Juniper Networks Patent Applications

POLLUTING RESULTS OF VULNERABILITY SCANS

Granted: April 2, 2015
Application Number: 20150096035
A security device may receive, from a server device, a response to a request. The request may be provided by an attacker device and may include a plurality of input values. The security device may determine the plurality of input values, included in the request, based on receiving the response. The security device may modify the response to form a modified response. The response may be modified to include information associated with the plurality of input values. The response may be…

LIMITING THE EFFICACY OF A DENIAL OF SERVICE ATTACK BY INCREASING CLIENT RESOURCE DEMANDS

Granted: April 2, 2015
Application Number: 20150096020
A device may detect an attack. The device may receive, from a client device, a request for a resource. The device may determine, based on detecting the attack, a computationally expensive problem to be provided to the client device, where the computationally expensive problem requires a computation by the client device to solve the computationally expensive problem. The device may instruct the client device to provide a solution to the computationally expensive problem. The device may…

BLOCKING VIA AN UNSOLVABLE CAPTCHA

Granted: April 2, 2015
Application Number: 20150095981
A security device may receive a request from an attacker device and intended for a server device. The security device may identify the request as being associated with a malicious activity. The malicious activity may include one or more undesirable tasks directed to the server device. The security device may generate an unsolvable challenge-response test based on identifying the request as being associated with the malicious activity. The unsolvable challenge-response test may be…

ENCRYPTING IMAGES ON A CLIENT DEVICE FOR SECURE TRANSMISSION AND STORAGE ON A STORAGE DEVICE

Granted: April 2, 2015
Application Number: 20150095643
A device may identify an image to be encrypted, and may convert the image to a first string in a first format. The first string may represent the image. The device may receive information that identifies a key for encrypting the first string, and may generate a first encrypted string by encrypting the first string using the key. The device may convert the first encrypted string, in the first format, to a second encrypted string in a second format. The device may provide the second…

FUZZING SERVER RESPONSES TO MALICIOUS CLIENT DEVICES

Granted: April 2, 2015
Application Number: 20150095507
A security device may receive a request, from a client device and intended for a server device, to provide a resource. The resource may be associated with information stored by the server device. The security device may identify the request as being associated with a malicious script. The malicious script may execute on the client device and may include a script that performs one or more undesirable tasks directed to the server device. The security device may receive, from the server…

DYNAMIC AREA FILTERING FOR LINK-STATE ROUTING PROTOCOLS

Granted: April 2, 2015
Application Number: 20150092785
In general, techniques are described for dynamically filtering, at area border routers (ABRs) of a multi-area autonomous system, routes to destinations external to an area by advertising to routers of the area only those routes associated with a destination address requested by at least one router of the area. In one example, a method includes receiving, by an ABR that borders a backbone area and a non-backbone area of a multi-area autonomous system that employs a hierarchical link state…

METHODS AND APPARATUS FOR CONFIGURING A VIRTUAL NETWORK SWITCH

Granted: April 2, 2015
Application Number: 20150092605
In one embodiment, a method includes sending a configuration signal to a virtual network switch module within a control plane of a communications network. The configuration signal is configured to define a first network rule at the virtual network switch module. The method also includes configuring a packet forwarding module such that the packet forwarding module implements a second network rule, and receiving status information from the virtual network switch module and status…

TWO-PART METRIC FOR LINK STATE ROUTING PROTOCOLS

Granted: April 2, 2015
Application Number: 20150092594
Techniques are described for utilizing two-part metrics with link state routing protocols of computer networks. For example, link state advertisements communicated by a router convey outbound cost metrics representative of outbound costs for the router to send network traffic to a network, and inbound cost metrics representative of inbound costs to receive network traffic from the network. The techniques may be particularly useful with respect to shared access networks, including…

SESSION-AWARE SERVICE CHAINING WITHIN COMPUTER NETWORKS

Granted: April 2, 2015
Application Number: 20150092551
Techniques are described for providing session-aware, stateful network services to subscriber packet flows. Devices within a service provider network direct subscriber packets along service chains. Each tunnel is established to direct traffic according to a particular ordered set of network services for the corresponding service chain. An ingress device for the tunnels encapsulates the subscriber packets and embeds opaque session cookies that each uniquely identifies a collection of packet…

IDENTIFYING MALICIOUS DEVICES WITHIN A COMPUTER NETWORK

Granted: March 5, 2015
Application Number: 20150067866
This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for…

