Abstract: A security device may receive a request from a client device and intended for a server device. The security device may identify the request as being associated with a malicious activity. The malicious activity may include one or more undesirable tasks directed to the server device. The security device may generate a challenge-response test based on identifying the request as being associated with the malicious activity. The challenge-response test may be generated using one or more construction techniques. The security device may provide the challenge-response test to the client device. The security device may receive, from the client device, a proposed solution to the challenge-response test. The security device may identify the proposed solution as being generated using an optical character recognition (OCR) program. The security device may protect the server device from the client device based on identifying the solution as being generated using an OCR program.

Abstract: Techniques are described for wavelength and spectrum assignment within a packet-optical transport system. A controller, for example, dynamically controls wavelength and spectrum assignment to suppress or generally avoid optical effects that can degrade communication performance. For example, the controller provides closed-loop control over dynamic partitioning of the spectral range of an optical transport system into channel groups and assignment of the groups to respective packet-optical transport devices based on current or future bandwidth requirements at each device. Moreover, for each packet-optical transport device, the controller controls assignment of individual wavelengths within each channel group so as to balance channel utilization around a center of the spectral range associated with each channel group and to maintain spectral separation of the channels within the channel group.

Abstract: In one example, a network device includes a plurality of interface cards to send and receive packets over a network, a primary control unit of the network device, and a secondary control unit of the network device configured to detect a failover event that causes the network device to failover from the primary control unit to the secondary control unit. An operating system of the secondary control unit may be configured to send, in response to detecting the failover event, a session maintenance message on each of a plurality of application-level communication sessions in accordance with a prioritized data structure having a plurality of hierarchically arranged nodes, each of the nodes associated with a different subset of the communication sessions having a common session timeout value.

Abstract: Multicast traffic received by a subnet that uses IGMP/PIM snooping may be efficiently processed so that only required multicast router interfaces are used. A router may, for example, receive a source-specific PIM join/prune message indicating that a multicast receiver of the multicast traffic is to join/leave a multicast group to receive/stop traffic from a multicast source; determine whether the router is a first hop router relative to a subnet of the multicast source; and forward, when the router is a first hop router relative to the subnet of the multicast source and is a non-designated router, the source-specific PIM join/prune message towards the subnet.

Abstract: Techniques are described for blocking unidentified encrypted communication sessions. In one embodiment, a device includes an interface to receive a packet, an application identification module to attempt to identify an application associated with the packet, an encryption detection module to determine whether the packet is encrypted when the application identification module is unable to identify an application associated with the packet, and an attack detection module to determine whether the packet is associated with a network attack, to forward the packet when the packet is not associated with a network attack, and to take a response when the packet is associated with a network attack, wherein the encryption detection module sends a message to the attack detection module that indicates whether the packet is encrypted, wherein when the message indicates that packet is encrypted, the attack detection module determines that the packet is associated with a network attack.

Abstract: In one embodiment, a method can include receiving at an egress schedule module a request to schedule transmission of a group of cells from an ingress queue through a switch fabric of a multi-stage switch. The ingress queue can be associated with an ingress stage of the multi-stage switch. The egress schedule module can be associated with an egress stage of the multi-stage switch. The method can also include determining, in response to the request, that an egress port at the egress stage of the multi-stage switch is available to transmit the group of cells from the multi-stage switch.

Abstract: In response to receiving a reply message for reserving bandwidth along a primary path for a first label switched path (LSP) for carrying data traffic from an ingress network device to an egress network device, a point of local repair (PLR) network device establishes a second LSP from the PLR to a merge point (MP) network device along a subset of the primary path. The second LSP is dedicated to carrying operations, administration and management (OAM) messages to verify connectivity of the subset of the primary path, and is not used for sending data traffic. The PLR sends an OAM message to verify connectivity of at least one protected resource along the subset of the primary path to a next hop along the second LSP, wherein the OAM message is encapsulated by a second label associated with the second LSP.

Abstract: A forwarding node decapsulates and encapsulates data. The decapsulation may be performed using pattern matching techniques and the encapsulation may be performed using pattern insertion techniques. The decapsulation and encapsulation are preferably performed by hardware devices such as application specific integrated circuits (ASICs) to enhance the speed of such operations. The decapsulation and encapsulation may be independent of each other and performed on a per virtual circuit basis.

Abstract: An egress network device of a point-to-point (P2P) tunnel can receive an LSP Ping message via the P2P tunnel from an ingress network device of the P2P LSP, wherein the LSP Ping message specifies a label that the egress network device associates with a service provided to the egress network device via the P2P tunnel. In response to receiving the LSP Ping message, the egress network device can store an association between the label and the P2P tunnel. The egress network device also uses a fault detection network protocol session over the P2P tunnel to monitor a state of the P2P tunnel. In response to detecting based on the fault detection network protocol session that the state of the P2P tunnel is down, the egress network device determines the service is unavailable from the ingress network device via the P2P tunnel, and selects a new source to provide the service.

