Patent Grant
RE47296
When a TCP (Transmission Control Protocol) connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN ACK (synchronize acknowledge). The destination host normally then waits to receiver an ACK (acknowledge) of the SYN ACK before the connection is established. This is referred to as the TCP “three-way handshake.”
While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK is sent.
A TCP SYN flood attack is a well known denial of service attack that exploits the TCP three-way handshake design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. The victim destination host sends a SYN ACK back to the random source address and adds an entry to the connection queue, or otherwise allocates server resources. Since the SYN ACK is destined for an incorrect or non-existent host, the last part of the “three-way handshake” is never completed and the entry remains in the connection queue until a timer expires, typically, for example, for about one minute. By generating phony TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services (such as e-mail, file transfer, or WWW) to legitimate users. In most instances, there is no easy way to trace the originator of the attack because the IP address of the source is forged. The external manifestations of the problem may include inability to get e-mail, inability to accept connections to WWW or FTP services, or a large number of TCP connections on your host in the state SYN_RCVD.
A malicious client sending high volume of TCP SYN packets without sending the subsequent ACK packets can deplete server resources and severely impact the server's ability to serve its legitimate clients.
Newer operating systems or platforms implement various solutions to minimize the impact of TCP SYN flood attacks. The solutions include better resource management, and the use of a “SYN cookie”.
In an exemplary solution, instead of allocating server resource at the time of receiving a TCP SYN packet, the server sends back a SYN/ACK packet with a specially constructed sequence number known as a SYN cookie. When the server then receives an ACK packet in response to the SYN/ACK packet, the server recovers a SYN cookie from the ACK packet, and validates the recovered SYN cookie before further allocating server resources.
The effectiveness of a solution using a SYN cookie depends on the method with which the SYN cookie is constructed. However, existing solutions using a SYN cookie typically employ a hash function to construct the SYN cookie, which can lead to a high percentage of false validations of the SYN cookie, resulting in less than satisfactory protection again TCP SYN flood attack.
Therefore, there is a need for a better system and method for constructing and validating SYN cookies.
An aspect of the present invention provides a system for TCP SYN cookie validation. The system includes a host server including a processor and memory. The processor is configured for receiving a session SYN packet, generating a transition cookie, the transition cookie comprising a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
One aspect of the invention includes the system above in which the processor is further configured for regarding the received session ACK packet as valid if the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
In another aspect of the invention, the predetermined time interval is in the range of one to six seconds.
In one aspect of the invention, the predetermined time interval is three seconds.
In another aspect of the invention, the step of generating the transition cookie includes the use of data obtained from the session SYN packet.
In one aspect of the invention, the data obtained from the session SYN packet comprises the source IP address of an IP header associated with the session SYN packet.
In another aspect of the invention, the data obtained from the session SYN packet comprises the sequence number of a TCP header associated with the session SYN packet.
In another aspect of the invention, the data obtained from the session SYN packet comprises a source port associated with the session SYN packet.
In another aspect of the invention, the data obtained from the session SYN packet comprises a destination port associated with the session SYN packet.
Another aspect of the present invention provides a method for TCP SYN cookie validation. The method includes receiving a session SYN packet by a TCP session setup module, generating a transition cookie by the TCP session setup module, the transition cookie comprising a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
In an aspect of the invention, the method further includes indicating the received session ACK packet comprises a valid candidate transition cookie if the time value of the candidate transition cookie is within a predetermined time interval of the time the session ACK packet is received.
In another aspect of the invention, the step of generating the transition cookie includes the use of data obtained from the session SYN packet.
In the following description, for purposes of explanation, specific numbers, materials and configurations are set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to one having ordinary skill in the art, that the invention may be practiced without these specific details. In some instances, well-known features may be omitted or simplified so as not to obscure the present invention. Furthermore, reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase “in an embodiment” in various places in the specification are not necessarily all referring to the same embodiment.
Transmission Control Protocol (“TCP”) is one of the main protocols in TCP/IP networks. Whereas the Internet Protocol (“IP”) deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.
The terms “host server” and “client server” referred to in the descriptions of various embodiments of the invention herein described are intended to generally describe a typical system arrangement in which the embodiments operate. The “host server” generally refers to any computer system interconnected to a TCP/IP network, including but not limited to the Internet, the computer system comprising at a minimum a processor, computer memory, and computer software. The computer system is configured to allow the host server to participate in TCP protocol communications over its connected TCP/IP network. Although the “host server” may be a single personal computer having its own IP address and in communication with the TCP/IP network, it may also be a multi-processor server or server bank. The “client server” is similar to the “host server”, although it is understood that the “client server” may, in fact, be a single personal computer attached to the TCP/IP network. The only difference between the client and the host server for the purposes of the present invention is that the host server receives the SYN from the client server, sends a SYN ACK to the client server, and waits for the ACK from the client server.
The TCP sessions setup module 104 may itself be embedded in one or more other host server modules (not shown). The TCP session setup module may alternatively comprise a hardware or firmware component. For example, the software which handles the TCP handshake 108 on behalf of the host server 102 may be programmed onto a externally programmable read-only memory (“EPROM”) (not shown), and the EPROM may then be integrated into the host server. In another example, the ASIC or FPGA is integrated into the host server.
A TCP/IP segment includes a TCP header and an IP header as described in IETF RFC 793 “Transmission Control Protocol” section 3.1 “Header Format”, incorporated herein by reference. A TCP header optionally includes a sack-permitted option as described in IETF RFC 2018 “TCP Selective Acknowledgement Options” section 2 “Sack-Permitted Option”, incorporated herein by reference. A session SYN packet 210 is a TCP/IP segment with the SYN control bit in the TCP Header set to “1”. A session SYN/ACK packet 220 is a TCP/IP segment with the SYN control bit and the ACK control bit in the TCP header set to “1”. A Session ACK Packet 230 is a TCP/IP segment with the ACK control bit in the TCP header set to “1”.
Referring to
After the TCP session setup module 104 has sent out the session SYN/ACK packet 220, it waits for receipt of a responding session ACK packet 230. In an embodiment, when a session SYN/ACK packet 230 is received, the TCP session setup module 104 generates a 32-bit candidate transition cookie 270 such that the sum of candidate transition cookie 270 and a value of “1” equal the acknowledgement number of the TCP header in the session ACK packet 230. For example, if the acknowledgement number is “41B4362A” in hexadecimal format the candidate transition cookie 270 is “41B43629” in hexadecimal format; the sum of “41B43629” and a value of “1” equals “41B4362A”. In another example, if the acknowledgement number is “00A30000” in hexadecimal format the candidate transition cookie 270 is “00A2FFFF” in hexadecimal format; the sum of “00A2FFFF” and a value of “1” equals “00A30000”. In another example, if the acknowledgement number is “00000000” in hexadecimal format the Candidate Transition Cookie 270 is “FFFFFFFF” in hexadecimal format; the sum of “FFFFFFFF” and a value of “1” equals “00000000”, with the most significant bit carried beyond the 32-bit boundary. The TCP session setup module 104 may thus validate the candidate transition cookie 270 in this manner. If the TCP session setup module 104 determines that the candidate transition cookie 270 is thus valid, the session ACK packet 230 is also valid. In this case, the TCP session setup module 104 obtains data from the validated session ACK packet 230 and sends the data and information generated during the validation of candidate transition cookie 270 to a computing module (not shown) for further processing.
In order to generate and validate transition cookies 250, 270, the TCP session setup module 104 may include a transition cookie generator 245 and a transition cookie validator 275, respectively. Alternatively, the generation and validation may be performed directly by the TCP session setup module 104. In the descriptions herein, references to the TCP and transition cookie validator 275 are understood to include any of the alternative embodiments of these components.
A transition cookie generator 245 includes the functionality of generating a transition cookie based on the data obtained from a session SYN 210 packet received by the TCP session setup module 104.
A transition cookie validator 275 includes the functionality of validating a candidate transition cookie 270 generated based on data obtained from a session ACK packet 230 received by the TCP session setup module 104.
