Facilitating secure network traffic by an application delivery controller

Description

FIELD OF THE INVENTION

The present disclosure relates generally to data processing, and more specifically to mechanisms that may be employed by an Application Delivery Controller (ADC) to prevent a denial of service attack in various network configurations.

SUMMARY

According to some embodiments, the present technology is directed to a method for facilitating a secure network by a network device. The method may include: (a) receiving a data packet with information from a client indicating that the client is a trusted source; (b) embedding in the data packet a transmission control protocol (TCP) options header, the TCP options header comprising information including at least a sequence number for a protocol connection; and (c) forwarding the embedded data packet to a server.

According to other embodiments, the present technology is directed to a method for facilitating a secure network by a network device. The method may include: (a) receiving, at the network device, a data packet with information from a client indicating that the client is a trusted source; (b) modifying an Internet protocol (IP) header of the data packet with an encoded value from an index table; and (c) forwarding the data packet with the modified IP header to a server.

According to some embodiments, the present technology is directed to a method that comprises: (a) receiving a data packet with information from a client indicating that the client is a trusted source; (b) communicating, in a first channel established between the network device and a server, connection parameters included in a synchronization (SYN) packet received from the client, the connection parameters comprising parameters necessary for efficient data transfer over the secure network; and (c) forwarding, in a second channel established between the network device and the server, data packets of a data flow from the client.

According to other embodiments, the present technology is directed to an application delivery controller comprising: (a) a processor; and (b) a memory for storing executable instructions, the processor being configured to execute the instructions to: (i) receive a data packet with information from a client indicating that the client is a trusted source; (ii) perform either: (1) an embedding of transmission control protocol (TCP) options header in the data packet, the TCP options header comprising parameters for a protocol connection or (2) a modification of an Internet protocol (IP) header of the data packet with an encoded value from an index table; and (iii) forward the embedded or modified data packet to a server.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments are illustrated by way of example, and not limitation, in the figures of the accompanying drawings, in which like references indicate similar elements.

FIG. 1 is a block diagram of an exemplary symmetric network suitable for implementing one or more methods of the present disclosure;

FIG. 2 is a block diagram of an exemplary asymmetric network suitable for implementing one or more methods of the present disclosure;

FIG. 3 is a flowchart of an example method for facilitating a secure network by a network device;

FIG. 4 is a flowchart of another example method for facilitating a secure network by a network device;

FIG. 5 is a flowchart of an example method for facilitating a secure network by a network device using in-band and out-of-band communication; and

FIG. 6 is a schematic diagram of an example computing device that can be used to implement the present technology.

DETAILED DESCRIPTION

In the following description, numerous specific details are set forth in order to provide a thorough understanding of the presented concepts. The presented concepts may be practiced without some or all of these specific details. In other instances, well known process operations have not been described in detail so as to not unnecessarily obscure the described concepts. While some concepts will be described in conjunction with the specific embodiments, it will be understood that these embodiments are not intended to be limiting.

Reference throughout this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrases “in one embodiment” or “in an embodiment” or “according to one embodiment” (or other phrases having similar import) at various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. Furthermore, depending on the context of discussion herein, a singular term may include its plural forms and a plural term may include its singular form. Similarly, a hyphenated term (e.g., “on-demand”) may be occasionally interchangeably used with its non-hyphenated version (e.g., “on demand”), a capitalized entry (e.g., “Software”) may be interchangeably used with its non-capitalized version (e.g., “software”), a plural term may be indicated with or without an apostrophe (e.g., PE's or PEs), and an italicized term (e.g., “N+1”) may be interchangeably used with its non-italicized version (e.g., “N+1”). Such occasional interchangeable uses shall not be considered inconsistent with each other.

It is noted at the outset that the terms “coupled,” “connected”, “connecting,” “electrically connected,” etc., are used interchangeably herein to generally refer to the condition of being electrically/electronically connected. Similarly, a first entity is considered to be in “communication” with a second entity (or entities) when the first entity electrically sends and/or receives (whether through wireline or wireless means) information signals (whether containing data information or non-data/control information) to the second entity regardless of the type (analog or digital) of those signals. It is further noted that various figures (including component diagrams) shown and discussed herein are for illustrative purpose only, and are not drawn to scale.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

The present disclosure relates generally to data processing, more specifically to mechanisms that may be employed by an Application Delivery Controller (ADC) to prevent a denial of service attack in various network configurations.

Websites, web and mobile applications, cloud computing, and various web and mobile services have been rising in popularity. Some examples of fast growing consumer services include smart phone applications, location based services, navigation services, e-book services, video applications, music applications, Internet television services, and so forth. Subsequently, more and more servers are deployed within data networks including the Internet to accommodate the increasing computing and data storage needs. These servers are typically arranged in data centers or web farms, which may include ADCs, GSLB and/or server load balancers (SLBs).

In TCP/IP networks, one method of establishing a connection between two network devices such as a client device and a server, is through the use of a SYN packet, also sometimes referred to as a SYN flag. In this scenario, the client device that wishes to establish the connection first sends a SYN packet to the server. The SYN packet may comprise information within it such as the source IP address, source port, destination IP address, destination port, timestamp, maximum segment size, window scale, a sequence number for the connection, and other types of information.

Once the server receives the SYN packet, it typically responds with a SYN/ACK (or SYN acknowledgement) to acknowledge receipt of the SYN packet and the request to establish a connection. Upon receipt of the SYN/ACK, the client device typically responds with an acknowledgement ACK packet (the authentication acknowledgement), and the network connection is established, such that the two devices can now send data back and forth over the network. Typically, before the connection has actually been established, the server creates a session entry when it receives the SYN packet and keeps track of the information in the client's SYN packet for the connection (source and destination ports, source and destination IP addresses, timestamp, window scale, sequence number, and so forth).

However, this type of connection is vulnerable to a SYN attack. In a typical SYN attack, the server gets overwhelmed by SYN packets coming in at a faster rate than it can process them. This may lead to a denial of service response by the server, because the server is overwhelmed by the sheer number of SYN packets it receives. Because the server doesn't have enough resources to respond to all of the requests, the server may become unable to respond to any of the requests.

To help protect against these types of attacks, a server may utilize a SYN-cookie. When the server receives a SYN packet from a client device, it may generate a SYN-cookie that contains values based on the information in the original SYN packet. If the client device is a legitimate device and not a botnet, it will return to the server an ACK data packet, or authentication acknowledgement data packet, which contains the information from the SYN-cookie. The server then validates the sequence number and/or other information with the SYN-cookie and re-computes the original values from the SYN packet such as the client device's sequence number, window size, timestamp, maximum segment size, and so forth. The server does not create a session entry for the connection until it receives the ACK packet, thus preventing a botnet from overwhelming a server and taking it down by sending SYN packets.

Conventionally, an ADC is a network device disposed in a datacenter and part of an application delivery network (ADN). The ADC may allow performing common tasks, normally done by web servers, in an effort to remove some load from the web servers. ADCs are typically placed between the firewall/router and the host (web) servers. In addition, conventional ADCs may include various features providing for compression, caching, connection multiplexing, application layer security, and content switching. These features may be combined with basic server load balancing, content manipulation, advanced routing strategies, and highly configurable server health monitoring.

Additionally, ADCs may manage load balancing and delivery of service sessions from client host computers to servers based at least in part on incoming service requests. As more servers are deployed, additional ADCs may be deployed. Similarly, as more servers are pooled together within the data center or spread across multiple data centers to provide scalability, ADCs may become bottlenecks slowing data transmissions between peers on the network.

Because the ADC network device is typically placed between the firewall/router and the host (web) server, it may also be utilized for screening to ensure that the client host computer requesting to connect with the server is from a trusted source. However, routing all network traffic to and from the host servers through the ADCs may cause the ADCs to become a bottleneck. To prevent this from happening and to ease some of the burden on the ADCs, an “asymmetric” network, also referred to as “direct server return” configuration may be deployed. In this configuration, the client device's request for services may be forwarded to the server once the server device has been selected, but the response from the server may be sent directly to the client instead of being routed back through an ADC.

Deploying an ADC in such a TCP/IP network means that three devices must now communicate with each other. In order to send and receive data, the client device, ADC, and server need to maintain the sequence numbers for the connection. In a symmetric network configuration, the ADC can function as the intermediary between the client device and server; it can establish a two-way connection between itself and the client, and also another two-way connection between itself and the server. In this way, the ADC can facilitate the transfer of data back and forth between the client device and server. However, in an asymmetric network configuration, the ADC does not receive the traffic back from the server, and thus cannot serve as the intermediary. Therefore, the ADC needs to pass along the parameters from the client's SYN packet to the server, such that when the server sends back response data, it maintains the same characteristics contained in the original SYN and SYN/ACK packets including, but not limited to, sequence numbers, maximum segment size, window scale, timestamp, etc.

Embodiments disclosed herein may be implemented using a variety of technologies. For example, the methods described herein may be implemented in software executing on a computer system or in hardware utilizing either a combination of microprocessors or other specially designed application-specific integrated circuits (ASICs), programmable logic devices like FPGA's, or various combinations thereof. In particular, the methods described herein may be implemented by a series of computer-executable instructions residing on a storage medium such as a disk drive, or computer-readable medium. It should be noted that methods disclosed herein can be implemented by a computer, e.g., a desktop computer, server, tablet computer, laptop computer, smartphone and so forth.