Abstract: A network management system monitors malware within a mobile network. The system comprises a receiver component that obtains data regarding malware in the mobile network. The data is obtained from a first source and a second source, where the first source is of a different type than the second source. The monitoring system also includes an analysis component that generates a malware analysis of the mobile network as a function of the data.

Abstract: Routers balance network traffic among multiple paths through a network according to an amount of bandwidth that can be sent on an outgoing interface computed for each of the paths. For example, a router receives a link bandwidth for network links that are positioned between the first router and a second router of the network, and selects a plurality of forwarding paths from the first router to the second router. Upon determining that one of the network links is shared by multiple of the plurality of forwarding paths, the router computes a path bandwidth for each of the plurality of forwarding paths so as to account for splitting of link bandwidth of the shared network link across the multiple forwarding paths that share the network link. The router assigns packet flows to the forwarding paths based at least on the computed amount of bandwidth for each of the forwarding paths.

Abstract: In some embodiments, an apparatus includes an optical detector that can sample asynchronously an optical signal from an optical component that can be either an optical transmitter or an optical receiver. In such embodiments, the apparatus also includes a processor operatively coupled to the optical detector, where the processor can calculate a metric value of the optical signal without an extinction ratio of the optical signal being measured. The metric value is proportional to the extinction ratio of the optical signal. In such embodiments, the processor can define an error signal based on the metric value of the optical signal and the processor can send the error signal to the optical transmitter such that the optical transmitter modifies an output optical signal.

Abstract: A system includes a module associated with a first stage of a switch fabric directly coupled to a module associated with a second stage of the switch fabric via a single physical hop having multiple virtual channels. The module associated with the first stage is configured to assign a virtual channel identifier associated with a virtual channel with a data packet using a hash function and to send the data packet through the virtual channel based on the virtual channel identifier. The module associated with the second stage is configured to send a flow control signal to the module associated with the first stage when an available capacity of a queue is less than a predetermined threshold. The module associated with the first stage is configured to suspend sending data packets via the virtual channel in response to the flow control signal.

Abstract: In one aspect, a computer-implemented method includes generating a workload using at least one schema defined by combinations of ranges of each of at least two attributes. The computer-implemented method also includes receiving a request to provide content. The computer-implemented method further includes provisioning the content based upon the workload.

Abstract: A device may include a flow table to store, in flow table records, statistics associated with a number of data flows, and a flow type table to store, in flow type table records, information that indicates whether to store statistics in the flow table for each of a number of types of data flows, information that indicates a manner for sampling data units associated with the data flows, and/or information that indicates when to delete flow table records from the flow table.

Abstract: A laser system includes an array of lasers that emit light at a number of different, fixed wavelengths. A group of optical transport systems connect to the laser system. Each of the optical transport systems is configured to modulate data signals onto the light from the laser system to create optical signals and transmit the optical signals on one or more optical fibers.

Abstract: In general, techniques are described for automatically identifying likely faulty components in massively distributed complex systems. In some examples, snapshots of component parameters are automatically repeatedly fed to a pre-trained classifier and the classifier indicates whether each received snapshot is likely to belong to a fault and failure class or to a non-fault/failure class. Components whose snapshots indicate a high likelihood of fault or failure are investigated, restarted or taken off line as a pre-emptive measure. The techniques may be applied in a massively distributed complex system such as a data center.

Abstract: In one embodiment, a method includes sending a first flow control signal to a first stage of transmit queues when a receive queue is in a congestion state. The method also includes sending a second flow control signal to a second stage of transmit queues different from the first stage of transmit queues when the receive queue is in the congestion state.

Abstract: An apparatus includes an access switch having a set of ports and configured to be operatively coupled to a multicast router via a first port from the set of ports. The access switch is configured to be associated with a network associated with the multicast router, and designate the first port as a multicast-router interface during a time period. The access switch is configured to send a message to the multicast router via each port from the set of ports in response to an indication of a change in a topology of the network after the time period. The access switch is configured to designate a second port from the set of ports as the multicast-router interface and dedesignate the first port as the multicast-router interface in response to receiving, via the second port and in response to the message, a signal from the multicast router.

Abstract: In one embodiment, edge devices can be configured to be coupled to a multi-stage switch fabric and peripheral processing devices. The edge devices and the multi-stage switch fabric can collectively define a single logical entity. A first edge device from the edge devices can be configured to be coupled to a first peripheral processing device from the peripheral processing devices. The second edge device from the edge devices can be configured to be coupled to a second peripheral processing device from the peripheral processing devices. The first edge device can be configured such that virtual resources including a first virtual resource can be defined at the first peripheral processing device. A network management module coupled to the edge devices and configured to provision the virtual resources such that the first virtual resource can be migrated from the first peripheral processing device to the second peripheral processing device.