Patent application number | Description | Published |
20090234972 | Systems and Methods for Content Injection - The present solution is directed towards a policy-based intermediary that dynamically and flexibly injects content in responses between a client and a server based on one or more policies. The present solution addresses the challenges of injecting content in a client-server transaction. The intermediary determines when and what content to inject into a response of a client-server transaction based on a request and/or response policy. The injected content may include timestamp and/or variable tracking of different events in a client-server transaction. For example, when an intermediary appliance is deployed in a system to accelerate system performance and improve user experience, the appliance may inject content based on policy to monitor the acceleration performance of the deployed appliance. | 09-17-2009 |
20100235374 | Method and Systems for Efficient Delivery of Previously Stored Content - Systems and methods for reducing file sizes for files delivered over a network are disclosed. A method comprises receiving a first file comprising sequences of data; creating a hash table having entries corresponding to overlapping sequences of data; receiving a second file comprising sequences of data; comparing each of the sequences of data in the second file to the sequences of data in the hash table to determine sequences of data present in both the first and second files; and creating a third file comprising sequences of data from the second file and representations of locations and lengths of said sequences of data present in both the first and second files. | 09-16-2010 |
20100281217 | SYSTEM AND METHOD FOR PERFORMING ENTITY TAG AND CACHE CONTROL OF A DYNAMICALLY GENERATED OBJECT NOT IDENTIFIED AS CACHEABLE IN A NETWORK - The present invention is directed towards a method and system for modifying by a cache responses from a server that do not identify a dynamically generated object as cacheable to identify the dynamically generated object to a client as cacheable in the response. In some embodiments, such as an embodiment handling HTTP requests and responses for objects, the techniques of the present invention insert an entity tag, or “etag” into the response to provide cache control for objects provided without entity tags and/or cache control information from an originating server. This technique of the present invention provides an increase in cache hit rates by inserting information, such as entity tag and cache control information for an object, in a response to a client to enable the cache to check for a hit in a subsequent request. | 11-04-2010 |
20100325263 | SYSTEMS AND METHODS FOR STATISTICS EXCHANGE BETWEEN CORES FOR LOAD BALANCING - Systems and methods for consolidating metrics and statistics used for load balancing by a plurality of cores of a multi-core intermediary are disclosed. A timer operating on each packet engine of each core in a multi-core system may expire. A consolidator may store, responsive to expiration of the timer, a set of counter values from each of the packet engines to a first storage location. The consolidator may send to each packet engine a message to update the set of counter values. The consolidator may, upon completion of updating the set of counter values by the packet engines, send a second message to the packet engines that includes a consolidated set of counter values determined based on the updated set of values from each packet engine. Each packet engine may establish settings and parameters for load balancing based on the consolidated set of counter values. | 12-23-2010 |
20110145330 | SYSTEM AND METHOD FOR PERFORMING FLASH CROWD CACHING OF DYNAMICALLY GENERATED OBJECTS IN A DATA COMMUNICATION NETWORK - The present invention is directed towards a “flash crowd” technique for handling situations where the cache receives additional requests, e.g., nearly simultaneous requests, for the same object during the time the server is processing and returning the response object for a first requestor. Once all such nearly simultaneous requests are responded to by the cache, the object is flushed from the cache, with no additional expiry time or invalidation action needed. This technique of the present invention enables data to be cached and served for very small amounts of time for objects that would otherwise be considered non-cacheable. As such, this technique yields a significant improvement in applications that serve fast changing data to a large volume of concurrent users, such, for example, as real time stock quotes, or a fast evolving news story. | 06-16-2011 |
20120290646 | SYSTEM AND METHOD FOR PERFORMING FLASH CACHING OF DYNAMICALLY GENERATED OBJECTS IN A DATA COMMUNICATION NETWORK - The present invention is directed towards a method and system for providing a technique referred to as flash caching to respond to requests for an object, such as a dynamically generated object, from multiple clients. This technique of the present invention uses a dynamically generated object stored in a buffer for transmission to a client, for example in response to a request from the client, to also respond to additional requests for the dynamically generated object from other clients while the object is stored in the buffer. Using this technique, the present invention is able to increase cache hit rates for extremely fast changing dynamically generated objects that may not otherwise be cacheable. | 11-15-2012 |
