Patents Assigned to Juniper Networks
  • Patent number: 9866583
    Abstract: A security device may receive a request, from a client device and intended for a server device, to provide a resource. The resource may be associated with information stored by the server device. The security device may identify the request as being associated with a malicious script. The malicious script may execute on the client device and may include a script that performs one or more undesirable tasks directed to the server device. The security device may receive, from the server device, a response to the request. The response may include information associated with the requested resource. The security device may modify the response to form a modified response. The response may be modified in an attempt to cause the malicious script to experience an error. The security device may provide the modified response to the client device.
    Type: Grant
    Filed: August 4, 2016
    Date of Patent: January 9, 2018
    Assignee: Juniper Networks, Inc.
    Inventor: Kyle Adams
  • Publication number: 20180006942
    Abstract: A network device may receive an instruction to update a data structure implemented by the network device and update the data structure based on receiving the instruction. The data structure may include a routing instruction to direct the network device to provide a data flow to a server device for processing. The network device may receive the data flow destined for a destination device; determine the routing instruction based on at least a portion of an internet protocol (IP) address associated with the data flow and based on the data structure; execute the routing instruction to provide the data flow to the server device and to cause the data flow to be processed by the server device to form a processed data flow; and receive the processed data flow and provide the processed data flow towards the destination device.
    Type: Application
    Filed: July 31, 2013
    Publication date: January 4, 2018
    Applicant: Juniper Networks, Inc.
    Inventors: Bruno RIJSMAN, Usha SHARMA, Prabhakaran GANESAN, Sankar RAMAMOORTHI
  • Patent number: 9860162
    Abstract: In one example, an autonomous system boundary router (ASBR) forms part of a first autonomous system (AS). The ASBR is between a first provider edge (PE) router of the first AS and a second PE router of a second, different AS. The first PE router and the second PE router form a Multiprotocol Label Switching (MPLS) path. The ASBR includes an interface communicatively coupled to a routing device external to the first AS, a memory configured to store a forwarding table associated with the interface, and one or more processing units configured to receive a packet via the interface, determine that the packet is encapsulated by an MPLS label, select a forwarding table based on the interface by which the packet was received, and forward the packet according to forwarding information of the forwarding table when the forwarding table includes the MPLS label.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: January 2, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Jeyananth Minto Jeganathan, Kaliraj Vairavakkalai
  • Patent number: 9860210
    Abstract: An intrusion detection system is described that is capable of applying a plurality of stacked (layered) application-layer decoders to extract encapsulated application-layer data from a tunneled packet flow produced by multiple applications operating at the application layer, or layer seven (L7), of a network stack. In this way, the IDS is capable of performing application identification and decoding even when one or more software applications utilize other software applications for data transport to produce packet flow from a network device. The protocol decoders may be dynamically swapped, reused and stacked (layered) when applied to a given packet or packet flow.
    Type: Grant
    Filed: October 26, 2016
    Date of Patent: January 2, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Siying Yang, Krishna Narayanaswamy
  • Patent number: 9858132
    Abstract: The disclosed computer-implemented method for facilitating atomic delivery of bundled data sets to applications within distributed systems may include (1) receiving, at a queue of an application, a data set from at least one other application, (2) determining that the data set is incorporated in a bundle whose contents have yet to completely arrive at the queue, (3) gating the data set at the queue until the bundle's contents have completely arrived at the queue, (4) receiving, at the queue, another data set incorporated in the bundle, (5) determining that the bundle's contents have completely arrived at the queue based at least in part on receiving the other data set, and then (6) notifying the application that the bundle is ready for atomic delivery such that the application is able to consume the bundle's contents on an as-needed basis. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 2, 2016
    Date of Patent: January 2, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Srinath Bayareddy, Aditya Thakur, Vijay Paul, David Katz
  • Patent number: 9860150
    Abstract: In general, techniques of this disclosure may enable a remote provider edge (PE) router to improve convergence time in response to a link failure in an Ethernet Virtual Private Network (EVPN) by establishing per-Ethernet Segment Identifier (ESI) Bidirectional Forwarding Detection (BFD) sessions with other PE routers that are coupled to the PE router in an EVPN. The remote PE may determine that at least two PE routers with the remote PE are locally connected to a multi-homed customer network by a particular Ethernet Segment. The remote PE may send, based on determining that the at least two PE routers are connected to the multi-homed customer network by the particular Ethernet Segment, an ESI Ping request packet through the intermediate network to one of the at least two PE routers, wherein the ESI Ping request packet includes at least a BFD discriminator and an ESI for the particular Ethernet Segment.
