Abstract: Disclosed are various examples for threat detection and security for edge devices in communication with Internet-of-Things (IoT) devices. In one example, a baseline behavior profile for a gateway virtual machine is transmitted from a management service to a gateway security process executed in a gateway device. The management service receives an anomaly notification including an indication of an anomaly from the baseline behavior profile. The managements service generates a user interface that shows a description of the anomaly.

Abstract: Disclosed are various examples for threat detection and security for edge devices in communication with Internet-of-Things (IoT) devices. In one example, a baseline behavior profile for a gateway virtual machine is transmitted from a management service to a gateway security process executed in a gateway device. The management service receives an anomaly notification including an indication of an anomaly from the baseline behavior profile. The managements service generates a user interface that shows a description of the anomaly.

Abstract: Disclosed are various examples for threat detection and security for edge devices in communication with Internet-of-Things (IoT) devices. In one example, a profile is associated with a virtual machine of a gateway device. The profile includes an expected behavior for the virtual machine. The virtual machine is executed by a hypervisor of the gateway device. An actual behavior for the virtual machine is determined. A remedial action is performed. The remedial action is based on an anomaly between the expected behavior and the actual behavior.

Abstract: Disclosed are various examples for threat detection and security for edge devices in communication with Internet-of-Things (IoT) devices. In one example, a profile is associated with a virtual machine of a gateway device. The profile includes an expected behavior for the virtual machine. The virtual machine is executed by a hypervisor of the gateway device. An actual behavior for the virtual machine is determined. A remedial action is performed. The remedial action is based on an anomaly between the expected behavior and the actual behavior.

Abstract: A system and method supporting efficient, scalable stateful switchover of transport layer connections in a telecommunications network element. One method involves receiving, at a network element comprising an active transport protocol process coupled to a standby protocol process, a request to configure a first transport layer connection maintained at the active transport protocol process for stateful switchover; receiving an event associated with the first transport layer connection; creating a message containing replicated event information based on the received event; sending the message to the standby transport protocol process; and processing the message at the standby transport protocol process, wherein the standby transport protocol process replicates state information for the first connection.

Abstract: A system and method supporting efficient, scalable stateful switchover of transport layer connections in a telecommunications network element. One method involves receiving, at a network element comprising an active transport protocol process coupled to a standby protocol process, a request to configure a first transport layer connection maintained at the active transport protocol process for stateful switchover; receiving an event associated with the first transport layer connection; creating a message containing replicated event information based on the received event; sending the message to the standby transport protocol process; and processing the message at the standby transport protocol process, wherein the standby transport protocol process replicates state information for the first connection.

Abstract: A system and method supporting efficient, scalable stateful switchover of transport layer connections in a telecommunications network element. One method involves receiving, at a network element comprising an active transport protocol process coupled to a standby protocol process, a request to configure a first transport layer connection maintained at the active transport protocol process for stateful switchover; receiving an event associated with the first transport layer connection; creating a message containing replicated event information based on the received event; sending the message to the standby transport protocol process; and processing the message at the standby transport protocol process, wherein the standby transport protocol process replicates state information for the first connection.

Abstract: A method of modifying network identifiers at data servers is disclosed. A virtual private network (VPN) gateway server generates a Hypertext Transfer Protocol (HTTP) request. The HTTP request not only requests data from a data server that is within a VPN, but also instructs the data server to modify (“mangle”) URLs that are contained within the requested data so that the URLs refer to the VPN gateway server. The VPN gateway server sends the HTTP request toward the data server. As a result, the data server modifies the URLs so that the VPN gateway server does not need to. When such a modified URLs is selected in a web browser, the web browser generates an HTTP request that is directed to the VPN gateway server's URL, which, unlike the unmodified URLs, can be resolved by domain name servers that are outside of the VPN.

Abstract: A system and method supporting efficient, scalable stateful switchover of transport layer connections in a telecommunications network element. One method involves receiving, at a network element comprising an active transport protocol process coupled to a standby protocol process, a request to configure a first transport layer connection maintained at the active transport protocol process for stateful switchover; receiving an event associated with the first transport layer connection; creating a message containing replicated event information based on the received event; sending the message to the standby transport protocol process; and processing the message at the standby transport protocol process, wherein the standby transport protocol process replicates state information for the first connection.

Abstract: A system and method supporting efficient, scalable stateful switchover of transport layer connections in a telecommunications network element. One method involves receiving, at a network element comprising an active transport protocol process coupled to a standby protocol process, a request to configure a first transport layer connection maintained at the active transport protocol process for stateful switchover; receiving an event associated with the first transport layer connection; creating a message containing replicated event information based on the received event; sending the message to the standby transport protocol process; and processing the message at the standby transport protocol process, wherein the standby transport protocol process replicates state information for the first connection.

Abstract: A method of preventing an attack on a network, the method comprising the computer-implemented steps of receiving an ICMP packet that includes a copy of a header associated with a connection in a connection-oriented transport protocol; obtaining a packet sequence value from the header; determining if the packet sequence value is valid; and updating a parameter value associated with the transport protocol connection only if the packet sequence value is determined to be valid. Use of the disclosed method enables authenticating ICMP packets so that responsive measures of a network element, such as adjusting an MTU value, are performed only when the ICMP packet is determined to be authentic.

