Patents by Inventor Sergey Katsev

Sergey Katsev has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230300066
    Abstract: The disclosed method and system increase routing efficiency by identifying a set of candidate Autonomous Systems (ASes) able to reduce average AS distances towards a set of target ASes. Starting from a list of Routing Information Base (RIB) snapshots and a set of target ASes, candidate ASes are ranked based on the gain they would provide in terms of AS distance if they were connected to the network administrator AS. A set of starting ASes may represent the ASes to which the administrator is already connected, and a set of forbidden ASes may represent the ASes to which the administrator does not want to connect. An exemplary web-based interface may show gains of candidate ASes, allowing the administrator to better understand how much an average AS distance toward the set of target ASes would improve.
    Type: Application
    Filed: March 9, 2023
    Publication date: September 21, 2023
    Inventors: Alessandro Improta, Luca Sani, Dritan Suljoti, Sergey Katsev
  • Patent number: 11627073
    Abstract: The disclosed method and system increase routing efficiency by identifying a set of candidate Autonomous Systems (ASes) able to reduce average AS distances towards a set of target ASes. Starting from a list of Routing Information Base (RIB) snapshots and a set of target ASes, candidate ASes are ranked based on the gain they would provide in terms of AS distance if they were connected to the network administrator AS. A set of starting ASes may represent the ASes to which the administrator is already connected, and a set of forbidden ASes may represent the ASes to which the administrator does not want to connect. An exemplary web-based interface may show gains of candidate ASes, allowing the administrator to better understand how much an average AS distance toward the set of target ASes would improve.
    Type: Grant
    Filed: April 28, 2021
    Date of Patent: April 11, 2023
    Assignee: Catchpoint Systems, Inc.
    Inventors: Alessandro Improta, Luca Sani, Dritan Suljoti, Sergey Katsev
  • Publication number: 20220038366
    Abstract: The disclosed method and system increase routing efficiency by identifying a set of candidate Autonomous Systems (ASes) able to reduce average AS distances towards a set of target ASes. Starting from a list of Routing Information Base (RIB) snapshots and a set of target ASes, candidate ASes are ranked based on the gain they would provide in terms of AS distance if they were connected to the network administrator AS. A set of starting ASes may represent the ASes to which the administrator is already connected, and a set of forbidden ASes may represent the ASes to which the administrator does not want to connect. An exemplary web-based interface may show gains of candidate ASes, allowing the administrator to better understand how much an average AS distance toward the set of target ASes would improve.
    Type: Application
    Filed: April 28, 2021
    Publication date: February 3, 2022
    Inventors: Alessandro Improta, Luca Sani, Dritan Suljoti, Sergey Katsev
  • Patent number: 10992641
    Abstract: Methods and systems for an IPv4-IPv6 proxy mode for DNS servers are provided. According to one embodiment, a DNS query is received by a network device from a dual-stack client. A determination is made by the network device whether a first record type containing an Internet Protocol (IP) address for a server associated with the query exists within a DNS database of the network device. If the first record type exists for the server, then communication is enabled between the client and the server based on the first record type; otherwise it is automatically determined whether a second record type usable by the client exists for the server. Responsive to a determination that the second record type exists, data associated with the second record type is shared with the client by the network device to enable communication between the client and the server.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: April 27, 2021
    Assignee: Fortinet, Inc.
    Inventors: William A Kish, Sergey Katsev
  • Patent number: 10673815
    Abstract: Methods and systems for an IPv4-IPv6 proxy mode for DNS servers are provided. According to one embodiment, a DNS query is received by a network device from a dual-stack client. A determination is made by the network device whether a first record type containing an Internet Protocol (IP) address for a server associated with the query exists within a DNS database of the network device. If the first record type exists for the server, then communication is enabled between the client and the server based on the first record type; otherwise it is automatically determined whether a second record type usable by the client exists for the server. Responsive to a determination that the second record type exists, data associated with the second record type is shared with the client by the network device to enable communication between the client and the server.
    Type: Grant
    Filed: February 12, 2018
    Date of Patent: June 2, 2020
    Assignee: Fortinet, Inc.
    Inventors: William A Kish, Sergey Katsev
  • Patent number: 10560543
    Abstract: Methods and systems for improving performance of an HTTP cache are provided. According to one embodiment, an HTTP request is received by an ADC for a resource associated with a server on behalf of which the ADC is performing load balancing. The ADC determines based on a local HTTP cache whether it can service the request. The request is parsed to identify a header. The existence or non-existence of locally cached content matching the request is identified by comparing portions of the identified header with corresponding portions of header information of cached content based on a vary rule defining when two headers are meaningfully different. Therefore, the identified header need not exactly match an entirety of the cached information for a cache hit to be found. Responsive to a cache hit, the ADC responds to the request with an HTTP response containing the identified locally cached content.
    Type: Grant
    Filed: March 26, 2015
    Date of Patent: February 11, 2020
    Assignee: Fortinet, Inc.