    Type: Grant
    Filed: October 23, 2015
    Date of Patent: January 2, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Nitin Singh, Kapil Arora, Ramesh Kandula, Santosh Pallagatti Kotrabasappa
  • Patent number: 9860110
    Abstract: Techniques are described for enhancements to Protocol Independent Multicast (PIM) to support multicast only fast re-route (MoFRR) over a remote loop free alternate (RLFA) backup path in a network. This disclosure describes a modified PIM control message having a new PIM message type and an additional field to indicate an address of a RLFA network device in the RLFA backup path. According to techniques of this disclosure, network devices along the RLFA backup path are configured to forward the modified PIM control message toward the RLFA network device instead of toward a source of a requested multicast group. When the RLFA network device receives the modified PIM control message, the RLFA network device is configured to forward a conventional PIM control message towards the source of the requested multicast group. In this way, PIM can be used to provide MoFRR over a RLFA backup path.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: January 2, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Nischal Singh, Hariharan Boopathy, Rahul Unnikrishnan
  • Patent number: 9860169
    Abstract: The techniques described herein may enable a particular PE router configured in an EVPN to share, rather than immediately discard, a CE router MAC address that is included in an IPv6 neighbor advertisement even though the particular PE router does not include a neighbor cache entry corresponding to the CE router. The techniques may include receiving, from a CE router that is locally coupled to the first PE router, an IPv6 neighbor advertisement from the CE router in response to an IPv6 neighbor solicitation from a second PE router that requested a MAC address of the CE router; determining whether an L2 destination address of the IPv6 neighbor advertisement matches the L2 address of the bridging interface of the second PE router; and in response to determining a match, sending, to the second PE router, an EVPN route advertisement specifying at least the MAC address of the CE router.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: January 2, 2018
    Assignee: Juniper Networks, Inc.
    Inventors: Samson P Ninan, Sushant Kumar, Reji Thomas
  • Patent number: 9854493
    Abstract: In some embodiments, a non-transitory processor-readable medium includes code to cause a processor to receive, at a tunnel server, a data unit addressed to a communication device, and define a first instance of the data unit and a second instance of the data unit. The first instance of the data unit is sent to the communication device via a first tunnel defined between at least the tunnel server and a first base station associated with a first network. The second instance of the data unit is sent to the communication device via a second tunnel defined between at least the tunnel server and a second base station associated with a second network. The second instance of the data unit is dropped by the communication device when the first instance of the data unit is received before the second instance of the data unit.