In exemplary operation, a transition cookie generator 245 is software or firmware that generates a transition cookie 250 based on data obtained from a session SYN packet 210 received by the TCP session setup module 104. An exemplary method for generating a transition cookie 250 by a transition cookie generator 245 includes multiple steps as illustrated in
The transition cookie data element 330 is preferably a 32-bit data element, generated by the transition cookie generator 245 based on the selective ACK 321, the MSS index 324 and the 32-bit current time of day indicated by clock 305. Selective ACK 321 is a 1-bit data element which is set to a value of “1” by transition cookie generator 245 if a TCP header in a received session SYN packet 210 includes an optional sack-permitted option, or to “0” if a TCP header in a received session SYN packet 210 does not include an optional sack-permitted option.
Maximum Segment Size (“MSS”) 322 is the maximum number of bytes that TCP will allow in an TCP/IP packet, such as session SYN packet 210, session SYN/ACK packet 220, and session ACK packet 230, and is normally represented by an integer value in a TCP packet header. If a TCP header in a received session SYN packet 210 includes a maximum segment size option, the transition cookie generator 245 sets the MSS 322 to equal the maximum segment size option data of the maximum segment size option. Otherwise, if the TCP header in a received session SYN packet 210 does not include a maximum segment size option, the transition cookie generator 245 sets the MSS 322 to a default value, for example, such as integer “536”. The MSS index 324 is a 4-bit data element set by the transition cookie generator 245 based on the MSS 322. The transition cookie generator 245 preferably includes an MSS table 307, which maps an MSS 322 to an MSS index 324. The transition cookie generator 245 maps a MSS 322 with the MSS table 307 to set the value of MSS index 324. For example, MSS 322 has an integer value of “1460”. After the mapping, MSS index 324 has a value of “4” as represented in hexadecimal format. In an alternative embodiment, means other than an MSS table 307 may be employed to determine the MSS index 324 value, such as the use of a mapping algorithm.
In generating a transition cookie data element 330, the transition cookie generator 245 sets a transition cookie data element 330 to equal the 32-bit current time of day indicated by clock 305. For example, the 32-bit current time of day may be “A68079E8” as represented in hexadecimal format, so the transition cookie data element 330 has a value of “A68079E8”.
Next, the transition cookie generator 245 replaces the least significant 4 bits (bit 0-3) of transition cookie data element 330 with the MSS index 324, and replaces bit 4 of a transition cookie data element 330 with selective ACK 321. For example, if a transition cookie data element 330 has been set to a value of “A68079E8”, selective ACK 321 has a value of “1”, and MSS index 324 has a value of “4” as represented in hexadecimal format, after the replacements, transition cookie data element 330 has a value of “A68079F4” in hexadecimal format.
Next, since the transition cookie secret key 360 is a 128-bit data element, the transition cookie generator 245 may use a hash function to generate the transition cookie secret key 360 from the first data item 340. Further, the transition cookie generator 245 may use a secret key offset 301, which may be a 6-bit integer value, to select a 6-bit non-negative integer from first data item 340 starting at the bit indicated by secret key offset 301. For example, if the secret key offset 301 has a value of “12” and the first data item 340 has a hexadecimal value of “C0A801869A275B84129900F0”, the transition cookie generator 245 selects a 6-bit non-negative integer from the first data item 340 starting at bit 12 (bit 12-17). The selected non-negative integer is of this example is thus “16”. The transition cookie generator 245 then uses the selected non-negative integer to select 64 bits of data from the first data item 340, starting at the bit indicated by the selected non-negative integer, to generate the second data item 350, which has 64 bits.
For example, if the selected non-negative integer is “8” and the first data item 340 has a hexadecimal value of “C0A801869A275B84129900F0”, the transition cookie generator 245 selects 64 bits (bit 8-71) of the first data item 340 to generate a second data item 350, having a hexadecimal value of “869A275B84129900”. In another example, if the selected non-negative integer is “52”, and the transition cookie generator 245 selects 64 bits (bit 52-95 and bit 0-19) of the first data item 340 in a wrap-around fashion, bits 52-95 have a hexadecimal value of “C0A801869A2”, and bit 0-19 have a hexadecimal value of “900F0”, so the generated second data item 350 has a hexadecimal value of “900F0C0A801869A2”. The transition cookie generator 245 then generates a transition cookie secret key 360 by storing the second data item 350 in the least significant 64 bits (bit 0-63) of the transition cookie secret key 360 and setting the most significant 64 bits (bit 64-127) to “0”. For example, if the second data item 350 has a hexadecimal value of “869A275B84129900”, the transition cookie secret key 360 has a hexadecimal value of “0000000000000000869A275B84129900”.
Next, the transition cookie generator 245 performs an unsigned binary addition on an encrypted data element 370 and the sequence number 318, and stores the result in the transition cookie 250. For example, if the encrypted data element 370 has a value of “0025BC83” in hexadecimal format, and the sequence number 318 has a value of “0743BD55” in hexadecimal format, the result of the addition is hexadecimal “076979D8”. After the addition, the transition cookie 250 has a value of “076979D8” in hexadecimal. In another example, if the encrypted data element 370 has a value of “BE43D096” in hexadecimal format, and the sequence number 318 has a value of “9A275B84” in hexadecimal format, the result of the addition, and the value of transition cookie 250 is hexadecimal “1586B2C1A”, with the most significant bit carried beyond the 32-bit boundary.
In another embodiment, a transition cookie generator 245 may use different steps to generate a transition cookie secret key 360. For example, a secret key offset 301 may be an integer of a different bit length, such as a 4-bit integer value, a 3-bit integer value, or a 5-bit integer value. Also, a transition cookie generator 245 may use a secret key offset 301 to select a non-negative integer value of a different bit length from a first data item 340. For example, a transition cookie generator 245 may select a 4-bit non-negative integer value, a 7-bit non-negative integer value, or a 5-bit non-negative value from a first data item 340.
In other embodiments, a transition cookie generator 245 may store a second data item 350 in the least significant 64 bits (bit 0-63) of a transition cookie secret key 360 or store second data item 350 in the most significant 64 bits (bit 64-127) of a transition cookie secret key 360.
A transition cookie generator 245 may also perform an exclusive-or operation on the most significant 48 bits (bit 0-47) of a first data item 340 and the least significant 48 bits (bit 48-95) of a first data element 340 to form a 48-bit temporary data element (not shown). Similarly, in another embodiment, a transition cookie generator 245 may perform an exclusive-or operation on the 48 even bits (bit 0, 2, 4, . . . 90, 92, 94) and the 48 odd bits (bit 1, 3, 5, . . . 93, 95, 97) to form a 48 bit temporary data element. In yet another embodiment, a transition cookie generator 245 may store a 48-bit temporary data element in the least significant 48 bits (bit 0-47) and the most significant 48 bits (bit 80-127) of a transition cookie secret key 360, and set bit 48-79 to “0”, or store a 48-bit temporary data element in the least significant 48 bits (bit 0-47) of a transition cookie secret key 360, and set the most significant 80 bits (bit 48-127) of a transition cookie secret key 360 to “0”.
In other embodiments of the invention, a transition cookie generator 245 may use an encryption algorithm to generate a transition cookie secret key 360 from the first data item 340.
In another embodiment, a transition cookie generator 245 includes a secret key and an encryption algorithm, and uses a first data element 340 as a plaintext input, and a secret key as an encryption key input to the encryption algorithm to generate a 128-bit ciphertext output. Next, a transition cookie generator 245 generates a transition cookie secret key 360 as a 128-bit ciphertext output. Alternatively, the ciphertext output may be a 96-bit data element, and a transition cookie generator 245 stores a 96-bit ciphertext output in the least significant 96 bits (bit 0-95) of a transition cookie secret key 360, and sets the most significant 32 bits (bit 96-127) to “0”. In another alternative, a transition cookie generator 245 stores the least significant 32 bits (bit 0-31) of a 96-bit ciphertext output in the most significant 32 bits (bit 96-127) of a transition cookie secret key 360.
As seen in
The candidate sequence number 428 may be a 32-bit data element generated by a transition cookie validator 275 such that the sum of candidate sequence number 428 and a value of “1” equals the sequence number 418.
