SYSTEMS AND METHODS FOR GENERATING AND MANAGING COOKIE SIGNATURES FOR PREVENTION OF HTTP DENIAL OF SERVICE IN MULTI-CORE SYSTEM
First Claim
1. A method for generating cookie signatures in a multi-core intermediary providing security protection between a plurality of clients and one or more servers, the method comprising:
- (a) establishing, by a first packet processing engine executing on a first core of an intermediary device comprising a plurality of packet processing engines executing on a corresponding core of a plurality of cores, a first cookie timer having a first predetermined time period, the cookie timer to signal regeneration of cookie signatures;
- (b) storing, by the first packet processing engine responsive to an expiration of the cookie timer, a random seed in shared memory accessible by each of the plurality of packet processing engines, a new random seed generated by the first packet processing engine responsive to each expiration of the cookie timer;
- (c) storing, by a second packet processing engine of the plurality of packet processing engines, the random seed obtained from the shared memory to a cache of the second packet processing engine;
- (d) generating, by the second packet processing engine, one or more cookie signatures based on the random seed; and
- (e) determining, by the second packet processing engine responsive to a second cookie timer established by the second packet processing engine having a second predetermined timer period less than the first predetermined time period, whether the random seed in shared memory has changed in comparison to the random seed stored in the cache of the second packet processing engine.
Abstract
The present application is directed towards systems and methods for generating and maintaining cookie consistency for security protection across a plurality of cores in a multi-core system. A packet processing engine executing on one core designated as a primary packet processing engine generates and maintains a global random seed. The global random seed may be used as an initial seed for creation of cookie signatures by each of a plurality of packet processing engines executing on a plurality of cores of the multi-core system using a deterministic pseudo-random number generation function such that each core creates an identical set of cookie signatures.
20 Claims
11. A method for generating cookie signatures in a multi-core intermediary providing security protection between a plurality of clients and one or more servers, the method comprising:
- (a) generating, by a second packet processing engine executing on a second core of an intermediary device comprising a plurality of packet processing engines executing on a corresponding core of a plurality of cores, a set of current cookie signatures based on a random seed established by a first packet processing engine executing on a first core of the plurality of cores;
- (b) storing, by the second packet processing engine responsive to an expiration of a cookie timer, the set of current cookie signatures to a set of previous cookie signatures;
- (c) receiving, by the second packet processing engine, a request from a client to access a server, the request comprising a cookie;
- (d) determining, by the second packet processing engine, that a signature of the cookie does not correspond to either of the set of previous cookie signatures and the set of current cookie signatures;
- (e) generating, by the second packet processing engine, a second set of current cookie signatures responsive to identifying that the random seed of the first packet processing engine has changed; and
- (f) determining, by the second packet processing engine, whether to accept the request responsive to whether the cookie signature of the cookie corresponds to the second set of current cookie signatures.
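The scheme described in the abstract and in claims 1 and 11 (a primary core publishing a seed on a long timer, the other cores caching it, re-checking on a shorter timer, deriving identical signature sets deterministically, and accepting cookies against the previous or current set) is modelled by the following Python simulation. It is an added example, not code from the patent or any product; the SHA-256 derivation, the set size of four, and the explicit timer-callback methods are assumptions standing in for the patent's unspecified deterministic pseudo-random function and real timers.

```python
import hashlib, secrets

SIGNATURES_PER_SEED = 4  # constructed: how many signatures each seed yields

class SharedMemory:
    """Stands in for the shared memory every packet processing engine can read."""
    def __init__(self):
        self.seed = None

class PrimaryEngine:
    """The core designated primary: owns the long cookie timer and the global seed."""
    def __init__(self, shared):
        self.shared = shared
        self.on_cookie_timer()

    def on_cookie_timer(self):
        # Each expiry of the longer cookie timer publishes a fresh random seed.
        self.shared.seed = secrets.token_bytes(16)

def derive_signatures(seed):
    # Deterministic function of the seed (SHA-256 here, an assumption), so
    # every core computes an identical signature set from the same seed.
    return {hashlib.sha256(seed + bytes([i])).hexdigest()[:16]
            for i in range(SIGNATURES_PER_SEED)}

class SecondaryEngine:
    """Any other core: caches the seed and re-reads it on a shorter timer."""
    def __init__(self, shared):
        self.shared = shared
        self.cached_seed = shared.seed
        self.current = derive_signatures(self.cached_seed)
        self.previous = set()

    def on_check_timer(self):
        """Shorter timer: if the shared seed changed, rotate current -> previous."""
        if self.shared.seed == self.cached_seed:
            return False
        self.cached_seed = self.shared.seed
        self.previous, self.current = self.current, derive_signatures(self.cached_seed)
        return True

    def sign(self):
        # A newly issued cookie carries one of the current signatures.
        return min(self.current)

    def accept(self, cookie_sig):
        if cookie_sig in self.current or cookie_sig in self.previous:
            return True
        # Unknown signature: re-read the seed and accept only against the new current set.
        return self.on_check_timer() and cookie_sig in self.current
```

A cookie issued by one core is accepted by another without any cross-core message, and a cookie survives exactly one seed rotation (the previous set) before it is rejected, which is what limits how long a replayed cookie stays valid.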