DYNAMIC END-TO-END NETWORK PATH SETUP ACROSS MULTIPLE NETWORK LAYERS

Granted: March 5, 2015
Application Number: 20150063802
A centralized controller provides dynamic end-to-end network path setup across multiple network layers. In particular, the centralized controller manages end-to-end network path setup that provisions a path at both the transport network layer (e.g., optical) and the service network layer (e.g., IP/MPLS). The centralized controller performs path computation for an optical path at the transport network layer and for a path at the service network layer that transports network traffic on the…

PREVENTING EXTRACTION OF SECRET INFORMATION OVER A COMPROMISED ENCRYPTED CONNECTION

Granted: February 26, 2015
Application Number: 20150058493
A device may receive, from a first device, a first message that includes a first random cookie and a session cookie. The device may provide the first message to a second device. The device may receive, from the second device, a second message that includes a response to the first message. The device may generate a second random cookie. The second random cookie may be different from the first random cookie. The device may provide, to the first device, the second random cookie, the session…

METHODS AND APPARATUS FOR ENFORCING A COMMON USER POLICY WITHIN A NETWORK

Granted: November 27, 2014
Application Number: 20140348111
In some embodiments, an apparatus includes a core network node configured to be operatively coupled to a set of wired network nodes and a set of wireless network nodes. The core network node is configured to receive, at a first time, a first data packet to be sent to a wired device operatively coupled to a wired network node from the set of wired network nodes. The core network node is configured to also receive, at a second time, a second data packet to be sent to a wireless device…

METHODS AND APPARATUS FOR STANDARD PROTOCOL VALIDATION MECHANISMS DEPLOYED OVER A SWITCH FABRIC SYSTEM

Granted: November 20, 2014
Application Number: 20140341045
An apparatus includes a destination edge device configured to receive a first validation packet according to a switch fabric validation protocol. The destination edge device is configured to validate multiple data paths through a distributed switch fabric from a source edge device to the destination edge device based on the first validation packet. The destination edge device is configured to send, in response to receiving the first validation packet, a second validation packet to a…

APPARATUS, SYSTEM, AND METHOD FOR CONTROLLING POWER WITHIN A POWER-REDUNDANT SYSTEM

Granted: November 20, 2014
Application Number: 20140339901
An apparatus may include a bus that electrically couples an electrical load to redundant power feeds. The apparatus may also include at least one capacitive component electrically coupled between first and second rails of the bus via both a conductive path and a resistive path that has substantially greater resistance than the conductive path. In addition, the apparatus may include a switching mechanism electrically coupled between the first and second rails of the bus that causes the…

METHODS AND APPARATUS FOR REDUCING ENERGY CONSUMPTION OF NETWORK EQUIPMENT

Granted: October 2, 2014
Application Number: 20140298067
In some embodiments, an equipment unit has a set of visual indicators, a power switch, and a set of compute components. The power switch receives a signal representing a status such that when the status is in a first mode, the power switch provides power to the set of visual indicators and when the status is in a second mode the power switch does not provide power to the set of visual indicators. The compute components are configured to receive power when the power switch does not…

SELECTION OF MULTICAST ROUTER INTERFACES IN AN L2 SWITCH CONNECTING END HOSTS AND ROUTERS, WHICH IS RUNNING IGMP AND PIM SNOOPING

Granted: September 18, 2014
Application Number: 20140269707
Multicast traffic received by a subnet that uses IGMP/PIM snooping may be efficiently processed so that only required multicast router interfaces are used. A router may, for example, receive a source-specific PIM join/prune message indicating that a multicast receiver of the multicast traffic is to join/leave a multicast group to receive/stop traffic from a multicast source; determine whether the router is a first hop router relative to a subnet of the multicast source; and forward, when…

CONNECTIVITY SCHEME AND COOLING SCHEME FOR A LARGE RACK SYSTEM

Granted: September 11, 2014
Application Number: 20140254074
A rack system may include a first plurality of line cards, where a particular one of the first plurality of line cards receives or sends packets via ports; a plurality of fabric cards, where a particular one of the plurality of fabric cards includes a switching fabric; a second plurality of line cards, where a particular one of the second plurality of line cards receives or sends packets via ports; a first backplane that connects the first plurality of line cards to the plurality of…

INTELLIGENT INTEGRATED NETWORK SECURITY DEVICE

Granted: September 11, 2014
Application Number: 20140259146
Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record.

TRAFFIC CLASSIFICATION AND CONTROL ON A NETWORK NODE

Granted: September 11, 2014
Application Number: 20140254379
A system is configured to receive traffic being transported via a network; obtain, as a result of receiving the traffic, content from one or more packets associated with the traffic; analyze the content to identify one or more attributes associated with the content, where the one or more attributes correspond to at least one of: a network address, information associated with an application with which the traffic is associated, information associated with message content, or information…