The present technology provides various methods for operation of ADCs in data networks such as the Internet including a plurality of switches, routers, virtual switches, web farms, host servers, and other units. The present technology provides enhanced performance and security of ADC and allows implementing scalable business solutions for any services, applications, clouds and organizations. Furthermore, the present technology provides a scalable, high-performance application networking platform, which delivers superior reliability, security, and energy efficiency at lower total cost of ownership. ADC can also provide increased infrastructure efficiency, a faster end user experience, comprehensive Layer 4-7 feature set and flexible virtualization technologies such as Virtual Chassis System, multi-tenancy, and more for public, private and hybrid cloud environments. The ADC may include software and/or hardware components/platforms that may vary depending on a particular application, performance, infrastructure, network capacity, data traffic parameters, and so forth. A more detailed explanation of an exemplary method of ADC operation is described in U.S. utility patent application Ser. No. 13/791,760, filed on Mar. 8, 2013, titled “Application Delivery Controller and Global Server Load Balancer” which is hereby incorporated herein by reference in its entirety including all references cited therein.

The present technology further provides various systems and methods for operation of a service on a network. It provides technology to identify viruses, botnets, trojans, malware, and other type of unauthorized services from accessing and overwhelming a host server providing the service. These systems and methods may be used to prevent a denial of service attack on a network device.

Turning now to FIG. 1, a high-level block diagram of a network topology 100 suitable for implementing one or more methods of the present disclosure is shown. The network topology 100 shown by FIG. 1 may include a number of host servers 105, a number of switches 110 combining/coupling the host servers 105 and thus performing Layer 2 aggregation and corresponding switching. The topology 100 may further include an ADC 115 including one (or more) ADC switches 120, which may employ one or more of the methods disclosed herein. As will be appreciated by those skilled in the art, the ADC switches 120 may operate in different modes, such as standalone, active/standby mode, backup mode, active-active and others, depending on an application.

Still referring to FIG. 1, the topology 100 may further include a communications network 125, which may refer to, for example, the Internet, Local Area Network (LAN), Wide Area Network (WAN), Internet, a cellular network, a telephone network, or any other switched network or their combinations. There is also a plurality of clients 130, which may include end user computers, mobile phones, thin clients, and so forth. There are also one or more Local DNS Servers which may be associated with one or more clients 130 and/or one or more host servers 105. As shown in FIG. 1, the topology may include a GSLB 135, which may also employ one or more of the methods disclosed herein.

Generally speaking, load balancing is a technique that may be used for distributing the workload evenly across clients 130, networks 125, host servers 105, and other networked resources. The load balancing may enhance utilization of resources and enable maximize throughput with minimum response time, hence avoiding overloading of a single server.

A typical data packet in a TCP/IP network, may be comprised of a data component and one or more header components. The header may comprise a layer 2 header, layer 3 header, layer 4 header, or any other necessary components for transmitting the packet. The layer 2 header may comprise information such as a destination MAC address, source MAC address, and Ethernet type. The layer 3 header may be an IP header, and the layer 4 header may be a TCP header.

The IP header may comprise identifying information such as the source IP address from which the packet originated, the destination IP address for the packet, and other IP options. The IP options in the IP header may comprise information that describes the packet, directs the packet to take a particular route to reach the destination, information regarding policies for the packet, experimental fields, and any other attribute. The IP options may be defined by a type-length-value system whereby the first two bytes represent the option identification number, the next two bytes represent the length, and the remaining bytes represent the value (encoded information about the option itself).

The TCP header may comprise identifying information such as the source port from which the packet originated, the destination port for the packet, window, sequence number, ACK number, any flags (such as SYN flags), and other TCP options. Some examples of TCP options may include maximum segment size (MSS), window scale, selective ACK, timestamp, and other experimental options. The window scale may comprise a factor by which to multiply the window. Typically, the window scale may be any factor up to 15. Selective ACK messages may be used for selective retransmission of individual data packets that were not received at the destination. Timestamp may also be used to identify that the data being sent is from the same device by aligning the numerical values of the timestamp.

In certain embodiments, the ADC 115 may employ a SYN packet technique utilizing a SYN-cookie to verify that the client 130 is a trusted source and not a spoof, botnet, or any other unauthorized program. In an exemplary methodology, the client 130 may first send a SYN packet to the ADC 115, which may include a sequence number for communicating on a TCP/IP stack. The ADC 115 may then send a SYN/ACK to the client 130, comprising a SYN-cookie. The SYN-cookie may comprise a sequence number for the ADC 115, as well as an acknowledgement of the client's sequence number. The client may then respond with an acknowledgement of the SYN-cookie, thus authenticating that the client's IP address has not been spoofed. Once the client 130 has been authenticated, the ADC 115 may then forward data from the client to the host server 105.

In a stateless operating mode, the ADC 115 does not retain any information about the SYN packet until the final acknowledgement is received and the connection is established. This is to prevent a denial of service attack causing the ADC 115 to be overwhelmed with a flood of SYN packets. Furthermore, TCP options from the client 130 to the ADC 115 are typically exchanged in the first SYN packet, and the SYN/ACK, but are not exchanged again after the connection is established. Thus, the ADC 115 may encode the data from the TCP options received in the original SYN packet into the SYN-cookie that it sends with the SYN/ACK. A SYN-cookie typically contains four bytes of data, and thus TCP options such as MSS, window scale, and selective ACK may be encoded within those data bytes. When the client 130 receives the SYN/ACK with the SYN-cookie within it, the client 130 then transmits an acknowledgement back to the ADC 115 with a sequence number referring to the SYN-cookie. Thus, even though the ADC 115 does not retain the actual TCP options received in the original SYN packet while operating in a stateless mode, it may still have the relevant information necessary in the encoded SYN-cookie sequence numbers to re-compute those parameters to communicate with the host servers 105.

Since the ADC 115 is connected to a plurality of servers 105 at any given time, the ADC 115 may periodically probe the servers through a health check or any other methodology to determine which server to route the requests to. In one embodiment, the ADC 115 may probe the active servers 105 and calculate a lowest common denominator to present to the client 130. For example, if the ADC 115 probes three servers about their window scale capacity, and the servers have capacity for a window scale of five, seven, and ten, the ADC 115 may present a window scale of five to the client 130. Thus, regardless of which server the traffic is ultimately routed to, all servers will be able to handle at least that much traffic.

In exemplary embodiments, the ADC 115 may also comprise a translation layer. The translation layer may comprise information that is calculated and placed in the packet header to correlate the options in the packet header from the client with the options that the host server 105 has the capacity to serve. This is to maintain the proper protocols for communicating in the TCP/IP stack. When the ADC 115 routes a particular packet from a client 130 to a host server 105, it may adjust the values in the TCP header to match the parameters that the particular host server 105 has the capacity to serve. In this way, the protocols are aligned and communication between the network devices is streamlined. In certain embodiments, the translation layer may comprise a Layer 4 expanded SYN-cookie, Layer 3 SYN-cookie, or any other mechanism for interfacing between the header options of the client 130 and the host server 105.

FIG. 2 illustrates a block diagram of an exemplary network topology 200 operating in an “asymmetric” or “direct server return” mode. In this mode, a client 130 may submit a request for services. The request is transmitted through the communications network 125 to the ADC 115. Once the ADC 115 can verify that the client is a trusted source and the request is legitimate using a SYN-cookie or any other verification method, the ADC 115 may forward the request to one or more host servers 105. The one or more host servers 105 may then return the data to the client 130, such that the ADC 115 does not become a bottleneck in the system 200.

To maintain the TCP connection between the client 130, ADC 115, and host servers 105, a change is needed to the host server's TCP stack. In a typical TCP/IP stack, the ADC 115 would request to connect to the host server 105 by sending it a SYN packet, and then being authenticated via a SYN-cookie, or any other such method. However, in the asymmetric mode, the ADC 115 begins communicating with the host server 105 by forwarding to it the authentication acknowledgement data packet (ACK packet) from the client such that it has all of the header options from the client 130.

Once the client 130 has been authenticated by the ADC 115, the data from the client 130 is transmitted directly to the server 105. However, the sequence numbers, TCP options, and other data in the packet from the client 130 that is forwarded directly to the server 105 contains references to data parameters that the server is not familiar with, since the authentication of the client 130 occurred prior to the data being transmitted to the server 105. Thus, in some embodiments, when the ADC 115 receives the acknowledgement from the client 130 referencing its SYN-cookie, the ADC 115 may then embed or stamp certain data onto the packet before forwarding it on to a server 105. The ADC 115 may embed data such as server sequence number, client MSS, client selective ACK, client window scale, client timestamp, or any other data found in the header, such that the processing information needed for the data packets from the client matches with the processing information needed for the packets from the server 105. In various embodiments, varying amounts of TCP option information may be embedded in the final ACK packet received from the client 130 before it is forwarded to the server 105.

In various embodiments, the ADC 115 may add TCP options to the ACK packet that it forwards to the server 105. The TCP options may include information such as window, MSS, timestamp, and so forth, or combinations thereof. The ADC 115 may accomplish this by adding one (1) TCP option for every parameter needed, or may simply use one TCP option with designated fields for each parameter. For example, the ADC 115 may designate one TCP option field of 64 bit length. The ADC 115 may use the first eight bits to represent the maximum segment size, the next 8 bits to represent the window size, etc.

