Abstract: Approaches for preventing TCP RST attacks and TCP SYN attacks in packet-switched networks are disclosed. In one approach, upon receiving a TCP RST packet, a first endpoint node challenges the second endpoint node in the then-current connection using an acknowledgement message. If the connection is genuinely closed, the second endpoint node responds with a RST packet carrying an expected next sequence value. The first endpoint node takes no action if no RST packet is received. Thus, attacks are thwarted because an attacker does not receive the acknowledgment message and therefore cannot provide the exact expected next sequence value.

Abstract: Techniques are provided for updating best path based on real-time congestion feedback. A method comprises monitoring packets received from an internetworked system, wherein the packets are received on one of a plurality of external interfaces of a networking device; detecting that a received packet includes real-time information that signals a present or pending congestion condition on a path from the external interfaces of the networking device to the internetworked system; notifying a control logic of the real-time information; receiving from the control logic control information defining a change in one or more paths from the external interfaces to the internetworked system; and changing the one or more paths from the external interfaces to the internetworked system. Examining ingress traffic on external interfaces of an internetworked system can cause changes to routes, routing policies and PBRs in routers of the first internetworked system in response to real-time congestion.

Abstract: Approaches for preventing TCP RST attacks and TCP SYN attacks in packet-switched networks are disclosed. In one approach, upon receiving a TCP RST packet, a first endpoint node challenges the second endpoint node in the then-current connection using an acknowledgement message. If the connection is genuinely closed, the second endpoint node responds with a RST packet carrying an expected next sequence value. The first endpoint node takes no action if no RST packet is received. Thus, attacks are thwarted because an attacker does not receive the acknowledgment message and therefore cannot provide the exact expected next sequence value.

Abstract: A method of modifying network identifiers at data servers is disclosed. A virtual private network (VPN) gateway server generates a Hypertext Transfer Protocol (HTTP) request. The HTTP request not only requests data from a data server that is within a VPN, but also instructs the data server to modify (“mangle”) URLs that are contained within the requested data so that the URLs refer to the VPN gateway server. The VPN gateway server sends the HTTP request toward the data server. As a result, the data server modifies the URLs so that the VPN gateway server does not need to. When such a modified URLs is selected in a web browser, the web browser generates an HTTP request that is directed to the VPN gateway server's URL, which, unlike the unmodified URLs, can be resolved by domain name servers that are outside of the VPN.

Abstract: A method for detecting unavailable network connections comprises, at a first data processing node that is hosting a transport protocol connection that uses a plurality of sequence values to identify messages sent to a peer node, wherein the first node is communicatively coupled to a second data processing node serving as a redundant backup, periodically sending a checkpoint sequence value to the second node; detecting that either the transport protocol connection or a process using the transport protocol connection is unavailable, without use of a timeout; and in response thereto, sending a notification to the peer node, wherein the notification includes the checkpoint sequence value. One embodiment provides for rapidly detecting and responding to failure of a TCP process without using long timeouts as conventionally provided in long-lived applications that run on top of TCP.

Abstract: A method of preventing an attack on a network, the method comprising the computer-implemented steps of receiving an ICMP packet that includes a copy of a header associated with a connection in a connection-oriented transport protocol; obtaining a packet sequence value from the header; determining if the packet sequence value is valid; and updating a parameter value associated with the transport protocol connection only if the packet sequence value is determined to be valid. Use of the disclosed method enables authenticating ICMP packets so that responsive measures of a network element, such as adjusting an MTU value, are performed only when the ICMP packet is determined to be authentic.

Abstract: Approaches for preventing TCP RST attacks intended to cause denial of service in packet-switched networks are disclosed. In one approach, upon receiving a TCP RST packet, an endpoint node determines whether the TCP segment contains valid authentication information. The TCP RST segment is accepted and the TCP connection is closed only when the authentication information is valid. Authentication information may comprise a reset type values, and either initial sequence numbers of both endpoints, or a copy of a TCP header and options values previously sent by the endpoint node that is performing the authentication. Thus, attacks are thwarted because an attacker cannot know or reasonably guess the required authentication information.