The candidate encrypted data element 470 is generated by the transition cookie validator 275 such that the result of performing an unsigned binary addition of the candidate encrypted data element 470 and the candidate sequence number 428 equals the candidate transition cookie 270.
Next, the 128-bit candidate transition cookie secret key 460 is generated from a first data item 440 by a transition cookie validator 275 using a hash function. In an embodiment, a transition cookie validator 275 uses a 6-bit secret key offset 401 to select a 6-bit non-negative integer from a first data item 440 starting at a bit indicated by secret key offset 401. For example, if the secret key offset 401 has a value of “12” and the first data item 440 is “C0A801869A275B84129900F0”, the transition cookie validator 275 selects a 6-bit non-negative integer from the first data item 440 starting at bit 12 (bits 12-17), selecting the non-negative integer “16”. The transition cookie validator 275 then generates a 64-bit second data item 350 by using the selected non-negative integer to select 64 bits of data from the first data item 440, starting at the bit indicated by the selected non-negative integer.
For example, if the selected non-negative integer is “8” and the first data item 440 has a hexadecimal value of “C0A801869A275B84129900F0”, the transition cookie validator 275 selects 64 bits (bit 8-71) of the first data item 440 to generate a second data item 450 having a hexadecimal value of “869A275B84129900”. In another example, if the first data item 440 has a hexadecimal value of “C0A801869A275B84129900F0”, and the selected non-negative integer is “52”, the transition cookie validator 275 selects 64 bits (bit 52-95 and bit 0-19) in a wrap-around fashion. Bits 52-95 have a hexadecimal value of “C0A801869A2”, and bits 0-19 have a hexadecimal value of “900F0”, so the generated second data item 450 has a hexadecimal value of “900F0C0A801869A2”.
Next, the transition cookie validator 275 generates a candidate transition cookie secret key 460 by storing the second data item 450 in the least significant 64 bits (bit 0-63) of the candidate transition cookie secret key 460 and setting the most significant 64 bits (bit 64-127) to “0”. For example, if the second data item 450 has a hexadecinmal value of “869A275B84129900”, the candidate transition cookie secret key 460 has a hexadecimal value of “0000000000000000869A275B84129900”.
In an embodiment, a transition cookie validator 275 applies a cryptographic method 408 on a candidate transition cookie secret key 460 and a candidate encrypted data element 470. An exemplary cryptographic method 408 is an RC5 algorithm described in IETF RFC 2040 “The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms” section 1 “Overview”, and sections 2-8 with detailed explanations, incorporated herein by reference. The RC5 algorithm takes a 32-bit ciphertext input and a 128-bit decryption key to generate a 32-bit plaintext output. A transition cookie validator 275 uses a candidate encrypted data element 470 as a ciphertext input to the RC5 algorithm, and a candidate transition cookie secret key 460 as a decryption key input to the RC5 algorithm, to generate a 32-bit candidate transition cookie data element 430 as the plaintext output of the RC5 decryption algorithm.
Next, a transition cookie validator 275 sets a 32-bit adjusted candidate transition cookie data element 431 to equal the candidate transition cookie data element 430, and then sets the least significant 5 bits (bit 0-4) of the adjusted candidate transition cookie data element 431 to “0”. For example, if the adjusted candidate transition cookie data element 431 has a hexadecimal value of “89DB468F”, after setting the least significant 5 bits to “0”, the adjusted candidate transition cookie data element 431 has a hexadecimal value of “89DB4680”.
The transition cookie validator 275 may then determine if the candidate transition cookie data element 430 is valid by determining if the adjusted candidate transition cookie data element 431 is within a time margin of 3 seconds of the modified current time 409. In an embodiment, in order to determine if the adjusted candidate transition cookie data element 431 is within a time margin of 3 seconds of the modified current time 409, the transition cookie stores the modified current time 409 in the least significant 32 bits (bit 0-31) of a first 33-bit time data element, sets the most significant bit (bit 32) to “0”, and adds 6 seconds to the first 33-bit time data element. Adding 6 seconds is to add 6,000,000 micro seconds as represented by “5B8D80” in hexadecimal format. For example, if before the addition, the first 33-bit time data element has a hexadecimal value of “0FFFFFAE2”, After the addition of “5B8D80”, the first 33-bit time data element has a hexadecimal value of “1005B8862”. The transition cookie validator 275 stores the adjusted candidate transition cookie data element 431 in the least significant 32 bits (bit 0-31) of a second 33-bit time data element, sets the most significant bit (bit 32) to “0”, and adds 3 seconds to the second 33-bit time data element. Adding 3 seconds is to add 3,000,000 micro seconds as represented by hexadecimal “2DC6C0”. The transition cookie validator 275 stores the modified current time 409 in the least significant 32 bits (bit 0-31) of a third 33-bit time data element, and sets the most significant bit (bit 32) to “0”. If the second 33-bit time data element is smaller than the first 33-bit time data element and the second 33-bit time data element is larger than the third 33-bit time data element, the transition cookie validator 275 determines that the adjusted candidate transition cookie data element 431 is within 3 seconds of the modified current time 409, and thus that the candidate transition cookie data element 430 is valid.
There are many different encryption algorithms that use encryption keys of different bit lengths, such as, for example, 56-bit, 64-bit, 96-bit, 128-bit. These may generate ciphertext outputs of different bit lengths, for example, 96-bit, 64-bit, 128-bit, or 32-bit. Persons of ordinary skill in the cipher arts will be able to apply different methods, for example a hash function, to generate the transition cookie secret key 360 from the ciphertext output.
A transition cookie validator 275 may also use different steps to generate a candidate transition cookie secret key 460. The steps used by a transition cookie validator 275 to generate a candidate transition cookie secret key 460 are similar to the steps used by a transition cookie generator 245 to generate a transition cookie secret key 360.
Alternative embodiments of the invention may employ a different algorithm for the cryptographic methods 308, 408. In one example, the different algorithm is an RC2 algorithm described in IETF RFC 2268 “A Description of the RC2(r) Encryption Algorithm” section 1 “Introduction” and section 2-4 with detailed explanation, incorporated herein by reference. In another example, the different algorithm is a Blowfish algorithm. In one other example, the different algorithm is a Data Encryption Standards (“DES”) algorithm based on Federal Information Processing Standards Publication “Data Encryption Standard (DES) FIPS PUB 46-3”, which is incorporated herein by reference in its entirety. Other algorithms are also usable.
Also, a transition cookie validator 275 may use different time margins of modified current time 409 to determine if the candidate transition cookie data element is valid. Different time margins include but are not limited to 1 second, 4 seconds, 6 seconds, 2 seconds, or 11 seconds.
In an embodiment, the method of generating a transition cookie includes MD5 signature option information in the TCP options field. When this method is used, the method of validating a candidate transition cookie 270 correspondingly includes the MD5 signature option information in the TCP options field.
In another embodiment, transition cookie generator 245 may include a plurality of transition cookie generation methods for generating transition cookie 250. For example, the secret key offset 301 may have a different value, such as an integer value of different bit length, such as 4-bit, or 8-bit. In other examples, the selected non-negative integer from first data item 340 may be of different bit length, such as 8-bit, or 10-bit, the cryptographic method 308 may be a different algorithm than RC5, or the generating of transition cookie data element 330 may include MD5 signature option information in the TCP options field of session SYN packet 210. A transition cookie generation method may include steps different from the steps in the exemplary method illustrated in
In an embodiment, the transition cookie generator 245 may selects method to generate transition cookie 250 based on random data.
The random data may include time. In one embodiment, transition cookie generator 245 selects a method based on the time of day. Alternatively, the transition cookie generator 245 may select a method after a time period, such as 10 seconds, 30 seconds, 2 minutes or 3 hours.
In another embodiment, the random data may include a source IP address in session SYN packet 210, or a destination IP address in session SYN packet 210.
The random data may include the network interface at which a TCP session setup module 104 receives a session SYN packet 210, or a Virtual Local Area Network (VLAN) information associated with a session SYN packet 210.
