Minimize SYN-flood issues with flow cache while maintaining performance
First Claim

1. A method for managing communication over a network with a traffic management device that includes a plurality of components and is operative to perform actions, comprising:
- employing at least one data flow segment (DFS) component to determine if at least one received network packet is associated with a new connection flow, wherein each DFS component corresponds to a high-speed flow cache;
- employing at least one control segment (CS) component to perform actions, including:
  - determining if each connection flow is genuine that is evicted from at least one high-speed flow cache;
  - if an amount of non-genuine connection flows exceeds a threshold, enabling at least one flood control filter; and
  - if a new connection flow is determined to be genuine, generating flow control data that corresponds to the new connection flow; and
- employing the at least one DFS component to store the flow control data for each genuine connection flow in at least one high-speed flow cache; and
- employing the at least one DFS component to forward received network packets for each genuine connection flow based on its corresponding flow control data stored in at least one high-speed flow cache.
Abstract
Embodiments are directed towards minimizing the impact flood attacks may have on packet traffic management performance. A packet traffic management device (“PTMD”) may employ a data flow segment (“DFS”) and a control segment (“CS”). The CS may perform high-level control functions and per-flow policy enforcement for connection flows maintained at the DFS, while the DFS may perform statistics gathering, per-packet policy enforcement (e.g., packet address translations), or the like, on connection flows maintained at the DFS. The DFS may include high-speed flow caches and other high-speed components that may be comprised of high-performance computer memory. The impact of flood attacks may be reduced by protecting the high-speed flow caches from being consumed by flow control data associated with malicious and/or inoperative non-genuine network connections. In at least one of the various embodiments, flood control filters may be adaptively activated based on the condition and quality of the network traffic received at the PTMD.
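The abstract describes a split between a fast path (DFS) that only consults a fixed-size flow cache and a control path (CS) that judges evicted flows and switches a flood control filter on once too many evicted flows turn out to be non-genuine. The simulation below is an added illustration of that feedback loop and is not code from the patent or its assignee. Everything in it that the page does not specify is an assumption: the cache is LRU; a flow evicted before its handshake-completing ACK was seen counts as non-genuine; the "flood control filter", once enabled, keeps a new flow out of the cache until the client's second packet arrives; the IP addresses, ports and packet sequences are constructed test traffic; and what happens to a packet the cache does not admit (the `"held"` result) is outside the model.

```python
from collections import OrderedDict, deque
from dataclasses import dataclass


@dataclass
class FlowEntry:
    """Flow control data the DFS keeps per connection in its high-speed cache."""
    key: tuple                 # constructed 4-tuple: (src_ip, src_port, dst_ip, dst_port)
    packets: int = 0
    established: bool = False  # set once the client's handshake-completing ACK is seen


class ControlSegment:
    """CS: judges evicted flows and enables the flood control filter when too many
    recently evicted flows are non-genuine. Assumed behaviour, not the patent's text:
    a flow evicted before its handshake completed is non-genuine, and the enabled
    filter withholds a cache entry for a new flow until the client's second packet."""

    def __init__(self, threshold, window):
        self.threshold = threshold            # None disables the adaptive filter
        self.recent = deque(maxlen=window)    # 1 = non-genuine eviction, 0 = genuine
        self.filter_enabled = False
        self.pending = set()                  # half-open flows held back by the filter

    def on_evicted(self, entry):
        self.recent.append(0 if entry.established else 1)
        if self.threshold is not None and sum(self.recent) > self.threshold:
            self.filter_enabled = True

    def admit_new_flow(self, key, flags):
        """Return flow control data to cache, or None to keep the flow out of the cache."""
        if not self.filter_enabled:
            return FlowEntry(key)
        if "SYN" in flags:
            self.pending.add(key)             # cheap bookkeeping instead of a cache slot
            return None
        if key in self.pending:               # second packet from the client: genuine
            self.pending.discard(key)
            return FlowEntry(key, established=True)
        return None


class DataFlowSegment:
    """DFS: fixed-capacity LRU flow cache; forwards cached flows without asking the CS."""

    def __init__(self, capacity, cs):
        self.capacity = capacity
        self.cs = cs
        self.cache = OrderedDict()
        self.evictions = 0

    def handle_packet(self, key, flags):
        entry = self.cache.get(key)
        if entry is None:                     # new flow: ask the CS for flow control data
            entry = self.cs.admit_new_flow(key, flags)
            if entry is None:
                return "held"                 # handled outside the cache (not simulated)
            if len(self.cache) >= self.capacity:
                _, victim = self.cache.popitem(last=False)
                self.evictions += 1
                self.cs.on_evicted(victim)    # CS decides whether the victim was genuine
            self.cache[key] = entry
        else:
            self.cache.move_to_end(key)       # per-packet work stays in the DFS
        entry.packets += 1
        if "ACK" in flags:
            entry.established = True
        return "forwarded"


def simulate(adaptive=True, capacity=8, window=8, threshold=4):
    """Constructed traffic: a half-open flood, five genuine handshakes, more flood."""
    cs = ControlSegment(threshold if adaptive else None, window)
    dfs = DataFlowSegment(capacity, cs)
    server = ("10.0.0.1", 443)

    def flood(count, start):          # distinct spoofed sources, one SYN each, never an ACK
        return [(f"203.0.113.{(start + i) % 250}", 1024 + start + i) + server
                for i in range(count)]

    for key in flood(40, 0):
        dfs.handle_packet(key, {"SYN"})
    genuine = [("198.51.100.7", 40000 + p) + server for p in range(5)]
    for key in genuine:
        dfs.handle_packet(key, {"SYN"})
        dfs.handle_packet(key, {"ACK"})
    for key in flood(20, 40):
        dfs.handle_packet(key, {"SYN"})
    return {
        "filter_enabled": cs.filter_enabled,
        "evictions": dfs.evictions,
        "genuine_still_cached": sum(key in dfs.cache for key in genuine),
        "half_open_in_cache": sum(not e.established for e in dfs.cache.values()),
        "held_half_open": len(cs.pending),
    }


if __name__ == "__main__":
    print("adaptive filter:", simulate(adaptive=True))
    print("no filter:      ", simulate(adaptive=False))
```

With the adaptive filter the CS enables it after the fifth non-genuine eviction, the later flood packets never take a cache slot, and all five genuine flows are still cached when the second burst ends; without it the second burst churns every genuine flow out of the cache and the cache holds nothing but half-open entries. Varying `window` and `threshold` shows the trade-off the abstract alludes to: a low threshold reacts faster but also trips on a short burst of legitimately abandoned connections.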
Claims (24)

1. Independent claim; its full text is given under First Claim above. Dependent claims: 2-8.

9. A traffic management device (TMD) that is operative to manage communication over a network, comprising:
- a transceiver that is operative to communicate over a network;
- a memory that is operative to store at least instructions for a plurality of components; and
- a processor device that is operative to execute instructions that enable actions, including:
  - employing at least one data flow segment (DFS) component to determine if at least one received network packet is associated with a new connection flow, wherein each DFS component corresponds to a high-speed flow cache;
  - employing at least one control segment (CS) component to perform actions, including:
    - determining if each connection flow is genuine that is evicted from at least one high-speed flow cache;
    - if an amount of non-genuine connection flows exceeds a threshold, enabling at least one flood control filter; and
    - if a new connection flow is determined to be genuine, generating flow control data that corresponds to the new connection flow; and
  - employing the at least one DFS component to store the flow control data for each genuine connection flow in at least one high-speed flow cache; and
  - employing the at least one DFS component to forward received network packets for each genuine connection flow based on its corresponding flow control data stored in at least one high-speed flow cache.
Dependent claims: 10-16.

17. A processor readable non-transitive storage media that includes instructions for a method for managing communication over a network with a traffic management device that includes a plurality of components and is operative to execute the instructions to perform actions, comprising:
- employing at least one data flow segment (DFS) component to determine if at least one received network packet is associated with a new connection flow, wherein each DFS component corresponds to a high-speed flow cache;
- employing at least one control segment (CS) component to perform actions, including:
  - determining if each connection flow is genuine that is evicted from at least one high-speed flow cache;
  - if an amount of non-genuine connection flows exceeds a threshold, enabling at least one flood control filter; and
  - if a new connection flow is determined to be genuine, generating flow control data that corresponds to the new connection flow; and
- employing the at least one DFS component to store the flow control data for each genuine connection flow in at least one high-speed flow cache; and
- employing the at least one DFS component to forward received network packets for each genuine connection flow based on its corresponding flow control data stored in at least one high-speed flow cache.
Dependent claims: 18-24.
Specification