When the server 105 receives the packet with the modified header information, it may recognize that the data packet and/or client 130 source has previously been authenticated by the ADC 115, and thus the server may automatically deem the data packet to be trusted and place it into the TCP stack for processing. In certain embodiments, the ADC 115 may only embed such information into the header of the initial packet forwarded to the server 105. In other embodiments, the ADC 115 may embed TCP option data into the header of all data packets it forwards to the server 105. In various embodiments, the TCP options and/or other information may be embedded onto the data packet forwarded by the ADC 115 to the server 105 through the use of an SDK that may be deployed by a network administrator for a server.

In other embodiments, the ADC 115 may add IP options to the ACK packet that it forwards from the client 130 to the server 105. The IP header of a data packet may include a fixed header and options fields. In one embodiment, the ADC 115 may use the IP options field(s) of the IP header to encode the relevant information necessary for the server 105 to communicate directly with the client 130, including the sequence numbers, timestamp, etc. The ADC 115 may accomplish this by adding one IP option for every parameter needed, or may simply use one IP option with designated fields for each parameter. For example, the ADC 115 may designate one IP option field of 64 bit length, and use eight bits to represent each of the various parameters.

In another embodiment, the ADC 115 may use the fixed header portion of an IP header. In the fixed header portion of an IP header of a data packet, there is an IP identification field. Typically, the IP identification field is two bytes in length, which allows 16 bits of encoded information. The ADC 115 may create an index table of 2^16 different combinations of parameter values, or some other appropriately sized index table. After the client 130 has been authenticated, the ADC 115 may re-compute the original parameters from the client's original SYN packet, and then pick the most appropriate parameter combination from the options in the index table. Then, the ADC 115 may encode a value associated with that entry in the index table into the IP identification field of the fixed IP header, which is then added to the data packet forwarded to the server 105.

When the server 105 receives this data packet from the ADC 115, it may receive the value from the IP identification field of the fixed IP header on the data packet, look up this value in the index table, and from there extract the proper source information, destination information, sequence numbers, timestamp, and all other relevant parameters necessary for ensuring proper data transfer over the network.

The index table that the ADC 115 uses to encode a value into the IP identification field is the same index table that the servers 105 may use to decode the value. The table may be static, such that the parameters and their associated encoded values are fixed. Alternatively, the table may be dynamic, and the ADC 115 and servers 105 may synchronize their tables periodically. In various embodiments, each network device may maintain its own local copy of the index table that is periodically synchronized. Alternatively, the index table may be maintained in a network database, or any other data structure, that is accessible to any network device from any location in the network.

In another embodiment, the processing information needed by the server 105 may directly be placed by the ADC 115 in a network database, or any other data structure, that is accessible to any network device from multiple locations in the network. In this configuration, the server 105 may look up the processing information directly, without the ADC 115 being required to make modifications to the packets it sends to the servers.

In further embodiments, the ADC 115 may transfer the relevant connection parameters from the client's SYN packet to the servers 105 through an out of band mechanism. In these embodiments, the ADC 115 may utilize one channel to authenticate itself to the servers 105 and transfer information regarding the data flow to the servers such as the sequence numbers, timestamp, window size, and any other relevant parameter necessary for efficient data transfer over the network. The ADC 115 may then utilize a separate channel to forward the actual data packets from the client 130 to the servers 105. In this way, the ADC 115 may not need to alter the ACK packet or any other data packets it receives from the client 130 before forwarding to the server 105 for processing.

In various embodiments, the ADC 115 may utilize the first channel to transmit information about the upcoming data flow to the server 105 at the beginning of each data flow, periodically throughout the data flow, and/or at the end of the data flow.

In other embodiments, the ADC 115 may utilize IP tunneling to transfer the relevant information necessary to the servers 105 about the data. In these embodiments, the ADC 115 may not need to edit the ACK packet received from the client 130 before forwarding it to the server 105. The ADC 115 may instead utilize a module to place the ACK packet in another packet with an IP header that contains the relevant parameters, and then send this modified packet to the servers 105. When the server 105 receives the modified packet, it may extract from the modified packet's IP header the sequence number for the connection, timestamp, and all other relevant parameters necessary for proper data flow between the server 105 and the client 130. In various embodiments, the ADC 115 may utilize a tunnel header to communicate the relevant parameters. The ADC 115 may use a module to encapsulate the ACK packet from the client with data representing the relevant parameters. When the server 105 receives the modified packet, it may use a module to extract the outer header with the relevant parameters such that when it sends response data back to the client 130, it may do so with the proper sequence numbers, timestamp, window, and/or other parameters to communicate over the network protocol.

While the above methods have been described generally with a first packet being received by the server from the ADC as being the ACK packet that includes processing information (that is, information that is needed by the server for communicating with the client), it will be understood by those skilled in the art that the first packet received by the server from the ADC may not be the ACK packet, but could also be another SYN packet or some other packet in which the necessary processing information is embedded or otherwise communicated.

FIG. 3 illustrates a method for facilitating a secure network by a network device, such as the ADC described above. According to some embodiments, the method may include the ADC receiving 305 a data packet with information from a client indicating that the client is a trusted source. As mentioned above, the process of the client indicating that it is a trusted source may include a SYN, SYN/ACK, SYN-cookie, and final ACK exchange process as described above. The ADC mediates between the client and server in exchanging these messages so as to prevent malicious network activity by potentially malicious clients. For example, a malicious client may attempt to flood the network with SYN messages to cause a denial of service attack.

In furtherance of this goal, the method also further includes the ADC embedding 310 in the data packet a transmission control protocol (TCP) options header. In some embodiments the TCP options header comprises information including at least a sequence number for a protocol connection. The TCP options header can also include connection parameters, which include parameters that are necessary for efficient data transfer over the secure network. For example, a maximum segment size, a window scale, and a selective acknowledgement message, as well as other parameters that would be known to one of ordinary skill in the art with the present disclosure before them.

The method includes the ADC forwarding 315 the embedded data packet to a server, as well as establishing 320 a network connection between the client and the server.

While the example of FIG. 3 has been described with respect to an ADC, it will be understood that other network device such as routers, switches, firewalls, or other network devices can be also configured to execute the methods described herein. That is, the technology described herein is not limited to being executed by an ADC.

FIG. 4 illustrates another method for facilitating a secure network by a network device, such as the ADC described above. In general, this method is configured to use the IP header of a data packet, rather than the TCP options header. In this embodiment, the method includes the ADC receiving 405, at the network device, a data packet with information from a client indicating that the client is a trusted source. Again, this may include a SYN packet or an ACK message received from the client as specified in the examples provided supra.

Next, the method includes the ADC modifying 410 an Internet protocol (IP) header of the data packet with an encoded value from an index table. As with the method above, the encoded value may include a fixed header and options fields. The modification may include encoding parameters such as source information, destination information, sequence numbers, timestamp, as well as other network protocol parameters that would be known to one of ordinary skill in the art.

Once the IP header of the client's packet has been modified, the method includes forwarding 415 the data packet with the modified IP header to a server.

Optionally, the method may include determining 420 the network capabilities of the server and adjusting 425 the parameters included in the IP header such that the IP header parameters correlate to the server's capabilities. For example, if the IP header information includes protocol parameters that cannot be serviced by the server, the ADC can determine the capabilities of the server and adjust the parameters received from the client to ensure that the client and server are able to communicate with one another over the network in a secure manner.

FIG. 5 illustrates a method for facilitating a secure network by a network device, where the network device is configured to use in-band and out-of-band channels for communicating with a server. The method may include receiving 505 a data packet with information from a client indicating that the client is a trusted source. Once the data packet is received, the method includes communicating 510, in a first channel established between the network device and a server, connection parameters included in a SYN packet received from the client. It will be understood that the connection parameters comprise, in some embodiments, to parameters included in a SYN packet received from the client. As with the other embodiments, the connection parameters comprise parameters necessary for efficient data transfer over the secure network. In some embodiments, the method includes forwarding 515, in a second channel established between the network device and the server, data packets of a data flow from the client.

As mentioned above, the ADC may also be configured to use IP tunneling as part of the in-band/out-of-band methodology.

FIG. 6 illustrates an exemplary computing device 1 that is to implement an embodiment of the present systems and methods. The system 1 of FIG. 6 may be implemented in the contexts of the likes of the server 105 described herein. The computing device 1 of FIG. 6 includes a processor 10 and main memory 20. Main memory 20 stores, in part, instructions and data for execution by processor 10. Main memory 20 may store the executable code when in operation. The system 1 of FIG. 6 further includes a mass storage device 30, portable storage device 40, output devices 50, user input devices 60, a display system 70, and peripherals 80.

The components shown in FIG. 6 are depicted as being connected via a single bus 90. The components may be connected through one or more data transport means. Processor 10 and main memory 20 may be connected via a local microprocessor bus, and the mass storage device 30, peripherals 80, portable storage device 40, and display system 70 may be connected via one or more input/output (I/O) buses.

Mass storage device 30, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor 10. Mass storage device 30 can store the system software for implementing embodiments of the present technology for purposes of loading that software into main memory 20.

Portable storage device 40 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disk or digital video disc, to input and output data and code to and from the computing system 1 of FIG. 6. The system software for implementing embodiments of the present technology may be stored on such a portable medium and input to the computing system 1 via the portable storage device 40.

Input devices 60 provide a portion of a user interface. Input devices 60 may include an alphanumeric keypad, such as a keyboard, for inputting alphanumeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys, or a scanner for reading bar codes. Additionally, the system 1 as shown in FIG. 6 includes output devices 50. Suitable output devices include speakers, label and receipt printers, network interfaces, and monitors.