In one embodiment, transition cookie validator 275 includes a plurality of transition cookie validation methods for validating candidate transition cookie 270. A transition cookie validation method may include steps different from the steps in the exemplary method illustrated in
In these embodiments it is understood to be preferred that the transition cookie validator 275 selects a complementary method to the method selected by transition cookie generator 245.
Although the invention herein has been described with reference to particular embodiments, it is to be understood that these embodiments are merely illustrative of the principles and applications of the present invention. It is therefore to be understood that numerous modifications may be made to the illustrative embodiments and that other arrangements may be devised without departing from the spirit and scope of the present invention as defined by the appended claims.
This application is a continuation reissue application of U.S. Pat. No. 7,675,854 and claims benefit under 35 U.S.C. 120 as a continuation of application Ser. No. 13/413,191 filed on Mar. 6, 2012, which is an application for reissue of U.S. Pat. No. 7,675,854, originally issued on Mar. 9, 2010.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5218602 | Grant et al. | Jun 1993 | A |
| 5774660 | Brendel et al. | Jun 1998 | A |
| 5862339 | Bonnaure et al. | Jan 1999 | A |
| 5875185 | Wang et al. | Feb 1999 | A |
| 5935207 | Logue et al. | Aug 1999 | A |
| 5958053 | Denker | Sep 1999 | A |
| 5995981 | Wikstrom | Nov 1999 | A |
| 6003069 | Cavill | Dec 1999 | A |
| 6047268 | Bartoli et al. | Apr 2000 | A |
| 6075783 | Voit | Jun 2000 | A |
| 6131163 | Wiegel | Oct 2000 | A |
| 6219706 | Fan et al. | Apr 2001 | B1 |
| 6259705 | Takahashi et al. | Jul 2001 | B1 |
| 6321338 | Porras et al. | Nov 2001 | B1 |
| 6374300 | Masters | Apr 2002 | B2 |
| 6456617 | Oda et al. | Sep 2002 | B1 |
| 6459682 | Ellesson et al. | Oct 2002 | B1 |
| 6483600 | Schuster et al. | Nov 2002 | B1 |
| 6535516 | Leu et al. | Mar 2003 | B1 |
| 6578066 | Logan et al. | Jun 2003 | B1 |
| 6587866 | Modi et al. | Jul 2003 | B1 |
| 6600738 | Alperovich et al. | Jul 2003 | B1 |
| 6658114 | Farn et al. | Dec 2003 | B1 |
| 6748414 | Bournas | Jun 2004 | B1 |
| 6772205 | Lavian et al. | Aug 2004 | B1 |
| 6772334 | Glawitsch | Aug 2004 | B1 |
| 6779017 | Lamberton et al. | Aug 2004 | B1 |
| 6779033 | Watson et al. | Aug 2004 | B1 |
| 6804224 | Schuster et al. | Oct 2004 | B1 |
| 6952728 | Alles et al. | Oct 2005 | B1 |
| 7010605 | Dharmarajan | Mar 2006 | B1 |
| 7013482 | Krumel | Mar 2006 | B1 |
| 7058718 | Fontes et al. | Jun 2006 | B2 |
| 7069438 | Balabine et al. | Jun 2006 | B2 |
| 7076555 | Orman et al. | Jul 2006 | B1 |
| 7143087 | Fairweather | Nov 2006 | B2 |
| 7167927 | Philbrick et al. | Jan 2007 | B2 |
| 7181524 | Lele | Feb 2007 | B1 |
| 7218722 | Turner et al. | May 2007 | B1 |
| 7228359 | Monteiro | Jun 2007 | B1 |
| 7234161 | Maufer et al. | Jun 2007 | B1 |
| 7236457 | Joe | Jun 2007 | B2 |
| 7254133 | Govindarajan et al. | Aug 2007 | B2 |
| 7269850 | Govindarajan et al. | Sep 2007 | B2 |
| 7277963 | Dolson et al. | Oct 2007 | B2 |
| 7301899 | Goldstone | Nov 2007 | B2 |
| 7308499 | Chavez | Dec 2007 | B2 |
| 7310686 | Uysal | Dec 2007 | B2 |
| 7328267 | Bashyam et al. | Feb 2008 | B1 |
| 7334232 | Jacobs et al. | Feb 2008 | B2 |
| 7337241 | Boucher et al. | Feb 2008 | B2 |
| 7343399 | Hayball et al. | Mar 2008 | B2 |
| 7349970 | Clement et al. | Mar 2008 | B2 |
| 7370353 | Yang | May 2008 | B2 |
| 7373500 | Ramelson et al. | May 2008 | B2 |
| 7391725 | Huitema et al. | Jun 2008 | B2 |
| 7398317 | Chen et al. | Jul 2008 | B2 |
| 7423977 | Joshi | Sep 2008 | B1 |
| 7430755 | Hughes et al. | Sep 2008 | B1 |
| 7463648 | Eppstein et al. | Dec 2008 | B1 |
| 7467202 | Savchuk | Dec 2008 | B2 |
| 7472190 | Robinson | Dec 2008 | B2 |
| 7492766 | Cabeca et al. | Feb 2009 | B2 |
| 7506360 | Wilkinson et al. | Mar 2009 | B1 |
| 7509369 | Tormasov | Mar 2009 | B1 |
| 7512980 | Copeland et al. | Mar 2009 | B2 |
| 7533409 | Keane et al. | May 2009 | B2 |
| 7552323 | Shay | Jun 2009 | B2 |
| 7584262 | Wang et al. | Sep 2009 | B1 |
| 7584301 | Joshi | Sep 2009 | B1 |
| 7590736 | Hydrie et al. | Sep 2009 | B2 |
| 7610622 | Touitou | Oct 2009 | B2 |
| 7613193 | Swami et al. | Nov 2009 | B2 |
| 7613822 | Joy et al. | Nov 2009 | B2 |
| 7673072 | Boucher et al. | Mar 2010 | B2 |
| 7675854 | Chen et al. | Mar 2010 | B2 |
| 7703102 | Eppstein et al. | Apr 2010 | B1 |
| 7707295 | Szeto et al. | Apr 2010 | B1 |
| 7711790 | Barrett et al. | May 2010 | B1 |
| 7733866 | Mishra | Jun 2010 | B2 |
| 7747748 | Allen | Jun 2010 | B2 |
| 7765328 | Bryers et al. | Jul 2010 | B2 |
| 7792113 | Foschiano et al. | Sep 2010 | B1 |
| 7808994 | Vinokour et al. | Oct 2010 | B1 |
| 7826487 | Mukerji et al. | Nov 2010 | B1 |
| 7881215 | Daigle et al. | Feb 2011 | B1 |
| 7948952 | Hurtta et al. | May 2011 | B2 |
| 7965727 | Sakata et al. | Jun 2011 | B2 |
| 7970934 | Patel | Jun 2011 | B1 |
| 7979694 | Touitou | Jul 2011 | B2 |
| 7983258 | Ruben et al. | Jul 2011 | B1 |
| 7990847 | Leroy et al. | Aug 2011 | B1 |
| 7991859 | Miller et al. | Aug 2011 | B1 |
| 7992201 | Aldridge et al. | Aug 2011 | B2 |
| 8019870 | Eppstein et al. | Sep 2011 | B1 |
| 8032634 | Eppstein et al. | Oct 2011 | B1 |
| 8081640 | Ozawa et al. | Dec 2011 | B2 |
| 8090866 | Bashyam et al. | Jan 2012 | B1 |
| 8099492 | Dahlin et al. | Jan 2012 | B2 |
| 8116312 | Riddoch et al. | Feb 2012 | B2 |
