Abstract: The current document is directed to methods and subsystems incorporated in computer systems that automatically detect denial-of-service (“DoS”) attacks directed to the computer systems and that deflect the denial-of-service attacks with minimal impact to legitimate network traffic. In the described implementation, an automated subsystem is incorporated into a computer system, such as a server, to automatically detect onset of high inbound network traffic symptomatic of a DoS attack and to automatically deflect the attack at the edge-router interface, or at another similar network boundary, between a distributed computer system and a wide-area network (“WAN”) and/or the Internet. DoS-attack deflection at the network boundary decreases the chance of failure and degradation within the distributed computer system by preserving network bandwidth in internal networks within the distributed computer system.
Type: Application
Filed: October 8, 2020
Publication date: April 8, 2021
Applicant: Secure64 Software Corporation
Inventors: James Grosvenor Garnett, Saksham Manchanda
Abstract: Embodiments of the present invention are directed to computationally efficient methods and systems for managing connection-associated and exchange-associated resources within network proxies. In one embodiment of the present invention, a circular connection-switch queue is employed for allocating, de-allocating, and maintaining connection-based or exchange-based data resources within a proxy. The connection-switch queue includes a free pointer that identifies a next connection-switch queue entry for allocation, and an idle pointer that is incremented continuously or at fixed intervals as timers associated with connection-switch entries expire. In an alternate embodiment, the connection-switch queue includes a free pointer, an idle pointer, and a clear pointer.
Abstract: Operating system methods and techniques for supporting one or more custom execution environments (CE2s) are provided. According to one embodiment, a determination is made with respect to which system resources of a computer system, if any, are to remain under control of a resident operating system of the computer system and which of the system resources are to be placed under control of one or more CE2s. The system resources are then partitioned among the resident operating system and the one or more CE2s by associating one or more partitions of the system resources with the one or more CE2s. Such partitioning may be performed by the resident operating system by employing hardware-based isolation techniques provided by a processor of the computer system, performed by the resident operating system by employing a secure-platform interface, or configured by a system administrator via hardware partitioning capability provided by the computer system platform.
Abstract: Methods and techniques for implementing a custom execution environment (CE2) and a related loader are provided. According to one embodiment, the CE2 includes code and data sections of an application and code and data sections of a set of system services. The set of system services has direct and full control of a set of hardware resources of a computer system containing one or more processors implementing a parallel protected architecture. According to one embodiment, the system services are designed for maximum simplicity, fastest possible speed, and elimination of security vulnerabilities.