    Type: Grant
    Filed: January 27, 2015
    Date of Patent: December 26, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: James Murphy, Abhijit Choudhury
  • Patent number: 9853854
    Abstract: An example method includes selecting, by a network device, a remote LFA next hop as an alternate next hop for forwarding network traffic from the network device to a destination, wherein the selected remote LFA next hop provides node protection to a primary next hop node on the shortest path from the network device to the destination. The method includes, for each candidate remote LFA next hop, performing a forward shortest path first (SPF) computation having the respective candidate remote LFA next hop as a root to compute a path segment between the respective candidate remote LFA next hop and the destination, wherein each of the candidate remote LFA next hops is the egress of a respective potential repair tunnel between the network device and candidate remote LFA next hop, and selecting the remote LFA next hop based at least in part on the computed path segments.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: December 26, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Pushpasis Sarkar, Hannes Gredler, Shraddha Hegde, Harish Raghuveer
  • Patent number: 9853937
    Abstract: In general, techniques are described for steering data traffic for a subscriber session from a network interface of a wireless access gateway to an anchoring one of a plurality of forwarding units of the wireless access gateway using a layer 2 (L2) address of the data traffic. For example, a wireless access gateway for a wireless local area network (WLAN) access network is described as having a decentralized data plane that includes multiple forwarding units for implementing subscriber sessions. Each forwarding unit may present a network interface for sending and receiving network packets and includes packet processing capabilities to enable subscriber data packet processing to perform the functionality of the wireless access gateway. The techniques enable steering data traffic for a given subscriber session to a particular one of the forwarding units of the wireless access gateway using an L2 address of the data traffic.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: December 26, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Krishna Sankaran, Huiyang Yang, Santosh Gupta, Prasad Chigurupati, Bin William Hong
  • Patent number: 9853898
    Abstract: In general, techniques for dynamically provisioning service chains are described. In one example a network device comprises a control unit having at least one processor coupled to a memory, wherein the control unit is configured to receive a services list comprising an ordered list of services, the ordered list of services specifying at least a first service and a second service. The network device also comprises a forwarding unit coupled to the control unit and configured to receive a packet of a packet flow from a first service node that has applied the first service to the packet, wherein the forwarding unit is configured to send, based at least on the ordered list of services, the packet to a second service node that applies the second service.
    Type: Grant
    Filed: April 29, 2015
    Date of Patent: December 26, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Saravanadas P. Subramanian, Dhiraj D. Ballal, Wladimir Araujo Filho, Venkatesh B R Gota
  • Patent number: 9847911
    Abstract: The disclosed system may include (1) a modular port concentrator that connects as a modular line card within a router to forward network packets, (2) a profile module, stored in memory, that stores an allowed port configuration profile that defines supported port configurations for the modular port concentrator, (3) a configuration module, stored in memory, that receives an attempted port configuration for the modular line card, (4) an enforcement module, stored in memory, that enforces the allowed port configuration profile by taking remedial action in response to determining that the allowed port configuration profile does not allow the attempted port configuration, and (5) at least one physical processor configured to execute the modular port concentrator, the profile module, the configuration module, and the enforcement module. Various other systems and methods are also disclosed.
    Type: Grant
    Filed: June 16, 2015
    Date of Patent: December 19, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Scott A. Gigandet, Eswaran Srinivasan, Dmitry A. Shokarev, John D. Johnson
  • Patent number: 9848006
    Abstract: A device may receive information that identifies an attack signature for detecting an intrusion. The device may determine a device configuration that is vulnerable to the intrusion, may determine an endpoint device associated with the device configuration, and may determine a time period during which the endpoint device was associated with the device configuration. The device may determine an endpoint identifier associated with the endpoint device during the time period, and may identify network traffic information associated with the endpoint identifier during the time period. The device may apply the attack signature to the network traffic information, and may determine whether the endpoint device was subjected to the intrusion during the time period based on applying the attack signature to the network traffic information. The device may selectively perform an action based on determining whether the endpoint device was subjected to the intrusion.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: December 19, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Clifford E. Kahn, Stephen R. Hanna
  • Patent number: 9846710
    Abstract: A computer-implemented method for increasing the scalability of software-defined networks may include (1) maintaining a set of databases collectively configured to (i) store a set of flow entries that direct network traffic within a software-defined network and (ii) facilitate searching the set of flow entries based at least in part on at least one key whose size remains substantially constant irrespective of the number of flow entries within the set of flow entries, (2) detecting a request to perform an operation in connection with a flow of data packets within the software-defined network, (3) identifying at least one attribute of the flow of data packets in the request, and then (4) searching, using the attribute of the flow of data packets as a database key, at least one database within the set of databases to facilitate performing the operation. Various other methods, systems, and apparatuses are also disclosed.
