Abstract: This disclosure describes systems, methods, and devices related to activating services and devices in a telecommunications network. A method may include receiving a user request for a service facilitated by a telecommunications network; identifying, based on the service, a device or port to which the user connects to access the telecommunications network; sending, based on the device or port, discovery commands to retrieve information from one or more additional devices in the telecommunications network; retrieving, based on the discovery commands, the information from the one or more additional devices; identifying, based on the information, a second device to which the device or port may connect to generate a path to an endpoint of the telecommunications network; generating, based on the device or port and the second device, a path from a location of the user to the endpoint; and provisioning the service for the user based on the path.

Abstract: Automatic testing/analysis of local loops of telecommunications networks includes obtaining bits-per-tone data for a local loop of a telecommunications network and generating a bit value string from the bits-per-tone data. The bit value string is then analyzed to determine whether it includes a bit pattern indicative of an impairment of the local loop. Further approaches for automatically testing local loops of telecommunications networks include obtaining attenuation data for multiple tones carried by the local loop and determining whether the attenuation data falls below thresholds for providing a service using the local loop.

Abstract: This disclosure describes systems, methods, and devices related to automating and testing communication network topologies.

Abstract: The present disclosure is directed to consolidation of STP pairs without deploying new STP pairs and without making changes at a Service Switching Point to reflect the consolidation. In one aspect, a method includes identifying a first pair of signal transfer point devices to be decommissioned from a telecommunication network; identifying a second pair of signal transfer point devices to assume, in part, functionalities of the first pair of signal transfer point devices, each signal transfer point device of the first pair and the second pair having at least one primary point code and at least one secondary point code assigning a temporary secondary point code to each signal transfer point device of the first pair; and modifying at least one secondary point code of each signal transfer point device of the second pair with a primary point code of at least one signal transfer point device of the first pair.

Abstract: A server configuration tool is presented for autonomously configuring servers located in a network. The tool may autonomously configure multiple servers in parallel based on individual states of the servers, which may be periodically and simultaneously determined. For example, the tool may determine which action to take to begin or continue configuring the server based on the present state of each server. Server states (and corresponding actions) can be edited through a user interface to alter the server configuration process without code changes. At any one time, multiple servers may be in different states requiring different configuration operations to configure the servers to be ready for use. The present systems and methods can be used to move multiple servers iteratively through different configuration actions based on the individual state of each server and to perform non-conflicting configuration operations for multiple servers in parallel.

Abstract: Novel tools and techniques are provided for implementing web-based monitoring and detection of fraudulent or unauthorized use of voice calling service. In various embodiments, a computing system might receive, from a user device associated with an originating party, a request to initiate a call session with a destination party, the request comprising user information associated with the originating party and a destination number associated with the destination party; might query a database with session data (including user information) to access permission data and configuration data; and might configure fraud logic using received configuration data from the database. The computing system might analyze the session data and permission data using the configured fraud logic to determine whether the originating party is permitted to establish the requested call session with the destination party; if so, might initiate one or more first actions; and, if not, might initiate one or more second actions.

Abstract: The present disclosure describes providing an attestation level to a received communication. The attestation level may be used to communicate a level of security to a network or a called party that receives the communication. The attestation level associated with the communication may indicate to a destination network and/or recipient that the phone number associated with the communication is secure and/or the telephone number has not been spoofed. Determining the attestation level comprises comparing information associated with the communication with stored information and assigning a code based on the comparison. The code may be translated to a tag value that is used to direct the communication to a signing server for attesting the communication at the determined attestation level.

Abstract: Authorization for a user may be dynamically tailored per application or per application function, rather than globally managed by an administrator. For example, in some embodiments, an identity access management system may generate a suitable authorization token (or authorization token information) to enable a user to login to an application or perform a particular function. The authorization token may be dynamically generated and tailored based on filtering various identity information otherwise available from an identity system, access boundaries of applicable application functions, or other factors.

Abstract: The present application describes systems and methods for filtering of malicious domain name system (DNS) queries. A DNS filter inspects a DNS query and drops the DNS query if the DNS query is deemed invalid. The DNS filter allows or drops the DNS query based on a set of rules. The set of rules includes one or more criteria for the validity or invalidity one or more DNS query attributes. The DNS filter logs the dropped DNS queries and provides them to the security analysis service for further investigation. In some examples, the DNS filter runs in a container or a virtual machine (VM) on the same system as the DNS server, or on a separate system in-line with the DNS servers.

Abstract: A network filter request arbiter is provided. An interface (e.g., user interface and/or programmatic interface, such as an application programming interface (API)), is for configuring and automatically implementing one or more filters in an internal and/or external network. The filters may be used to stop distributed denial of service (DDOS) attacks and/or prevent malicious network traffic from reaching a target network or target device(s) within the target network. Filters implemented in a target network may also be distributed to other (e.g., upstream) networks. The distributed filters may similarly be used to stop DDOS attacks and/or prevent malicious network traffic from being carried by the networks and from reaching a target network or target device(s) within the target network.

Abstract: The present application describes systems and methods for secured network information transmission. A network tunnel may be established from a customer premises equipment (CPE) to a routing device at a provider site. The network tunnel may traverse over one or more networks while maintaining a secure path for data. A customer may indicate a chosen configuration for a CPE, and a device at a provider site, a customer device, and/or the CPE itself may automatically, or manually, configure the CPE based on the chosen configuration to allow and/or disallow certain customer network information from being received and/or transmitted through the network tunnel.