20130132472 | METHOD AND DEVICE FOR PERFORMING CACHING OF DYNAMICALLY GENERATED OBJECTS IN A DATA COMMUNICATION NETWORK - A method for maintaining a cache of dynamically generated objects. The method includes storing in the cache dynamically generated objects previously served from an originating server to a client. A communication between the client and server is intercepted by the cache. The cache parses the communication to identify an object determinant and to determine whether the object determinant indicates whether a change has occurred or will occur in an object at the originating server. The cache marks the object stored in the cache as invalid if the object determinant so indicates. If the object has been marked as invalid, the cache retrieves the object from the originating server. | 05-23-2013 |
20140365563 | SYSTEMS AND METHODS FOR CONTENT INJECTION - The present solution is directed towards a policy-based intermediary that dynamically and flexibly injects content in responses between a client and a server based on one or more policies. The present solution addresses the challenges of injecting content in a client-server transaction. The intermediary determines when and what content to inject into a response of a client-server transaction based on a request and/or response policy. The injected content may include timestamp and/or variable tracking of different events in a client-server transaction. For example, when an intermediary appliance is deployed in a system to accelerate system performance and improve user experience, the appliance may inject content based on policy to monitor the acceleration performance of the deployed appliance. | 12-11-2014 |
20150026567 | SYSTEMS AND METHODS FOR ENHANCED DELTA COMPRESSION - Systems and methods for reducing file sizes for files delivered over a network are disclosed. A method comprises receiving a first file comprising sequences of data; creating a hash table having entries corresponding to overlapping sequences of data; receiving a second file comprising sequences of data; comparing each of the sequences of data in the second file to the sequences of data in the hash table to determine sequences of data present in both the first and second files; and creating a third file comprising sequences of data from the second file and representations of locations and lengths of said sequences of data present in both the first and second files. | 01-22-2015 |
Patent application number | Description | Published |
20100325371 | SYSTEMS AND METHODS FOR WEB LOGGING OF TRACE DATA IN A MULTI-CORE SYSTEM - A method and system for generating a web log that includes transaction entries from transaction queues of one or more cores of a multi-core system. A transaction queue is maintained for each core so that either a packet engine or web logging client executing on the core can write transaction entries to the transaction queue. In some embodiments, a timestamp value obtained from a synchronized timestamp variable can be assigned to the transaction entries. When a new transaction entry is added to the transaction queue, the earliest transaction entry is removed from the transaction queue and added to a heap. Periodically the earliest entry in the heap is removed from the heap and written to a web log. When an entry is removed from the heap, the earliest entry in a transaction queue corresponding to the removed entry is removed from the transaction queue and added to the heap. | 12-23-2010 |
20120226804 | SYSTEMS AND METHODS FOR SCALABLE N-CORE STATS AGGREGATION - The present invention is directed towards systems and methods for aggregating and providing statistics from cores of a multi-core system intermediary between one or more clients and servers. The system may maintain in shared memory a global device number for each core of the multi-core system. The system may provide a thread for each core of the multi-core system to gather data from the corresponding core. A first thread may generate aggregated statistics from a corresponding core by parsing the gathered data from the corresponding core. The first thread may transfer the generated statistics to a statistics log according to a schedule. The system may adaptively reschedule the transfer by monitoring the operation of each computing thread. Responsive to a request from a client, an agent of the client may obtain statistics from the statistics log. | 09-06-2012 |
20120250512 | Systems and Methods for Handling NIC Congestion via NIC Aware Application - The present solution is directed to a system for handling network interface card (NIC) congestion by a NIC aware application. The system may include a device having a plurality of network interface cards (NICs), a transmission queue corresponding to a NIC of the plurality of NICs; and an overflow queue for storing packets for the NIC when congested. The system may also include an application executing on the device outputting a plurality of packets to the transmission queue responsive to detecting that the NIC is identified as not congested. The device identifies the NIC as congested responsive to determining that a number of packets stored in the transmission queue has reached a predetermined threshold and responsive to detecting identification of the NIC as congested, the application stores one or more packets to the overflow queue. The device transmits one or more of the plurality of packets stored in the transmission queue and transmits a predetermined number of packets from the overflow queue. | 10-04-2012 |
