Patents by Inventor Mitesh Dalal

Mitesh Dalal has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10887278
    Abstract: Taking a zero-configuration approach, a domain name discovery system utilizes, in an iterative process, WHOIS data and infrastructure data for a seed domain to automatically discover domain names having registration and/or infrastructure details that match those of the seed domain. Registration information such as a registered email address associated with a domain name discovered through WHOIS data matching or infrastructure data matching is utilized in a reverse lookup for domain names having infrastructure or WHOIS registered information that fully matches the information associated with the domain name discovered through the iterative process. Domain names discovered through WHOIS data matching, infrastructure data matching, and reverse lookup can be presented through a user interface on a client device communicatively connected to the domain name discovery system over a network. The domain name discovery can be performed periodically or in near real time responsive to receiving a new seed domain.
    Type: Grant
    Filed: January 10, 2019
    Date of Patent: January 5, 2021
    Assignee: PROOFPOINT, INC.
    Inventors: Gaurav Mitesh Dalal, Ali Mesdaq
  • Publication number: 20200304540
    Abstract: Aspects of the disclosure relate to identifying legitimate websites and removing false positives from domain discovery analysis. Based on a list of known legitimate domains, a computing platform may generate a baseline dataset of feature vectors corresponding to the known legitimate domains. Subsequently, the computing platform may receive information identifying a first domain for analysis and may execute one or more machine learning algorithms to compare the first domain to the baseline dataset. Based on execution of the one or more machine learning algorithms, the computing platform may generate first domain classification information indicating that the first domain is a legitimate domain. In response to determining that the first domain is a legitimate domain, the computing platform may send one or more commands directing a domain identification system to remove the first domain from a list of indeterminate domains maintained by the domain identification system.
    Type: Application
    Filed: December 18, 2019
    Publication date: September 24, 2020
    Inventors: Hung-Jen Chang, Gaurav Mitesh Dalal, Ali Mesdaq
  • Publication number: 20200265261
    Abstract: Disclosed is an effective domain name defense solution in which a domain name string may be provided to or obtained by a computer embodying a visual domain analyzer. The domain name string may be rendered or otherwise converted to an image. An optical character recognition function may be applied to the image to read out a text string which can then be compared with a protected domain name to determine whether the text string generated by the optical character recognition function from the image converted from the domain name string is similar to or matches the protected domain name. This visual domain analysis can be dynamically applied in an online process or proactively applied in an offline process to hundreds of millions of domain names.
    Type: Application
    Filed: May 4, 2020
    Publication date: August 20, 2020
    Inventors: Gaurav Mitesh Dalal, Ali Mesdaq, Sharon Huffner, Harold Nguyen
  • Publication number: 20200228551
    Abstract: A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.
    Type: Application
    Filed: January 14, 2019
    Publication date: July 16, 2020
    Inventors: Gaurav Mitesh Dalal, Hung-Jen Chang, Ali Mesdaq
  • Publication number: 20200228494
    Abstract: Taking a zero-configuration approach, a domain name discovery system utilizes, in an iterative process, WHOIS data and infrastructure data for a seed domain to automatically discover domain names having registration and/or infrastructure details that match those of the seed domain. Registration information such as a registered email address associated with a domain name discovered through WHOIS data matching or infrastructure data matching is utilized in a reverse lookup for domain names having infrastructure or WHOIS registered information that fully matches the information associated with the domain name discovered through the iterative process. Domain names discovered through WHOIS data matching, infrastructure data matching, and reverse lookup can be presented through a user interface on a client device communicatively connected to the domain name discovery system over a network. The domain name discovery can be performed periodically or in near real time responsive to receiving a new seed domain.
