Abstract: A computing system and related method protect a computer network connection manager's resources from attempted resource attacks by extracting SrcIP and TTL values from received data packet headers. Extracted SrcIP and TTL values are analyzed to determine the probability that a received data packet is malicious. If the probability exceeds a specified threshold, resources are denied, and the packet is dropped. If the specified threshold is not exceeded, resources are allocated to the received data packet. The SrcIP reputation score, TTL value frequency, SrcIP frequency, SrcIP geo-location, and resource occupancy may all be used in computing the probability of a malicious data packet. These factors may be weighted and summed to calculate the probability of a malicious data packet.

Abstract: A computing system and related method protect a computer network connection manager's resources from attempted resource attacks by extracting SrcIP and TTL values from received data packet headers. Extracted SrcIP and TTL values are analyzed to determine the probability that a received data packet is malicious. If the probability exceeds a specified threshold, resources are denied, and the packet is dropped. If the specified threshold is not exceeded, resources are allocated to the received data packet. The SrcIP reputation score, TTL value frequency, SrcIP frequency, SrcIP geo-location, and resource occupancy may all be used in computing the probability of a malicious data packet. These factors may be weighted and summed to calculate the probability of a malicious data packet.

Abstract: In general, techniques are described for enhancing operations of virtual networks. In some examples, a network system includes a plurality of servers interconnected by a switch fabric comprising a plurality of switches interconnected to form a physical network. Each of the servers comprises an operating environment executing one or more virtual machines in communication via one or more virtual networks. The servers comprise a set of virtual routers configured to extend the virtual networks to the operating environments of the virtual machines. A virtual router of the set of virtual routers is configured to aggregate a plurality of inbound tunnel packets according to a same virtual network identifier in order to generate an aggregate tunnel packet. The virtual router is further configured to route the aggregate tunnel packet to a host associated with a virtual network identified by the same virtual network identifier.

Abstract: In general, techniques are described for enhancing operations of virtual networks. In some examples, a network system includes a network interface card of a server configured to receive a tunnel packet associated with a virtual network. The tunnel packet comprises an outer header associated with the physical network, the outer header encapsulating an inner packet comprising an inner header associated with the virtual network and a payload. A first processing core of the server is configured to perform, based at least on one of the outer header and inner header of the tunnel packet, a first packet steering operation to identify the second processing core. The second processing core is configured to forward the inner packet to a virtual machine of the virtual machines.

Abstract: In general, techniques are described for enhancing operations of virtual networks. In some examples, a network system includes a plurality of servers interconnected by a switch fabric comprising a plurality of switches interconnected to form a physical network. Each of the servers comprises an operating environment executing one or more virtual machines in communication via one or more virtual networks. The servers comprise a set of virtual routers configured to extend the virtual networks to the operating environments of the virtual machines. A virtual router of the set of virtual routers is configured to aggregate a plurality of inbound tunnel packets according to a same virtual network identifier in order to generate an aggregate tunnel packet. The virtual router is further configured to route the aggregate tunnel packet to a host associated with a virtual network identified by the same virtual network identifier.

Abstract: In general, techniques are described for enhancing operations of virtual networks. In some examples, a network system includes a server that executes a virtual router configured to receive, from a switch fabric, a tunnel packet for a virtual network of the virtual networks, wherein the tunnel packet comprises an outer header and an inner packet that defines a packet flow. The virtual router is also configured to determine, based at least on the outer header, that the packet is associated with a virtual network of the one or more virtual networks, determine a packet flow defined by the inner packet does not match any flow table entry of a flow table that identifies active flows only for virtual network and, in response, add a flow table entry for a reverse packet flow of the packet flow to the flow table.

Abstract: In general, techniques are described for enhancing operations of virtual networks. In some examples, a network system includes a network interface card of a server configured to receive a tunnel packet associated with a virtual network. The tunnel packet comprises an outer header associated with the physical network, the outer header encapsulating an inner packet comprising an inner header associated with the virtual network and a payload. A first processing core of the server is configured to perform, based at least on one of the outer header and inner header of the tunnel packet, a first packet steering operation to identify the second processing core. The second processing core is configured to forward the inner packet to a virtual machine of the virtual machines.