20120250530 | Systems and Methods for Learning MSS of Services - The virtual Server (vServer) of an intermediary device deployed between a plurality of clients and services supports parameters for setting maximum segment size (MSS) on a per vServer/service basis and for automatically learning the MSS among the back-end services. In case of vServer/service setting, all vServers will use the MSS value set through the parameter for the MSS value set in TCP SYN+ACK to clients. In the case of learning mode, the backend service MSS will be learnt through monitor probing. The vServer will monitor and learn the MSS that is being frequently used by the services. When the learning is active, the intermediary device may keep statistics of the MSS of backend services picked up during load balancing decisions and once an interval timer expires, the MSS value may be picked by a majority and set on the vServer. If there is no majority, then the highest MSS is picked up to be set on the vServer. | 10-04-2012 |
20130007239 | SYSTEMS AND METHODS FOR TRANSPARENT LAYER 2 REDIRECTION TO ANY SERVICE - The present solution is directed to providing, transparently and seamlessly to any client or server, layer 2 redirection of client requests to any services of a device deployed in parallel to an intermediary device An intermediary device deployed between the client and the server may intercept a client request and check if the request is to be processed by a service provided by one of the devices deployed in parallel with the intermediary device. The service may be any type and form of service or feature for processing, checking or modifying the request, including a firewall, a cache server, a encryption/decryption engine, a security device, an authentication device, an authorization device or any other type and form of service or device described herein. The intermediary device may select the machine to process the request and use layer 2 redirection to the machine. The intermediary device may change a Media Access Control (MAC) address of a destination of the request to a MAC address of the selected machine. Once the selected machine processes the request, the intermediary device may receive from this machine a response to processing the request. The intermediary device may then continue processing the request of the client responsive to the response from the machine or in response to identifying that the response to the request is from that particular selected machine. The forwarding to and processing by the parallel deployed machine may be performed seamlessly and transparently to the server and/or client. | 01-03-2013 |
20130041934 | Systems and Methods for Tracking Application Layer Flow Via a Multi-Connection Intermediary Device - The present disclosure is directed towards tracking application layer flow via a multi-connection intermediary. Transaction level or application layer information may be tracked via the intermediary, including one or more of: (i) the request method; (ii) response codes; (iii) URLs; (iv) HTTP cookies; (v) RTT of both ends of the transaction in a quad flow arrangement; (vi) server time to provide first byte of a communication; (vii) server time to provide the last byte of a communication; (viii) flow flags; or any other type and form of transaction level data may be captured, exported, and analyzed. The application layer flow or transaction level information may be provided in an IPFIX-compliant data record. This may be done to provide template-based data record definition, as well as providing data on an application or transaction level of granularity. | 02-14-2013 |
20130297814 | SYSTEMS AND METHODS FOR A SPDY TO HTTP GATEWAY - The present disclosure is directed towards a system and method for providing a SPDY to HTTP gateway via a device intermediary to a plurality of clients and a server. An NPN handshake by the intermediary device may establish SPDY support. The intermediary device may receive and process one or more control frames via SPDY session with the client. The intermediary device may generate and transmit HTTP communication to server corresponding to SPDY control frames. The intermediary device may receive and process one or more HTTP responses from server. The intermediary device may generate and transmit SPDY communication via SPDY session to client corresponding to HTTP response. | 11-07-2013 |
20130339503 | SYSTEMS AND METHODS FOR SUPPORTING A SNMP REQUEST OVER A CLUSTER - The present disclosure is directed towards systems and methods for supporting Simple Network Management Protocol (SNMP) request operations over clustered networking devices. The system includes a cluster that includes a plurality of intermediary devices and an SNMP agent executing on a first intermediary device of the plurality of intermediary devices. The SNMP agent receives an SNMP GETNEXT request for an entity. Responsive to receipt of the SNMP GETNEXT request, the SNMP agent requests a next entity from each intermediary device of the plurality of intermediary devices of the cluster. To respond to the SNMP request, the SNMP agent selects a lexicographically minimum entity. The SNMP agent may select the lexicographically minimum entity from a plurality of next entities received via responses from each intermediary device of the plurality of intermediary devices. | 12-19-2013 |