Display system 70 may include a liquid crystal display (LCD) or other suitable display device. Display system 70 receives textual and graphical information, and processes the information for output to the display device.

Peripherals 80 may include any type of computer support device to add additional functionality to the computing system. Peripherals 80 may include a modem or a router.

The components contained in the computing system 1 of FIG. 6 are those typically found in computing systems that may be suitable for use with embodiments of the present technology and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computing system 1 can be a personal computer, hand held computing system, telephone, mobile computing system, workstation, server, minicomputer, mainframe computer, or any other computing system. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including UNIX, Linux, Windows, Macintosh OS, Palm OS, and other suitable operating systems.

Some of the above-described functions may be composed of instructions that are stored on storage media (e.g., computer-readable medium). The instructions may be retrieved and executed by the processor. Some examples of storage media are memory devices, tapes, disks, and the like. The instructions are operational when executed by the processor to direct the processor to operate in accord with the technology. Those skilled in the art are familiar with instructions, processor(s), and storage media.

It is noteworthy that any hardware platform suitable for performing the processing described herein is suitable for use with the technology. The terms “computer-readable storage medium” and “computer-readable storage media” as used herein refer to any medium or media that participate in providing instructions to a CPU for execution. Such media can take many forms, including, but not limited to, non-volatile media, volatile media and transmission media. Non-volatile media include, for example, optical or magnetic disks, such as a fixed disk. Volatile media include dynamic memory, such as system RAM. Transmission media include coaxial cables, copper wire and fiber optics, among others, including the wires that comprise one embodiment of a bus. Transmission media can also take the form of acoustic or light waves, such as those generated during radio frequency (RF) and infrared (IR) data communications. Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, a hard disk, magnetic tape, any other magnetic medium, a CD-ROM disk, digital video disk (DVD), any other optical medium, any other physical medium with patterns of marks or holes, a RAM, a PROM, an EPROM, an EEPROM, a FLASHEPROM, any other memory chip or data exchange adapter, a carrier wave, or any other medium from which a computer can read.

Various forms of computer-readable media may be involved in carrying one or more sequences of one or more instructions to a CPU for execution. A bus carries the data to system RAM, from which a CPU retrieves and executes the instructions. The instructions received by system RAM can optionally be stored on a fixed disk either before or after execution by a CPU.

Computer program code for carrying out operations for aspects of the present technology may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, PHP, MySQL, HTML, Java Script, CSS, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present technology has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. Exemplary embodiments were chosen and described in order to best explain the principles of the present technology and its practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Aspects of the present technology are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

While the present invention has been described in connection with a series of preferred embodiment, these descriptions are not intended to limit the scope of the invention to the particular forms set forth herein. It will be further understood that the methods of the invention are not necessarily limited to the discrete steps or the order of the steps described. To the contrary, the present descriptions are intended to cover such alternatives, modifications, and equivalents as may be included within the spirit and scope of the invention as defined by the appended claims and otherwise appreciated by one of ordinary skill in the art.

Claims

1. A method for facilitating a secure network by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising: receiving, by the network device, a data packet with information from a client indicating that the client is a trusted source;embedding, by the network device, in the data packet a transmission control protocol (TCP) options header, the TCP options header comprising information including at least a sequence number for a protocol connection, the sequence number including a server sequence number; andforwarding, by the network device, the embedded data packet to a server, the server recognizing, based on the server sequence number, the embedded data packet as associated with the trusted source previously authenticated by the network device.
2. The method of claim 1, wherein the data packet received from the client comprises a synchronization (SYN)-cookie received from the network device, wherein the SYN-cookie comprises a sequence number for the network device and an acknowledgement (ACK) that includes a sequence number of the client.
3. The method of claim 2, wherein the network device does not retain information from the data packet until the ACK has been received from the client and a network connection has been established between the server and the client.
4. The method of claim 3, wherein the TCP options header is embedded into the ACK, the ACK being forwarded to the server.
5. The method of claim 3, wherein the network device does not retain the TCP options when the network device is operating in a stateless mode.
6. The method of claim 1, wherein the TCP options comprise a maximum segment size, a window scale, and a selective acknowledgement message, wherein the selective acknowledgement message is used for selective retransmission of individual data packets that were not received by the server.
7. The method of claim 1, wherein TCP options are included in the data packet received from the client.
8. The method of claim 1, further comprising authenticating the client by the network device.
9. The method of claim 8, further comprising embedding or stamping at least one of a server sequence number, a client maximum segment size, a client timestamp, and information required for the server to process the embedded data packet.
10. The method of claim 1, wherein the TCP options are embodied in a single message having a predetermined length of bits, wherein the length of bits is separated into segments, each of the segments comprising bits representing one of the TCP options.
11. A method for facilitating secure network by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising: receiving, at the network device, a data packet with information from a client indicating that the client is a trusted source;modifying, by the network device, an Internet protocol (IP) header of the data packet with an encoded value from an index table, the encoded value comprising information including at least a sequence number for a protocol connection, the sequence number including a server sequence number; andforwarding, by the network device, the data packet with the modified IP header to a server, the server recognizing, based on the server sequence number, the data packet as associated with the trusted source previously authenticated by the network device.
12. The method of claim 11, further comprising: authenticating the client;computing parameters included in a synchronization (SYN) packet received from the client; selecting a combination of parameters from the index table based on the computed parameters; andencoding the combination of parameters into an IP identification field of IP header of the data packet.
13. A method for facilitating a secure network by a network device that comprises a processor and a memory for storing executable instructions, wherein the processor executes the instructions to perform the method, comprising: receiving a data packet with information from a client indicating that the client is a trusted source;communicating, in a first channel established between the network device and a server, connection parameters included in a synchronization (SYN) packet received from the client, the connection parameters comprising parameters necessary for data transfer over the secure network, the connection parameters comprising information including at least a sequence number for a protocol connection, the sequence number including a server sequence number; andforwarding, in a second channel established between the network device and the server, data packets of a data flow from the client, the server recognizing, based on the server sequence number, the data packet as associated with the trusted source previously authenticated by the network device.
14. The method of claim 13, wherein the parameters comprise at least one of sequence numbers, timestamp, and window size.
15. An application delivery controller, comprising: a processor; anda memory for storing executable instructions, the processor being configured to execute the instructions to: receive a data packet with information from a client indicating that the client is a trusted source;perform either: (1) an embedding of a transmission control protocol (TCP) options header in the data packet, the TCP options header comprising parameters for a protocol connection, the parameters including at least a sequence number for the protocol connection, the sequence number including a server sequence number, or (2) a modification of an Internet protocol (IP) header of the data packet with an encoded value from an index table, the encoded value including the server sequence number; andforward the embedded or modified data packet to a server, the server recognizing, based on the server sequence number, the embedded or modified data packet as associated with a trusted source previously authenticated by the processor.
16. The application delivery controller of claim 15, wherein the application delivery controller comprises a module that is configured to place an acknowledgement (ACK) packet in the IP header of the data packet.
17. The application delivery controller of claim 16, wherein the application delivery controller is configured to use IP tunneling to transfer the modified data packet with the modified IP header to the server.
18. The application delivery controller of claim 17, wherein the data included in the TCP header is placed into a tunnel header.
19. The application delivery controller of claim 15, wherein the application delivery controller is configured to determine TCP options that the server is capable of providing.
20. The application delivery controller of claim 19, wherein the application delivery controller is configured to adjust the parameters in the TCP options header with the TCP options that the server is capable of providing.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation of U.S. patent application Ser. No. 14/268,914, filed May 2, 2014, title “Facilitating Secure Network Traffic by an Application Delivery Controller” which claims the priority benefit of U.S. Provisional Application Ser. No. 61/819,417, filed May 3, 2013, titled “Facilitating Secure Network Traffic by an Application Delivery Controller”. This application is also related to co-pending U.S. Nonprovisional patent application Ser. No. 14/261,322, filed Apr. 24, 2014 and titled “Systems and Methods for Network Access Control,” and to co-pending U.S. patent application Ser. No. 13/791,760 titled “Application Delivery Controller and Global Server Load Balancer” filed on Mar. 8, 2013. All of the disclosures of the above applications are hereby incorporated by reference in their entireties, including all references cited therein.