    Type: Application
    Filed: January 10, 2019
    Publication date: July 16, 2020
    Inventors: Gaurav Mitesh Dalal, Ali Mesdaq
  • Patent number: 10679088
    Abstract: Disclosed is an effective domain name defense solution in which a domain name string may be provided to or obtained by a computer embodying a visual domain analyzer. The domain name string may be rendered or otherwise converted to an image. An optical character recognition function may be applied to the image to read out a text string which can then be compared with a protected domain name to determine whether the text string generated by the optical character recognition function from the image converted from the domain name string is similar to or matches the protected domain name. This visual domain analysis can be dynamically applied in an online process or proactively applied in an offline process to hundreds of millions of domain names.
    Type: Grant
    Filed: February 10, 2017
    Date of Patent: June 9, 2020
    Assignee: Proofpoint, Inc.
    Inventors: Gaurav Mitesh Dalal, Ali Mesdaq, Sharon Huffner, Harold Nguyen
  • Patent number: 8174964
    Abstract: A method for detecting unavailable network connections comprises, at a first data processing node that is hosting a transport protocol connection that uses a plurality of sequence values to identify messages sent to a peer node, wherein the first node is communicatively coupled to a second data processing node serving as a redundant backup, periodically sending a checkpoint sequence value to the second node; detecting that either the transport protocol connection or a process using the transport protocol connection is unavailable, without use of a timeout; and in response thereto, sending a notification to the peer node, wherein the notification includes the checkpoint sequence value. One embodiment provides for rapidly detecting and responding to failure of a TCP process without using long timeouts as conventionally provided in long-lived applications that run on top of TCP.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: May 8, 2012
    Assignee: Cisco Technology, Inc.
    Inventors: Mitesh Dalal, Anantha Ramaiah, Ruchi Kapoor, Chandrashekhar Appanna
  • Publication number: 20110093591
    Abstract: A method for detecting unavailable network connections comprises, at a first data processing node that is hosting a transport protocol connection that uses a plurality of sequence values to identify messages sent to a peer node, wherein the first node is communicatively coupled to a second data processing node serving as a redundant backup, periodically sending a checkpoint sequence value to the second node; detecting that either the transport protocol connection or a process using the transport protocol connection is unavailable, without use of a timeout; and in response thereto, sending a notification to the peer node, wherein the notification includes the checkpoint sequence value. One embodiment provides for rapidly detecting and responding to failure of a TCP process without using long timeouts as conventionally provided in long-lived applications that run on top of TCP.
    Type: Application
    Filed: December 22, 2010
    Publication date: April 21, 2011
    Inventors: Mitesh Dalal, Anantha Ramaiah, Ruchi Kapoor, Chandrashekhar Appanna
  • Patent number: 7930365
    Abstract: A method of modifying network identifiers at data servers is disclosed. A virtual private network (VPN) gateway server generates a Hypertext Transfer Protocol (HTTP) request. The HTTP request not only requests data from a data server that is within a VPN, but also instructs the data server to modify (“mangle”) URLs that are contained within the requested data so that the URLs refer to the VPN gateway server. The VPN gateway server sends the HTTP request toward the data server. As a result, the data server modifies the URLs so that the VPN gateway server does not need to. When such a modified URL is selected in a web browser, the web browser generates an HTTP request that is directed to the VPN gateway server's URL, which, unlike the unmodified URLs, can be resolved by domain name servers that are outside of the VPN.
    Type: Grant
    Filed: February 16, 2005
    Date of Patent: April 19, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Vineet Ramesh Dixit, Mitesh Dalal, Amol Khare, Mahadev Somasundaram
  • Patent number: 7903546
    Abstract: A method for detecting unavailable network connections comprises, at a first data processing node that is hosting a transport protocol connection that uses a plurality of sequence values to identify messages sent to a peer node, wherein the first node is communicatively coupled to a second data processing node serving as a redundant backup, periodically sending a checkpoint sequence value to the second node; detecting that either the transport protocol connection or a process using the transport protocol connection is unavailable, without use of a timeout; and in response thereto, sending a notification to the peer node, wherein the notification includes the checkpoint sequence value. One embodiment provides for rapidly detecting and responding to failure of a TCP process without using long timeouts as conventionally provided in long-lived applications that run on top of TCP.
