Abstract: A method for processing communication traffic includes receiving an incoming stream of compressed data conveyed by a sequence of data packets, each containing a respective portion of the compressed data. The respective portion of the compressed data contained in the first packet is stored in a buffer, having a predefined buffer size. Upon receiving a subsequent packet, at least a part of the compressed data stored in the buffer and the respective portion of the compressed data contained in the subsequent packet are decompressed, thereby providing decompressed data. A most recent part of the decompressed data that is within the buffer size is recompressed and stored in the buffer.

Abstract: A method for error detection includes storing in an associative memory multiple data entries, each data entry including a data item together with one or more check symbols computed with respect to the data item. A predetermined sequence of search keys is applied to the memory, thereby causing the memory to generate, in parallel, match results with respect to the data entries. The match results are processed in order to identify an error in at least one of the data entries.

Abstract: A method for processing data includes encoding a finite automaton, which includes states and transitions between the states that express a plurality of predefined patterns, by grouping the states of the automaton into sets according to a common property shared by the states in each set, and assigning codes to the states according to the grouping. The codes are stored in an electronic memory, along with rules that are associated with the patterns. The automaton is traversed in order to identify one or more of the patterns in an input sequence of data elements by iteratively reading out the codes from the memory responsively to the data elements and to the codes that have been previously read out. Upon identifying a given pattern in the input sequence, an associated action is performed.

Abstract: A method for processing data includes accepting a specification of a plurality of patterns, each pattern defining a respective uncompressed sequence of symbols. Multi-pattern matching is applied to an incoming stream of compressed communication traffic containing compression metadata so as to identify the patterns occurring in the stream while using the compression metadata to skip over parts of the stream.

Abstract: A method for processing communication traffic includes receiving an incoming stream of compressed data conveyed by a sequence of data packets, each containing a respective portion of the compressed data. The respective portion of the compressed data contained in the first packet is stored in a buffer, having a predefined buffer size. Upon receiving a subsequent packet, at least a part of the compressed data stored in the buffer and the respective portion of the compressed data contained in the subsequent packet are decompressed, thereby providing decompressed data. A most recent part of the decompressed data that is within the buffer size is recompressed and stored in the buffer.

Abstract: A method for error detection includes storing in an associative memory (24, 50, 70) multiple data entries (30), each data entry including a data item (28) together with one or more check symbols (40) computed with respect to the data item. A predetermined sequence of search keys (32) is applied to the memory, thereby causing the memory to generate, in parallel, match results with respect to the data entries. The match results are processed in order to identify an error in at least one of the data entries.

Abstract: A method for processing data includes accepting a specification of a plurality of patterns, each pattern defining a respective uncompressed sequence of symbols. Multi-pattern matching is applied to an incoming stream of compressed communication traffic containing compression metadata so as to identify the patterns occurring in the stream while using the compression metadata to skip over parts of the stream.

Abstract: A method for processing data includes encoding a finite automaton, which includes states and transitions between the states that express a plurality of predefined patterns, by grouping the states of the automaton into sets according to a common property shared by the states in each set, and assigning codes to the states according to the grouping. The codes are stored in an electronic memory, along with rules that are associated with the patterns. The automaton is traversed in order to identify one or more of the patterns in an input sequence of data elements by iteratively reading out the codes from the memory responsively to the data elements and to the codes that have been previously read out. Upon identifying a given pattern in the input sequence, an associated action is performed.

Abstract: A method for communication management includes detecting addresses of peer nodes (34) belonging to a service layer (30) of a distributed application running on a computer network (22). Responsively to the detected addresses, filtering of communication traffic transmitted by client computers (26) is actuated so as to limit access by the client computers to the distributed application.

Abstract: Methods and apparatus for protecting against and/or responding to an overload condition at a node (“victim”) in a distributed network divert traffic otherwise destined for the victim to one or more other nodes, which can filter the diverted traffic, passing a portion of it to the victim, and/or effect processing of one or more of the diverted packets on behalf of the victim. Diversion can be performed by one or more nodes (collectively, a “first set” of nodes) external to the victim. Filtering and/or effecting traffic processing can be performed by one or more nodes (collectively, a “second set” of nodes) also external to the victim. Those first and second sets can have zero, one or more nodes in common—or, put another way, they may wholly, partially or not overlap. The methods and apparatus have application in protecting nodes in a distributed network, such as the Internet, against distributed denial of service (DDoS) attacks.

Abstract: An improved network device that controls throughput of packets received thereby, e.g., to downstream devices or to downstream logic contained within the same network device. The network device comprises a scheduler that schedules one or more packets of a selected class for throughput as a function of a weight of that class and weights of one or more other classes. The weight of at least the selected class is dynamic and is a function of a history of volume of packets received by the network device in the selected class. An apparatus for protecting against overload conditions on a network, e.g., of the type caused by DDoS attacks, has a scheduler and a token bucket mechanism, e.g., as described above. Such apparatus can also include a plurality of queues into which packets of the respective classes are placed on receipt by the apparatus. Those packets are dequeued by the scheduler, e.g., in the manner described above, for transmittal to downstream devices (e.g., potential victim nodes) on the network.

Abstract: A method for communication includes coupling a first port of a Layer-3 packet router to receive communication traffic from a network, the traffic including packets destined for a target address, which is accessible via a second port of the router. At the router, the packets that are destined for the target address are diverted to a traffic processor via a third port of the router. The diverted packets are processed at the traffic processor, and returning the processed packets to the router via the third port. At the router, the processed packets are conveyed from the third port to the second port for delivery to the target address.

Abstract: A method of routing a data packet from a forwarding router to a downstream router. The data packet header includes an address that includes a bit string. The forwarding router looks up, in a forwarding database, a prefix that best matches the bit string. The forwarding router then attaches to the data packet a clue that is related to the best matching prefix, and forwards the data packet to the downstream router. The downstream router looks up, in a downstream database, and with reference to the clue, another prefix that best matches the bit string. Because the databases of neighboring routers are similar, the clue either directly determines the best matching prefix at the downstream router or provides the downstream router with a good starting point for its lookup.

Abstract: An improved network device that controls throughput of packets received thereby, e.g., to downstream devices or to downstream logic contained within the same network device. The network device comprises a scheduler that schedules one or more packets of a selected class for throughput as a function of a weight of that class and weights of one or more other classes. The weight of at least the selected class is dynamic and is a function of a history of volume of packets received by the network device in the selected class. An apparatus for protecting against overload conditions on a network, e.g., of the type caused by DDoS attacks, has a scheduler and a token bucket mechanism, e.g., as described above. Such apparatus can also include a plurality of queues into which packets of the respective classes are placed on receipt by the apparatus. Those packets are dequeued by the scheduler, e.g., in the manner described above, for transmittal to downstream devices (e.g., potential victim nodes) on the network.

Abstract: Methods and apparatus for protecting against and/or responding to an overload condition at a node (“victim”) in a distributed network divert traffic otherwise destined for the victim to one or more other nodes, which can filter the diverted traffic, passing a portion of it to the victim, and/or effect processing of one or more of the diverted packets on behalf of the victim. Diversion can be performed by one or more nodes (collectively, a “first set” of nodes) external to the victim. Filtering and/or effecting traffic processing can be performed by one or more nodes (collectively, a “second set” of nodes) also external to the victim. Those first and second sets can have zero, one or more nodes in common—or, put another way, they may wholly, partially or not overlap. The methods and apparatus have application in protecting nodes in a distributed network, such as the Internet, against distributed denial of service (DDoS) attacks.