| 8122116 | Matsunaga et al. | Feb 2012 | B2 |
| 8151019 | Le et al. | Apr 2012 | B1 |
| 8179809 | Eppstein et al. | May 2012 | B1 |
| 8185651 | Moran et al. | May 2012 | B2 |
| 8191106 | Choyi et al. | May 2012 | B2 |
| 8224971 | Miller et al. | Jul 2012 | B1 |
| 8261339 | Aldridge et al. | Sep 2012 | B2 |
| 8266235 | Jalan et al. | Sep 2012 | B2 |
| 8296434 | Miller et al. | Oct 2012 | B1 |
| 8312507 | Chen et al. | Nov 2012 | B2 |
| 8379515 | Mukerji | Feb 2013 | B1 |
| 8499093 | Grosser et al. | Jul 2013 | B2 |
| 8539075 | Bali et al. | Sep 2013 | B2 |
| 8554929 | Szeto et al. | Oct 2013 | B1 |
| 8559437 | Mishra | Oct 2013 | B2 |
| 8560693 | Wang et al. | Oct 2013 | B1 |
| 8584199 | Chen et al. | Nov 2013 | B1 |
| 8595791 | Chen et al. | Nov 2013 | B1 |
| RE44701 | Chen et al. | Jan 2014 | E |
| 8675488 | Sidebottom et al. | Mar 2014 | B1 |
| 8681610 | Mukerji | Mar 2014 | B1 |
| 8750164 | Casado et al. | Jun 2014 | B2 |
| 8782221 | Han | Jul 2014 | B2 |
| 8813180 | Chen et al. | Aug 2014 | B1 |
| 8826372 | Chen et al. | Sep 2014 | B1 |
| 8879427 | Krumel | Nov 2014 | B2 |
| 8885463 | Medved et al. | Nov 2014 | B1 |
| 8897154 | Jalan et al. | Nov 2014 | B2 |
| 8965957 | Barros | Feb 2015 | B2 |
| 8977749 | Han | Mar 2015 | B1 |
| 8990262 | Chen et al. | Mar 2015 | B2 |
| 9094364 | Jalan et al. | Jul 2015 | B2 |
| 9106561 | Jalan et al. | Aug 2015 | B2 |
| 9137301 | Dunlap et al. | Sep 2015 | B1 |
| 9154577 | Jalan et al. | Oct 2015 | B2 |
| 9154584 | Han | Oct 2015 | B1 |
| 9215275 | Kannan et al. | Dec 2015 | B2 |
| 9219751 | Chen et al. | Dec 2015 | B1 |
| 9253152 | Chen et al. | Feb 2016 | B1 |
| 9270705 | Chen et al. | Feb 2016 | B1 |
| 9270774 | Jalan et al. | Feb 2016 | B2 |
| 9338225 | Jalan et al. | May 2016 | B2 |
| 9350744 | Chen et al. | May 2016 | B2 |
| 9356910 | Chen et al. | May 2016 | B2 |
| 9386088 | Zheng et al. | Jul 2016 | B2 |
| 9531846 | Han et al. | Dec 2016 | B2 |
| 20010042200 | Lamberton | Nov 2001 | A1 |
| 20010049741 | Skene et al. | Dec 2001 | A1 |
| 20020026515 | Michielsens et al. | Feb 2002 | A1 |
| 20020032777 | Kawata et al. | Mar 2002 | A1 |
| 20020032799 | Wiedeman et al. | Mar 2002 | A1 |
| 20020078164 | Reinschmidt | Jun 2002 | A1 |
| 20020091844 | Craft et al. | Jul 2002 | A1 |
| 20020103916 | Chen et al. | Aug 2002 | A1 |
| 20020133491 | Sim et al. | Sep 2002 | A1 |
| 20020138618 | Szabo | Sep 2002 | A1 |
| 20020141386 | Minert et al. | Oct 2002 | A1 |
| 20020143991 | Chow et al. | Oct 2002 | A1 |
| 20020178259 | Doyle et al. | Nov 2002 | A1 |
| 20020188678 | Edecker et al. | Dec 2002 | A1 |
| 20020191575 | Kalavade et al. | Dec 2002 | A1 |
| 20020194335 | Maynard | Dec 2002 | A1 |
| 20020194350 | Lu et al. | Dec 2002 | A1 |
| 20030009591 | Hayball et al. | Jan 2003 | A1 |
| 20030014544 | Pettey | Jan 2003 | A1 |
| 20030023711 | Parmar et al. | Jan 2003 | A1 |
| 20030023873 | Ben-Itzhak | Jan 2003 | A1 |
| 20030035409 | Wang et al. | Feb 2003 | A1 |
| 20030035420 | Niu | Feb 2003 | A1 |
| 20030061506 | Cooper et al. | Mar 2003 | A1 |
| 20030091028 | Chang et al. | May 2003 | A1 |
| 20030131245 | Linderman | Jul 2003 | A1 |
| 20030135625 | Fontes et al. | Jul 2003 | A1 |
| 20030195962 | Kikuchi et al. | Oct 2003 | A1 |
| 20040010545 | Pandya | Jan 2004 | A1 |
| 20040062246 | Boucher et al. | Apr 2004 | A1 |
| 20040073703 | Boucher et al. | Apr 2004 | A1 |
| 20040078419 | Ferrari et al. | Apr 2004 | A1 |
| 20040078480 | Boucher et al. | Apr 2004 | A1 |
| 20040103315 | Cooper et al. | May 2004 | A1 |
| 20040111516 | Cain | Jun 2004 | A1 |
| 20040128312 | Shalabi et al. | Jul 2004 | A1 |
| 20040139057 | Hirata et al. | Jul 2004 | A1 |
| 20040139108 | Tang et al. | Jul 2004 | A1 |
| 20040141005 | Banatwala et al. | Jul 2004 | A1 |
| 20040143599 | Shalabi et al. | Jul 2004 | A1 |
| 20040187032 | Gels et al. | Sep 2004 | A1 |
| 20040199616 | Karhu | Oct 2004 | A1 |
| 20040199646 | Susai et al. | Oct 2004 | A1 |
| 20040202182 | Lund et al. | Oct 2004 | A1 |
| 20040210623 | Hydrie et al. | Oct 2004 | A1 |
| 20040210663 | Phillips et al. | Oct 2004 | A1 |
| 20040213158 | Collett et al. | Oct 2004 | A1 |
| 20040250059 | Ramelson et al. | Dec 2004 | A1 |
| 20040268358 | Darling et al. | Dec 2004 | A1 |
| 20050005207 | Herneque | Jan 2005 | A1 |
| 20050009520 | Herrero et al. | Jan 2005 | A1 |
| 20050021848 | Jorgenson | Jan 2005 | A1 |
| 20050027862 | Nguyen et al. | Feb 2005 | A1 |
| 20050036501 | Chung et al. | Feb 2005 | A1 |
| 20050036511 | Baratakke et al. | Feb 2005 | A1 |
| 20050039033 | Meyers et al. | Feb 2005 | A1 |
| 20050044270 | Grove et al. | Feb 2005 | A1 |
| 20050074013 | Hershey et al. | Apr 2005 | A1 |
| 20050080890 | Yang et al. | Apr 2005 | A1 |
| 20050102400 | Nakahara et al. | May 2005 | A1 |
| 20050125276 | Rusu | Jun 2005 | A1 |
| 20050163073 | Heller et al. | Jul 2005 | A1 |
| 20050198335 | Brown et al. | Sep 2005 | A1 |
| 20050213586 | Cyganski et al. | Sep 2005 | A1 |
| 20050240989 | Kim et al. | Oct 2005 | A1 |
| 20050249225 | Singhal | Nov 2005 | A1 |
| 20050259586 | Hafid et al. | Nov 2005 | A1 |
| 20050281190 | McGee et al. | Dec 2005 | A1 |
| 20060023721 | Miyake et al. | Feb 2006 | A1 |
| 20060036610 | Wang | Feb 2006 | A1 |
| 20060036733 | Fujimoto et al. | Feb 2006 | A1 |
| 20060041745 | Parnes | Feb 2006 | A1 |
| 20060064478 | Sirkin | Mar 2006 | A1 |
| 20060069774 | Chen et al. | Mar 2006 | A1 |
| 20060069804 | Miyake et al. | Mar 2006 | A1 |
| 20060077926 | Rune | Apr 2006 | A1 |
| 20060092950 | Arregoces et al. | May 2006 | A1 |
| 20060098645 | Walkin | May 2006 | A1 |