20140149605 | SYSTEMS AND METHODS FOR DICTIONARY BASED COMPRESSION - This disclosure is directed to dictionary-based compression, which may be employed to achieve stateful header compression without maintaining a complete deflate state. The compressor may maintain a history of data streams compressed by the compressor, compressed according to a compression dictionary. Responsive to the compression of the one or more data streams, the compressor may delete the first compression dictionary from the memory. Subsequent to the deletion, the compressor may compress an additional data stream using the maintained history. The compressor may generate a second compression dictionary from at least one of: the maintained history and a portion of the additional data stream. The compressor may allocate memory for a compression state of the additional data stream and may load the maintained history into the compression state. | 05-29-2014 |
20140247737 | SYSTEMS AND METHODS FOR LEARNING MSS OF SERVICES - The virtual Server (vServer) of an intermediary device deployed between a plurality of clients and services supports parameters for setting maximum segment size (MSS) on a per vServer/service basis and for automatically learning the MSS among the back-end services. In case of vServer/service setting, all vServers will use the MSS value set through the parameter for the MSS value set in TCP SYN+ACK to clients. In the case of learning mode, the backend service MSS will be learnt through monitor probing. The vServer will monitor and learn the MSS that is being frequently used by the services. When the learning is active, the intermediary device may keep statistics of the MSS of backend services picked up during load balancing decisions and once an interval timer expires, the MSS value may be picked by a majority and set on the vServer. If there is no majority, then the highest MSS is picked up to be set on the vServer. | 09-04-2014 |
20140301213 | SYSTEMS AND METHODS FOR CAPTURING AND CONSOLIDATING PACKET TRACING IN A CLUSTER SYSTEM - The present solution relates to systems and methods for capturing and consolidating packet tracing in a cluster system. A multi-nodal cluster processing network traffic contains multiple nodes each handling some of the processing. A node may initially receive a flow and transfer processing of the flow to another node for processing. A flow may therefore pass from one node to another, from two nodes to many nodes. In some instances, it is helpful to generate a trace of a flow. For example, in debugging a network communication flow, a trace of the flow through the cluster can be helpful. Each node has a packet engine (“PE”) which processes data packets and can, when trace is enabled, generate a trace file for the packets processed at the respective node. A trace aggregator merges these distinct trace files into an aggregate trace for the cluster | 10-09-2014 |
20140301388 | SYSTEMS AND METHODS TO CACHE PACKET STEERING DECISIONS FOR A CLUSTER OF LOAD BALANCERS - The present disclosure is directed towards methods and systems for caching packet steering sessions for steering data packets between intermediary devices of a cluster of intermediary devices intermediary to a client and a plurality of servers. A first intermediary device receives a first data packet and determines, from a hash of a tuple of the first packet, a second intermediary device to which to steer the first packet. The first device stores, to a session for storing packet steering information, the identity of the second device and the tuple. The first device receives a second packet having a corresponding tuple that matches the tuple of the first packet and determines, based on a lookup for the session using the tuple of the second packet, that the second device is the intermediary device to which to steer the second packet. The first device steers the second packet to the second device. | 10-09-2014 |
20140303934 | SYSTEMS AND METHODS FOR EXPORTING CLIENT AND SERVER TIMING INFORMATION FOR WEBPAGE AND EMBEDDED OBJECT ACCESS - The present disclosure is directed towards systems and methods for application performance measurement. A device may receive a first document for transmission to a client, comprising instructions for the client to transmit a request for an embedded object. A flow monitor executed the device may generate a unique identification associated with the first document, the unique identification identifying a first access of the first document, and transmit the first document and unique identification to the client. The device may receive, from the client, a request for the embedded object comprising the unique identification, and transmit, to a server, the request for the embedded object at a transmit time. The device may receive, from the server, the embedded object at a receipt time, and may transmit a performance record comprising an identification of the object, the server, the transmit time, the receipt time, and the unique identification to a data collector. | 10-09-2014 |
