Abstract: A Virtual Router (VR) is described that can move freely from one physical router to another in a network. Embodiments enable a network operator to configure a network management primitive that supports live migration of VRs from one physical router to another. To minimize disruptions, VRs allow a migrated control plane from a source router to clone its data plane state from the source router at a destination router while continuing to update its data plane state at the source router. Embodiments temporarily forward packets using both router location data planes to support asynchronous migration of links.

Abstract: Systems and methods are described that employ multi-path BGP to realize dynamic multi-path load balancing based on an Intelligent Route Service Control Point (IRSCP) router control architecture that uses dynamic traffic flow information to perform dynamic load balancing to enable precise and effective load balancing.

Abstract: A route control architecture allows a network operator to flexibly control routing between the traffic ingresses and egresses in a computer network, without modifying existing routers. An intelligent route service control point (IRSCP) replaces distributed BGP decision processes of conventional network routers with a route computation that is flexible and logically centralized but physically distributed. One embodiment supplements the traditional BGP decision process with a ranking decision process that allows route-control applications to explicitly rank traffic egresses on a per-destination, per-router basis. A straightforward set of correctness requirements prevents routing anomalies in implementations that are scalable and fault-tolerant.

Abstract: Systems and methods are described that manage routing information in an IP network using extensible indexing and use the indexing to control the network. The indexing and associated controls apply to any router within the routing domain.

Abstract: A method of managing a network application includes identifying a network path for the network application, obtaining network performance measurements along the network path, obtaining application performance information for the network application, and extracting infrastructure specific information for the infrastructure supporting the network application. The method further includes correlating the application performance information, network performance measurements, and the infrastructure specific information to identify a performance issue affecting the network application, and modifying the application behavior, the network behavior, or any combination thereof in response to the performance issue.

Abstract: A route control architecture allows a network operator to flexibly control routing between the traffic ingresses and egresses in a computer network, without modifying existing routers. An intelligent route service control point (IRSCP) replaces distributed BGP decision processes of conventional network routers with a route computation that is flexible and logically centralized but physically distributed. One embodiment supplements the traditional BGP decision process with a ranking decision process that allows route-control applications to explicitly rank traffic egresses on a per-destination, per-router basis. A straightforward set of correctness requirements prevents routing anomalies in implementations that are scalable and fault-tolerant.

Abstract: A system for providing content includes a plurality of content delivery servers and a routing control module. Each of the content delivery servers is configured to receive a first request from a client system sent to an anycast IP address for the content, and to provide a first portion of the content to the client system. Each of the content delivery servers is further configured to receive a second request from the client system sent to the anycast IP address for a second portion of the content, and to provide the second portion of the content to the client system. The routing control module is configured to modify the routing of the anycast address from a first content delivery server to a second content delivery server.

Abstract: A domain name server includes a processor configured to receive a request from a requester for an edge cache address, identify a first edge cache serving content requests to an anycast address from the requester, and determine a load of first edge cache. The processor is further configured to provide unicast address of an alternate edge cache to requester in response to the request when the load exceeds a threshold or to provide anycast address to requester in response to request when the load is below the threshold.

Abstract: Live router migration is implemented by separating the logical features of a virtual router from its physical features. Tunnels are established between a source (physical) router and a destination (physical) router, allowing the control plane of the virtual router being migrated to send and receive messages from the destination router. The control plane information is then transferred to the destination router, which functions to clone the data plane at the destination router. Outgoing links from the destination router are then be established. The double appearance of the data plane at both the source and destination routers allows for the data plane information to be transferred asynchronously over to the destination router. Once all of the data plane information has been transferred, incoming data traffic links at the destination router can be established and the tunnels between the routers taken down.

Abstract: A cache server for providing content includes a processor configured to receive a first datagram from a client system sent to an anycast address, send a response datagram to the client system in response to the first datagram, receive a request datagram from the client system sent to the anycast address, and send a batch of content datagrams to the client system. The first datagram includes a universal resource locator corresponding to the content. The response datagram includes a content identifier for the content. The request datagram includes the content identifier, an offset, and a bandwidth indicator. The batch of content datagrams includes a portion of the content starting at the offset.