| 20060112170 | Sirkin | May 2006 | A1 |
| 20060164978 | Werner et al. | Jul 2006 | A1 |
| 20060168319 | Trossen | Jul 2006 | A1 |
| 20060187901 | Cortes et al. | Aug 2006 | A1 |
| 20060190997 | Mahajani et al. | Aug 2006 | A1 |
| 20060209789 | Gupta et al. | Sep 2006 | A1 |
| 20060230129 | Swami | Oct 2006 | A1 |
| 20060233100 | Luft et al. | Oct 2006 | A1 |
| 20060251057 | Kwon et al. | Nov 2006 | A1 |
| 20060277303 | Hegde et al. | Dec 2006 | A1 |
| 20060280121 | Matoba | Dec 2006 | A1 |
| 20070019543 | Wei et al. | Jan 2007 | A1 |
| 20070022479 | Sikdar et al. | Jan 2007 | A1 |
| 20070076653 | Park et al. | Apr 2007 | A1 |
| 20070086382 | Narayanan et al. | Apr 2007 | A1 |
| 20070094396 | Takano et al. | Apr 2007 | A1 |
| 20070118881 | Mitchell et al. | May 2007 | A1 |
| 20070124502 | Li | May 2007 | A1 |
| 20070156919 | Potti et al. | Jul 2007 | A1 |
| 20070165622 | O'Rourke et al. | Jul 2007 | A1 |
| 20070180119 | Khivesara et al. | Aug 2007 | A1 |
| 20070185998 | Touitou et al. | Aug 2007 | A1 |
| 20070195792 | Chen et al. | Aug 2007 | A1 |
| 20070230337 | Igarashi et al. | Oct 2007 | A1 |
| 20070242738 | Park et al. | Oct 2007 | A1 |
| 20070243879 | Park et al. | Oct 2007 | A1 |
| 20070245090 | King et al. | Oct 2007 | A1 |
| 20070248009 | Petersen | Oct 2007 | A1 |
| 20070259673 | Willars et al. | Nov 2007 | A1 |
| 20070283429 | Chen et al. | Dec 2007 | A1 |
| 20070286077 | Wu | Dec 2007 | A1 |
| 20070288247 | Mackay | Dec 2007 | A1 |
| 20070294209 | Strub et al. | Dec 2007 | A1 |
| 20080016161 | Tsirtsis et al. | Jan 2008 | A1 |
| 20080031263 | Ervin et al. | Feb 2008 | A1 |
| 20080076432 | Senarath et al. | Mar 2008 | A1 |
| 20080101396 | Miyata | May 2008 | A1 |
| 20080109452 | Patterson | May 2008 | A1 |
| 20080109870 | Sherlock et al. | May 2008 | A1 |
| 20080120129 | Seubert et al. | May 2008 | A1 |
| 20080134332 | Keohane et al. | Jun 2008 | A1 |
| 20080162679 | Maher et al. | Jul 2008 | A1 |
| 20080225722 | Khemani et al. | Sep 2008 | A1 |
| 20080228781 | Chen et al. | Sep 2008 | A1 |
| 20080250099 | Shen et al. | Oct 2008 | A1 |
| 20080253390 | Das et al. | Oct 2008 | A1 |
| 20080263209 | Pisharody et al. | Oct 2008 | A1 |
| 20080271130 | Ramamoorthy | Oct 2008 | A1 |
| 20080282254 | Blander et al. | Nov 2008 | A1 |
| 20080291911 | Lee et al. | Nov 2008 | A1 |
| 20080298303 | Tsirtsis | Dec 2008 | A1 |
| 20090024722 | Sethuraman et al. | Jan 2009 | A1 |
| 20090031415 | Aldridge et al. | Jan 2009 | A1 |
| 20090049198 | Blinn et al. | Feb 2009 | A1 |
| 20090070470 | Bauman et al. | Mar 2009 | A1 |
| 20090077651 | Poeluev | Mar 2009 | A1 |
| 20090092124 | Singhal et al. | Apr 2009 | A1 |
| 20090106830 | Maher | Apr 2009 | A1 |
| 20090138606 | Moran et al. | May 2009 | A1 |
| 20090138945 | Savchuk | May 2009 | A1 |
| 20090141634 | Rothstein et al. | Jun 2009 | A1 |
| 20090164614 | Christian et al. | Jun 2009 | A1 |
| 20090172093 | Matsubara | Jul 2009 | A1 |
| 20090213858 | Dolganow et al. | Aug 2009 | A1 |
| 20090222583 | Josefsberg et al. | Sep 2009 | A1 |
| 20090227228 | Hu et al. | Sep 2009 | A1 |
| 20090228547 | Miyaoka et al. | Sep 2009 | A1 |
| 20090262741 | Jungck et al. | Oct 2009 | A1 |
| 20090271472 | Scheifler et al. | Oct 2009 | A1 |
| 20090285196 | Lee et al. | Nov 2009 | A1 |
| 20090313379 | Rydnell et al. | Dec 2009 | A1 |
| 20100008229 | Bi et al. | Jan 2010 | A1 |
| 20100023621 | Ezolt et al. | Jan 2010 | A1 |
| 20100036952 | Hazlewood et al. | Feb 2010 | A1 |
| 20100042869 | Szabo et al. | Feb 2010 | A1 |
| 20100054139 | Chun et al. | Mar 2010 | A1 |
| 20100061319 | Aso et al. | Mar 2010 | A1 |
| 20100064008 | Yan et al. | Mar 2010 | A1 |
| 20100082787 | Kommula et al. | Apr 2010 | A1 |
| 20100083076 | Ushiyama | Apr 2010 | A1 |
| 20100094985 | Abu-Samaha et al. | Apr 2010 | A1 |
| 20100095018 | Khemani et al. | Apr 2010 | A1 |
| 20100098417 | Tse-Au | Apr 2010 | A1 |
| 20100106833 | Banerjee et al. | Apr 2010 | A1 |
| 20100106854 | Kim et al. | Apr 2010 | A1 |
| 20100128606 | Patel et al. | May 2010 | A1 |
| 20100162378 | Jayawardena et al. | Jun 2010 | A1 |
| 20100205310 | Altshuler et al. | Aug 2010 | A1 |
| 20100210265 | Borzsei et al. | Aug 2010 | A1 |
| 20100217793 | Preiss | Aug 2010 | A1 |
| 20100217819 | Chen et al. | Aug 2010 | A1 |
| 20100223630 | Degenkolb et al. | Sep 2010 | A1 |
| 20100228819 | Wei | Sep 2010 | A1 |
| 20100235507 | Szeto et al. | Sep 2010 | A1 |
| 20100235522 | Chen et al. | Sep 2010 | A1 |
| 20100235880 | Chen et al. | Sep 2010 | A1 |
| 20100238828 | Russell | Sep 2010 | A1 |
| 20100265824 | Chao et al. | Oct 2010 | A1 |
| 20100268814 | Cross et al. | Oct 2010 | A1 |
| 20100293296 | Hsu et al. | Nov 2010 | A1 |
| 20100312740 | Clemm et al. | Dec 2010 | A1 |
| 20100318631 | Shukla | Dec 2010 | A1 |
| 20100322252 | Suganthi et al. | Dec 2010 | A1 |
| 20100330971 | Selitser et al. | Dec 2010 | A1 |
| 20100333101 | Pope et al. | Dec 2010 | A1 |
| 20110007652 | Bai | Jan 2011 | A1 |
| 20110019550 | Bryers et al. | Jan 2011 | A1 |
| 20110023071 | Li et al. | Jan 2011 | A1 |
| 20110029599 | Pulleyn et al. | Feb 2011 | A1 |
| 20110032941 | Quach et al. | Feb 2011 | A1 |
| 20110040826 | Chadzelek et al. | Feb 2011 | A1 |
| 20110047294 | Singh et al. | Feb 2011 | A1 |
| 20110060831 | Ishii et al. | Mar 2011 | A1 |
| 20110083174 | Aldridge et al. | Apr 2011 | A1 |
| 20110093522 | Chen et al. | Apr 2011 | A1 |
| 20110099403 | Miyata et al. | Apr 2011 | A1 |
| 20110099623 | Garrard et al. | Apr 2011 | A1 |
| 20110110294 | Valluri et al. | May 2011 | A1 |
| 20110145324 | Reinart et al. | Jun 2011 | A1 |
