Abstract: A method is disclosed for protecting a network against a denial-of-service attack by inspecting application layer messages at a network element. According to one aspect, when a network element intercepts data packets that contain an application layer message, the network element constructs the message from the payload portions of the packets. The network element determines whether the message satisfies specified criteria. The criteria may indicate characteristics of messages that are suspected to be involved in a denial-of-service attack, for example. If the message satisfies the specified criteria, then the network element prevents the data packets that contain the message from being received by the application for which the message was intended. The network element may accomplish this by dropping the packets, for example. As a result, the application's host does not waste processing resources on messages whose only purpose might be to deluge and overwhelm the application.

Abstract: Techniques are provided for performing security functions on a message payload in a network element. According to one aspect, a network element receives one or more data packets. The network element performs a security function on at least a portion of an application layer message that is contained in one or more payload portions of the one or more data packets. According to another aspect, a network element receives a first request that is destined for a first application. The network element sends, to a second application that sent the first request, a second request for authentication information. The network element receives the authentication information and determines whether the authentication information is valid. If the authentication information is not valid, then the network element prevents the first request from being sent to the first application.