Bandwidth throttling in vulnerability scanning applications

US 9,781,046 B1
Filed: 11/18/2014
Issued: 10/03/2017
Est. Priority Date: 11/19/2013
Status: Active Grant

First Claim

Patent Images

1. A method of routing network packets in a networked device having plural network interfaces by applying combining traffic class and network interface throttling, the method comprising:

marking one or more network packets with a differentiated service code;

throttling the bandwidth of at least one of the network packets based at least in part on a threshold for a designated network interface for the at least one packet, thereby producing first throttled packets;

throttling the bandwidth of at least one of the first throttled packets based at least in part on a threshold for the packet'"'"'s respective differentiated service code, thereby producing second throttled network packets; and

removing the differentiated service code from at least one of the second throttled network packets in a respective functional block queue and emitting network packets on the respective designated network interface for each of the second throttled network packets according to the throttled bandwidth.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus and methods are disclosed for implementing bandwidth throttling to regulate network traffic as can be used in, for example, vulnerability scanning and detection applications in a computer network environment. According to one embodiment, a method of routing network packets in a networked device having plural network interfaces combines applying traffic class and network interface throttling for marking network packets with a differentiated service code based on input received from a profiler application, throttling the bandwidth of network packets based on a threshold for a designated network interface for the packet, throttling the bandwidth of the bandwidth-throttled packets based on a threshold for its respective differentiated service code, and emitting network packets on each respective designated network interface.

Citations

21 Claims

1. A method of routing network packets in a networked device having plural network interfaces by applying combining traffic class and network interface throttling, the method comprising:
- marking one or more network packets with a differentiated service code;
  
  throttling the bandwidth of at least one of the network packets based at least in part on a threshold for a designated network interface for the at least one packet, thereby producing first throttled packets;
  
  throttling the bandwidth of at least one of the first throttled packets based at least in part on a threshold for the packet'"'"'s respective differentiated service code, thereby producing second throttled network packets; and
  
  removing the differentiated service code from at least one of the second throttled network packets in a respective functional block queue and emitting network packets on the respective designated network interface for each of the second throttled network packets according to the throttled bandwidth.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - the marking the network packets is based on input received from a profiler process executing in application space on the networked device; and
      
      the throttling the network packets, the throttling the bandwidth-throttled packets, and the emitting network packets are performed by a kernel executing in privileged space on the networked device.
  - 3. The method of claim 1, further comprising sending network utilization feedback data to a profiler, the profiler being operable to adjust the rate that network packets are sent based on the network utilization feedback.
  - 4. The method of claim 1, wherein the throttling for the first throttled packets or the throttling for the second throttled packets is not performed for a portion of network packets that are sent to a VnE server.
  - 5. The method of claim 1, further comprising applying a firewall mark to some but not all of the network packets, the firewall mark indicating that the interface bandwidth throttling is not to be applied for the firewall-marked packets.
  - 6. The method of claim 5, wherein:
    - the firewall mark is applied using an iptables firewall;
      
      the throttling the network packets and the throttling the bandwidth-throttled packets are performed using a Linux traffic control kernel subsystem; and
      
      the feedback data is sent to a profiler using a Netlink socket.
  - 7. The method of claim 1, further comprising:
    - scanning at least one of networked devices for vulnerabilities; and
      
      marking one or more packets received with the first physical network interface with a differentiated service code, wherein the code is assigned based on the scanning.

8. One or more computer-readable storage media storing computer-readable instructions that when executed by a device connected to a computer network, cause the networked device to perform a method, the instructions comprising:
- instructions to mark at least one of network packets with a firewall mark, wherein the at least one of network packets are exempt from being marked with a differentiated service code;
  
  instructions to mark the at least one of the network packets with a code, producing marked network packets;
  
  instructions to throttle the bandwidth of the marked network packets based at least in part on a threshold for a designated network interface for the packets, thereby producing first throttled packets;
  
  instructions to throttle the bandwidth of the first throttled packets based at least in part on a threshold for the packet'"'"'s respective code, thereby producing second throttled network packets; and
  
  instructions to emit network packets on the respective designated network interface for each of the second throttled network packets according to the throttled bandwidth.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage media of claim 8, wherein:
    - the network packets are marked based on input received from a profiler process executing in application space on the networked device; and
      