20140304320 | SYSTEMS AND METHODS FOR DYNAMIC RECEIVE BUFFERING - The present disclosure relates to methods and systems for dynamically changing an advertised window for a transport layer connection. A device can receive data from a server destined for an application. The device identifies the size of the application buffer corresponding to the application and advertises the application buffer size as a window size to the server. The device stores the data in the device memory. The device then determines the memory usage by comparing the memory usage to one or more predetermined thresholds. If the device determines that the memory usage is below a first predetermined threshold, the device can implement an aggressive dynamic receive buffering policy in which the device increases the advertised window size by a first increment. If the device determines that the memory usage is above the first threshold and below a second threshold, the device executes a more conservative dynamic receive buffering policy. | 10-09-2014 |
20140304325 | SYSTEMS AND METHODS FOR ETAG PERSISTENCY - The systems and methods of the present solution are directed to providing Entity Tag persistency by a device intermediary to a client and a plurality of servers. An intermediary device between a client and one or more back-end servers can receive an entity requested by the client from an origin server that provides the requested content. The intermediary device can encode the back-end server information onto an ETag of the entity, cache the entity with the encoded ETag and serve the entity with the encoded ETag to the client. In this way, when the client attempts to validate the entity by sending a request including the encoded ETag to the intermediary device, the intermediary device decodes the encoded ETag to extract the identity of the backend server and sends the request to validate the entity to the identified server that originally sent the entity that included the requested content. | 10-09-2014 |
20140304393 | SYSTEMS AND METHODS FOR EXPORTING APPLICATION DETAILS USING APPFLOW - The present disclosure is directed towards systems and methods for lightweight identification of flow information by application. A flow monitor executed by a processor of a device may maintain a counter. The flow monitor may associate an application with the value of the counter and transmit, to a data collector executed by a second device, the counter value and a name of the application. The flow monitor may monitor a data flow associated with the application to generate a data record. The flow monitor may transmit the data record to the data collector, the data record including an identification of the application consisting of the counter value and not including the name of the application. The data collector may then re-associate the data record with the application name based on the previously received counter value. | 10-09-2014 |
20140304401 | SYSTEMS AND METHODS TO COLLECT LOGS FROM MULTIPLE NODES IN A CLUSTER OF LOAD BALANCERS - The systems and methods of the present solution are directed to collecting log information from multiple nodes in a multi-nodal cluster. Generally, a logging process runs to collect log information from multiple nodes in a multi-nodal cluster, e.g., a cluster of appliances. The logging process collects the log information and merges the collected log information to create a coherent unified log. The logging process may run on a node designated for the purpose. The designated node may be internal or external to the cluster. The logging process determines a topology for the cluster, establishes a communication channel with each active intermediary device identified in the topology, collects log entries from each active intermediary device, each log entry comprising information on network traffic traversing the respective intermediary device, and merges the collected log entries into a unified cluster log comprising information on network traffic traversing the cluster. | 10-09-2014 |
20140304425 | SYSTEMS AND METHODS FOR TCP WESTWOOD HYBRID APPROACH - Methods and systems for providing congestion control to a transport control protocol implementation are described. A device detects that there is a congestion event on a transport control protocol (TCP) connection of the device. The device determines that a bandwidth estimate is lower than half a current value of a slow start threshold for the TCP connection. In response to the determination, the device changes the slow start threshold to half of the current value of the slow start threshold for the TCP connection. The bandwidth estimate can be the product of the eligible rate estimate and the minimum round trip time. In some implementations, the transport control protocol implementation is a TCP Westwood implementation. | 10-09-2014 |
20140304798 | SYSTEMS AND METHODS FOR HTTP-BODY DOS ATTACK PREVENTION WITH ADAPTIVE TIMEOUT - The present disclosure is directed generally to systems and methods for changing an application layer transaction timeout to prevent Denial of Service attacks. A device intermediary to a client and a server may receive, via a transport layer connection between the device and the client, a packet of an application layer transaction. The device may increment an attack counter for the transport layer connection by a first predetermined amount responsive to a size of the packet being less than a predetermined fraction of a maximum segment size for the transport layer connection. The device may increment the attack counter by a second predetermined amount responsive to an inter-packet-delay between the packet and a previous packet being more than a predetermined multiplier of a round trip time. The device may change a timeout for the application layer transaction responsive to comparing the attack counter to a predetermined threshold. | 10-09-2014 |