| 20110149879 | Noriega et al. | Jun 2011 | A1 |
| 20110153834 | Bharrat | Jun 2011 | A1 |
| 20110178985 | San Martin Arribas et al. | Jul 2011 | A1 |
| 20110185073 | Jagadeeswaran et al. | Jul 2011 | A1 |
| 20110191773 | Pavel et al. | Aug 2011 | A1 |
| 20110196971 | Reguraman et al. | Aug 2011 | A1 |
| 20110276695 | Maldaner | Nov 2011 | A1 |
| 20110276982 | Nakayama et al. | Nov 2011 | A1 |
| 20110289496 | Steer | Nov 2011 | A1 |
| 20110292939 | Subramaian et al. | Dec 2011 | A1 |
| 20110302256 | Sureshehandra et al. | Dec 2011 | A1 |
| 20110307541 | Walsh et al. | Dec 2011 | A1 |
| 20120008495 | Shen et al. | Jan 2012 | A1 |
| 20120023231 | Ueno | Jan 2012 | A1 |
| 20120026897 | Guichard et al. | Feb 2012 | A1 |
| 20120030341 | Jensen et al. | Feb 2012 | A1 |
| 20120066371 | Patel et al. | Mar 2012 | A1 |
| 20120084419 | Kannan et al. | Apr 2012 | A1 |
| 20120084460 | McGinnity et al. | Apr 2012 | A1 |
| 20120106355 | Ludwig | May 2012 | A1 |
| 20120117382 | Larson et al. | May 2012 | A1 |
| 20120117571 | Davis et al. | May 2012 | A1 |
| 20120144014 | Natham et al. | Jun 2012 | A1 |
| 20120144015 | Jalan et al. | Jun 2012 | A1 |
| 20120151353 | Joanny | Jun 2012 | A1 |
| 20120170548 | Rajagopalan et al. | Jul 2012 | A1 |
| 20120173759 | Agarwal et al. | Jul 2012 | A1 |
| 20120179770 | Jalan et al. | Jul 2012 | A1 |
| 20120191839 | Maynard | Jul 2012 | A1 |
| 20120215910 | Wada | Aug 2012 | A1 |
| 20120239792 | Banerjee et al. | Sep 2012 | A1 |
| 20120240185 | Kapoor et al. | Sep 2012 | A1 |
| 20120290727 | Tivig | Nov 2012 | A1 |
| 20120297046 | Raja et al. | Nov 2012 | A1 |
| 20120311116 | Jalan et al. | Dec 2012 | A1 |
| 20130046876 | Narayana et al. | Feb 2013 | A1 |
| 20130058335 | Koponen et al. | Mar 2013 | A1 |
| 20130074177 | Varadhan et al. | Mar 2013 | A1 |
| 20130083725 | Mallya et al. | Apr 2013 | A1 |
| 20130100958 | Jalan et al. | Apr 2013 | A1 |
| 20130124713 | Feinberg et al. | May 2013 | A1 |
| 20130135996 | Torres et al. | May 2013 | A1 |
| 20130136139 | Zheng et al. | May 2013 | A1 |
| 20130148500 | Sonoda et al. | Jun 2013 | A1 |
| 20130166762 | Jalan et al. | Jun 2013 | A1 |
| 20130173795 | McPherson | Jul 2013 | A1 |
| 20130176854 | Chisu et al. | Jul 2013 | A1 |
| 20130191486 | Someya et al. | Jul 2013 | A1 |
| 20130198385 | Han et al. | Aug 2013 | A1 |
| 20130250765 | Ehsan et al. | Sep 2013 | A1 |
| 20130258846 | Damola | Oct 2013 | A1 |
| 20130282791 | Kruglick | Oct 2013 | A1 |
| 20140012972 | Han | Jan 2014 | A1 |
| 20140089500 | Sankar et al. | Mar 2014 | A1 |
| 20140164617 | Jalan et al. | Jun 2014 | A1 |
| 20140169168 | Jalan et al. | Jun 2014 | A1 |
| 20140207845 | Han et al. | Jul 2014 | A1 |
| 20140258465 | Li | Sep 2014 | A1 |
| 20140258536 | Chiong | Sep 2014 | A1 |
| 20140269728 | Jalan et al. | Sep 2014 | A1 |
| 20140286313 | Fu et al. | Sep 2014 | A1 |
| 20140298091 | Carlen et al. | Oct 2014 | A1 |
| 20140330982 | Jalan et al. | Nov 2014 | A1 |
| 20140334485 | Jain et al. | Nov 2014 | A1 |
| 20140359052 | Joachimpillai et al. | Dec 2014 | A1 |
| 20150026794 | Zuk et al. | Jan 2015 | A1 |
| 20150039671 | Jalan et al. | Feb 2015 | A1 |
| 20150156223 | Xu et al. | Jun 2015 | A1 |
| 20150215436 | Kancherla | Jul 2015 | A1 |
| 20150237173 | Virkki et al. | Aug 2015 | A1 |
| 20150244566 | Puimedon | Aug 2015 | A1 |
| 20150281087 | Jalan et al. | Oct 2015 | A1 |
| 20150281104 | Golshan et al. | Oct 2015 | A1 |
| 20150296058 | Jalan et al. | Oct 2015 | A1 |
| 20150312092 | Golshan et al. | Oct 2015 | A1 |
| 20150312268 | Ray | Oct 2015 | A1 |
| 20150333988 | Jalan et al. | Nov 2015 | A1 |
| 20150350048 | Sampat et al. | Dec 2015 | A1 |
| 20150350379 | Jalan et al. | Dec 2015 | A1 |
| 20160014052 | Han | Jan 2016 | A1 |
| 20160014126 | Jalan et al. | Jan 2016 | A1 |
| 20160036778 | Chen et al. | Feb 2016 | A1 |
| 20160042014 | Jalan et al. | Feb 2016 | A1 |
| 20160043901 | Sankar et al. | Feb 2016 | A1 |
| 20160044095 | Sankar et al. | Feb 2016 | A1 |
| 20160050233 | Chen et al. | Feb 2016 | A1 |
| 20160088074 | Kannan et al. | Mar 2016 | A1 |
| 20160105395 | Chen et al. | Apr 2016 | A1 |
| 20160105446 | Chen et al. | Apr 2016 | A1 |
| 20160119382 | Chen et al. | Apr 2016 | A1 |
| 20160156708 | Jalan et al. | Jun 2016 | A1 |
| 20160173579 | Jalan et al. | Jun 2016 | A1 |
| 20170048107 | Dosovitsky et al. | Feb 2017 | A1 |
| 20170048356 | Thompson et al. | Feb 2017 | A1 |
| Number | Date | Country |
|---|---|---|
| 1372662 | Oct 2002 | CN |
| 1449618 | Oct 2003 | CN |
| 1473300 | Feb 2004 | CN |
| 1529460 | Sep 2004 | CN |
| 1575582 | Feb 2005 | CN |
| 1714545 | Dec 2005 | CN |
| 1725702 | Jan 2006 | CN |
| 1910869 | Feb 2007 | CN |
| 101004740 | Jul 2007 | CN |
| 101094225 | Dec 2007 | CN |
| 101163336 | Apr 2008 | CN |
| 101169785 | Apr 2008 | CN |
| 101189598 | May 2008 | CN |
| 101193089 | Jun 2008 | CN |
| 101247349 | Aug 2008 | CN |
| 101261644 | Sep 2008 | CN |
| 101442425 | May 2009 | CN |
| 101495993 | Jul 2009 | CN |
| 101682532 | Mar 2010 | CN |
| 101878663 | Nov 2010 | CN |
| 102123156 | Jul 2011 | CN |
| 102143075 | Aug 2011 | CN |
| 102546590 | Jul 2012 | CN |
| 102571742 | Jul 2012 | CN |
| 102577252 | Jul 2012 | CN |
| 102918801 | Feb 2013 | CN |
| 103533018 | Jan 2014 | CN |
| 103944954 | Jul 2014 | CN |
| 104040990 | Sep 2014 | CN |
| 104067569 | Sep 2014 | CN |
| 104106241 | Oct 2014 | CN |
| 104137491 | Nov 2014 | CN |
| 104796396 | Jul 2015 | CN |
| 102577252 | Mar 2016 | CN |
| 102918801 | May 2016 | CN |
| 1209876 | May 2002 | EP |
| 1770915 | Apr 2007 | EP |
| 1885096 | Feb 2008 | EP |
