Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device.

Abstract: The present disclosure relates to methods and systems for dynamically changing an advertised window for a transport layer connection. A device can receive data from a server destined for an application. The device identifies the size of the application buffer corresponding to the application and advertises the application buffer size as a window size to the server. The device stores the data in the device memory. The device then determines the memory usage by comparing the memory usage to one or more predetermined thresholds. If the device determines that the memory usage is below a first predetermined threshold, the device can implement an aggressive dynamic receive buffering policy in which the device increases the advertised window size by a first increment. If the device determines that the memory usage is above the first threshold and below a second threshold, the device executes a more conservative dynamic receive buffering policy.

Abstract: An appliance for controlling data transmission is described. The appliance includes a packet engine configured to acquire data regarding a flow of first data packets over a link and to determine transport communication protocol (TCP) characteristics for the flow. The appliance also includes a data transmission controller configured to receive second data packets, determine a rate of transmission based on the TCP characteristics, and determine, based on one or more criteria, whether to use a rate-based data transmission control to control a transmission of the second data packets. The data transmission controller is also configured to, responsive to determining that a rate-based data transmission control is to be used to control a transmission of the second data packets, cause the packet engine to transmit the second data packets in groups, wherein transmission times of each group of second data packets are determined based on the rate of transmission.

Abstract: An appliance for controlling data transmission is described. The appliance includes a packet engine configured to acquire data regarding a flow of first data packets over a link and to determine transport communication protocol (TCP) characteristics for the flow. The appliance also includes a data transmission controller configured to receive second data packets, determine a rate of transmission based on the TCP characteristics, and determine, based on one or more criteria, whether to use a rate-based data transmission control to control a transmission of the second data packets. The data transmission controller is also configured to, responsive to determining that a rate-based data transmission control is to be used to control a transmission of the second data packets, cause the packet engine to transmit the second data packets in groups, wherein transmission times of each group of second data packets are determined based on the rate of transmission.

Abstract: An appliance for controlling data transmission is described. The appliance includes a packet engine configured to acquire data regarding a flow of first data packets over a link and to determine transport communication protocol (TCP) characteristics for the flow. The appliance also includes a data transmission controller configured to receive second data packets, determine a rate of transmission based on the TCP characteristics, and determine, based on one or more criteria, whether to use a rate-based data transmission control to control a transmission of the second data packets. The data transmission controller is also configured to, responsive to determining that a rate-based data transmission control is to be used to control a transmission of the second data packets, cause the packet engine to transmit the second data packets in groups, wherein transmission times of each group of second data packets are determined based on the rate of transmission.

Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device.

Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device.

Abstract: The present disclosure relates to methods and systems for dynamically changing an advertised window for a transport layer connection. A device can receive data from a server destined for an application. The device identifies the size of the application buffer corresponding to the application and advertises the application buffer size as a window size to the server. The device stores the data in the device memory. The device then determines the memory usage by comparing the memory usage to one or more predetermined thresholds. If the device determines that the memory usage is below a first predetermined threshold, the device can implement an aggressive dynamic receive buffering policy in which the device increases the advertised window size by a first increment. If the device determines that the memory usage is above the first threshold and below a second threshold, the device executes a more conservative dynamic receive buffering policy.

Abstract: The present disclosure relates to methods and systems for dynamically changing an advertised window for a transport layer connection. A device can receive data from a server destined for an application. The device identifies the size of the application buffer corresponding to the application and advertises the application buffer size as a window size to the server. The device stores the data in the device memory. The device then determines the memory usage by comparing the memory usage to one or more predetermined thresholds. If the device determines that the memory usage is below a first predetermined threshold, the device can implement an aggressive dynamic receive buffering policy in which the device increases the advertised window size by a first increment. If the device determines that the memory usage is above the first threshold and below a second threshold, the device executes a more conservative dynamic receive buffering policy.

Abstract: The present disclosure is directed towards systems and methods for application performance measurement. A device may receive a first document for transmission to a client, comprising instructions for the client to transmit a request for an embedded object. A flow monitor executed the device may generate a unique identification associated with the first document, the unique identification identifying a first access of the first document, and transmit the first document and unique identification to the client. The device may receive, from the client, a request for the embedded object comprising the unique identification, and transmit, to a server, the request for the embedded object at a transmit time. The device may receive, from the server, the embedded object at a receipt time, and may transmit a performance record comprising an identification of the object, the server, the transmit time, the receipt time, and the unique identification to a data collector.

Abstract: The present disclosure is directed generally to systems and methods for Diameter load balancing. In some embodiments, an intermediary device may receive a diameter connection request from a client that includes a CER. The intermediary device may initiate a connection with a server of a plurality of servers and place the server protocol control block in a reuse pool. Responsive to opening the connection with the server, the intermediary device may forward the received CER. The intermediary device may then receive a CEA message from the server and establish an AVP-based persistent connection. The intermediary device may modify the received CEA message, and then forward the message to the client. When the intermediary device receives a diameter message from a client, the intermediary device may match an AVP of the message with an AVP associated with a persistent server connection, and forward the diameter message to the corresponding server.