US Referenced Citations (516)

Number	Name	Date	Kind
4403286	Fry et al.	Sep 1983	A
4495570	Kitajima et al.	Jan 1985	A
4577272	Ballew et al.	Mar 1986	A
4720850	Oberlander et al.	Jan 1988	A
4864492	Blakely-Fogel et al.	Sep 1989	A
4882699	Evensen	Nov 1989	A
5031089	Liu et al.	Jul 1991	A
5218602	Grant et al.	Jun 1993	A
5218676	Ben-Ayed et al.	Jun 1993	A
5293488	Riley et al.	Mar 1994	A
5341477	Pitkin et al.	Aug 1994	A
5432908	Heddes et al.	Jul 1995	A
5537542	Eilert et al.	Jul 1996	A
5563878	Blakeley et al.	Oct 1996	A
5603029	Aman et al.	Feb 1997	A
5675739	Eilert et al.	Oct 1997	A
5740371	Wallis	Apr 1998	A
5751971	Dobbins et al.	May 1998	A
5754752	Sheh et al.	May 1998	A
5774660	Brendel et al.	Jun 1998	A
5774668	Choquier et al.	Jun 1998	A
5796936	Watabe et al.	Aug 1998	A
5812771	Fee et al.	Sep 1998	A
5828847	Gehr et al.	Oct 1998	A
5835724	Smith	Nov 1998	A
5867636	Walker	Feb 1999	A
5867661	Bittinger et al.	Feb 1999	A
5875296	Shi et al.	Feb 1999	A
5917997	Bell et al.	Jun 1999	A
5918017	Attanasio et al.	Jun 1999	A
5923854	Bell et al.	Jul 1999	A
5931914	Chiu	Aug 1999	A
5935207	Logue et al.	Aug 1999	A
5935215	Bell et al.	Aug 1999	A
5941988	Bhagwat et al.	Aug 1999	A
5944794	Okamoto et al.	Aug 1999	A
5946686	Schmuck et al.	Aug 1999	A
5951650	Bell et al.	Sep 1999	A
5951694	Choquier et al.	Sep 1999	A
5958053	Denker	Sep 1999	A
5995981	Wikstrom	Nov 1999	A
6003069	Cavill	Dec 1999	A
6006264	Colby et al.	Dec 1999	A
6006269	Phaal	Dec 1999	A
6031978	Cotner et al.	Feb 2000	A
6041357	Kunzelman et al.	Mar 2000	A
6047268	Bartoli et al.	Apr 2000	A
6076108	Courts et al.	Jun 2000	A
6088728	Bellemore et al.	Jul 2000	A
6098093	Bayeh et al.	Aug 2000	A
6104717	Coile et al.	Aug 2000	A
6119174	Borowsky et al.	Sep 2000	A
6128279	O'Neil et al.	Oct 2000	A
6131163	Wiegel	Oct 2000	A
6141759	Braddy	Oct 2000	A
6185598	Farber et al.	Feb 2001	B1
6219706	Fan et al.	Apr 2001	B1
6223205	Harchol-Balter et al.	Apr 2001	B1
6223287	Douglas et al.	Apr 2001	B1
6247057	Barrera, III	Jun 2001	B1
6249820	Dobbins et al.	Jun 2001	B1
6252878	Locklear, Jr. et al.	Jun 2001	B1
6259705	Takahashi et al.	Jul 2001	B1
6262976	McNamara	Jul 2001	B1
6286039	Van Horne et al.	Sep 2001	B1
6314463	Abbott et al.	Nov 2001	B1
6317786	Yamane et al.	Nov 2001	B1
6321338	Porras et al.	Nov 2001	B1
6324177	Howes et al.	Nov 2001	B1
6330560	Harrison et al.	Dec 2001	B1
6339423	Sampson et al.	Jan 2002	B1
6353614	Borella et al.	Mar 2002	B1
6363075	Huang et al.	Mar 2002	B1
6363081	Gase	Mar 2002	B1
6374300	Masters	Apr 2002	B2
6374359	Shrader et al.	Apr 2002	B1
6381632	Lowell	Apr 2002	B1
6393475	Leong et al.	May 2002	B1
6397261	Eldridge et al.	May 2002	B1
6430622	Aiken, Jr. et al.	Aug 2002	B1
6445704	Howes et al.	Sep 2002	B1
6446225	Robsman et al.	Sep 2002	B1
6459682	Ellesson et al.	Oct 2002	B1
6490682	Vanstone et al.	Dec 2002	B2
6496866	Attanasio et al.	Dec 2002	B2
6510464	Grantges, Jr. et al.	Jan 2003	B1
6515988	Eldridge et al.	Feb 2003	B1
6542926	Zalewski et al.	Apr 2003	B2
6564215	Hsiao et al.	May 2003	B1
6567857	Gupta et al.	May 2003	B1
6578066	Logan et al.	Jun 2003	B1
6587866	Modi et al.	Jul 2003	B1
6591262	MacLellan et al.	Jul 2003	B1
6594268	Aukia et al.	Jul 2003	B1
6598167	Devine et al.	Jul 2003	B2
6606315	Albert et al.	Aug 2003	B1
6609150	Lee et al.	Aug 2003	B2
6611498	Baker et al.	Aug 2003	B1
6650641	Albert et al.	Nov 2003	B1
6657974	Britton et al.	Dec 2003	B1
6697354	Borella et al.	Feb 2004	B1
6701377	Burmann et al.	Mar 2004	B2
6704317	Dobson	Mar 2004	B1
6711618	Danner et al.	Mar 2004	B1
6714979	Brandt et al.	Mar 2004	B1
6718383	Hebert	Apr 2004	B1
6742126	Mann et al.	May 2004	B1
6745229	Gobin et al.	Jun 2004	B1
6748413	Bournas	Jun 2004	B1
6748414	Bournas	Jun 2004	B1
6760758	Lund et al.	Jul 2004	B1
6763370	Schmeidler et al.	Jul 2004	B1
6763468	Gupta et al.	Jul 2004	B2
6772333	Brendel	Aug 2004	B1
6772334	Glawitsch	Aug 2004	B1
6779017	Lamberton et al.	Aug 2004	B1
6779033	Watson et al.	Aug 2004	B1
6877095	Allen	Apr 2005	B1
6886044	Miles et al.	Apr 2005	B1
6892307	Wood et al.	May 2005	B1
6941384	Aiken, Jr. et al.	Sep 2005	B1
6952728	Alles et al.	Oct 2005	B1
6954784	Aiken, Jr. et al.	Oct 2005	B2
6963917	Callis et al.	Nov 2005	B1
6965930	Arrowood et al.	Nov 2005	B1
6996617	Aiken, Jr. et al.	Feb 2006	B1
6996631	Aiken, Jr. et al.	Feb 2006	B1
7010605	Dharmarajan	Mar 2006	B1
7013482	Krumel	Mar 2006	B1
7058600	Combar et al.	Jun 2006	B1
7058718	Fontes et al.	Jun 2006	B2
7058789	Henderson et al.	Jun 2006	B2
7069438	Balabine et al.	Jun 2006	B2
7076555	Orman et al.	Jul 2006	B1
7120697	Aiken, Jr. et al.	Oct 2006	B2
7143087	Fairweather	Nov 2006	B2
7167927	Philbrick et al.	Jan 2007	B2
7181524	Lele	Feb 2007	B1
7188181	Squier et al.	Mar 2007	B1
7218722	Turner et al.	May 2007	B1
7225249	Barry et al.	May 2007	B1
7228359	Monteiro	Jun 2007	B1
7234161	Maufer et al.	Jun 2007	B1
7236457	Joe	Jun 2007	B2
7254133	Govindarajan et al.	Aug 2007	B2
7269850	Govindarajan et al.	Sep 2007	B2
7277963	Dolson et al.	Oct 2007	B2
7301899	Goldstone	Nov 2007	B2
7308499	Chavez	Dec 2007	B2
7310686	Uysal	Dec 2007	B2
7328267	Bashyam et al.	Feb 2008	B1
7334232	Jacobs et al.	Feb 2008	B2
7337241	Boucher et al.	Feb 2008	B2
7343399	Hayball et al.	Mar 2008	B2
7349970	Clement et al.	Mar 2008	B2
7370353	Yang	May 2008	B2
7391725	Huitema et al.	Jun 2008	B2
7398317	Chen et al.	Jul 2008	B2
7423977	Joshi	Sep 2008	B1
7430611	Aiken, Jr. et al.	Sep 2008	B2
7430755	Hughes et al.	Sep 2008	B1
7463648	Eppstein et al.	Dec 2008	B1
7467202	Savchuk	Dec 2008	B2
7472190	Robinson	Dec 2008	B2
7492766	Cabeca et al.	Feb 2009	B2
7506360	Wilkinson et al.	Mar 2009	B1
7509369	Tormasov	Mar 2009	B1
7512980	Copeland et al.	Mar 2009	B2
7533409	Keane et al.	May 2009	B2
7552323	Shay	Jun 2009	B2
7584262	Wang et al.	Sep 2009	B1
7584301	Joshi	Sep 2009	B1
7590736	Hydrie et al.	Sep 2009	B2
7613193	Swami et al.	Nov 2009	B2
7613822	Joy et al.	Nov 2009	B2
7673072	Boucher et al.	Mar 2010	B2
7675854	Chen et al.	Mar 2010	B2
7703102	Eppstein et al.	Apr 2010	B1
7707295	Szeto et al.	Apr 2010	B1
7711790	Barrett et al.	May 2010	B1
