  F16L37/26 ,  G08B23/00

CPC分类号： E04B1/1903 ,  E04B1/585 ,  F16B7/0406 ,  F16B7/044 ,  F16B7/22 ,  E04B2001/1927 ,  E04B2001/1966 ,  Y10T403/581 ,  Y10T403/583 ,  Y10T403/655

摘要： A joint coupling for axially connecting together a first joint and a second joint, which includes first and second joints each having a complementary member sized and shaped so that, when the joints are properly aligned, the complementary members form an overlap structure which is effectively a continuation of the first joint or the second joint, and a sleeve which is slidable over the overlap structure to secure the joint coupling. The inside surfaces of the sleeve are tapered, as are the outside surfaces of the overlap structure such that when the sleeve is slid completely over the overlap structure, the inside surfaces of the sleeve make full contact with the outside surfaces of the overlap structure to firmly secure the joint coupling. Two or more joints may be joined at any desired relative orientation by use of a hub which has complementary elements which can accommodate the complementary members of the joints. The joint couplings can be readily used to create complicated structures of virtually any desired shape.

摘要翻译： 一种用于将第一接头和第二接头轴向连接在一起的联接接头，其包括第一和第二接头，每个接头均具有尺寸和形状的互补构件，使得当接头被适当对准时，互补部件形成重叠结构， 第一关节或第二关节的延伸，以及可在覆盖结构上滑动以固定关节联接的套筒。 套筒的内表面与重叠结构的外表面一样是锥形的，使得当套筒完全滑过重叠结构时，套筒的内表面与重叠结构的外表面完全接触以牢固地 固定接头联轴器。 两个或更多个接头可以通过使用具有可容纳接头的互补构件的互补元件的毂而以任何期望的相对定向连接。 接头联接件可以容易地用于产生几乎任何所需形状的复杂结构。

公开(公告)号：US09015229B1

公开(公告)日：2015-04-21

申请号：US13104623

申请日：2011-05-10

申请人： Danny Raz ,  Nareshkumar Rajkumar ,  Leeann Bent ,  Bradley Whitehead ,  Douglas Zongker

发明人： Danny Raz ,  Nareshkumar Rajkumar ,  Leeann Bent ,  Bradley Whitehead ,  Douglas Zongker

IPC分类号： G06F15/16 ,  G06F13/38

CPC分类号： G06F13/38 ,  G06F9/5083 ,  G06F2209/502

摘要： User information describing a group of users of a distributed computer system configured to store and retrieve individualized user data associated with individual ones of the group of users, and system resource information associated with the distributed computer system, may be obtained. A global distribution plan describing a distribution of at least a portion of the individualized user data associated with the group may be determined based on a global optimization function of the obtained user information and system resource information associated with the distributed computer system, wherein the global optimization function is based on optimizing a global distribution of the portion of the individualized user data based on a determination of a measure of performance and fault tolerance associated with a model of the distributed computer system configured in accordance with the global distribution plan. The determined global distribution plan may be provided to a device for processing.

摘要翻译： 描述被配置为存储和检索与所述用户组中的各个用户相关联的个性化用户数据的分布式计算机系统的用户组的用户信息，以及与所述分布式计算机系统相关联的系统资源信息。 可以基于所获得的用户信息和与分布式计算机系统相关联的系统资源信息的全局优化功能来确定描述与组相关联的至少一部分个性化用户数据的分布的全局分发计划，其中全局优化 功能基于基于与根据全球分配计划配置的分布式计算机系统的模型相关联的性能和容错度量度的确定来优化个体化用户数据的一部分的全局分布。 可以将确定的全球分配计划提供给用于处理的设备。

公开(公告)号：US08402129B2

公开(公告)日：2013-03-19

申请号：US09813415

申请日：2001-03-21

申请人： Mark Dilman ,  Danny Raz

发明人： Mark Dilman ,  Danny Raz

IPC分类号： G06F15/173

CPC分类号： H04L41/00 ,  H04L41/0681 ,  H04L41/147 ,  H04L43/00 ,  H04L43/0882 ,  H04L43/10 ,  H04L43/103 ,  H04L43/16 ,  H04L67/1002 ,  H04L67/1029 ,  H04L2029/06054

摘要： A technique for managing network elements significantly reduces the amount of monitoring related traffic by using a combination of aperiodic polling and asynchronous event reporting. A global resource (e.g., a network of interconnected nodes or resources) is partitioned into a plurality of separate nodes, giving a fixed resource budget to each of the nodes. When any of the nodes exceeds its budget, based upon local monitoring at that node, the node triggers a report, typically sending a message to a central manager. In response, the central manager then and only then issues a global poll of all (or substantially all) of the nodes in the network. A rate based technique can also be used to monitor resource usage at the nodes, and send a message to a central monitoring location only when the rate at which the value of a local variable changes is too high.

摘要翻译： 用于管理网络元件的技术通过使用非周期轮询和异步事件报告的组合来显着地减少监视相关流量的量。 将全局资源（例如，互连的节点或资源的网络）划分为多个单独的节点，给每个节点提供固定的资源预算。 当任何节点超过其预算时，基于该节点处的本地监视，节点触发报告，通常向中央管理员发送消息。 作为回应，中央管理员然后仅发布对网络中所有（或基本上所有）节点的全局轮询​​。 基于速率的技术也可以用于监视节点的资源使用情况，只有当局部变量的值变化的速率太高时才将消息发送到中央监控位置。