      the instructions to;
      
      throttle the network packets, throttle the bandwidth-throttled packets, and emit the network packets are executed by a process executing in privileged space on the networked device.
  - 10. The computer-readable storage media of claim 8, further comprising:
    - instructions to send network utilization feedback data to a profiler process, the profiler process being configured to adjust the rate that network packets are sent based on network utilization feedback.
  - 11. The computer-readable storage media of claim 8, further comprising:
    - instructions to remove the marked code from the second throttled network packets when executing the instructions to emit the network packets.
  - 12. The computer-readable storage media of claim 8, wherein:
    - the instructions are further arranged such that the throttling for the first throttled packets or the throttling for the second throttled packets is not performed for a portion of network packets that are sent to a designated server.
  - 13. The computer-readable storage media of claim 8, further comprising:
    - instructions to apply a firewall mark to some but not all of the network packets, the firewall mark indicating that the interface bandwidth throttling is not to be applied for the firewall-marked packets.
  - 14. The computer-readable storage media of claim 13, wherein:
    - the instructions to apply the firewall mark use an iptables firewall;
      
      the instructions to perform the throttling the network packets and the throttling the bandwidth-throttled packets use a Linux traffic control kernel subsystem; and
      
      the feedback data is sent to a profiler via a Netlink socket.

15. An apparatus, comprising:
- one or more processors;
  
  a first physical network interface and a second physical network interface; and
  
  memory or storage devices storing computer-executable instructions that when executed by the processors, cause the apparatus to perform a method, the method comprising;
  
  scanning at least one of networked devices for vulnerabilities,marking one or more packets received with the first physical network interface with a differentiated service code, wherein the code is assigned based on the scanning,throttling the bandwidth of at least one of the packets based at least in part on a threshold designated for the second physical network interface for the at least one packet, thereby producing first throttled packets,throttling the bandwidth of at least one of the first throttled packets based at least in part on a threshold for the packet'"'"'s respective differentiated service code, thereby producing second throttled network packets, andemitting network packets on the second physical network interface for each of the second throttled network packets according to the throttled bandwidth.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The apparatus of claim 15, wherein:
    - the marking the network packets is based on input received from a profiler process executing in application space on the networked device; and
      
      the throttling the network packets, the throttling the bandwidth-throttled packets, and the emitting network packets are performed with a kernel executing in privileged space on the one or more processors.
  - 17. The apparatus of claim 15, wherein the method further comprises sending network utilization feedback data to a profiler executing on the one or more processors, the profiler being operable to adjust the rate that network packets are sent based on the network utilization feedback.
  - 18. The apparatus of claim 15, wherein the method further comprises removing the differentiated service code from the second throttled network packets when emitting the network packets.
  - 19. The apparatus of claim 15, wherein the throttling for the first throttled packets or the throttling for the second throttled packets is not performed for a portion of network packets that are sent to a management server.
  - 20. The apparatus of claim 15, wherein the method further comprises applying a firewall mark to some but not all of the network packets, the firewall mark indicating that the interface bandwidth throttling is not to be applied for the firewall-marked packets.
  - 21. The apparatus of claim 20, wherein:
    - the firewall mark is applied using an iptables firewall hosted by the one or more processors;
      
      the throttling the network packets and the throttling the bandwidth-throttled packets are performed using a Linux traffic control kernel subsystem hosted by the one or more processors; and
      
      the feedback data is sent to a profiler using a Netlink socket.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
Tripwire Incorporated (Belden Inc.)
Inventors
Pawlukowsky, Chris, Turner, Ian, Appleby, Mike
Primary Examiner(s)
Tran, Jimmy H

Application Number

US14/546,863
Time in Patent Office

1,050 Days
Field of Search
US Class Current
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/20   Traffic policing

H04L 47/22   Traffic shaping

H04L 47/2408   for supporting different se...

H04L 47/2491   Mapping quality of service ...

H04L 47/263   Rate modification at the so...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0245   Filtering by information in...

H04L 63/1433   Vulnerability analysis

H04L 67/61   taking into account QoS or ...

Y02D 30/50   in wire-line communication ...

Bandwidth throttling in vulnerability scanning applications

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Bandwidth throttling in vulnerability scanning applications

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links