| 02296313 | Mar 2011 | EP |
| 2577910 | Apr 2013 | EP |
| 2622795 | Aug 2013 | EP |
| 2647174 | Oct 2013 | EP |
| 2760170 | Jul 2014 | EP |
| 2772026 | Sep 2014 | EP |
| 2901308 | Aug 2015 | EP |
| 2760170 | Dec 2015 | EP |
| 1182560 | Nov 2013 | HK |
| 1183569 | Dec 2013 | HK |
| 1183996 | Jan 2014 | HK |
| 1189438 | Jun 2014 | HK |
| 1198565 | May 2015 | HK |
| 1198848 | Jun 2015 | HK |
| 1199153 | Jun 2015 | HK |
| 1199779 | Jul 2015 | HK |
| 1200617 | Aug 2015 | HK |
| 392015 | Sep 2015 | IN |
| CHE2014 | Jul 2016 | IN |
| H09-097233 | Apr 1997 | JP |
| 1999096128 | Apr 1999 | JP |
| H11-338836 | Oct 1999 | JP |
| 2000276432 | Oct 2000 | JP |
| 2000307634 | Nov 2000 | JP |
| 2001051859 | Feb 2001 | JP |
| 2001298449 | Oct 2001 | JP |
| 2002091936 | Mar 2002 | JP |
| 2003141068 | May 2003 | JP |
| 2003186776 | Jul 2003 | JP |
| 2005141441 | Jun 2005 | JP |
| 2006332825 | Dec 2006 | JP |
| 2008040718 | Feb 2008 | JP |
| 2009500731 | Jan 2009 | JP |
| 2013528330 | Jul 2013 | JP |
| 2014504484 | Feb 2014 | JP |
| 2014143686 | Aug 2014 | JP |
| 2015507380 | Mar 2015 | JP |
| 5855663 | Dec 2015 | JP |
| 5906263 | Mar 2016 | JP |
| 5913609 | Apr 2016 | JP |
| 10-0830413 | May 2008 | KR |
| 1020120117461 | Aug 2013 | KR |
| 101576585 | Dec 2015 | KR |
| 269763 | Feb 1996 | TW |
| 425821 | Mar 2001 | TW |
| 444478 | Jul 2001 | TW |
| WO2001013228 | Feb 2001 | WO |
| WO2001014990 | Mar 2001 | WO |
| WO2001045349 | Jun 2001 | WO |
| WO2003103237 | Dec 2003 | WO |
| WO2004084085 | Sep 2004 | WO |
| WO2006098033 | Sep 2006 | WO |
| WO2008053954 | May 2008 | WO |
| WO2008078593 | Jul 2008 | WO |
| WO2011049770 | Apr 2011 | WO |
| WO2011079381 | Jul 2011 | WO |
| WO2011149796 | Dec 2011 | WO |
| WO2012050747 | Apr 2012 | WO |
| WO2012075237 | Jun 2012 | WO |
| WO2012083264 | Jun 2012 | WO |
| WO2012097015 | Jul 2012 | WO |
| WO2013070391 | May 2013 | WO |
| WO2013081952 | Jun 2013 | WO |
| WO2013096019 | Jun 2013 | WO |
| WO2013112492 | Aug 2013 | WO |
| WO2014031046 | Feb 2014 | WO |
| WO2014052099 | Apr 2014 | WO |
| WO2014088741 | Jun 2014 | WO |
| WO2014093829 | Jun 2014 | WO |
| WO2014138483 | Sep 2014 | WO |
| WO2014144837 | Sep 2014 | WO |
| WO2014179753 | Nov 2014 | WO |
| WO2015153020 | Oct 2015 | WO |
| WO2015164026 | Oct 2015 | WO |
| Entry |
|---|
| Cardellini et al., “Dynamic Load Balancing on Web-server Systems”, IEEE Internet Computing, vol. 3, No. 3, pp. 28-39, May-Jun. 1999. |
| Spatscheck et al., “Optimizing TCP Forwarder Performance”, IEEE/ACM Transactions on Networking, vol. 8, No. 2, Apr. 2000. |
| Kjaer et al. “Resource allocation and disturbance rejection in web servers using SLAs and virtualized servers”, IEEE Transactions on Network and Service Management, IEEE, US, vol. 6, No. 4, Dec. 1, 2009. |
| Sharifian et al. “An approximation-based load-balancing algorithm with admission control for cluster web servers with dynamic workloads”, The Journal of Supercomputing, Kluwer Academic Publishers, BO, vol. 53, No. 3, Jul. 3, 2009. |
| Hunt et al. NetDispatcher: A TCP Connection Router, IBM Research Report RC 20853 May 19, 1997. |
| Noguchi, “Realizing the Highest Level “Layer 7” Switch”= Totally Managing Network Resources, Applications, and Users =, Computer & Network LAN, Jan. 1, 2000, vol. 18, No. 1, p. 109-112. |
| Takahashi, “The Fundamentals of the Windows Network: Understanding the Mystery of the Windows Network from the Basics”, Network Magazine, Jul. 1, 2006, vol. 11, No. 7, p. 32-35. |
| Ohnuma, “AppSwitch: 7th Layer Switch Provided with Full Setup and Report Tools”, Interop Magazine, Jun. 1, 2000, vol. 10, No. 6, p. 148-150. |
| Koike et al., “Transport Middleware for Network-Based Control,” IEICE Technical Report, Jun. 22, 2000, vol. 100, No. 53, pp. 13-18. |
| Yamamoto et al., “Performance Evaluation of Window Size in Proxy-based TCP for Multi-hop Wireless Networks,” IPSJ SIG Technical Reports, May 15, 2008, vol. 2008, No. 44, pp. 109-114. |
| Abe et al., “Adaptive Split Connection Schemes in Advanced Relay Nodes,” IEICE Technical Report, Feb. 22, 2010, vol. 109, No. 438, pp. 25-30. |
| Gite, Vivek, “Linux Tune Network Stack (Buffers Size) To Increase Networking Performance,” accessed Apr. 13, 2016 at URL: «http://www.cyberciti.biz/faq/linux-tcp-tuning/», Jul. 8, 2009, 24 pages. |
| “Tcp—TCP Protocol”, Linux Programmer's Manual, accessed Apr. 13, 2016 at URL: «https://www.freebsd.org/cgi/man.cgi?query=tcp&apropos=0&sektion=7&manpath=SuSE+Linux%2Fi386+11.0&format=asci», Nov. 25, 2007, 11 pages. |
| “Enhanced Interior Gateway Routing Protocol”, Cisco, Document ID 16406, Sep. 9, 2005 update, 43 pages. |
| Crotti, Manuel et al., “Detecting HTTP Tunnels with Statistical Mechanisms”, IEEE International Conference on communications, Jun. 24-28, 2007, pp. 6162-6168. |
| Haruyama, Takahiro et al., “Dial-to-Connect VPN System for Remote DLNA Communication”, IEEE Consumer Communications and Networking Conference, CCNC 2008. 5th IEEE, Jan. 10-12, 2008, pp. 1224-1225. |
| Chen, Jianhua et al., “SSL/TLS-based Secure Tunnel Gateway System Design and Implementation”, IEEE International Workshop on Anti-counterfeiting, Security, Identification, Apr. 16-18, 2007, pp. 258-261. |
| “EIGRP MPLS VPN PE-CE Site of Origin (SoO)”, Cisco Systems, Feb. 28, 2006, 14 pages. |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 13413191 | Mar 2012 | US |
| Child | 11358245 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 11358245 | Feb 2006 | US |
| Child | 14151803 | US | |
| Parent | 11358245 | Feb 2006 | US |
| Child | 13413191 | US |