20140304810 | SYSTEMS AND METHODS FOR PROTECTING CLUSTER SYSTEMS FROM TCP SYN ATTACK - The present solution is directed to systems and methods for synchronizing a random seed value among a plurality of multi-core nodes in a cluster of nodes for generating a cookie signature. The cookie signature may be used for protection from SYN flood attacks. A cluster of nodes comprises one master node and one or more other nodes. Each node comprises one master core and one or more other cores. A random number is generated at the master core of the master node. The random number is synchronized across every other core. The random number is used to generated a secret key value that is attached in the encoded initial sequence number of a SYN-ACK packet. If the responding ACK packet does not contain the secret key value, then the ACK packet is dropped. | 10-09-2014 |
Patent application number | Description | Published |
20080222363 | SYSTEMS AND METHODS OF MAINTAINING FRESHNESS OF A CACHED OBJECT BASED ON DEMAND AND EXPIRATION TIME - A device that implements a method for performing integrated caching in a data communication network. The device is configured to receive a packet from a client over the data communication network, wherein the packet includes a request for an object. At the operating system/kernel level of the device, one or more of decryption processing of the packet, authentication and/or authorization of the client, and decompression of the request occurs prior to and integrated with caching operations. The caching operations include determining if the object resides within a cache, serving the request from the cache in response to a determination that the object is stored within the cache, and sending the request to a server in response to a determination that the object is not stored within the cache. | 09-11-2008 |
20110125892 | SYSTEMS AND METHODS FOR TRACE FILTERS BY ASSOCIATION OF CLIENT TO VSERVER TO SERVICES - The present disclosure is directed towards systems and methods for tracing packets via an intermediary device. The systems and methods include an intermediary device that establishes connections with clients and connections with servers. The intermediary device links a connection to a server with a connection to a client to provide a client with access to the server. When the client requests a packet trace, the intermediary device applies the trace to linked connections with the client to obtain full trace information for network packets servicing the client. | 05-26-2011 |
20110131654 | SYSTEMS AND METHODS FOR AGGRESSIVE WINDOW PROBING - The present application is directed towards systems and methods for aggressively probing a client side connection to determine and counteract a malicious window size attack or similar behavior from a malfunctioning client. The solution described herein detects when a connection may be under malicious attach via improper or unusual window size settings. Responsive to the detection, the solution described herein will setup probes that determine whether or not the client is malicious and does so within an aggressive time period to avoid the tying up of processing cycles, transport layer sockets and buffers, and other resources of the sender. | 06-02-2011 |
20110153720 | SYSTEMS AND METHODS FOR SAMPLING MANAGEMENT ACROSS MULTIPLE CORES FOR HTML INJECTION - A method for sampling management includes establishing, for a multi-core intermediary comprising a plurality of packet evaluation components executing on a corresponding plurality of cores, a frequency at which the multi-core intermediary intercepts a response transmitted from a server to a client and injects data into the intercepted response. For each of the plurality of packet evaluation components, an offset and a frequency based on a number of packet evaluation components in the plurality of packet evaluation components is established, a combination of the established frequencies substantially similar to the frequency established for the multi-core intermediary. One of the plurality of cores intercepts a response from the server to the client, at a time specified by the frequency and the offset. The packet evaluation component executing on the one of the plurality of cores injects data into the intercepted response. | 06-23-2011 |
20110153822 | SYSTEMS AND METHODS FOR MANAGING PREFERRED CLIENT CONNECTIVITY TO SERVERS VIA MULTI-CORE SYSTEM - The present application is directed towards systems and methods for providing a cookie by an intermediary device comprising a plurality of packet processing engines executing on a corresponding plurality of cores, the cookie identifying a session of a user that was redirected responsive to a service exceeding a response time limit. The cookie may be generated with identifiers based off a name of a virtual server managing a service of a server, and a name of a policy associated with the virtual server. Each packet processing engine of the plurality of packet processing engines may interpret cookies generated by other packet processing engines due to the name of the virtual server and name of the policy, and may provide preferred client connectivity based on cookies included in requests for access to a service. | 06-23-2011 |
