Abstract: Methods and apparatus for supporting secure packet communications, e.g., sRTP/sRTCP, which are resistant to denial of service attacks are described. A received packet is identified to correspond to a particular stream being received, the stream having a current expected set of packet sequence numbers, e.g., a current window including a next expected packet sequence number and at least one packet sequence number in the expected packet window on each side of the expected packet sequence number. Unencrypted information from the received packet, e.g., a received packet sequence number, is used to determine at least one of: to drop the received packet, or to assign the packet to one of a plurality of policing levels. If the packet passes policing at its assigned policing level, the packet may undergo authentication and decryption to determine if it is a valid packet.

Abstract: Methods and apparatus for supporting secure packet communications, e.g., sRTP/sRTCP, which are resistant to denial of service attacks are described. A received packet is identified to correspond to a particular stream being received, the stream having a current expected set of packet sequence numbers, e.g., a current window including a next expected packet sequence number and at least one packet sequence number in the expected packet window on each side of the expected packet sequence number. Unencrypted information from the received packet, e.g., a received packet sequence number, is used to determine at least one of: to drop the received packet, or to assign the packet to one of a plurality of policing levels. If the packet passes policing at its assigned policing level, the packet may undergo authentication and decryption to determine if it is a valid packet.

Abstract: Methods and apparatus for supporting secure packet communications, e.g., sRTP/sRTCP, which are resistant to denial of service attacks are described. A received packet is identified to correspond to a particular stream being received, the stream having a current expected set of packet sequence numbers, e.g., a current window including a next expected packet sequence number and at least one packet sequence number in the expected packet window on each side of the expected packet sequence number. Unencrypted information from the received packet, e.g., a received packet sequence number, is used to determine at least one of: to drop the received packet, or to assign the packet to one of a plurality of policing levels. If the packet passes policing at its assigned policing level, the packet may undergo authentication and decryption to determine if it is a valid packet.

Abstract: Described are methods and apparatuses, including computer program products, for limiting server overload via client control. A first set of a plurality of requests are transmitted to a server at a first transmission rate during a first period of time. The first transmission rate is limited to be less than or equal to a first transmission limit rate. An overload value is determined based on whether at least two or more requests of the first set of requests for service satisfy an overload criterion. A second transmission limit rate is determined based on the overload value and the first transmission limit rate. A second set of a plurality of requests is transmitted to the server at a second transmission rate during a second period of time. The second transmission rate is limited to be less than or equal to the second transmission limit rate.

Abstract: Methods and apparatuses, including computer program products, are described for transparent recovery of transport connections. The method includes collecting a state associated with a first connection between a first server and a remote server via a first network socket and transmitting the state from a first networking module to a second networking module. The method includes storing the state, opening a second network socket based on failure of the first networking module, intercepting outbound packets associated with a request to initiate a second connection between the first server and the remote server via the second socket, modifying the intercepted packets based on the state, and transmitting the modified packets to the remote server to elicit an acknowledgement to maintain the first connection. The method includes receiving packets associated with the acknowledgment from the remote server, and modifying the received packets to acknowledge the request to initiate the second connection.

Abstract: Described are computer-based methods and apparatuses, including computer program products, for loosely-coupled encryption functionality for operating systems. A data packet is processed through one or more internet protocol stack layers to generate a processed data packet. Encryption information is determined that includes parameters for encrypting and decrypting data packets transmitted between the first computing device and the remote computer. A message comprising data indicative of the encryption information is transmitted to a second computing device, wherein an operating system being executed is unaware of a security nature of the transmission. A bypass encryption routine is executed to generate a unencrypted data packet, wherein the bypass encryption routine does not encrypt the processed data packet. The unencrypted data packet is transmitted to the second computing device.

Abstract: Described are computer-based methods and apparatuses, including computer program products, for load balancing among VOIP servers. An identity table includes an identity entry for a plurality of servers, each identity entry comprising a FQDN and load balancing information. A persistence table stores persistence entries indicative of a persistent connection between a client and a server. Updated load balancing information determined by the first server is received. The identity table is updated based on the updated load balancing information. A service request is received from a client. If the client is not associated with a persistence entry, a second server is selected from the plurality of servers based on load balancing information for each identity entry in the identity table. A persistence entry is stored indicative of a persistent connection between the client and the selected second server, the persistence entry comprising a FQDN and an identifier for the client.

Abstract: Described are computer-based methods and apparatuses, including computer program products, for loosely-coupled encryption functionality for operating systems. A data packet is processed through one or more internet protocol stack layers to generate a processed data packet. Modified encryption information is determined that does not comprise a desired security policy for the data packet and comprises null parameter(s) and is based on encryption information that comprises the desired security policy. A message comprising data indicative of the encryption information is transmitted. An operating system is unaware of a security nature of the transmission. A null-encryption routine is executed to generate an unencrypted data packet, wherein the null-encryption routine does not encrypt the processed data packet. The unencrypted data packet is transmitted to the second computing device.