Abstract: Disclosed is a method and system for identifying a controller of a first computer transmitting a network attack to an attacked computer. To identify an attacker implementing the attack on the attacked computer, the present invention traces the attack back to the controller one hop at a time. The invention examines traces of the attacked computer to identify the first computer. Traffic transmitted to the first computer is redirected through a monitoring complex before being transmitted to the first computer. The controller is then detected from traffic monitoring by the monitoring complex.

Abstract: Described is a system and method for receiving a data packet including a destination address and a source address, the data packet corresponding to a port number, assigning an address risk value for the data packet based on the source address and a port risk value for the data packet based on the port number. The data packet is categorized into a community based on the source address, wherein the community is predefined by a user corresponding to the destination address, the community includes a utility value. The address risk value and the port risk value are compared to the utility value to yield a benefit coefficient and the data packet is treated based on the benefit coefficient.

Abstract: A networking device connects to a router and to an autonomous system (AS). The networking device receives a routing table from the router, exchanges routing information with the AS, updates the routing table in response to exchanging information with the AS, coalesces the updated routing table into a compressed routing table, and sends the compressed routing table back to the router. The compressed routing table causes the router to forward data in a manner that is identical to the received routing table.

Abstract: A system includes first, second, and third content servers, and an edge server. The first, second, and third content servers each are configured to cache content. The edge server is in communication with the first, second, and third content servers. The edge server is configured to receive a content request, and to request different portions of the content from each of the first, second, and third content servers based on a network cost of each of the first, second, and third content servers.

Abstract: Systems and methods are described that manage routing information in an IP network using extensible indexing and use the indexing to control the network. The indexing and associated controls apply to any router within the routing domain.

Abstract: A method includes receiving a request for an edge cache address, and comparing a requester address to an anycast group. The method can further include providing an anycast edge cache address when the requestor address is in the anycast group. Alternatively, the method can further include determining an optimal cache server, and providing a unicast address of the optimal cache server when the requester address is not in the anycast group.

Abstract: A system and method for filtering unwanted Internet Protocol traffic based on blacklists receives a first blacklist containing a first plurality of Internet protocol addresses associated with unwanted Internet traffic. The system also operates a first plurality of access control lists adapted to block the unwanted Internet traffic from one of the first Internet protocol addresses listed in the first blacklist. The system also assigns a first weight to each of the first Internet protocol addresses based on a reliability of Internet traffic from each of the first Internet protocol addresses. Additionally, the system reduces a first number of the first access control lists to optimally trade off a number of desirable Internet protocol addresses blocked with a number of bad Internet protocol addresses blocked based on the first weight of each of the first Internet protocol addresses.

Abstract: Methods and apparatus to dynamically control access from VPNs to shared resources are disclosed. A disclosed example route reflector comprises a memory to implement a database, a user interface module to receive a request to permit access for a VPN to a shared resource, a BGP engine to process BGP advertisements, a network interface to receive a first BGP advertisement from a PE router associated with the VPN that includes a first RT associated with the VPN, and a shared resource access controller to update the database based on the request, to query the database to determine whether the VPN has access to the shared resource in response to the first BGP advertisement, and to direct the BGP engine to form a second BGP advertisement based on the first BGP advertisement that includes a second RT associated with the shared resource when the VPN has access to the shared resource.

Abstract: According to an aspect of this invention, a method to detect phishing URLs involves: creating a whitelist of URLs using a first regular expression; creating a blacklist of URLs using a second regular expression; comparing a URL to the whitelist; and if the URL is not on the whitelist, comparing the URL to the blacklist. False negatives and positives may be avoided by classifying Internet domain names for the target organization as “legitimate”. This classification leaves a filtered set of URLs with unknown domain names which may be more closely examined to detect a potential phishing URL. Valid domain names may be classified without end-user participation.

Abstract: A method includes receiving a plurality of radio frequency (RF) channels in parallel at a receive site, and demodulating the RF channels using a plurality of demodulators of the receive site to generate a plurality of streams of packets, each stream of packets having a first address space. The method also includes combining the plurality of streams of packets at a tunneling destination of the receive site to generate a first stream of packets having a second address space.