    Type: Grant
    Filed: January 14, 2005
    Date of Patent: March 8, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Mitesh Dalal, Anantha Ramaiah, Ruchi Kapoor, Chandrashekhar Appanna
  • Patent number: 7738495
    Abstract: A network element implementing a method for determining an optimal maximum transmission unit (MTU) value on a path between two nodes in a network is described. A sending node interested in learning the optimal MTU path value allows fragmentation of datagrams sent on the path, selects an initial MTU, and sends one or more data packets to a receiving node. Upon receiving the data the receiver determines if fragmentation occurred. If no fragmentation occurred then the MTU path selected is the optimal MTU for the given path between the nodes. If fragmentation did occur then the sender is notified that the selected MTU was not the optimal MTU for the path. Either the receiver proposes a new MTU for the path, or the sender selects a new, smaller MTU. The process repeats until the receiver detects no fragmentation.
    Type: Grant
    Filed: January 23, 2006
    Date of Patent: June 15, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Mitesh Dalal, Randall R. Stewart, Amol R. Khare, Vineet Dixit, Srinivas Subramanian
  • Patent number: 7706281
    Abstract: A multi-homed network node comprises an interface that is addressable using a primary network address and a secondary network address. Network packets identifying the primary network address traverse a first network path and packets identifying the second network address traverse a second network path that is routed physically separately from the first network path. A transport layer network protocol association is established in the network between a first node and the multi-homed node. One or more data messages are sent to the second node and identify the primary network address. Network feedback information indicates one or more performance characteristics of the first network path. In response, the data messages are automatically modified to identify the secondary network address.
    Type: Grant
    Filed: January 6, 2006
    Date of Patent: April 27, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Mitesh Dalal, Randall R. Stewart
  • Patent number: 7650635
    Abstract: A method of preventing an attack on a network, the method comprising the computer-implemented steps of receiving an ICMP packet that includes a copy of a header associated with a connection in a connection-oriented transport protocol; obtaining a packet sequence value from the header; determining if the packet sequence value is valid; and updating a parameter value associated with the transport protocol connection only if the packet sequence value is determined to be valid. Use of the disclosed method enables authenticating ICMP packets so that responsive measures of a network element, such as adjusting an MTU value, are performed only when the ICMP packet is determined to be authentic.
    Type: Grant
    Filed: April 7, 2004
    Date of Patent: January 19, 2010
    Assignee: Cisco Technology, Inc.
    Inventors: Amol Khare, Mitesh Dalal, Anantha Ramaiah, Sharad Ahlawat
  • Patent number: 7606159
    Abstract: Techniques are provided for updating best path based on real-time congestion feedback. A method comprises monitoring packets received from an internetworked system, wherein the packets are received on one of a plurality of external interfaces of a networking device; detecting that a received packet includes real-time information that signals a present or pending congestion condition on a path from the external interfaces of the networking device to the internetworked system; notifying a control logic of the real-time information; receiving from the control logic control information defining a change in one or more paths from the external interfaces to the internetworked system; and changing the one or more paths from the external interfaces to the internetworked system. Examining ingress traffic on external interfaces of an internetworked system can cause changes to routes, routing policies and PBRs in routers of the first internetworked system in response to real-time congestion.
    Type: Grant
    Filed: August 30, 2005
    Date of Patent: October 20, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Mitesh Dalal, Pritam Shah, Amol Khare, Vamsidhar Valluri
  • Patent number: 7472416
    Abstract: Approaches for preventing TCP RST attacks intended to cause denial of service in packet-switched networks are disclosed. In one approach, upon receiving a TCP RST packet, an endpoint node determines whether the TCP segment contains valid authentication information. The TCP RST segment is accepted and the TCP connection is closed only when the authentication information is valid. Authentication information may comprise a reset type value, and either initial sequence numbers of both endpoints, or a copy of a TCP header and options values previously sent by the endpoint node that is performing the authentication. Thus, attacks are thwarted because an attacker cannot know or reasonably guess the required authentication information.