    Type: Grant
    Filed: May 27, 2016
    Date of Patent: December 19, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Apoorva Jindal, Rahul S. Kasralikar, Ramya Olichandran, Jainendra Kumar, Sandeep Bajaj
  • Patent number: 9847953
    Abstract: In one embodiment, an apparatus includes a switch core that has a multi-stage switch fabric. A first set of peripheral processing devices coupled to the multi-stage switch fabric by a set of connections that have a protocol. Each peripheral processing device from the first set of peripheral processing devices is a storage node that has virtualized resources. The virtualized resources of the first set of peripheral processing devices collectively define a virtual storage resource interconnected by the switch core. A second set of peripheral processing devices coupled to the multi-stage switch fabric by a set of connections that have the protocol. Each peripheral processing device from the first set of peripheral processing devices is a compute node that has virtualized resources. The virtualized resources of the second set of peripheral processing devices collectively define a virtual compute resource interconnected by the switch core.
    Type: Grant
    Filed: June 30, 2009
    Date of Patent: December 19, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Pradeep Sindhu, Gunes Aybay, Jean-Marc Frailong, Anjan Venkatramani, Quaizar Vohra
  • Patent number: 9848016
    Abstract: This disclosure describes techniques for proactively identifying possible attackers based on a profile of a device. For example, a device includes one or more processors and network interface cards to receive, from a remote device, network traffic directed to one or more computing devices protected by the device, determine, based on content of the network traffic, a first set of data points for the device, send a response to the remote device to ascertain a second set of data points for the device, and receive, from the remote device, at least a portion of the second set of data points. The device also includes a security module operable by the processors to determine a maliciousness rating, and selectively manage, based on the maliciousness rating, additional network traffic directed to the one or more computing devices protected by the security device and received from the remote device.
    Type: Grant
    Filed: November 14, 2016
    Date of Patent: December 19, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Oskar Ibatullin, Kyle Adams, Daniel J. Quinlan
  • Patent number: 9843508
    Abstract: Techniques are described for reusing downstream-assigned labels when establishing a new instance of a label switched path (LSP) prior to tearing down an existing instance of the LSP using make-before-break (MBB) procedures for RSVP. The techniques enable a routing engine of any non-ingress router along a path of the new LSP instance to reuse a previously allocated label for the existing LSP instance as the downstream assigned label for the new LSP instance when the paths of the existing LSP instance and the new LSP instance overlap. In this way, the non-ingress router does not need to update a label route in its forwarding plane for the reused label. When the new LSP instance completely overlaps the existing LSP instance, an ingress router of the LSP may avoid updating an ingress route in its forwarding plane for applications that use the LSP.
    Type: Grant
    Filed: April 9, 2015
    Date of Patent: December 12, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Minjie Dai, Yimin Shen, Raveendra Torvi, Markus Jork, Yakov Rekhter, Natrajan Venkataraman
  • Patent number: 9843513
    Abstract: An example method includes exchanging targeted hello messages to establish a targeted neighbor connection between a first routing device and a second routing device, wherein one of the routing devices comprises a central routing device, and wherein another one of the routing devices comprises an ingress routing device. The example method further includes processing a source-active register message that specifies a source address and an identifier that are collectively associated with a multicast stream, and wherein the source-active register message further indicates whether the multicast stream is active or withdrawn.
    Type: Grant
    Filed: June 2, 2015
    Date of Patent: December 12, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Vikram Nagarajan, Anish Peter, Robert W. Kebler
  • Patent number: 9838870
    Abstract: The disclosed apparatus may include (1) a reply-reception module, stored in memory, that receives, from a satellite device, an authentication reply that includes an original authentication message digitally signed by the aggregation device using a private key of the aggregation device and that is digitally signed by the satellite device using a private key of the satellite device, (2) a forwarding module, stored in memory, that forwards the authentication reply to a network management server, (3) a validation-reception module, stored in memory, that receives, from the network management server in response to forwarding the authentication reply, a validation message, and (4) an authentication module, stored in memory, that authenticates the satellite device based at least in part on receiving the validation message. Various other apparatuses, systems, and methods are also disclosed.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: December 5, 2017
    Assignee: Juniper Networks, Inc.
    Inventors: Ravindranath C Kanakarajan, Venkanna Thadishetty