Abstract: A method detects a change in TCP receive window size while preventing fragmentation of data. A TCP stack receives a segment that advertises a receive window size of zero. If data needs to be sent, and only if so, a timer is started. When the timer expires, a TCP segment that contains a first sequence number value equal to second sequence number representing sent but unacknowledged data minus one, and a segment length value of zero, is sent. Without sending a fragment of data, this triggers a peer TCP process to send an updated window size. A TCP ACK segment is received and contains an updated receive window size. If the updated receive window size is greater than a specified value, then the data is sent. Otherwise, a counter is incremented, and the steps are re-performed if the counter is less than a specified value.

Abstract: Techniques are provided for updating best path based on real-time congestion feedback. A method comprises monitoring packets received from an internetworked system, wherein the packets are received on one of a plurality of external interfaces of a networking device; detecting that a received packet includes real-time information that signals a present or pending congestion condition on a path from the external interfaces of the networking device to the internetworked system; notifying a control logic of the real-time information; receiving from the control logic control information defining a change in one or more paths from the external interfaces to the internetworked system; and changing the one or more paths from the external interfaces to the internetworked system. Examining ingress traffic on external interfaces of an internetworked system can cause changes to routes, routing policies and PBRs in routers of the first internetworked system in response to real-time congestion.

Abstract: Approaches for preventing TCP RST attacks intended to cause denial of service in packet-switched networks are disclosed. In one approach, upon receiving a TCP RST packet, an endpoint node determines whether the TCP segment contains valid authentication information. The TCP RST segment is accepted and the TCP connection is closed only when the authentication information is valid. Authentication information may comprise a reset type values, and either initial sequence numbers of both endpoints, or a copy of a TCP header and options values previously sent by the endpoint node that is performing the authentication. Thus, attacks are thwarted because an attacker cannot know or reasonably guess the required authentication information.

Abstract: Approaches for preventing TCP RST attacks and TCP SYN attacks in packet-switched networks are disclosed. In one approach, upon receiving a TCP RST packet, a first endpoint node challenges the second endpoint node in the then-current connection using an acknowledgement message. If the connection is genuinely closed, the second endpoint node responds with a RST packet carrying an expected next sequence value. The first endpoint node takes no action if no RST packet is received. Thus, attacks are thwarted because an attacker does not receive the acknowledgment message and therefore cannot provide the exact expected next sequence value.

Abstract: Approaches are disclosed for switching transport protocol connection keys. A method of automatically changing a message authentication key at each of two endpoints of a connection in a telecommunications network comprises testing a sequence value received in each of a plurality of data segments on the connection; and selecting a next message authentication key, from among a plurality of stored message authentication keys, for use in authenticating subsequently received data segments, when the sequence value matches a specified characteristic.

Abstract: A network element implementing a method for determining an optimal maximum transmission unit (MTU) value on a path between two nodes in a network is described. A sending node interested in learning the optimal MTU path value allows fragmentation of datagrams sent on the path, selects an initial MTU, and sends one or more data packets to a receiving node. Upon receiving the data the receiver determines if fragmentation occurred. If no fragmentation occurred then the MTU path selected is the optimal MTU for the given path between the nodes. If fragmentation did occur then the sender is notified that the selected MTU was not the optimal MTU for the path. Either the receiver proposes a new MTU for the path, or the sender selects a new, smaller MTU. The process repeats until the receiver detects no fragmentation.

Abstract: Approaches are disclosed for switching transport protocol connection keys. A method of automatically changing a message authentication key at each of two endpoints of a connection in a telecommunications network comprises testing a sequence value received in each of a plurality of data segments on the connection; and selecting a next message authentication key, from among a plurality of stored message authentication keys, for use in authenticating subsequently received data segments, when the sequence value matches a specified characteristic.

Abstract: Approaches for preventing TCP RST attacks and TCP SYN attacks in packet-switched networks are disclosed. In one approach, upon receiving a TCP RST packet, a first endpoint node challenges the second endpoint node in the then-current connection using an acknowledgement message. If the connection is genuinely closed, the second endpoint node responds with a RST packet carrying an expected next sequence value. The first endpoint node takes no action if no RST packet is received. Thus, attacks are thwarted because an attacker does not receive the acknowledgment message and therefore cannot provide the exact expected next sequence value.

Abstract: Techniques are provided for updating best path based on real-time congestion feedback. A method comprises monitoring packets received from an internetworked system, wherein the packets are received on one of a plurality of external interfaces of a networking device; detecting that a received packet includes real-time information that signals a present or pending congestion condition on a path from the external interfaces of the networking device to the internetworked system; notifying a control logic of the real-time information; receiving from the control logic control information defining a change in one or more paths from the external interfaces to the internetworked system; and changing the one or more paths from the external interfaces to the internetworked system. Examining ingress traffic on external interfaces of an internetworked system can cause changes to routes, routing policies and PBRs in routers of the first internetworked system in response to real-time congestion.