Abstract: Systems and methods for dynamically mitigating a DDOS attack. In an aspect, the technology relates to a computer-implemented method for dynamically mitigating a distributed-denial-of-service (DDOS) attack. The computer-implemented method may include detecting a DDOS attack directing malicious traffic to a target, identifying one or more source locations of the malicious traffic, and in response to detecting the DDOS attack, activating one or more scrub clusters in the identified one or more source locations of the malicious traffic. The method may further include directing traffic intended for the target to the to the activated one or more scrub clusters, detecting an end of the DDOS attack, and in response to detecting the end of the DDOS attack, deactivating the one or more scrub clusters to release hardware resources.

Abstract: This disclosure describes systems, methods, and devices related to managing egress traffic from a network to one or more peer networks. A method may include generating, using a load balancer of a network, a dynamic logical egress traffic threshold for a peer network; determining, using the load balancer, that first traffic from the network to the peer network is below the logical egress traffic threshold; directing second traffic from the network to the peer network based on the determination that the first traffic is below the logical egress traffic threshold; determining, using the load balancer, that the second traffic from the network to the peer network has reached the logical egress traffic threshold; and directing third traffic from the network away from the peer network based on the determination that the second traffic has reached the logical egress traffic threshold.

Abstract: The present application describes systems and methods for network-based blocking threat intelligence. An access control list (ACL) generator may modify ACLs and provide modified ACLs to provider edge routers based on the capabilities of the provider edge routers. In some cases, an additional provider edge router that is more capable of implementing longer ACLs may be used. In some cases, a collector may identify when threat communications are bypassing provider edge routers with limited ACL lengths and provide the customer an opportunity to buy a better router or access to an additional router that supports longer or additional ACLs. A threat intelligence system may update (e.g., continuously update) the ACL provided to the ACL generator, and the ACL generator may accordingly update the modified ACLs provided to the provider edge routers.

Abstract: This disclosure describes systems, methods, and devices related to managing network capacity using cloud edge providers. A method may include identifying, by an edge device of a network, a request for network capacity received via an application programming interface (API), from a user of the network; identifying offers received via the API by cloud edge providers; determining that the network capacity is available at at least one of the cloud edge providers based on the offers; deploying an edge server at the at least one of the cloud edge providers based on the network capacity being available at the at least one of the cloud edge providers; and directing traffic between the user and the edge server based on the deployment.

Abstract: A route viewing system includes a computing system that receives information associated with one or more routes through a network, and identifies the routes that are associated with at least one illicit user computer used by an illicit user. The computing system then obtains a source location of a source address of the routes and a destination location of a destination address of the routes, and displays the routes on a geographical display at the source location of the source address and the destination location of the destination address of each of the routes.

Abstract: Novel tools and techniques are provided for implementing cloud-based voice calling service, video calling service, and/or over-the-top (“OTT”) services. In various embodiments, with a unified communications and collaboration interconnection (“UCCI”) interconnection established between separate hyperscalers or communication service providers that have separate administrative domains, Internet Protocol (“IP”) based communications services may be instantiated between a first user device or a first telephone number (or call identifier (“ID”)) via a first hyperscaler and a second user device or a second telephone number (or call ID) via a second hyperscaler, without touching or traversing the public switched telephone network (“PSTN”).

Abstract: Implementations described and claimed herein provide systems and methods for custom-defined network routing. In one implementation, a set of custom defined network flow rules is received at an edge router of a primary network, which is in communication with a customer network. The set of custom defined network flow rules correspond to network traffic associated with the customer network. The set of custom defined network flow rules is stored in a forwarding table on the edge router. A packet of data is received at the edge router. The packet of data is attributed to the customer network. The set of custom defined network flow rules is applied to the pack of data using the forwarding table.

Abstract: Embodiments provide system and methods for a DDoS service using a mix of mitigation systems (also called scrubbing centers) and non-mitigation systems. The non-mitigation systems are less expensive and thus can be placed at or near a customer's network resource (e.g., a computer, cluster of computers, or entire network). Under normal conditions, traffic for a customer's resource can go through a mitigation system or a non-mitigation system. When an attack is detected, traffic that would have otherwise gone through a non-mitigation system is re-routed to a mitigation system. Thus, the non-mitigation systems can be used to reduce latency and provide more efficient access to the customer's network resource during normal conditions. Since the non-mitigation servers are not equipped to respond to an attack, the non-mitigation systems are not used during an attack, thereby still providing protection to the customer network resource using the mitigation systems.

Abstract: Novel tools and techniques are provided for implementing emergency call record and address validation. In various embodiments, a computing system may simultaneously initiate two or more test calls among a plurality of test calls to an emergency service provider system. Each test call may simulate an emergency services validation call initiated from a telephone number among a plurality of telephone numbers associated with a corresponding plurality of users to request a determination as to whether a 911 or enhanced 911 (“E911”) address associated with the telephone number is an accurate 911 or E911 address. In response to receiving a corresponding plurality of call responses from the emergency service provider system, the computing system may analyze each call response to determine a result of each corresponding simulated emergency services validation call; and may send each determined result to a corresponding requesting party.