Abstract: An appliance for controlling data transmission is described. The appliance includes a packet engine configured to acquire data regarding a flow of first data packets over a link and to determine transport communication protocol (TCP) characteristics for the flow. The appliance also includes a data transmission controller configured to receive second data packets, determine a rate of transmission based on the TCP characteristics, and determine, based on one or more criteria, whether to use a rate-based data transmission control to control a transmission of the second data packets. The data transmission controller is also configured to, responsive to determining that a rate-based data transmission control is to be used to control a transmission of the second data packets, cause the packet engine to transmit the second data packets in groups, wherein transmission times of each group of second data packets are determined based on the rate of transmission.

Abstract: The present disclosure is directed towards tracking application layer flow via a multi-connection intermediary. Transaction level or application layer information may be tracked via the intermediary, including one or more of: (i) the request method; (ii) response codes; (iii) URLs; (iv) HTTP cookies; (v) RTT of both ends of the transaction in a quad flow arrangement; (vi) server time to provide first byte of a communication; (vii) server time to provide the last byte of a communication; (viii) flow flags; or any other type and form of transaction level data may be captured, exported, and analyzed. The application layer flow or transaction level information may be provided in an IPFIX-compliant data record. This may be done to provide template-based data record definition, as well as providing data on an application or transaction level of granularity.

Abstract: The present disclosure is directed towards methods and systems for caching packet steering sessions for steering data packets between intermediary devices of a cluster of intermediary devices intermediary to a client and a plurality of servers. A first intermediary device receives a first data packet and determines, from a hash of a tuple of the first packet, a second intermediary device to which to steer the first packet. The first device stores, to a session for storing packet steering information, the identity of the second device and the tuple. The first device receives a second packet having a corresponding tuple that matches the tuple of the first packet and determines, based on a lookup for the session using the tuple of the second packet, that the second device is the intermediary device to which to steer the second packet. The first device steers the second packet to the second device.

Abstract: The present solution is directed to systems and methods for synchronizing a random seed value among a plurality of multi-core nodes in a cluster of nodes for generating a cookie signature. The cookie signature may be used for protection from SYN flood attacks. A cluster of nodes comprises one master node and one or more other nodes. Each node comprises one master core and one or more other cores. A random number is generated at the master core of the master node. The random number is synchronized across every other core. The random number is used to generated a secret key value that is attached in the encoded initial sequence number of a SYN-ACK packet. If the responding ACK packet does not contain the secret key value, then the ACK packet is dropped.

Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device.

Abstract: The present application is directed towards systems and methods for aggressively probing a client side connection to determine and counteract a malicious window size attack or similar behavior from a malfunctioning client. The solution described herein detects when a connection may be under malicious attach via improper or unusual window size settings. Responsive to the detection, the solution described herein will setup probes that determine whether or not the client is malicious and does so within an aggressive time period to avoid the tying up of processing cycles, transport layer sockets and buffers, and other resources of the sender.

Abstract: The present disclosure is directed towards methods and systems for caching packet steering sessions for steering data packets between intermediary devices of a cluster of intermediary devices intermediary to a client and a plurality of servers. A first intermediary device receives a first data packet and determines, from a hash of a tuple of the first packet, a second intermediary device to which to steer the first packet. The first device stores, to a session for storing packet steering information, the identity of the second device and the tuple. The first device receives a second packet having a corresponding tuple that matches the tuple of the first packet and determines, based on a lookup for the session using the tuple of the second packet, that the second device is the intermediary device to which to steer the second packet. The first device steers the second packet to the second device.

Abstract: The present solution is directed to systems and methods for synchronizing a random seed value among a plurality of multi-core nodes in a cluster of nodes for generating a cookie signature. The cookie signature may be used for protection from SYN flood attacks. A cluster of nodes comprises one master node and one or more other nodes. Each node comprises one master core and one or more other cores. A random number is generated at the master core of the master node. The random number is synchronized across every other core. The random number is used to generated a secret key value that is attached in the encoded initial sequence number of a SYN-ACK packet. If the responding ACK packet does not contain the secret key value, then the ACK packet is dropped.

Abstract: The present disclosure relates to methods and systems for dynamically changing an advertised window for a transport layer connection. A device can receive data from a server destined for an application. The device identifies the size of the application buffer corresponding to the application and advertises the application buffer size as a window size to the server. The device stores the data in the device memory. The device then determines the memory usage by comparing the memory usage to one or more predetermined thresholds. If the device determines that the memory usage is below a first predetermined threshold, the device can implement an aggressive dynamic receive buffering policy in which the device increases the advertised window size by a first increment. If the device determines that the memory usage is above the first threshold and below a second threshold, the device executes a more conservative dynamic receive buffering policy.