Adaptive traffic bypassing in an intercepting network driver
Abstract
An Internet Protocol driver executed by a network interface card, or a network address translation module, includes a mechanism that enables a server to bypass packets associated with certain destinations, sources, or a combination of the two based upon their IP address. When a packet arrives at the network interface card, the driver extracts a source IP address and a destination IP address from the packet. The driver searches a table to locate a rule matching one of the addresses. If a match is found, the packet is bypassed. If no match is found, the packet is sent on to an indexing and caching server for further processing. The bypass rules may be adaptively and dynamically generated when a message causes a remote server to respond with an error code. The dynamically generated bypass rules prevent the first server from sending subsequent requests to the remote server, thereby insulating the indexing and caching server from unnecessary network traffic.
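The lookup and adaptive rule generation described in the abstract can be sketched as follows. This is an added example, not code from the patent or any product. The function and flag names, the use of HTTP 403/404 as the triggering error codes, the `0` wildcard address, and the fixed table capacity are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ADDR_ANY  0u  /* wildcard address in a rule (assumption) */
#define MAX_RULES 64  /* fixed capacity: remote errors cannot grow the table without bound (assumption) */

/* Bypass activation flags, one per error condition (hypothetical names). */
#define FLAG_FORBIDDEN 0x1u  /* origin answered 403 */
#define FLAG_NOT_FOUND 0x2u  /* origin answered 404 */

enum verdict { TO_CACHE = 0, BYPASS = 1 };

struct bypass_rule  { uint32_t src, dst; };
struct bypass_table { struct bypass_rule rule[MAX_RULES]; size_t count; unsigned flags; };

/* Constructed sample: minimal IPv4 header, 192.0.2.10 -> 198.51.100.7. */
static const uint8_t SAMPLE_PKT[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xc0, 0x00, 0x02, 0x0a, 0xc6, 0x33, 0x64, 0x07
};

/* Extract source and destination from an IPv4 header; -1 if not parseable. */
static int extract_addrs(const uint8_t *p, size_t len, uint32_t *src, uint32_t *dst)
{
    if (len < 20 || (p[0] >> 4) != 4 || (p[0] & 0x0f) < 5)
        return -1;
    *src = (uint32_t)p[12] << 24 | (uint32_t)p[13] << 16 | (uint32_t)p[14] << 8 | p[15];
    *dst = (uint32_t)p[16] << 24 | (uint32_t)p[17] << 16 | (uint32_t)p[18] << 8 | p[19];
    return 0;
}

static bool rule_matches(const struct bypass_rule *r, uint32_t src, uint32_t dst)
{
    return (r->src == ADDR_ANY || r->src == src) &&
           (r->dst == ADDR_ANY || r->dst == dst);
}

/* Search the table for a rule matching the packet's addresses. */
enum verdict bypass_lookup(const struct bypass_table *t, uint32_t src, uint32_t dst)
{
    for (size_t i = 0; i < t->count; i++)
        if (rule_matches(&t->rule[i], src, dst))
            return BYPASS;
    return TO_CACHE;
}

/* Returns 1 if a rule was added, 0 if already covered, -1 if refused. */
int bypass_add(struct bypass_table *t, uint32_t src, uint32_t dst)
{
    if (src == ADDR_ANY && dst == ADDR_ANY)
        return -1;                       /* would bypass all traffic */
    if (bypass_lookup(t, src, dst) == BYPASS)
        return 0;
    if (t->count == MAX_RULES)
        return -1;                       /* table full: keep intercepting */
    t->rule[t->count++] = (struct bypass_rule){ src, dst };
    return 1;
}

/* Adaptive path: add a source-destination rule when the origin's error
 * code maps to an activation flag that is set on this table. */
int bypass_on_response(struct bypass_table *t, uint32_t src, uint32_t dst, int status)
{
    unsigned need = status == 403 ? FLAG_FORBIDDEN :
                    status == 404 ? FLAG_NOT_FOUND : 0;
    if (need == 0 || !(t->flags & need))
        return 0;
    return bypass_add(t, src, dst);
}

/* Per-packet decision made by the driver. */
enum verdict classify_packet(const struct bypass_table *t, const uint8_t *pkt, size_t len)
{
    uint32_t src, dst;
    if (extract_addrs(pkt, len, &src, &dst) != 0)
        return BYPASS;                   /* unparseable traffic goes to the origin */
    return bypass_lookup(t, src, dst);
}

int main(void)
{
    struct bypass_table t = { .flags = FLAG_FORBIDDEN };
    uint32_t src, dst;

    extract_addrs(SAMPLE_PKT, sizeof SAMPLE_PKT, &src, &dst);
    printf("before: %d\n", classify_packet(&t, SAMPLE_PKT, sizeof SAMPLE_PKT));
    printf("404 -> rule added: %d\n", bypass_on_response(&t, src, dst, 404));
    printf("403 -> rule added: %d\n", bypass_on_response(&t, src, dst, 403));
    printf("after: %d\n", classify_packet(&t, SAMPLE_PKT, sizeof SAMPLE_PKT));
    return 0;
}
```

Because rules are created from responses a remote server controls, the sketch caps the table size and refuses an all-wildcard rule so that a burst of error responses cannot disable interception wholesale.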
90 Claims
-
1. In a system that routes requests for information destined for an origin server via an interception device, and redirects the intercepted requests for information to a proxy processing engine that participates in processing the requests for information, a method of routing the requests for information comprising the steps of:
-
receiving feature information identifying one or more features of a current transaction or environment;
selecting a bypass percentage value based on the values of system parameters and tolerances;
generating a pseudo-random value using a pseudo-random number generator;
selectively bypassing the proxy processing engine for a particular request for information so that the proxy processing engine does not participate in the processing of the particular request for information;
wherein the selective bypassing of the proxy processing engine is based upon the feature information and environmental information and whether the pseudo-random value is less than the bypass percentage; and
redirecting the particular request for information to the origin server.
storing, in association with the proxy processing engine, a plurality of bypass activation flags, one of each associated with various error conditions, wherein each of the flags is associated with a different error condition that may occur in the processing of an intercepted request for information; and
detecting a particular error condition associated with the processing of the particular request for information, and augmenting the bypass table to prevent future interception of protocol traffic from a client destined for the origin server, when the flag associated with that particular error condition is set.
-
-
12. The method recited in claim 11, further comprising the steps of augmenting the bypass table by addition of a source-destination bypass rule that prevents intercept processing of protocol traffic from a particular client network address destined for a particular origin server network address.
-
13. The method recited in claim 1, further comprising the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to receiving one or more packets that conform to one or more protocols that are not supported by the proxy processing engine.
-
14. The method recited in claim 1, further comprising the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to receiving erroneous or unsupported requests for information from a client.
-
15. The method recited in claim 1, further comprising the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to receiving an error message from the origin server that indicates refusal or inability to correctly respond to the particular request for information.
-
16. The method recited in claim 1, further comprising the steps of:
-
determining whether one or more system metrics are outside normal tolerances;
inferring that either the origin server or a node on which the proxy processing engine is disposed is under attack when one or more of the system metrics are outside normal tolerances; and
creating and storing one or more bypass rules for use in augmenting a bypass table and that bypass one or more requests for information associated with the attack in response to determining that either the origin server or the node on which the proxy processing engine is disposed is under attack.
-
-
17. The method recited in claim 16, wherein determining whether one or more system metrics are outside normal tolerances includes measuring one or more system metrics selected from among:
- the frequency of packets sent to or from a particular destination, connections opened to or from a destination, listen queue length, errors per unit time, and overall system performance.
-
18. The method recited in claim 1, further comprising the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to detecting a persistent failure of either the origin server or the node on which the proxy processing engine is disposed.
-
19. The method recited in claim 1, further comprising the steps of determining that at least a portion of the particular request for information is presented in a foreign, malformed, or unprocessable protocol, and in response thereto, sending the network information to the origin server in the network, thereby bypassing the proxy processing engine.
-
20. The method recited in claim 1, further comprising the steps of:
-
inferring that the origin server uses client address identification to parameterize the processing of a transaction, through examination of protocol request and response data; and
in response thereto, bypassing the particular request for information to the origin server in the network, thereby bypassing the proxy processing engine and preserving an original client address in the particular request for information.
-
-
21. The method recited in claim 20, further comprising the steps of inferring that the origin server uses client address information to parameterize the processing of a transaction by the presence of particular transaction response codes, including codes that indicate forbidden access and missing content.
-
22. The method recited in claim 1, further comprising the steps of determining that a redirection target identified in the particular request for information is overloaded, and in response thereto, directing the particular request for information to the origin server in the network to prevent overload of the redirection target.
-
23. The method recited in claim 1, further comprising the steps of:
-
creating and storing one or more lists of servers that do not interact well with the proxy processing engine;
determining that the particular request for information identifies one of the servers in one of the lists of servers;
in response thereto, directing the particular request for information to the origin server in the network and away from the proxy processing engine.
-
-
24. The method recited in claim 1, further comprising the steps of determining that the particular request for information relates to a transaction that will not benefit from redirection to the proxy processing engine and in response thereto, directing the particular request for information to the origin server in the network and away from the proxy processing engine.
-
25. The method recited in claim 24, further comprising the steps of determining that the particular request for information relates to a transaction that will not benefit from redirection to the proxy processing engine based on examination of transaction type and resource identifying information from the particular request for information.
-
26. The method recited in claim 25, further comprising the steps of:
-
extracting a transaction request type, resource identifying information, and additional request attribute information from the particular request for information; and
generating instructions that cause bypassing of the proxy processing engine when the transaction request type is not supported, or the transaction request type gains no benefit from a caching or proxy server, or the resource identifying information contains syntactic patterns suggesting lack of cachability, or the additional request attributes suggest lack of cachability.
-
-
27. The method recited in claim 25, further comprising the steps of:
-
exchanging one or more packets among the proxy processing engine and a client to sufficiently establish a communication channel in order to receive enough transaction request data to make a bypass determination; and
if a bypass determination is made, establishing a new connection to the origin server, replaying consumed data and forwarding remaining data to the origin server, rewriting packet addresses and headers as necessary, to provide a complete and proper bypassed data stream to the origin server.
-
-
28. The method recited in claim 1, further comprising periodically uploading bypass tables to a centralized server, thereby aggregating adaptive bypass information from individual, distributed servers.
-
29. The method recited in claim 1, further comprising periodically downloading predetermined bypass tables from centralized servers in the network, replacing or augmenting a current local bypass list, thereby sharing and disseminated centralized, professionally managed, or aggregated bypass information.
-
30. The method recited in claim 11, further comprising the steps of:
-
suppressing client response data until a bypass generation determination is made; and
when a bypass rule is generated, and when a client-server transaction is deemed important issuing a transaction retry request to the client, whereby the client retries the transaction, the retried transaction matches the bypass list, and the transaction is vectored to the origin server for correct processing.
-
-
31. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors to route requests for information destined for an origin server via an interception device by:
-
receiving feature information identifying one or more features of a current transaction or environment;
selecting a bypass percentage value based on the values of system parameters and tolerances;
generating a pseudo-random value using a pseudo-random number generator;
selectively bypassing a proxy processing engine for a particular request for information so that the proxy processing engine does not participate in the processing of the particular request for information;
wherein the selective bypassing of the proxy processing engine is based upon the feature information and environmental information and whether the pseudo-random value is less than the bypass percentage; and
redirecting the particular request for information to the origin server.
storing, in association with the proxy processing engine, a plurality of bypass activation flags, one of each associated with various error conditions, wherein each of the flags is associated with a different error condition that may occur in the processing of an intercepted request for information; and
detecting a particular error condition associated with the processing of the particular request for information, and augmenting the bypass table to prevent future interception of protocol traffic from a client destined for the origin server, when the flag associated with that particular error condition is set.
-
-
42. The computer-readable medium recited in claim 41, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of augmenting the bypass table by addition of a source-destination bypass rule that prevents intercept processing of protocol traffic from a particular client network address destined for a particular origin server network address.
-
43. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to receiving one or more packets that conform to one or more protocols that are not supported by the proxy processing engine.
-
44. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to receiving erroneous or unsupported requests for information from a client.
-
45. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to receiving an error message from the origin server that indicates refusal or inability to correctly respond to the particular request for information.
-
46. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
determining whether one or more system metrics are outside normal tolerances;
inferring that either the origin server or a node on which the proxy processing engine is disposed is under attack when one or more of the system metrics are outside normal tolerances; and
creating and storing one or more bypass rules for use in augmenting a bypass table and that bypass one or more requests for information associated with the attack in response to determining that either the origin server or the node on which the proxy processing engine is disposed is under attack.
-
-
47. The computer-readable medium recited in claim 46, wherein determining whether one or more system metrics are outside normal tolerances includes measuring one or more system metrics selected from among:
- the frequency of packets sent to or from a particular destination, connections opened to or from a destination, listen queue length, errors per unit time, and overall system performance.
-
48. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to detecting a persistent failure of either the origin server or the node on which the proxy processing engine is disposed.
-
49. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of determining that at least a portion of the particular request for information is presented in a foreign, malformed, or unprocessable protocol, and in response thereto, sending the network information to the origin server in the network, thereby bypassing the proxy processing engine.
-
50. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
inferring that the origin server uses client address identification to parameterize the processing of a transaction, through examination of protocol request and response data; and
in response thereto, bypassing the particular request for information to the origin server in the network, thereby bypassing the proxy processing engine and preserving an original client address in the particular request for information.
-
-
51. The computer-readable medium recited in claim 50, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of inferring that the origin server uses client address information to parameterize the processing of a transaction by the presence of particular transaction response codes, including codes that indicate forbidden access and missing content.
-
52. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of determining that a redirection target identified in the particular request for information is overloaded, and in response thereto, directing the particular request for information to the origin server in the network to prevent overload of the redirection target.
-
53. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
creating and storing one or more lists of servers that do not interact well with the proxy processing engine;
determining that the particular request for information identifies one of the servers in one of the lists of servers;
in response thereto, directing the particular request for information to the origin server in the network and away from the proxy processing engine.
-
-
54. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of determining that the particular request for information relates to a transaction that will not benefit from redirection to the proxy processing engine and in response thereto, directing the particular request for information to the origin server in the network and away from the proxy processing engine.
-
55. The computer-readable medium recited in claim 54, further comprising the steps of determining that the particular request for information relates to a transaction that will not benefit from redirection to the proxy processing engine based on examination of transaction type and resource identifying information from the particular request for information.
-
56. The computer-readable medium recited in claim 55, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
extracting a transaction request type, resource identifying information, and additional request attribute information from the particular request for information; and
generating instructions that cause bypassing of the proxy processing engine when the transaction request type is not supported, or the transaction request type gains no benefit from a caching or proxy server, or the resource identifying information contains syntactic patterns suggesting lack of cachability, or the additional request attributes suggest lack of cachability.
-
-
57. The computer-readable medium recited in claim 55, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
exchanging one or more packets among the proxy processing engine and a client to sufficiently establish a communication channel in order to receive enough transaction request data to make a bypass determination; and
if a bypass determination is made, establishing a new connection to the origin server, replaying consumed data and forwarding remaining data to the origin server, rewriting packet addresses and headers as necessary, to provide a complete and proper bypassed data stream to the origin server.
-
-
58. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of periodically uploading bypass tables to a centralized server, thereby aggregating adaptive bypass information from individual, distributed servers.
-
59. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of periodically downloading predetermined bypass tables from centralized servers in the network, replacing or augmenting the current local bypass list, thereby sharing and disseminated centralized, professionally managed, or aggregated bypass information.
-
60. The computer-readable medium recited in claim 31, further comprising one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
suppressing client response data until a bypass generation determination is made; and
when a bypass rule is generated, and when a client-server transaction is deemed important issuing a transaction retry request to the client, whereby the client retries the transaction, the retried transaction matches a bypass list, and the transaction is vectored to the origin server for correct processing.
-
-
61. An apparatus comprising a memory carrying one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors to route requests for information destined for an origin server via an interception device by:
-
receiving feature information identifying one or more features of a current transaction or environment;
selecting a bypass percentage value based on the values of system parameters and tolerances;
generating a pseudo-random value using a pseudo-random number generator;
selectively bypassing a proxy processing engine for a particular request for information so that the proxy processing engine does not participate in the processing of the particular request for information;
wherein the selective bypassing of the proxy processing engine is based upon the feature information and environmental information and whether the pseudo-random value is less than the bypass percentage; and
redirecting the particular request for information to the origin server.
storing, in association with the proxy processing engine, a plurality of bypass activation flags, one of each associated with various error conditions, wherein each of the flags is associated with a different error condition that may occur in the processing of an intercepted request for information; and
detecting a particular error condition associated with the processing of the particular request for information, and augmenting the bypass table to prevent future interception of protocol traffic from a client destined for the origin server, when the flag associated with that particular error condition is set.
-
-
72. The apparatus recited in claim 71, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of augmenting the bypass table by addition of a source-destination bypass rule that prevents intercept processing of protocol traffic from a particular client network address destined for a particular origin server network address.
-
73. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to receiving one or more packets that conform to one or more protocols that are not supported by the proxy processing engine.
-
74. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to receiving erroneous or unsupported requests for information from a client.
-
75. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to receiving an error message from the origin server that indicates refusal or inability to correctly respond to the particular request for information.
-
76. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
determining whether one or more system metrics are outside normal tolerances;
inferring that either the origin server or a node on which the proxy processing engine is disposed is under attack when one or more of the system metrics are outside normal tolerances; and
creating and storing one or more bypass rules for use in augmenting a bypass table and that bypass one or more requests for information associated with the attack in response to determining that either the origin server or the node on which the proxy processing engine is disposed is under attack.
-
-
77. The apparatus recited in claim 76, wherein determining whether one or more system metrics are outside normal tolerances includes measuring one or more system metrics selected from among:
- the frequency of packets sent to or from a particular destination, connections opened to or from a destination, listen queue length, errors per unit time, and overall system performance.
-
78. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of creating and storing one or more bypass rules for use in augmenting a bypass table in response to detecting a persistent failure of either the origin server or the node on which the proxy processing engine is disposed.
-
79. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of determining that at least a portion of the particular request for information is presented in a foreign, malformed, or unprocessable protocol, and in response thereto, sending the network information to the origin server in the network, thereby bypassing the proxy processing engine.
-
80. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
inferring that the origin server uses client address identification to parameterize the processing of a transaction, through examination of protocol request and response data; and
in response thereto, bypassing the particular request for information to the origin server in the network, thereby bypassing the proxy processing engine and preserving an original client address in the particular request for information.
-
-
81. The apparatus recited in claim 80, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of inferring that the origin server uses client address information to parameterize the processing of a transaction by the presence of particular transaction response codes, including codes that indicate forbidden access and missing content.
-
82. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of determining that a redirection target identified in the particular request for information is overloaded, and in response thereto, directing the particular request for information to the origin server in the network to prevent overload of the redirection target.
-
83. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
creating and storing one or more lists of servers that do not interact well with the proxy processing engine;
determining that the particular request for information identifies one of the servers in one of the lists of servers;
in response thereto, directing the particular request for information to the origin server in the network and away from the proxy processing engine.
-
-
84. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of determining that the particular request for information relates to a transaction that will not benefit from redirection to the proxy processing engine and in response thereto, directing the particular request for information to the origin server in the network and away from the proxy processing engine.
-
85. The apparatus recited in claim 84, the memory carrying the steps of determining that the particular request for information relates to a transaction that will not benefit from redirection to the proxy processing engine based on examination of transaction type and resource identifying information from the particular request for information.
-
86. The apparatus recited in claim 85, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
extracting a transaction request type, resource identifying information, and additional request attribute information from the particular request for information; and
generating instructions that cause bypassing of the proxy processing engine when the transaction request type is not supported, or the transaction request type gains no benefit from a caching or proxy server, or the resource identifying information contains syntactic patterns suggesting lack of cachability, or the additional request attributes suggest lack of cachability.
-
-
87. The apparatus recited in claim 85, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
exchanging one or more packets among the proxy processing engine and a client to sufficiently establish a communication channel in order to receive enough transaction request data to make a bypass determination; and
if a bypass determination is made, establishing a new connection to the origin server, replaying consumed data and forwarding remaining data to the origin server, rewriting packet addresses and headers as necessary, to provide a complete and proper bypassed data stream to the origin server.
-
-
88. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of periodically uploading bypass tables to a centralized server, thereby aggregating adaptive bypass information from individual, distributed servers.
-
89. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of periodically downloading predetermined bypass tables from centralized servers in the network, replacing or augmenting the current local bypass list, thereby sharing and disseminated centralized, professionally managed, or aggregated bypass information.
-
90. The apparatus recited in claim 61, the memory carrying one or more sequences of additional instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of the steps of:
-
suppressing client response data until a bypass generation determination is made; and
when a bypass rule is generated, and when a client-server transaction is deemed important issuing a transaction retry request to the client, whereby the client retries the transaction, the retried transaction matches a bypass list, and the transaction is vectored to the origin server for correct processing.
-
Specification