Abstract: Methods and apparatuses, including computer program products, are described for transparent recovery of transport connections. The method includes collecting a state associated with a first connection between a first server and a remote server via a first network socket and transmitting the state from a first networking module to a second networking module. The method includes storing the state, opening a second network socket based on failure of the first networking module, intercepting outbound packets associated with a request to initiate a second connection between the first server and the remote server via the second socket, modifying the intercepted packets based on the state, and transmitting the modified packets to the remote server to elicit an acknowledgement to maintain the first connection. The method includes receiving packets associated with the acknowledgment from the remote server, and modifying the received packets to acknowledge the request to initiate the second connection.

Abstract: Described are computer-based methods and apparatuses, including computer program products, for identifying attackers on a network. A data packet is filtered by a multi-tiered filtering and transmission system. Data packets matching the first tier filter are discarded. Data packets matching the second tier filter are transmitted to an output module based on a criterion. Data packets in the third tier filter are hashed into bins and data packets matching an entry in the bin are transmitted to the output module based on a criterion for the bin. Data packets in the fourth tier transmission system are transmitted to the output module based on a criterion. Data packets that do not meet the criterion for transmission to the output module are transmitted to an attack identification module which analyzes the data packets to identify attacks.

Abstract: Methods and apparatuses, including computer program products, are described for policing and prioritizing of data services. Each packet in a data stream is directed to a substream policer of a plurality of substream policers. Each packet is allowed through the substream policer based on rate parameters associated with the substream policer. The packets allowed by the substream policer are directed to an aggregate policer. Each packet allowed through the substream policer is allowed through the aggregate policer based on rate parameters associated with the aggregate policer. The substream policer and the aggregate policer are charged for each packet allowed by both the substream policer and the aggregate policer. The substream policer and the aggregate policer are not charged for each packet not allowed by either the substream policer or the aggregate policer.

Abstract: Methods and apparatuses, including computer program products, are described for priority policing of requests with deferred determination of priority level. The method includes directing each packet in a data stream to a policer. The method also includes determining whether to allow, reject, or conditionally pass each packet through the policer based on parameters associated with the policer. The method also includes directing each packet conditionally passed by the policer to a classifier associated with the policer. The method also includes determining, by the classifier, a priority value of each packet received from the policer. The method also includes directing, by the classifier, each prioritized packet to the policer. The method also includes determining whether to allow or reject each prioritized packet through the policer based on the priority value.

Abstract: Described are computer-based methods and apparatuses, including computer program products, for scalable filtering and policing mechanism for protecting user traffic in a network. A data packet is filtered by a multi-tiered filtering and transmission system. Data packets matching the first tier filter are discarded. Data packets matching the second tier filter are transmitted to an output module based on a criterion. Data packets in the third tier filter are hashed into bins and data packets matching an entry in the bin are transmitted to the output module based on a criterion for the bin. Data packets in the fourth tier transmission system are transmitted to the output module based on a criterion. Data packets that do not meet the criterion for transmission to the output module are transmitted to an attack identification module which analyzes the data packets to identify attacks.

Abstract: Described are computer-based methods and apparatuses, including computer program products, for filtering and policing for defending against denial of service attacks on a network. A data packet is filtered by a multi-tiered filtering and transmission system. Data packets matching the first tier filter are discarded. Data packets matching the second tier filter are transmitted to an output module based on a criterion. Data packets in the third tier filter are hashed into bins and data packets matching an entry in the bin are transmitted to the output module based on a criterion for the bin. Data packets in the fourth tier transmission system are transmitted to the output module based on a criterion. Data packets that do not meet the criterion for transmission to the output module are transmitted to an attack identification module which analyzes the data packets to identify attacks.

Abstract: Described are computer-based methods and apparatuses, including computer program products, for filtering and policing for defending against denial of service attacks on a network. A data packet is filtered by a multi-tiered filtering and transmission system. Data packets matching the first tier filter are discarded. Data packets matching the second tier filter are transmitted to an output module based on a criterion. Data packets in the third tier filter are hashed into bins and data packets matching an entry in the bin are transmitted to the output module based on a criterion for the bin. Data packets in the fourth tier transmission system are transmitted to the output module based on a criterion. Data packets that do not meet the criterion for transmission to the output module are transmitted to an attack identification module which analyzes the data packets to identify attacks.

Abstract: Described are computer-based methods and apparatuses, including computer program products, for identifying attackers on a network. A data packet is filtered by a multi-tiered filtering and transmission system. Data packets matching the first tier filter are discarded. Data packets matching the second tier filter are transmitted to an output module based on a criterion. Data packets in the third tier filter are hashed into bins and data packets matching an entry in the bin are transmitted to the output module based on a criterion for the bin. Data packets in the fourth tier transmission system are transmitted to the output module based on a criterion. Data packets that do not meet the criterion for transmission to the output module are transmitted to an attack identification module which analyzes the data packets to identify attacks.

Abstract: Described are computer-based methods and apparatuses, including computer program products, for scalable filtering and policing mechanism for protecting user traffic in a network. A data packet is filtered by a multi-tiered filtering and transmission system. Data packets matching the first tier filter are discarded. Data packets matching the second tier filter are transmitted to an output module based on a criterion. Data packets in the third tier filter are hashed into bins and data packets matching an entry in the bin are transmitted to the output module based on a criterion for the bin. Data packets in the fourth tier transmission system are transmitted to the output module based on a criterion. Data packets that do not meet the criterion for transmission to the output module are transmitted to an attack identification module which analyzes the data packets to identify attacks.