20110153839 | SYSTEMS AND METHODS FOR SERVER SURGE PROTECTION IN A MULTI-CORE SYSTEM - The present application is directed towards systems and methods for providing connection surge protection to one or more servers by an intermediary multi-core system. A packet processing engine of a multi-core device deployed as an intermediary between a plurality of clients and one or more servers determines an estimated number of total pending requests received by all packet processing engines based on a value of a local counter of received requests, the total number of pending requests received by all other packet processing engines at a last predetermined interval, and a rate of change of the total number of pending requests received by all other packet processing engines multiplied by the time since the last predetermined interval. The packet processing engine applies a surge protection policy to received pending requests responsive to the determined estimated number of total pending requests. | 06-23-2011 |
20110153937 | SYSTEMS AND METHODS FOR MAINTAINING TRANSPARENT END TO END CACHE REDIRECTION - The present disclosure presents systems and methods for maintaining original source and destination IP addresses of a request while performing intermediary cache redirection. An intermediary receives a request from a client destined to a server identifying a client IP address as a source IP address and a server IP address as a destination IP address. The intermediary transmits the request to a cache server, the request maintaining original IP addresses and identifying a MAC address of the cache server as the destination MAC address. The intermediary receives the request from the cache server responsive to a cache miss, the received request maintaining the original source and destination IP addresses. The intermediary identifying that the third request is coming from the cache server via one or more data link layer properties of the third transport layer connection. The intermediary transmits to the server the request identifying the client IP address as the source IP address and the server IP address as the destination IP address. | 06-23-2011 |
20110154488 | SYSTEMS AND METHODS FOR GENERATING AND MANAGING COOKIE SIGNATURES FOR PREVENTION OF HTTP DENIAL OF SERVICE IN MULTI-CORE SYSTEM - The present application is directed towards systems and methods for generating and maintaining cookie consistency for security protection across a plurality of cores in a multi-core system. A packet processing engine executing on one core designated as a primary packet processing engine generates and maintains a global random seed. The global random seed may be used as an initial seed for creation of cookie signatures by each of a plurality of packet processing engines executing on a plurality of cores of the multi-core system using a deterministic pseudo-random number generation function such that each core creates an identical set of cookie signatures. | 06-23-2011 |
20110185073 | SYSTEMS AND METHODS FOR CLIENT IP ADDRESS INSERTION VIA TCP OPTIONS - The present disclosure presents systems and methods for maintaining identification of network devices sending or traversing a network packet en route to an intermediary device deployed between a source and a destination network device. An intermediary may receive an acknowledgement packet comprising an option field identified by an option number for a transport layer connection established via intermediary. The acknowledgement packet may comprise overlay network data that identifies IP addresses of the originating network device and host network devices intercepting and forwarding the network packet to the intermediary. The intermediary device may determine the option number for the option field from which to obtain the overlay network data identifying IP addresses. The intermediary device may receive a second request of the client to access the server via the transport layer connection and insert IP addresses from the overlay network data into an application layer protocol header of the second request forwarded to the server. | 07-28-2011 |
20110320617 | SYSTEMS AND METHODS FOR DETECTING INCOMPLETE REQUESTS, TCP TIMEOUTS AND APPLICATION TIMEOUTS - Described herein is a method and system for preventing Denial of Service (DoS) attacks. An intermediary device is deployed between clients and servers. The device receives a first packet of an application layer transaction via a transport layer connection between the device and client. The device records a last activity time for the transport layer connection based upon the timestamp of the first packet. The device receives subsequent data packets and determines whether the data in the packets completes a protocol data structure of the application layer protocol. If the device determines that the subsequent packet completes the protocol data structure, the last activity time is updated. If the device determines that the application layer protocol remains incomplete, the device retains the last activity time and determines that the duration of inactivity for the transport layer connection exceeds a predetermined threshold. The device may subsequently drop the connection. | 12-29-2011 |