    Type: Grant
    Filed: May 6, 2004
    Date of Patent: December 30, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Anantha Ramaiah, Shrirang Bage, Amol Khare, Mitesh Dalal
  • Patent number: 7458097
    Abstract: Approaches for preventing TCP RST attacks and TCP SYN attacks in packet-switched networks are disclosed. In one approach, upon receiving a TCP RST packet, a first endpoint node challenges the second endpoint node in the then-current connection using an acknowledgement message. If the connection is genuinely closed, the second endpoint node responds with a RST packet carrying an expected next sequence value. The first endpoint node takes no action if no RST packet is received. Thus, attacks are thwarted because an attacker does not receive the acknowledgment message and therefore cannot provide the exact expected next sequence value.
    Type: Grant
    Filed: September 28, 2006
    Date of Patent: November 25, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: Mitesh Dalal, Amol Khare, Randall Stewart
  • Patent number: 7412600
    Abstract: Approaches are disclosed for switching transport protocol connection keys. A method of automatically changing a message authentication key at each of two endpoints of a connection in a telecommunications network comprises testing a sequence value received in each of a plurality of data segments on the connection; and selecting a next message authentication key, from among a plurality of stored message authentication keys, for use in authenticating subsequently received data segments, when the sequence value matches a specified characteristic.
    Type: Grant
    Filed: October 28, 2005
    Date of Patent: August 12, 2008
    Assignee: Cisco Technology, Inc.
    Inventors: John C. Wong, Anantha Ramaiah, Amol Khare, Mitesh Dalal, Shrirang Bage, Lin Han
  • Publication number: 20070171828
    Abstract: A network element implementing a method for determining an optimal maximum transmission unit (MTU) value on a path between two nodes in a network is described. A sending node interested in learning the optimal MTU path value allows fragmentation of datagrams sent on the path, selects an initial MTU, and sends one or more data packets to a receiving node. Upon receiving the data the receiver determines if fragmentation occurred. If no fragmentation occurred then the MTU path selected is the optimal MTU for the given path between the nodes. If fragmentation did occur then the sender is notified that the selected MTU was not the optimal MTU for the path. Either the receiver proposes a new MTU for the path, or the sender selects a new, smaller MTU. The process repeats until the receiver detects no fragmentation.
    Type: Application
    Filed: January 23, 2006
    Publication date: July 26, 2007
    Inventors: Mitesh Dalal, Randall Stewart, Amol Khare, Vineet Dixit, Srinivas Subramanian
  • Publication number: 20070159977
    Abstract: A multi-homed network node comprises an interface that is addressable using a primary network address and a secondary network address. Network packets identifying the primary network address traverse a first network path and packets identifying the second network address traverse a second network path that is routed physically separately from the first network path. A transport layer network protocol association is established in the network between a first node and the multi-homed node. One or more data messages are sent to the second node and identify the primary network address. Network feedback information indicates one or more performance characteristics of the first network path. In response, the data messages are automatically modified to identify the secondary network address.
    Type: Application
    Filed: January 6, 2006
    Publication date: July 12, 2007
    Inventors: Mitesh Dalal, Randall Stewart
  • Publication number: 20070101129
    Abstract: Approaches are disclosed for switching transport protocol connection keys. A method of automatically changing a message authentication key at each of two endpoints of a connection in a telecommunications network comprises testing a sequence value received in each of a plurality of data segments on the connection; and selecting a next message authentication key, from among a plurality of stored message authentication keys, for use in authenticating subsequently received data segments, when the sequence value matches a specified characteristic.
    Type: Application
    Filed: October 28, 2005
    Publication date: May 3, 2007
    Inventors: John Wong, Anantha Ramaiah, Amol Khare, Mitesh Dalal, Shrirang Bage, Lin Han