7747748	Allen	Jun 2010	B2
7765328	Bryers et al.	Jul 2010	B2
7792113	Foschiano et al.	Sep 2010	B1
7808994	Vinokour et al.	Oct 2010	B1
7826487	Mukerji et al.	Nov 2010	B1
7881215	Daigle et al.	Feb 2011	B1
7948952	Hurtta et al.	May 2011	B2
7970934	Patel	Jun 2011	B1
7979585	Chen et al.	Jul 2011	B2
7983258	Ruben et al.	Jul 2011	B1
7990847	Leroy et al.	Aug 2011	B1
7991859	Miller et al.	Aug 2011	B1
8019870	Eppstein et al.	Sep 2011	B1
8032634	Eppstein et al.	Oct 2011	B1
8090866	Bashyam et al.	Jan 2012	B1
8122116	Matsunaga et al.	Feb 2012	B2
8179809	Eppstein et al.	May 2012	B1
8185651	Moran et al.	May 2012	B2
8191106	Choyi et al.	May 2012	B2
8224971	Miller et al.	Jul 2012	B1
8234650	Eppstein et al.	Jul 2012	B1
8239445	Gage et al.	Aug 2012	B1
8255644	Sonnier et al.	Aug 2012	B2
8266235	Jalan et al.	Sep 2012	B2
8296434	Miller et al.	Oct 2012	B1
8312507	Chen et al.	Nov 2012	B2
8379515	Mukerji	Feb 2013	B1
8499093	Grosser et al.	Jul 2013	B2
8539075	Bali et al.	Sep 2013	B2
8554929	Szeto et al.	Oct 2013	B1
8560693	Wang et al.	Oct 2013	B1
8584199	Chen et al.	Nov 2013	B1
8595791	Chen et al.	Nov 2013	B1
RE44701	Chen et al.	Jan 2014	E
8675488	Sidebottom et al.	Mar 2014	B1
8681610	Mukerji	Mar 2014	B1
8750164	Casado et al.	Jun 2014	B2
8782221	Han	Jul 2014	B2
8813180	Chen et al.	Aug 2014	B1
8826372	Chen et al.	Sep 2014	B1
8879427	Krumel	Nov 2014	B2
8885463	Medved et al.	Nov 2014	B1
8897154	Jalan et al.	Nov 2014	B2
8965957	Barros	Feb 2015	B2
8977749	Han	Mar 2015	B1
8990262	Chen et al.	Mar 2015	B2
9094364	Jalan et al.	Jul 2015	B2
9106561	Jalan et al.	Aug 2015	B2
9118618	Davis	Aug 2015	B2
9118620	Davis	Aug 2015	B1
9154577	Jalan et al.	Oct 2015	B2
9154584	Han	Oct 2015	B1
9215275	Kannan et al.	Dec 2015	B2
9219751	Chen et al.	Dec 2015	B1
9253152	Chen et al.	Feb 2016	B1
9270705	Chen et al.	Feb 2016	B1
9270774	Jalan et al.	Feb 2016	B2
9338225	Jalan et al.	May 2016	B2
9350744	Chen et al.	May 2016	B2
9356910	Chen et al.	May 2016	B2
9386088	Zheng et al.	Jul 2016	B2
9497201	Chen et al.	Nov 2016	B2
9531846	Han et al.	Dec 2016	B2
9544364	Jalan et al.	Jan 2017	B2
9602442	Han	Mar 2017	B2
9609052	Jalan et al.	Mar 2017	B2
9661026	Chen et al.	May 2017	B2
9705800	Sankar et al.	Jul 2017	B2
9742879	Davis	Aug 2017	B2
9843484	Sankar et al.	Dec 2017	B2
9900252	Chiong	Feb 2018	B2
9906422	Jalan et al.	Feb 2018	B2
9906591	Jalan et al.	Feb 2018	B2
20010015812	Sugaya	Aug 2001	A1
20010049741	Skene et al.	Dec 2001	A1
20020010783	Primak et al.	Jan 2002	A1
20020032777	Kawata et al.	Mar 2002	A1
20020078164	Reinschmidt	Jun 2002	A1
20020091831	Johnson	Jul 2002	A1
20020091844	Craft et al.	Jul 2002	A1
20020103916	Chen et al.	Aug 2002	A1
20020124089	Aiken et al.	Sep 2002	A1
20020133491	Sim et al.	Sep 2002	A1
20020138618	Szabo	Sep 2002	A1
20020141448	Matsunaga	Oct 2002	A1
20020143953	Aiken	Oct 2002	A1
20020143954	Aiken et al.	Oct 2002	A1
20020143991	Chow et al.	Oct 2002	A1
20020166080	Attanasio et al.	Nov 2002	A1
20020178259	Doyle et al.	Nov 2002	A1
20020178265	Aiken et al.	Nov 2002	A1
20020178268	Aiken et al.	Nov 2002	A1
20020191575	Kalavade	Dec 2002	A1
20020194335	Maynard	Dec 2002	A1
20020194350	Lu et al.	Dec 2002	A1
20020199000	Banerjee	Dec 2002	A1
20030009591	Hayball et al.	Jan 2003	A1
20030014544	Pettey	Jan 2003	A1
20030023711	Parmar et al.	Jan 2003	A1
20030023873	Ben-Itzhak	Jan 2003	A1
20030031180	Datta et al.	Feb 2003	A1
20030035409	Wang et al.	Feb 2003	A1
20030035420	Niu	Feb 2003	A1
20030061402	Yadav	Mar 2003	A1
20030079146	Burstein	Apr 2003	A1
20030081624	Aggarwal et al.	May 2003	A1
20030091028	Chang et al.	May 2003	A1
20030131245	Linderman	Jul 2003	A1
20030135625	Fontes et al.	Jul 2003	A1
20030152078	Henderson et al.	Aug 2003	A1
20030195962	Kikuchi et al.	Oct 2003	A1
20030202536	Foster et al.	Oct 2003	A1
20040001497	Sharma	Jan 2004	A1
20040062246	Boucher et al.	Apr 2004	A1
20040073703	Boucher et al.	Apr 2004	A1
20040078419	Ferrari et al.	Apr 2004	A1
20040078480	Boucher et al.	Apr 2004	A1
20040111516	Cain	Jun 2004	A1
20040128312	Shalabi et al.	Jul 2004	A1
20040139057	Hirata et al.	Jul 2004	A1
20040139108	Tang et al.	Jul 2004	A1
20040141005	Banatwala et al.	Jul 2004	A1
20040143599	Shalabi et al.	Jul 2004	A1
20040184442	Jones et al.	Sep 2004	A1
20040187032	Gels et al.	Sep 2004	A1
20040199616	Karhu	Oct 2004	A1
20040199646	Susai et al.	Oct 2004	A1
20040202182	Lund et al.	Oct 2004	A1
20040210623	Hydrie et al.	Oct 2004	A1
20040210663	Phillips et al.	Oct 2004	A1
20040213158	Collett et al.	Oct 2004	A1
20040253956	Collins	Dec 2004	A1
20040268358	Darling et al.	Dec 2004	A1
20050005207	Herneque	Jan 2005	A1
20050009520	Herrero et al.	Jan 2005	A1
20050021848	Jorgenson	Jan 2005	A1
20050021949	Izawa et al.	Jan 2005	A1
20050027862	Nguyen et al.	Feb 2005	A1
20050036501	Chung et al.	Feb 2005	A1
20050036511	Baratakke et al.	Feb 2005	A1
20050044270	Grove et al.	Feb 2005	A1
20050074013	Hershey et al.	Apr 2005	A1
20050080890	Yang et al.	Apr 2005	A1
20050102400	Nakahara et al.	May 2005	A1
20050125276	Rusu	Jun 2005	A1
20050141506	Aiken et al.	Jun 2005	A1
20050163073	Heller et al.	Jul 2005	A1
20050198335	Brown et al.	Sep 2005	A1
20050213586	Cyganski et al.	Sep 2005	A1
20050240989	Kim et al.	Oct 2005	A1
20050249225	Singhal	Nov 2005	A1
20050259586	Hafid et al.	Nov 2005	A1
20060023721	Miyake et al.	Feb 2006	A1
20060036610	Wang	Feb 2006	A1
20060036733	Fujimoto et al.	Feb 2006	A1
20060064478	Sirkin	Mar 2006	A1
20060069774	Chen et al.	Mar 2006	A1
20060069804	Miyake	Mar 2006	A1
20060077926	Rune	Apr 2006	A1
20060092950	Arregoces et al.	May 2006	A1
20060098645	Walkin	May 2006	A1
20060112170	Sirkin	May 2006	A1
20060168319	Trossen	Jul 2006	A1
20060187901	Cortes et al.	Aug 2006	A1
20060190997	Mahajani et al.	Aug 2006	A1
20060209789	Gupta	Sep 2006	A1
20060233100	Luft et al.	Oct 2006	A1
20060251057	Kwon et al.	Nov 2006	A1
20060277303	Hegde et al.	Dec 2006	A1
20060280121	Matoba	Dec 2006	A1
20070019543	Wei et al.	Jan 2007	A1
20070086382	Narayanan	Apr 2007	A1
20070094396	Takano et al.	Apr 2007	A1
20070118881	Mitchell et al.	May 2007	A1