20130151650 | SYSTEMS AND METHODS FOR GENERATING AND MANAGING COOKIE SIGNATURES FOR PREVENTION OF HTTP DENIAL OF SERVICE IN A MULTI-CORE SYSTEM - The present application is directed towards systems and methods for generating and maintaining cookie consistency for security protection across a plurality of cores in a multi-core system. A packet processing engine executing on one core designated as a primary packet processing engine generates and maintains a global random seed. The global random seed may be used as an initial seed for creation of cookie signatures by each of a plurality of packet processing engines executing on a plurality of cores of the multi-core system using a deterministic pseudo-random number generation function such that each core creates an identical set of cookie signatures. | 06-13-2013 |
20130159540 | SYSTEMS AND METHODS FOR AGGRESSIVE WINDOW PROBING - The present application is directed towards systems and methods for aggressively probing a client side connection to determine and counteract a malicious window size attack or similar behavior from a malfunctioning client. The solution described herein detects when a connection may be under malicious attach via improper or unusual window size settings. Responsive to the detection, the solution described herein will setup probes that determine whether or not the client is malicious and does so within an aggressive time period to avoid the tying up of processing cycles, transport layer sockets and buffers, and other resources of the sender. | 06-20-2013 |
20130173801 | SYSTEMS AND METHODS FOR MANAGING PREFERRED CLIENT CONNECTIVITY TO SERVERS VIA MULTI-CORE SYSTEM - The present application is directed towards systems and methods for providing a cookie by an intermediary device comprising a plurality of packet processing engines executing on a corresponding plurality of cores, the cookie identifying a session of a user that was redirected responsive to a service exceeding a response time limit. The cookie may be generated with identifiers based off a name of a virtual server managing a service of a server, and a name of a policy associated with the virtual server. Each packet processing engine of the plurality of packet processing engines may interpret cookies generated by other packet processing engines due to the name of the virtual server and name of the policy, and may provide preferred client connectivity based on cookies included in requests for access to a service. | 07-04-2013 |
20130275617 | SYSTEMS AND METHODS FOR SERVER SURGE PROTECTION IN A MULTI-CORE SYSTEM - The present application is directed towards systems and methods for providing connection surge protection to one or more servers by an intermediary multi-core system. A packet processing engine of a multi-core device deployed as an intermediary between a plurality of clients and one or more servers determines an estimated number of total pending requests received by all packet processing engines based on a value of a local counter of received requests, the total number of pending requests received by all other packet processing engines at a last predetermined interval, and a rate of change of the total number of pending requests received by all other packet processing engines multiplied by the time since the last predetermined interval. The packet processing engine applies a surge protection policy to received pending requests responsive to the determined estimated number of total pending requests. | 10-17-2013 |
20140258390 | SYSTEMS AND METHODS FOR MAINTAINING TRANSPARENT END TO END CACHE REDIRECTION - The present disclosure presents systems and methods for maintaining original source and destination IP addresses of a request while performing intermediary cache redirection. An intermediary receives a request from a client destined to a server identifying a client IP address as a source IP address and a server IP address as a destination IP address. The intermediary transmits the request to a cache server, the request maintaining original IP addresses and identifying a MAC address of the cache server as the destination MAC address. The intermediary receives the request from the cache server responsive to a cache miss, the received request maintaining the original source and destination IP addresses. The intermediary identifying that the third request is coming from the cache server via one or more data link layer properties of the third transport layer connection. The intermediary transmits to the server the request identifying the client IP address as the source IP address and the server IP address as the destination IP address. | 09-11-2014 |
20150019630 | SYSTEMS AND METHODS FOR SAMPLING MANAGEMENT ACROSS MULTIPLE CORES FOR HTML INJECTION - A method for sampling management includes establishing, for a multi-core intermediary comprising a plurality of packet evaluation components executing on a corresponding plurality of cores, a frequency at which the multi-core intermediary intercepts a response transmitted from a server to a client and injects data into the intercepted response. For each of the plurality of packet evaluation components, an offset and a frequency based on a number of packet evaluation components in the plurality of packet evaluation components is established, a combination of the established frequencies substantially similar to the frequency established for the multi-core intermediary. One of the plurality of cores intercepts a response from the server to the client, at a time specified by the frequency and the offset. The packet evaluation component executing on the one of the plurality of cores injects data into the intercepted response. | 01-15-2015 |