Connection rate limiting
First Claim
1. A computer implemented method for firewall load balancing connection rate limiting, the method comprising:
- incrementing, by a counter incrementer module of a network switch, a counter each time a new connection request for a destination firewall load balancing service is received and a firewall is selected from a plurality of firewalls of the firewall load balancing service to handle the new connection request, the request identifying a source of the request, the request further identifying the destination firewall load balancing service, the counter indicating a total number of times the destination firewall load balancing service has been requested by all sources within a predetermined time interval by examining a destination address of the request;
dropping, by a connection request dropper module of the network switch, the new connection requests for the firewall load balancing service if the counter increases at a rate exceeding a predetermined connection rate limit for the firewall load balancing service, the dropping further comprising sending, by a source address reset sender module, a reset feedback message to a source address contained in the new connection request; and
directing, by a connection granting module of the network switch, the new destination firewall load balancing service connection request to a particular one of the plurality of firewalls of the destination firewall load balancing service, if the counter has not increased at a rate exceeding the predetermined connection rate limit.
7 Assignments
0 Petitions
Accused Products
Abstract
Each service in a computer network may have a connection rate limit. The number of new connections per time period may be limited by using a series of rules. In a specific embodiment of the present invention, a counter is increased each time a server is selected to handle a connection request. For each service, connections coming in are tracked. Therefore, the source of connection-request packets need not be examined. Only the destination service is important. This saves significant time in the examination of the incoming requests. Each service may have its own set of rules to best handle the new traffic for its particular situation.
103 Citations
23 Claims
-
1. A computer implemented method for firewall load balancing connection rate limiting, the method comprising:
-
incrementing, by a counter incrementer module of a network switch, a counter each time a new connection request for a destination firewall load balancing service is received and a firewall is selected from a plurality of firewalls of the firewall load balancing service to handle the new connection request, the request identifying a source of the request, the request further identifying the destination firewall load balancing service, the counter indicating a total number of times the destination firewall load balancing service has been requested by all sources within a predetermined time interval by examining a destination address of the request; dropping, by a connection request dropper module of the network switch, the new connection requests for the firewall load balancing service if the counter increases at a rate exceeding a predetermined connection rate limit for the firewall load balancing service, the dropping further comprising sending, by a source address reset sender module, a reset feedback message to a source address contained in the new connection request; and directing, by a connection granting module of the network switch, the new destination firewall load balancing service connection request to a particular one of the plurality of firewalls of the destination firewall load balancing service, if the counter has not increased at a rate exceeding the predetermined connection rate limit. - View Dependent Claims (2, 3, 4, 16, 20)
-
-
5. An apparatus for firewall load balancing connection rate limiting, the apparatus comprising:
-
a memory; a new firewall load balancing service connection request counter incrementer module coupled to the memory and configured to increment a counter each time a new connection request for a destination firewall load balancing service is received and a firewall is selected from a plurality of firewalls of the firewall load balancing service to handle the new connection request, the request identifying a source of the request, the request further identifying the destination firewall load balancing service, the counter indicating a total number of times the destination firewall load balancing service has been requested by all sources within a predetermined time interval by examining a destination address of the request; a new firewall load balancing service connection request dropper module coupled to the new firewall load balancing service connection request counter incrementer and to the memory and configured to drop the new connection requests for the firewall load balancing service if the counter increases at a rate exceeding a predetermined connection rate limit for the firewall load balancing service, the dropping further comprising sending, by a source address reset sender module, a reset feedback message to a source address contained in the new connection request; and a new firewall load balancing service connection granting module coupled to the new firewall load balancing service connection request counter incrementer and to the memory, wherein the new firewall load balancing service connection granting module is configured to direct the new destination firewall load balancing service connection request to a particular one of the plurality of firewalls of the destination firewall load balancing service, if the counter has not increased at a rate exceeding the predetermined connection rate limit for the service. - View Dependent Claims (6, 7, 17, 21)
-
-
8. An apparatus for firewall load balancing connection rate limiting, the apparatus comprising:
-
means for incrementing, by a counter incrementer module of a network switch, a counter each time a new connection request for a destination firewall load balancing service is received and a firewall is selected from a plurality of firewalls of the firewall load balancing service to handle the new connection request, the request identifying a source of the request, the request further identifying the destination firewall load balancing service, the counter indicating a total number of times the destination firewall load balancing service has been requested by all sources within a predetermined time interval by examining a destination address of the request; means for dropping, by a connection request dropper module of the network switch, the new connection requests for the firewall load balancing service if the counter increases at a rate exceeding a predetermined connection rate limit for the firewall load balancing service, the dropping further comprising sending, by a source address reset sender module, a reset feedback message to a source address contained in the new connection request; and means for directing, by a connection granting module of the network switch, the new destination firewall load balancing service connection request to a particular one of the plurality of firewalls of the destination firewall load balancing service, if the counter as not increased at a rate exceeding the predetermined connection rate limit. - View Dependent Claims (9, 10, 11, 18, 22)
-
-
12. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform a method for firewall load balancing connection rate limiting, the method comprising:
-
incrementing, by a counter incrementer module of a network switch, a counter each time a new connection request for a destination firewall load balancing service is received and a firewall is selected from a plurality of firewalls of the firewall load balancing service to handle the new connection request, the request identifying a source of the request, the request further identifying the destination firewall load balancing service, the counter indicating a total number of times the destination firewall load balancing service has been requested by all sources within a predetermined time interval by examining a destination address of the request; dropping, by a connection request dropper module of the network switch, the new connection requests for the firewall load balancing service if the counter increases at a rate exceeding a predetermined connection rate limit for the firewall load balancing service, the dropping further comprising sending, by a source address reset sender module, a reset feedback message to a source address contained in the new connection request; and directing, by a connection granting module of the network switch, the new destination firewall load balancing service connection request to a particular one of the plurality of firewalls of the destination firewall load balancing service, if the counter has not increased at a rate exceeding the predetermined connection rate limit. - View Dependent Claims (13, 14, 15, 19, 23)
-
Specification