20070156919	Potti et al.	Jul 2007	A1
20070165622	O'Rourke et al.	Jul 2007	A1
20070185998	Touitou et al.	Aug 2007	A1
20070230337	Igarashi et al.	Oct 2007	A1
20070245090	King et al.	Oct 2007	A1
20070259673	Willars et al.	Nov 2007	A1
20070274285	Werber et al.	Nov 2007	A1
20070283429	Chen et al.	Dec 2007	A1
20070286077	Wu	Dec 2007	A1
20070288247	Mackay	Dec 2007	A1
20070294209	Strub et al.	Dec 2007	A1
20080031263	Ervin et al.	Feb 2008	A1
20080101396	Miyata	May 2008	A1
20080109452	Patterson	May 2008	A1
20080109870	Sherlock et al.	May 2008	A1
20080134332	Keohane et al.	Jun 2008	A1
20080162679	Maher	Jul 2008	A1
20080181213	Ovsiannikov	Jul 2008	A1
20080228781	Chen et al.	Sep 2008	A1
20080250099	Shen et al.	Oct 2008	A1
20080263209	Pisharody et al.	Oct 2008	A1
20080271130	Ramamoorthy	Oct 2008	A1
20080282254	Blander et al.	Nov 2008	A1
20080291911	Lee et al.	Nov 2008	A1
20080320151	McCanne et al.	Dec 2008	A1
20090037361	Prathaban et al.	Feb 2009	A1
20090049198	Blinn et al.	Feb 2009	A1
20090070470	Bauman et al.	Mar 2009	A1
20090077651	Poeluev	Mar 2009	A1
20090092124	Singhal et al.	Apr 2009	A1
20090106830	Maher	Apr 2009	A1
20090138606	Moran et al.	May 2009	A1
20090138945	Savchuk	May 2009	A1
20090141634	Rothstein et al.	Jun 2009	A1
20090164614	Christian et al.	Jun 2009	A1
20090172093	Matsubara	Jul 2009	A1
20090213858	Dolganow et al.	Aug 2009	A1
20090222583	Josefsberg et al.	Sep 2009	A1
20090227228	Hu et al.	Sep 2009	A1
20090228547	Miyaoka et al.	Sep 2009	A1
20090262741	Jungck	Oct 2009	A1
20090271472	Scheifler et al.	Oct 2009	A1
20090313379	Rydnell	Dec 2009	A1
20100008229	Bi et al.	Jan 2010	A1
20100023621	Ezolt et al.	Jan 2010	A1
20100036952	Hazlewood et al.	Feb 2010	A1
20100054139	Chun et al.	Mar 2010	A1
20100061319	Aso et al.	Mar 2010	A1
20100064008	Yan et al.	Mar 2010	A1
20100082787	Kommula et al.	Apr 2010	A1
20100083076	Ushiyama	Apr 2010	A1
20100094985	Abu-Samaha et al.	Apr 2010	A1
20100098417	Tse-Au	Apr 2010	A1
20100106833	Banerjee et al.	Apr 2010	A1
20100106854	Kim et al.	Apr 2010	A1
20100128606	Patel et al.	May 2010	A1
20100162378	Jayawardena et al.	Jun 2010	A1
20100188975	Raleigh	Jul 2010	A1
20100210265	Borzsei et al.	Aug 2010	A1
20100217793	Preiss	Aug 2010	A1
20100223630	Degenkolb et al.	Sep 2010	A1
20100228819	Wei	Sep 2010	A1
20100235507	Szeto et al.	Sep 2010	A1
20100235522	Chen et al.	Sep 2010	A1
20100238828	Russell	Sep 2010	A1
20100265824	Chao et al.	Oct 2010	A1
20100268814	Cross et al.	Oct 2010	A1
20100293296	Hsu et al.	Nov 2010	A1
20100312740	Clemm et al.	Dec 2010	A1
20100318631	Shukla	Dec 2010	A1
20100322252	Suganthi et al.	Dec 2010	A1
20100330971	Selitser et al.	Dec 2010	A1
20100333101	Pope et al.	Dec 2010	A1
20110007652	Bai	Jan 2011	A1
20110013525	Breslau et al.	Jan 2011	A1
20110019550	Bryers et al.	Jan 2011	A1
20110023071	Li et al.	Jan 2011	A1
20110029599	Pulleyn et al.	Feb 2011	A1
20110032941	Quach et al.	Feb 2011	A1
20110040826	Chadzelek et al.	Feb 2011	A1
20110047294	Singh et al.	Feb 2011	A1
20110060831	Ishii et al.	Mar 2011	A1
20110064083	Borkenhagen et al.	Mar 2011	A1
20110093522	Chen et al.	Apr 2011	A1
20110099403	Miyata et al.	Apr 2011	A1
20110110294	Valluri et al.	May 2011	A1
20110131646	Park et al.	Jun 2011	A1
20110145324	Reinart et al.	Jun 2011	A1
20110153834	Bharrat	Jun 2011	A1
20110178985	San Martin Arribas et al.	Jul 2011	A1
20110185073	Jagadeeswaran et al.	Jul 2011	A1
20110191442	Ovsiannikov	Aug 2011	A1
20110191773	Pavel et al.	Aug 2011	A1
20110196971	Reguraman et al.	Aug 2011	A1
20110276695	Maldaner	Nov 2011	A1
20110276982	Nakayama et al.	Nov 2011	A1
20110289496	Steer	Nov 2011	A1
20110292939	Subramaian et al.	Dec 2011	A1
20110302256	Sureshehandra et al.	Dec 2011	A1
20110307541	Walsh et al.	Dec 2011	A1
20120008495	Shen et al.	Jan 2012	A1
20120023231	Ueno	Jan 2012	A1
20120026897	Guichard et al.	Feb 2012	A1
20120030341	Jensen et al.	Feb 2012	A1
20120066371	Patel et al.	Mar 2012	A1
20120084460	McGinnity et al.	Apr 2012	A1
20120106355	Ludwig	May 2012	A1
20120117571	Davis et al.	May 2012	A1
20120144014	Natham et al.	Jun 2012	A1
20120151353	Joanny	Jun 2012	A1
20120155495	Clee et al.	Jun 2012	A1
20120170548	Rajagopalan et al.	Jul 2012	A1
20120173759	Agarwal et al.	Jul 2012	A1
20120191839	Maynard	Jul 2012	A1
20120239792	Banerjee et al.	Sep 2012	A1
20120240185	Kapoor et al.	Sep 2012	A1
20120290727	Tivig	Nov 2012	A1
20120297046	Raja et al.	Nov 2012	A1
20130007225	Gage et al.	Jan 2013	A1
20130046876	Narayana et al.	Feb 2013	A1
20130058335	Koponen et al.	Mar 2013	A1
20130074177	Varadhan et al.	Mar 2013	A1
20130083725	Mallya et al.	Apr 2013	A1
20130089099	Pollock et al.	Apr 2013	A1
20130091273	Ly et al.	Apr 2013	A1
20130124713	Feinberg et al.	May 2013	A1
20130148500	Sonoda et al.	Jun 2013	A1
20130166731	Yamanaka et al.	Jun 2013	A1
20130173795	McPherson	Jul 2013	A1
20130176854	Chisu et al.	Jul 2013	A1
20130191486	Someya et al.	Jul 2013	A1
20130191548	Boddukuri et al.	Jul 2013	A1
20130198385	Han et al.	Aug 2013	A1
20130250765	Ehsan et al.	Sep 2013	A1
20130258846	Damola	Oct 2013	A1
20130282791	Kruglick	Oct 2013	A1
20130311686	Fetterman et al.	Nov 2013	A1
20140047115	Lipscomb et al.	Feb 2014	A1
20140258465	Li	Sep 2014	A1
20140269728	Jalan et al.	Sep 2014	A1
20140286313	Fu et al.	Sep 2014	A1
20140298091	Carlen et al.	Oct 2014	A1
20140330977	van Bemmel	Nov 2014	A1
20140330982	Jalan et al.	Nov 2014	A1
20140334485	Jain et al.	Nov 2014	A1
20140359052	Joachimpillai et al.	Dec 2014	A1
20150085650	Cui et al.	Mar 2015	A1
20150156223	Xu et al.	Jun 2015	A1
20150215436	Kancherla	Jul 2015	A1
20150237173	Virkki et al.	Aug 2015	A1
20150281087	Jalan et al.	Oct 2015	A1
20150281104	Golshan et al.	Oct 2015	A1
20150296058	Jalan et al.	Oct 2015	A1
20150312268	Ray	Oct 2015	A1
20150350048	Sampat et al.	Dec 2015	A1
20150350379	Jalan et al.	Dec 2015	A1
20150381465	Narayanan et al.	Dec 2015	A1
20160042014	Jalan et al.	Feb 2016	A1
20160044095	Sankar et al.	Feb 2016	A1
20160088074	Kannan et al.	Mar 2016	A1
20160139910	Ramanathan et al.	May 2016	A1
20160261642	Chen et al.	Sep 2016	A1