    Inventor: Sergey Katsev
  • Publication number: 20200021559
    Abstract: Methods and systems for an IPv4-IPv6 proxy mode for DNS servers are provided. According to one embodiment, a DNS query is received by a network device from a dual-stack client. A determination is made by the network device whether a first record type containing an Internet Protocol (IP) address for a server associated with the query exists within a DNS database of the network device. If the first record type exists for the server, then communication is enabled between the client and the server based on the first record type; otherwise it is automatically determined whether a second record type usable by the client exists for the server. Responsive to a determination that the second record type exists, data associated with the second record type is shared with the client by the network device to enable communication between the client and the server.
    Type: Application
    Filed: September 23, 2019
    Publication date: January 16, 2020
    Applicant: Fortinet, Inc.
    Inventors: William A. Kish, Sergey Katsev
  • Patent number: 10171492
    Abstract: Systems and methods for improving the performance of DDoS mitigation by monitoring the health of a protected network resource are provided. According to one embodiment, health of a network device protected by a DoS mitigation device can be evaluated and packet/traffic received on the DoS mitigation device can be selectively/conditionally forwarded to the protected network device or can be dropped based on the health of the protected network device. According to one embodiment, at least a part of the traffic is blocked when the health of the protected network device is below a predetermined health threshold. In an exemplary implementation, a measure of volume of traffic originated by different computing devices and handled by the protected network device can be computed, and packet filtering or conditional forwarding can be enabled when the computed measure of volume of traffic exceeds a predetermined traffic volume threshold.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: January 1, 2019
    Assignee: Fortinet, Inc.
    Inventors: William A. Kish, Sergey Katsev
  • Patent number: 10148785
    Abstract: Systems and methods for a cache replacement policy that takes into consideration factors relating to the replacement cost of currently cached data and/or the replacement cost of received data. According to one embodiment, data is received by a network device responsive to a request issued on behalf of a client device. A cache management system running on the network device estimates, for each of multiple cache entries of a cache managed by the cache management system, a computational cost of reproducing data cached within each of the cache entries by respective origin storage devices from which the respective cached data originated. The cache management system estimates a communication latency between the cache and the respective origin storage devices. The cache management system enables the cache to replace data cached within a selected cache entry with the received data based on the estimated computational costs and the estimated communication latencies.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: December 4, 2018
    Assignee: Fortinet, Inc.
    Inventor: Sergey Katsev
  • Patent number: 10075468
    Abstract: Systems and methods for an improved DDoS mitigation approach are provided. According to one embodiment, a current threshold for a network connection characteristic is established within a Denial-of-Service (DoS) mitigation device logically interposed between a protected resource of a private network and multiple client devices residing external to the private network. A number of connections between the client devices and the protected network resource are tracked. During a period of time in which the number of connections exceeds a connection count threshold: (i) for each of the connections, a measured value for the network connection characteristic is compared to the current threshold; (ii) responsive to a determination that the measured value exceeds the current threshold, the connection is dropped; and (iii) the current threshold is periodically reduced, such that only those connections complying with the current threshold are maintained.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: September 11, 2018
    Assignee: Fortinet, Inc.
    Inventors: William A. Kish, Sergey Katsev
  • Publication number: 20180167359
    Abstract: Methods and systems for an IPv4-IPv6 proxy mode for DNS servers are provided. According to one embodiment, a DNS query is received by a network device from a dual-stack client. A determination is made by the network device whether a first record type containing an Internet Protocol (IP) address for a server associated with the query exists within a DNS database of the network device. If the first record type exists for the server, then communication is enabled between the client and the server based on the first record type; otherwise it is automatically determined whether a second record type usable by the client exists for the server. Responsive to a determination that the second record type exists, data associated with the second record type is shared with the client by the network device to enable communication between the client and the server.
    Type: Application
    Filed: February 12, 2018
    Publication date: June 14, 2018
    Applicant: Fortinet, Inc.
    Inventors: William A. Kish, Sergey Katsev
  • Publication number: 20180069946
    Abstract: Systems and methods for a cache replacement policy that takes into consideration factors relating to the replacement cost of currently cached data and/or the replacement cost of received data. According to one embodiment, data is received by a network device responsive to a request issued on behalf of a client device. A cache management system running on the network device estimates, for each of multiple cache entries of a cache managed by the cache management system, a computational cost of reproducing data cached within each of the cache entries by respective origin storage devices from which the respective cached data originated. The cache management system estimates a communication latency between the cache and the respective origin storage devices. The cache management system enables the cache to replace data cached within a selected cache entry with the received data based on the estimated computational costs and the estimated communication latencies.
    Type: Application
    Filed: November 13, 2017
    Publication date: March 8, 2018
    Applicant: Fortinet, Inc.
    Inventor: Sergey Katsev
  • Patent number: 9894033
    Abstract: Methods and systems for an IPv4-IPv6 proxy mode for DNS servers are provided. According to one embodiment, a DNS query is received by a network device from a dual-stack client. A determination is made by the network device whether a first record type containing an Internet Protocol (IP) address for a server associated with the query exists within a DNS database of the network device. If the first record type exists for the server, then communication is enabled between the client and the server based on the first record type; otherwise it is automatically determined whether a second record type usable by the client exists for the server. Responsive to a determination that the second record type exists, data associated with the second record type is shared with the client by the network device to enable communication between the client and the server.
