Patents by Inventor Nicholas Leavy

Nicholas Leavy has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9154512
    Abstract: Methods and apparatus are disclosed for processing data packets using a router and a proxy in order to transparently proxy a connection between a client and a server. One method involves mapping a TCP connection to a connection ID and sending a segment from the TCP connection to a proxy, including the connection ID, a direction value and an identifier of an assigned proxy application, such that the segment appears to be from the connection. The method further involves a proxy creating and reading from an IP socket which corresponds to the segment, the connection ID, direction and assigned proxy application and then spoofing the segment using the connection ID, a second direction value, and an identifier of the assigned proxy application.
    Type: Grant
    Filed: March 30, 2006
    Date of Patent: October 6, 2015
    Assignee: Cisco Technology, Inc.
    Inventors: Diheng Qu, Nicholas Leavy
  • Patent number: 7873731
    Abstract: Systems detect maliciously formed TCP/IP retransmit packets attempting to pass through an intrusion detection system (IDS) and prevent them from reaching their destination by forcing early flow termination. As each packet arrives in the IDS, the TTL field is monotonically decreased by setting it to the smallest TTL received from the packet flow. Any packet flow that attempts to confuse the sensor with a low TTL will be starved off and will never reach the destination host. Each flow may be periodically reset to a high value or to the current packet value to allow flow recovery. In another embodiment, the TTL decrease mechanism may operate on a contingent basis, determined by the presence or absence of the flow identifier on a pre-determined list of flows that should never be restricted.
    Type: Grant
    Filed: April 8, 2004
    Date of Patent: January 18, 2011
    Assignee: Cisco Technology, Inc.
    Inventors: Nicholas Leavy, Michael L. Hall, Jr.
  • Patent number: 7500264
    Abstract: Embodiments of the invention are directed to systems that detect maliciously formed TCP/IP retransmit packets attempting to pass through an intrusion detection system (IDS) and prevent them from reaching their destination by forcing early flow termination. The IDS may be configured to track a hash of certain fields in each packet. This set of hashes is maintained for all of the packets in the currently open TCP window for each flow. If the hash of a retransmit packet does not match the cached hash of the corresponding original packet, the system concludes that there is an attack under way and terminates the flow. The hash function may range in complexity and security from low complexity and relative insecurity to high complexity and high security. Hash algorithms may also be used in conjunction with a private seed value concatenated with the packet fields prior to hashing.
    Type: Grant
    Filed: April 8, 2004
    Date of Patent: March 3, 2009
    Assignee: Cisco Technology, Inc.
    Inventors: Nicholas Leavy, Michael L. Hall, Jr., Timothy Hahn, Mohit Jaggi
  • Patent number: 7334035
    Abstract: A method and intermediate device for dynamically modifying a stateful inspection of data. In one embodiment, the present invention is comprised of an intermediate device such as, for example, a router. The intermediate device is adapted to perform a stateful inspection of data passing therethrough. In one approach, the intermediate device performs the stateful inspection by inspecting the data to determine state information for the data. Next, the intermediate device modifies a state graph used to perform the stateful inspection of the data based upon the state information found during the aforementioned inspection. The intermediate device then utilizes the modified state graph to perform continued stateful inspection of the data. In so doing, the present invention enables an enhanced use of Quality of Service (QoS) classification based upon the high level application of the data. The present invention further provides a classification engine which can readily be adapted to new protocols.
    Type: Grant
    Filed: July 30, 2004
    Date of Patent: February 19, 2008
    Assignee: Cisco Technology, Inc.
    Inventor: Nicholas Leavy
  • Publication number: 20070233877
    Abstract: Methods and apparatus are disclosed for processing data packets using a router and a proxy in order to transparently proxy a connection between a client and a server. One method involves mapping a TCP connection to a connection ID and sending a segment from the TCP connection to a proxy, including the connection ID, a direction value and an identifier of an assigned proxy application, such that the segment appears to be from the connection. The method further involves a proxy creating and reading from an IP socket which corresponds to the segment, the connection ID, direction and assigned proxy application and then spoofing the segment using the connection ID, a second direction value, and an identifier of the assigned proxy application.
    Type: Application
    Filed: March 30, 2006
    Publication date: October 4, 2007
    Inventors: Diheng Qu, Nicholas Leavy, Richard Fox
  • Patent number: 6912570
    Abstract: A method and intermediate device for dynamically modifying a stateful inspection of data. In one embodiment, the present invention is comprised of an intermediate device such as, for example, a router. The intermediate device is adapted to perform a stateful inspection of data passing therethrough. In one approach, the intermediate device performs the stateful inspection by inspecting the data to determine state information for the data. Next, the intermediate device modifies a state graph used to perform the stateful inspection of the data based upon the state information found during the aforementioned inspection. The intermediate device then utilizes the modified state graph to perform continued stateful inspection of the data. In so doing, the present invention enables an enhanced use of Quality of Service (QoS) classification based upon the high level application of the data. The present invention further provides a classification engine which can readily be adapted to new protocols.
    Type: Grant
    Filed: November 12, 1999
    Date of Patent: June 28, 2005
    Assignee: Cisco Technology, Inc.
    Inventor: Nicholas Leavy
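
The two IDS entries above (7873731 and 7500264) describe the same evasion defence from two angles: clamping a flow's forwarded TTL to the smallest value seen, and keeping a keyed hash of every segment in the open window so a retransmit with different bytes can be caught. The following Python is an added illustration written for this listing, not code from the patents or from Cisco; the `FlowGuard` class, its method names, the seed value, the exemption list and the sample segments are all assumptions constructed here. The decoy in `demo_evasion` is the classic trick the abstracts target: a segment with a TTL just large enough to reach the sensor but not the host, followed by a "retransmit" of the same sequence number carrying different data.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Segment:
    # Constructed sample type for the example; not a packet format from the patents.
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ttl: int
    payload: bytes

    @property
    def flow(self):
        return (self.src, self.dst, self.sport, self.dport)


class FlowGuard:
    """Per-flow state an inline IDS keeps against retransmit-based evasion (assumed design)."""

    def __init__(self, seed: bytes, never_restrict=()):
        self.seed = seed                            # private seed mixed into every hash
        self.never_restrict = set(never_restrict)   # flows exempt from TTL clamping
        self.min_ttl = {}      # flow -> smallest TTL seen so far
        self.window = {}       # flow -> {seq: keyed hash of the segment's bytes}
        self.terminated = set()

    def _digest(self, seg):
        # HMAC over (seq, payload) with a private seed: an attacker who knows the
        # hash function still cannot craft a different retransmit that collides.
        return hmac.new(self.seed, seg.seq.to_bytes(4, "big") + seg.payload,
                        hashlib.sha256).digest()

    def process(self, seg):
        """Return ('forward', ttl_to_send_with) or ('terminate', reason)."""
        f = seg.flow
        if f in self.terminated:
            return ("terminate", "flow already terminated")
        table = self.window.setdefault(f, {})
        d = self._digest(seg)
        prev = table.get(seg.seq)
        if prev is not None and prev != d:
            # Retransmit of seq with different bytes: sensor and host would
            # reassemble different streams, so force early flow termination.
            self.terminated.add(f)
            return ("terminate", "inconsistent retransmit")
        table[seg.seq] = d
        if f in self.never_restrict:
            return ("forward", seg.ttl)
        # Clamp to the smallest TTL seen: a segment meant to die between sensor
        # and host drags every later segment of the flow down with it.
        ttl = min(seg.ttl, self.min_ttl.get(f, seg.ttl))
        self.min_ttl[f] = ttl
        return ("forward", ttl)

    def ack(self, flow, ack_seq):
        """Slide the window: forget hashes for data the receiver has acknowledged."""
        table = self.window.get(flow, {})
        for s in [s for s in table if s < ack_seq]:
            del table[s]

    def reset_ttl(self, flow, ttl=None):
        """Periodic recovery: lift the clamp, or reset it to a chosen value."""
        if ttl is None:
            self.min_ttl.pop(flow, None)
        else:
            self.min_ttl[flow] = ttl


def demo_evasion():
    """Decoy with a short TTL, then a 'retransmit' of the same seq with other bytes."""
    guard = FlowGuard(seed=b"ids-private-seed")          # constructed sample data
    flow = ("198.51.100.7", "192.0.2.20", 40000, 80)
    decoy = Segment(*flow, seq=1000, ttl=2, payload=b"GET /index.html")
    real = Segment(*flow, seq=1000, ttl=64, payload=b"GET /../../etc/passwd")
    return guard.process(decoy), guard.process(real)


def demo_benign():
    """A genuine retransmit is forwarded (TTL clamped); acks slide the window; exempt flows keep their TTL."""
    exempt_flow = ("10.0.0.1", "10.0.0.2", 1, 2)
    guard = FlowGuard(seed=b"ids-private-seed", never_restrict=[exempt_flow])
    flow = ("198.51.100.7", "192.0.2.20", 40001, 80)
    r1 = guard.process(Segment(*flow, seq=1, ttl=60, payload=b"hello"))
    r2 = guard.process(Segment(*flow, seq=1, ttl=64, payload=b"hello"))
    guard.ack(flow, 6)
    guard.process(Segment(*exempt_flow, seq=5, ttl=3, payload=b"x"))
    exempt = guard.process(Segment(*exempt_flow, seq=6, ttl=64, payload=b"y"))
    return r1, r2, len(guard.window[flow]), exempt
```

The decoy is forwarded with its own TTL of 2, and the conflicting retransmit terminates the flow; even without the hash check, the clamp alone would have left the attacker's real segment with TTL 2 and starved the connection. In production the hash table must be bounded by the receiver's advertised window and the clamp periodically reset (`reset_ttl`), otherwise a single path change that lowers TTL would kill a legitimate long-lived flow.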
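
Entries 9154512 and 20070233877 share one abstract: a router maps each TCP connection to a connection ID, hands segments to a proxy with that ID, a direction value and the ID of the assigned proxy application, and the proxy spoofs its output back with a second direction value so the router can deliver it on the real connection. The Python below is an added example for this listing, not the patents' or Cisco's implementation; the header layout (`HDR`), the numeric direction constants, the `HTTP_APP` identifier and the sample addresses are assumptions made here to make the exchange concrete.

```python
import struct
from itertools import count

# Assumed router<->proxy frame header, not the patents' wire format:
# connection ID (u32), direction (u8), proxy application ID (u16).
HDR = struct.Struct("!IBH")
FROM_CLIENT, FROM_SERVER = 0, 1   # router -> proxy: which side the bytes came from
TO_SERVER, TO_CLIENT = 2, 3       # proxy -> router: the "second direction value", where to deliver
HTTP_APP = 7                      # assumed ID of the proxy application assigned to port 80


class RouterSide:
    """Maps TCP 4-tuples to connection IDs and frames segments for the proxy."""

    def __init__(self):
        self._ids = count(1)
        self.by_tuple = {}   # client->server 4-tuple -> connection ID
        self.by_id = {}      # connection ID -> client->server 4-tuple

    def to_proxy(self, src, dst, sport, dport, payload, app_id):
        key, rev = (src, dst, sport, dport), (dst, src, dport, sport)
        if key in self.by_tuple:
            cid, direction = self.by_tuple[key], FROM_CLIENT
        elif rev in self.by_tuple:
            cid, direction = self.by_tuple[rev], FROM_SERVER
        else:   # first segment of the connection: allocate an ID, remember orientation
            cid = next(self._ids)
            self.by_tuple[key], self.by_id[cid] = cid, key
            direction = FROM_CLIENT
        return HDR.pack(cid, direction, app_id) + payload

    def from_proxy(self, frame):
        """Turn a spoofed frame back into the real 4-tuple it must be sent on."""
        cid, direction, app_id = HDR.unpack_from(frame)
        src, dst, sport, dport = self.by_id[cid]
        if direction == TO_CLIENT:
            src, dst, sport, dport = dst, src, dport, sport
        elif direction != TO_SERVER:
            raise ValueError("proxy must answer with a delivery direction")
        return (src, dst, sport, dport), app_id, frame[HDR.size:]


class ProxySide:
    """Demultiplexes frames into per-(connection, app) sockets and spoofs output back."""

    def __init__(self, apps):
        self.apps = apps      # app ID -> callable(payload, from_client) -> bytes or None
        self.sockets = {}     # (connection ID, app ID) -> received (direction, payload) list

    def handle(self, frame):
        cid, direction, app_id = HDR.unpack_from(frame)
        payload = frame[HDR.size:]
        self.sockets.setdefault((cid, app_id), []).append((direction, payload))
        out = self.apps[app_id](payload, direction == FROM_CLIENT)
        if out is None:
            return None   # application dropped the segment; nothing is spoofed back
        second = TO_SERVER if direction == FROM_CLIENT else TO_CLIENT
        return HDR.pack(cid, second, app_id) + out


def http_filter(payload, from_client):
    """Toy proxy application: refuse client requests containing path traversal."""
    if from_client and b"/../" in payload:
        return None
    return payload


def demo():
    # Constructed sample exchange: one request, its reply, and a rejected request.
    router, proxy = RouterSide(), ProxySide({HTTP_APP: http_filter})
    c = ("192.0.2.10", "203.0.113.5", 51000, 80)
    req = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    f1 = router.to_proxy(*c, req, HTTP_APP)
    to, _, body = router.from_proxy(proxy.handle(f1))
    f2 = router.to_proxy(c[1], c[0], c[3], c[2], b"HTTP/1.1 200 OK\r\n\r\n", HTTP_APP)
    reply_to, _, reply = router.from_proxy(proxy.handle(f2))
    f3 = router.to_proxy(*c, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n", HTTP_APP)
    return {
        "same_conn_id": HDR.unpack_from(f1)[0] == HDR.unpack_from(f2)[0],
        "request_delivered_to": to, "request_body": body,
        "reply_delivered_to": reply_to, "reply_body": reply,
        "traversal_blocked": proxy.handle(f3) is None,
    }
```

Using distinct values for the inbound (`FROM_*`) and outbound (`TO_*`) directions is what keeps the router from looping a spoofed frame straight back to the proxy; the router also only ever trusts its own 4-tuple table for addressing, so a proxy application cannot redirect bytes to a connection it was not assigned.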
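
Entries 7334035 and 6912570 (same abstract) describe an intermediate device that inspects traffic, extracts state information, rewrites the state graph it classifies with, and then keeps inspecting with the modified graph so that QoS classification can follow the high-level application. The Python below is an added example written for this listing and is not the patents' or Cisco's classification engine; the FTP PASV scenario, the `StateGraph`/`Inspector` names and the sample packets are assumptions chosen because a passive-mode reply is the simplest case where a packet's contents dictate a new edge in the graph.

```python
import re
from dataclasses import dataclass


@dataclass
class Pkt:
    # Constructed sample packet type for the example.
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""


def flow_key(p):
    # Direction-independent key so both halves of a connection share one state.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class StateGraph:
    """state -> [(matcher, next_state, qos_class, on_enter)]; edges may be added at run time."""

    def __init__(self):
        self.edges = {}

    def add_edge(self, state, matcher, next_state, qos_class=None, on_enter=None):
        self.edges.setdefault(state, []).append((matcher, next_state, qos_class, on_enter))

    def step(self, state, pkt):
        for matcher, nxt, qos, hook in self.edges.get(state, []):
            if matcher(pkt):
                if hook:
                    hook(pkt, self)   # state information found in the packet rewrites the graph
                return nxt, qos
        return state, None            # no edge matched: state unchanged, no class yet


class Inspector:
    """Walks each flow through the graph and reports the QoS class of the matched edge."""

    def __init__(self, graph):
        self.graph = graph
        self.state = {}   # flow key -> current state

    def classify(self, pkt):
        key = flow_key(pkt)
        nxt, qos = self.graph.step(self.state.get(key, "start"), pkt)
        self.state[key] = nxt
        return nxt, qos


PASV = re.compile(rb"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def learn_ftp_data(pkt, graph):
    """On a 227 reply, add an edge so the announced data connection is classified as bulk."""
    m = PASV.search(pkt.payload)
    if not m:
        return
    n = [int(x) for x in m.groups()]
    ip, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
    if ip != pkt.src:
        return   # refuse to learn a pinhole toward an address the replying server does not own
    graph.add_edge("start",
                   lambda p, ip=ip, port=port: p.dst == ip and p.dport == port,
                   "ftp-data", qos_class="bulk")


def build_graph():
    g = StateGraph()
    g.add_edge("start", lambda p: p.dport == 21, "ftp-control", qos_class="control")
    g.add_edge("ftp-control",
               lambda p: p.sport == 21 and p.payload.startswith(b"227 "),
               "ftp-pasv", qos_class="control", on_enter=learn_ftp_data)
    return g


def demo():
    insp = Inspector(build_graph())
    client, server = "192.0.2.10", "203.0.113.7"
    data = Pkt(client, server, 50001, 50000, b"RETR payload")
    before = insp.classify(data)                     # unknown before the PASV exchange
    ctrl = insp.classify(Pkt(client, server, 51000, 21, b"PASV\r\n"))
    pasv = insp.classify(Pkt(server, client, 21, 51000,
                             b"227 Entering Passive Mode (203,0,113,7,195,80)\r\n"))
    after = insp.classify(data)                      # now classified via the learned edge
    # A forged 227 naming a third host must not create a classification for it.
    insp.classify(Pkt(client, server, 51001, 21, b"PASV\r\n"))
    insp.classify(Pkt(server, client, 21, 51001,
                      b"227 Entering Passive Mode (10,0,0,9,195,81)\r\n"))
    forged = insp.classify(Pkt(client, "10.0.0.9", 50002, 50001, b"x"))
    return before, ctrl, pasv, after, forged
```

The check in `learn_ftp_data` that the announced address equals the server's own is the caveat a practitioner should insist on for any self-modifying classifier: the "state information" that rewrites the graph arrives in attacker-influenced payload, and without that check a single crafted reply could make the device classify (or, in a firewall, admit) traffic toward an arbitrary host. Learned edges should also carry an expiry so the graph does not grow without bound.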