Foreign Referenced Citations (110)

Number	Date	Country
1372662	Oct 2002	CN
1449618	Oct 2003	CN
1473300	Feb 2004	CN
1529460	Sep 2004	CN
1575582	Feb 2005	CN
1714545	Dec 2005	CN
1725702	Jan 2006	CN
1910869	Feb 2007	CN
101004740	Jul 2007	CN
101094225	Dec 2007	CN
101163336	Apr 2008	CN
101169785	Apr 2008	CN
101189598	May 2008	CN
101193089	Jun 2008	CN
101247349	Aug 2008	CN
101261644	Sep 2008	CN
101495993	Jul 2009	CN
101567818	Oct 2009	CN
101878663	Nov 2010	CN
102104548	Jun 2011	CN
102143075	Aug 2011	CN
102546590	Jul 2012	CN
102571742	Jul 2012	CN
102577252	Jul 2012	CN
102918801	Feb 2013	CN
103365654	Oct 2013	CN
103533018	Jan 2014	CN
103944954	Jul 2014	CN
104040990	Sep 2014	CN
104067569	Sep 2014	CN
104106241	Oct 2014	CN
104137491	Nov 2014	CN
104796396	Jul 2015	CN
102577252	Mar 2016	CN
102918801	May 2016	CN
0648038	Apr 1995	EP
1209876	May 2002	EP
1770915	Apr 2007	EP
1885096	Feb 2008	EP
2296313	Mar 2011	EP
2577910	Apr 2013	EP
2622795	Aug 2013	EP
2647174	Oct 2013	EP
2760170	Jul 2014	EP
2772026	Sep 2014	EP
2901308	Aug 2015	EP
2760170	Dec 2015	EP
1182560	Nov 2013	HK
1183569	Dec 2013	HK
1183996	Jan 2014	HK
1189438	Jan 2014	HK
1188498	May 2014	HK
1198565	May 2015	HK
1198848	Jun 2015	HK
1199153	Jun 2015	HK
1199779	Jul 2015	HK
1200617	Aug 2015	HK
IN3764CHN2014	Sep 2015	IN
H0997233	Apr 1997	JP
H1196128	Apr 1999	JP
H11338836	Dec 1999	JP
2000276432	Oct 2000	JP
2000307634	Nov 2000	JP
2001051859	Feb 2001	JP
2001298449	Oct 2001	JP
2002091936	Mar 2002	JP
2003141068	May 2003	JP
2003186776	Jul 2003	JP
2005141441	Jun 2005	JP
2006332825	Dec 2006	JP
2008040718	Feb 2008	JP
2009500731	Jan 2009	JP
2013528330	Jul 2013	JP
2014504484	Feb 2014	JP
2014143686	Aug 2014	JP
2015507380	Mar 2015	JP
5855663	Feb 2016	JP
5906263	Apr 2016	JP
5913609	Apr 2016	JP
5946189	Jul 2016	JP
100830413	May 2008	KR
20130096624	Aug 2013	KR
101576585	Dec 2015	KR
WO2001013228	Feb 2001	WO
WO2001014990	Mar 2001	WO
WO2001045349	Jun 2001	WO
WO2003103237	Dec 2003	WO
WO2004084085	Sep 2004	WO
WO2006098033	Sep 2006	WO
WO2008053954	May 2008	WO
WO2008078593	Jul 2008	WO
WO2011049770	Apr 2011	WO
WO2011079381	Jul 2011	WO
WO2011149796	Dec 2011	WO
WO2012050747	Apr 2012	WO
WO2012075237	Jun 2012	WO
WO2012083264	Jun 2012	WO
WO2012097015	Jul 2012	WO
WO2013070391	May 2013	WO
WO2013081952	Jun 2013	WO
WO2013096019	Jun 2013	WO
WO2013112492	Aug 2013	WO
WO2014031046	Feb 2014	WO
WO2014052099	Apr 2014	WO
WO2014088741	Jun 2014	WO
WO2014093829	Jun 2014	WO
WO2014138483	Sep 2014	WO
WO2014144837	Sep 2014	WO
WO2014179753	Nov 2014	WO
WO2015153020	Oct 2015	WO

Non-Patent Literature Citations (35)

Entry
Abe, et al., “Adaptive Split Connection Schemes in Advanced Relay Nodes,” IEICE Technical Report, 2010, vol. 109 (438), pp. 25-30.
ACEdirector: 8-Port 10/100 MBPS Ethernet Web Switch, Alteon WebSystems, 1999, <http://www.andovercg.com/datasheets/alteon-ad3-act4.pdf>, pp. 2.
Allot Communications Announces Business-Aware Network Policy Manager, Allot Communications, Sophia Antipolis, France, 1999, pp. 2.
Allot Communications Announces Directory Services Based Network Policy Manager, Allot Communications, Los Galos, California, 1999, pp. 2.
Allot Announces the General Availability of its Directroy Services-Based NetPolicy Manager, Allot Communications, Tel Aviv, Israel, 2000, pp. 2.
Allot Introduces Turnkey Next Generation IP Service and Creation Solution—The Virtual Bandwidth Manager, Allot Communications, SUPERCOMM, 2000, 2 pgs.
Allot Communications Launches NetEnforcer with Netwizard, the Fastest Way to Implement Accurate and Reliable Network QoS Policies, Allot Communications, 2001, 2 pgs.
Allot Communications Announces the NetEnforcer Family of IP Traffic Management Products: Fault-Tolerant, Scaleable, Policy-Based Bandwidth Management, QoS, SLA Solutions, Allot Communications, 1999, 2 pgs.
Allot Communications Policy-Based Network Architecture, Allot Communications, 2001, pp. 1-12.
Apostolopoulos, et al., “Design, Implementation and Performance of a Content-Based Switch,” INFOCOM, Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings, 2000, vol. 3, pp. 1117-1126.
Aron, et al., “Efficient Support for P-HTTP in Cluster-Based Web Servers,” Proceedings of the Annual Conference on USENIX Annual Technical Conference, 1999, pp. 14.
Aron, “Scalable Content-Aware Request Distribution in Cluster-Based Network Servers,” Department of Computer Science, Rice University, [online retreived Mar. 13, 2001], <URL:http://softlib.rice.edu/scalableRD.html>, pp. 8.
Aron, et al., “Scalable Content-Aware Request Distribution in Cluster-Based Networks Servers,” Proceedings of the Annual Conference on USENIX Annual Technical Conference, 2000, pp. 15.
Cardellini, et al., “Dynamic Load Balancing on Web-Server Systems,” IEEE Internet Computing, 1999, vol. 3 (3), pp. 28-39.
Dahlin, et al., “EDDIE: A Robust and Scalable Internet Server,” 1998, http://www.eddie.org/, pp. 1-7 (Copy Unavailable).
Data Communications Awards Allot Communications “Hot Product” in Internetworking / IP Tools Catergory, Allot Communications, 1999, 2 pgs.
1.3.20 DEVICE and LINK Statement—Virtual Devices (VIPA), IP Configuration, IBM BookManager BookServer, 1998, <http://w3.enterlib.ibm.com:80/cgi-bin/bookmgr/books/F1AF7001/1.3.2>, pp. 3.
Devine, “TCP/IP Application Availability and Workload Balancing in the Parallel Sysplex,” SHARE Technical Conference, 1999, pp. 17.
Enhancing Web User Experience with Global Server Load Balancing, Alteon WebSystems, 1999, pp. 8.
FreeBSD, “tcp—TCP Protocal,” Linux Programme□ s Manual [online], 2007, [retrieved on Apr. 13, 2016], Retreived from the Internet: <https://www.freebsd.org/cgi/man.cgi?query=tcp&apropos=0&sektion=7&manpath=SuSe+Linux%2Fi386+11.0&format=asci>.
Gite, “Linux Tune Network Stack (Buffers Size) to Increase Networking Performance,” nixCraft [online], 2009, [retreived on Apr. 13, 2016], Retreived from the Internet <URL:http://www.cyberciti.biz/faq/linux-tcp-tuning/>.
Goldszmidt, et al., “NetDispatcher: A TCP Connection Router,” IBM Researc Report, RC 20853, 1997, pp. 1-31.
1.3.23 HOME Statement, IP Configuration, IBM BookManager BookServer, 1998, <http://w3.enterlib.com:80/cgi-bin/bookmgr/books/F1AF7001/1.3.2>, pp. 6.
Kjaer, et al., “Resource Allocation and Disturbance Rejection in Web Servers Using SLAs and Virtualized Servers,” IEEE Transactions on Network Service Management, 2009, vol. 6 (4), pp. 226-239.
Koike, et al., “Transport Middleware for Network-Based Control,” IEICE Technical Report, 2000, vol. 100 (53), pp. 13-18.
Noguchi, “Realizing the Highest Level “Layer 7” Switch”= Totally Managing Network Resources, Applications, and Users =, Computer & Network LAN, 2000, vol. 18 (1), pp. 109-112.
Ohnuma, “AppSwitch: 7th Layer Switch Provided with Full Setup and Report Tools,” Interop Magazine, 2000, vol. 10 (6), pp. 148-150.
Pai, et al., “Locality-Aware Request Distribution in Cluster-Based Network Servers,” ASPLOS VIII Proceedings of the Eighth International Conference on Architectural Support for Programming Languages and Operating Systems, 1998, pp. 205-216.
Samar, “Single Sign-On Using Cookies for Web Applications,” IEEE WETICE, 1999, pp. 158-163.
Sharifian, et al., “An Approximation-Based Load-Balancing Algorithm with Admission Control for Cluster Web Servers with Dynamic Workloads,” The Journal of Supercomputing, 2010, vol. 53 (3), pp. 440-463.
Spatscheck, et al., “Optimizing TCP Forwarder Performance,” IEEE/ACM Transactions on Networking, 2000, vol. 8 (2), pp. 146-157.
Takahashi, “The Fundamentals of the Windows Network: Understanding the Mystery of the Windows Network from the Basics,” Network Magazine, 2006, vol. 11 (7), pp. 32-35.
The Next Step in Server Load Balancing, Alteon WebSystems, 1999, pp. 16.
1.3.1.2.5 Virtual IP Addressing (VIPA), IP Configuration, IBM BookManager BookServer, 1998, <http://w3.enterlib.ibm.com:80/cgi-bin/boolmgr/books/F1AF7001/1.3.2>, pp. 4.
Yamamoto, et al., “Performance Evaluation of Window Size in Proxy-Based TCP for Multi-Hop Wireless Networks,” IPSJ SIG Technical Reports, 2008, vol. 2008 (44), pp. 109-114.

Related Publications (1)

	Number	Date	Country
	20180124052 A1	May 2018	US

Provisional Applications (1)

	Number	Date	Country
	61819417	May 2013	US

Continuations (1)

	Number	Date	Country
Parent	14268914	May 2014	US
Child	15858382		US

Facilitating secure network traffic by an application delivery controller

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

Field of Search

US

International Classifications

Abstract