    Type: Grant
    Filed: August 4, 2014
    Date of Patent: February 13, 2018
    Assignee: Fortinet, Inc.
    Inventors: William A Kish, Sergey Katsev
  • Publication number: 20170374098
    Abstract: Systems and methods for an improved DDoS mitigation approach are provided. According to one embodiment, a current threshold for a network connection characteristic is established within a Denial-of-Service (DoS) mitigation device logically interposed between a protected resource of a private network and multiple client devices residing external to the private network. A number of connections between the client devices and the protected network resource are tracked. During a period of time in which the number of connections exceeds a connection count threshold: (i) for each of the connections, a measured value for the network connection characteristic is compared to the current threshold; (ii) responsive to a determination that the measured value exceeds the current threshold, the connection is dropped; and (iii) the current threshold is periodically reduced, such that only those connections complying with the current threshold are maintained.
    Type: Application
    Filed: June 24, 2016
    Publication date: December 28, 2017
    Applicant: Fortinet, Inc.
    Inventors: William A. Kish, Sergey Katsev
  • Publication number: 20170374097
    Abstract: Systems and methods for improving the performance of DoS mitigation by monitoring the health of a protected network resource are provided. According to one embodiment, health of a network device protected by a DoS mitigation device can be evaluated and packet/traffic received on the DoS mitigation device can be selectively/conditionally forwarded to the protected network device or can be dropped based on the health of the protected network device. According to one embodiment, at least a part of the traffic is blocked when the health of the protected network device is below a predetermined health threshold. In an exemplary implementation, a measure of volume of traffic originated by different computing devices and handled by the protected network device can be computed, and packet filtering or conditional forwarding can be enabled when the computed measure of volume of traffic exceeds a predetermined traffic volume threshold.
    Type: Application
    Filed: June 24, 2016
    Publication date: December 28, 2017
    Applicant: Fortinet, Inc.
    Inventors: William A. Kish, Sergey Katsev
  • Patent number: 9819763
    Abstract: Systems and methods for a cache replacement policy that takes into consideration factors relating to the replacement cost of currently cached data and/or the replacement cost of requested data. According to one embodiment, a request for data is received by a network device. A cache management system running on the network device estimates, for each of multiple cache entries of a cache managed by the cache management system, a computational cost of reproducing data cached within each of the cache entries by respective origin storage devices from which the respective cached data originated. The cache management system estimates a communication latency between the cache and the respective origin storage devices. The cache management system enables the cache to replace data cached within a selected cache entry with the requested data based on the estimated computational costs and the estimated communication latencies.
    Type: Grant
    Filed: August 7, 2015
    Date of Patent: November 14, 2017
    Assignee: Fortinet, Inc.
    Inventor: Sergey Katsev
  • Publication number: 20170041428
    Abstract: Systems and methods for a cache replacement policy that takes into consideration factors relating to the replacement cost of currently cached data and/or the replacement cost of requested data. According to one embodiment, a request for data is received by a network device. A cache management system running on the network device estimates, for each of multiple cache entries of a cache managed by the cache management system, a computational cost of reproducing data cached within each of the cache entries by respective origin storage devices from which the respective cached data originated. The cache management system estimates a communication latency between the cache and the respective origin storage devices. The cache management system enables the cache to replace data cached within a selected cache entry with the requested data based on the estimated computational costs and the estimated communication latencies.
    Type: Application
    Filed: August 7, 2015
    Publication date: February 9, 2017
    Applicant: FORTINET, INC.
    Inventor: Sergey Katsev
  • Publication number: 20160285992
    Abstract: Methods and systems for improving performance of an HTTP cache are provided. According to one embodiment, an HTTP request is received by an ADC for a resource associated with a server on behalf of which the ADC is performing load balancing. The ADC determines based on a local HTTP cache whether it can service the request. The request is parsed to identify a header. The existence or non-existence of locally cached content matching the request is identified by comparing portions of the identified header with corresponding portions of header information of cached content based on a vary rule defining when two headers are meaningfully different. Therefore, the identified header need not exactly match an entirety of the cached information for a cache hit to be found. Responsive to a cache hit, the ADC responds to the request with an HTTP response containing the identified locally cached content.
    Type: Application
    Filed: March 26, 2015
    Publication date: September 29, 2016
    Applicant: FORTINET, INC.
    Inventor: Sergey Katsev
  • Publication number: 20160036943
    Abstract: Methods and systems for an IPv4-IPv6 proxy mode for DNS servers are provided. According to one embodiment, a DNS query is received by a network device from a dual-stack client. A determination is made by the network device whether a first record type containing an Internet Protocol (IP) address for a server associated with the query exists within a DNS database of the network device. If the first record type exists for the server, then communication is enabled between the client and the server based on the first record type; otherwise it is automatically determined whether a second record type usable by the client exists for the server. Responsive to a determination that the second record type exists, data associated with the second record type is shared with the client by the network device to enable communication between the client and the server.
    Type: Application
    Filed: August 4, 2014
    Publication date: February 4, 2016
    Applicant: Fortinet, Inc.
    Inventors: William A. Kish, Sergey Katsev