-
Publication number: US20180109554A1
Publication date: 2018-04-19
Application number: US15292503
Filing date: 2016-10-13
Applicant: Cisco Technology, Inc.
Inventor: K Tirumaleswar Reddy , Daniel G. Wing , Carlos M. Pignataro
IPC: H04L29/06
CPC classification number: H04L63/1458 , H04L63/0245 , H04L63/0428 , H04L63/08 , H04L63/10 , H04L2463/143 , H04W4/70 , H04W12/08
Abstract: Presented herein are techniques for remediating a distributed denial of service attack. A methodology includes, at a network device, such as a constrained resource Internet of Things (IoT) device, receiving from an authorization server cryptographic material sufficient to validate and decrypt tokens carried in packets, detecting a denial of service attack that employs packets containing invalid tokens, and in response to detecting the denial of service attack, signaling a remediation server for assistance to remediate the denial of service attack, and sending to the remediation server the cryptographic material over a secure communication channel such that the remediation server enables validation and decryption of tokens carried in packets, subsequent to detection of the denial of service attack, that are destined for the network device.
-
Publication number: US20230118375A1
Publication date: 2023-04-20
Application number: US18068470
Filing date: 2022-12-19
Applicant: Cisco Technology, Inc.
Inventor: K Tirumaleswar Reddy , Prashanth Patil , Carlos M. Pignataro
Abstract: A method for resuming a Transport Layer Security (TLS) session in a Service Function Chain comprising a plurality of Service Function nodes coupled to a Service Function Forwarder. A request is received at a first Service Function node to establish a TLS session, and a Pre-Shared Key (PSK) and a PSK identifier that uniquely correspond to the first Service Function node and the TLS session are generated. The PSK identifier is forwarded to one or more of the Service Function Forwarder and the plurality of Service Function nodes. A request to resume the TLS session is received from a client device that previously disconnected. It is determined that the connection request contains the PSK identifier, a second Service Function node is selected, and the TLS session is re-established between the client device and the second Service Function node using the same PSK as the prior TLS session.
-
Publication number: US10382480B2
Publication date: 2019-08-13
Application number: US15292503
Filing date: 2016-10-13
Applicant: Cisco Technology, Inc.
Inventor: K Tirumaleswar Reddy , Daniel G. Wing , Carlos M. Pignataro
Abstract: Presented herein are techniques for remediating a distributed denial of service attack. A methodology includes, at a network device, such as a constrained resource Internet of Things (IoT) device, receiving from an authorization server cryptographic material sufficient to validate and decrypt tokens carried in packets, detecting a denial of service attack that employs packets containing invalid tokens, and in response to detecting the denial of service attack, signaling a remediation server for assistance to remediate the denial of service attack, and sending to the remediation server the cryptographic material over a secure communication channel such that the remediation server enables validation and decryption of tokens carried in packets, subsequent to detection of the denial of service attack, that are destined for the network device.
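The flow described in the two abstracts above (US20180109554A1 and its grant US10382480B2), as an added example that is not the patent's own code: the constrained device holds validation material from an authorization server, checks the token at the front of each packet, counts invalid tokens in a sliding window, and on crossing a threshold signals a remediation server and hands it the same material so the remediation server can validate on the device's behalf. The token layout (4-byte expiry, 8-byte nonce, 16-byte truncated HMAC-SHA256 tag), the threshold and window values, the device identifier and the direct method call standing in for the secure channel are all assumptions of this example; the decrypt half of "validate and decrypt" is not modelled, only validation.

```python
import hashlib
import hmac
import os
import struct
from collections import deque

# Assumed token layout for this example: expiry(4) || nonce(8) || truncated tag(16).
TOKEN_LEN = 4 + 8 + 16


def _tag(key: bytes, device_id: bytes, expiry: int, nonce: bytes) -> bytes:
    msg = device_id + struct.pack("!I", expiry) + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def mint_token(key: bytes, device_id: bytes, expiry: int) -> bytes:
    """What the authorization server would issue to a legitimate client."""
    nonce = os.urandom(8)
    return struct.pack("!I", expiry) + nonce + _tag(key, device_id, expiry, nonce)


def validate_token(key: bytes, device_id: bytes, token: bytes, now: int) -> bool:
    if len(token) != TOKEN_LEN:
        return False
    expiry = struct.unpack("!I", token[:4])[0]
    nonce, tag = token[4:12], token[12:]
    if now > expiry:
        return False
    return hmac.compare_digest(tag, _tag(key, device_id, expiry, nonce))


class RemediationServer:
    """Stand-in: receives key material that would travel over a secure channel."""

    def __init__(self) -> None:
        self.keys = {}
        self.requests = []

    def request_remediation(self, device_id: bytes, key: bytes) -> None:
        self.requests.append(device_id)
        self.keys[device_id] = key

    def filter_packet(self, device_id: bytes, packet: bytes, now: int) -> bool:
        """Once it holds the key it can validate tokens destined for the device."""
        key = self.keys.get(device_id)
        return key is not None and validate_token(key, device_id, packet[:TOKEN_LEN], now)


class ConstrainedDevice:
    def __init__(self, device_id: bytes, key: bytes, remediation: RemediationServer,
                 threshold: int = 5, window: int = 10) -> None:
        self.device_id = device_id
        self.key = key                      # material provisioned by the authorization server
        self.remediation = remediation
        self.threshold = threshold          # invalid tokens per window that count as an attack
        self.window = window                # seconds
        self.invalid_times = deque()
        self.under_attack = False

    def handle_packet(self, packet: bytes, now: int) -> str:
        if validate_token(self.key, self.device_id, packet[:TOKEN_LEN], now):
            return "accept"
        self.invalid_times.append(now)
        while self.invalid_times and now - self.invalid_times[0] > self.window:
            self.invalid_times.popleft()
        if not self.under_attack and len(self.invalid_times) >= self.threshold:
            self.under_attack = True
            # signal for help and hand over the validation material
            self.remediation.request_remediation(self.device_id, self.key)
        return "drop"


def simulate() -> dict:
    """Constructed scenario: one good packet, then a burst of packets with random tokens."""
    remediation = RemediationServer()
    device_id = b"sensor-42"                # constructed identifier
    key = os.urandom(32)                    # what the authorization server would provision
    device = ConstrainedDevice(device_id, key, remediation)
    now = 1_000
    good = mint_token(key, device_id, expiry=now + 60) + b"telemetry-request"
    results = [device.handle_packet(good, now)]
    for _ in range(6):
        results.append(device.handle_packet(os.urandom(TOKEN_LEN) + b"junk", now))
    return {
        "first": results[0],
        "under_attack": device.under_attack,
        "signalled": remediation.requests == [device_id],
        "scrub_accepts_good": remediation.filter_packet(device_id, good, now),
        "scrub_drops_bad": remediation.filter_packet(device_id, os.urandom(TOKEN_LEN), now),
        "expired_rejected": not validate_token(key, device_id, good[:TOKEN_LEN], now + 120),
    }
```

The point of the hand-off is that the remediation server needs only the validation material, not the device's private state, to drop the flood upstream; a real deployment would also rotate that material after the incident, since it has now left the device.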
-
Publication number: US10305931B2
Publication date: 2019-05-28
Application number: US15297241
Filing date: 2016-10-19
Applicant: Cisco Technology, Inc.
Abstract: In one embodiment, a primary server receives, from a client device, a first request to mitigate an external attack on the client device. The primary server sends, to a plurality of secondary servers, a second request to mitigate the external attack, wherein each one of the plurality of secondary servers has associated mitigation resources, and receives from at least one of the plurality of secondary servers an indication that it has mitigation resources capable of mitigating the external attack. The primary server sends, to the client device, a list including the secondary servers having mitigation resources capable of mitigating the attack, and receives, from the client device, an indication that a subset of the list is selected to mitigate the external attack. In response, the primary server sends a request for mitigation services to one of the secondary servers in the subset selected to mitigate the external attack.
-
Publication number: US20180351757A1
Publication date: 2018-12-06
Application number: US15615270
Filing date: 2017-06-06
Applicant: Cisco Technology, Inc.
Inventor: K Tirumaleswar Reddy , Ram Mohan Ravindranath , Kaustubh Inamdar , Gonzalo Salgueiro
CPC classification number: H04L12/1822 , H04L12/1818 , H04L63/0457 , H04L63/062 , H04L63/166
Abstract: The disclosed technology addresses the need in the art for detecting an unauthorized participant in a multiparty conferencing session. A system is configured to join a conferencing session, obtain a roster for the conferencing session via a Session Initiation Protocol (SIP) channel, and generate a roster hash value based on the roster. The system may further receive a reference hash value from a key management server and compare the reference hash value with the roster hash value. The system may determine that the roster is invalid when the reference hash value does not match the roster hash value.
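The roster check described above, as an added example that is not the patent's own code. The detail the abstract leaves implicit is canonicalisation: the client and the key management server must hash byte-identical input, so the roster is trimmed, lower-cased, de-duplicated and sorted before hashing, otherwise SIP delivery order alone would produce a false mismatch. The KMS class, its interface and the sample SIP URIs are constructed for this example.

```python
import hashlib
import hmac
from typing import Iterable


def canonical_roster(roster: Iterable[str]) -> bytes:
    """Canonical form: trimmed, lower-cased, de-duplicated, sorted, newline-joined."""
    uris = sorted({uri.strip().lower() for uri in roster})
    return "\n".join(uris).encode("utf-8")


def roster_hash(roster: Iterable[str]) -> bytes:
    return hashlib.sha256(canonical_roster(roster)).digest()


class KeyManagementServer:
    """Stand-in for the key management server (assumed interface): it knows the
    authorised participant list and serves the reference hash, never the list."""

    def __init__(self, authorized: Iterable[str]) -> None:
        self._authorized = list(authorized)

    def reference_hash(self) -> bytes:
        return roster_hash(self._authorized)


def check_conference_roster(observed_roster: Iterable[str], kms: KeyManagementServer) -> dict:
    """Hash the roster obtained over SIP and compare it with the KMS reference hash."""
    observed = roster_hash(observed_roster)
    reference = kms.reference_hash()
    # constant-time comparison so the verdict does not leak how many bytes matched
    valid = hmac.compare_digest(observed, reference)
    return {"valid": valid, "observed": observed.hex(), "reference": reference.hex()}


# Constructed sample roster for a three-party call.
AUTHORIZED = ["sip:alice@example.com", "sip:bob@example.com", "sip:carol@example.com"]
```

A mismatch tells the client that the roster is invalid but not which entry is wrong; because the KMS hands out only a hash, the client cannot diff the lists, which is the intended property (the authorised roster is not exposed to every endpoint).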
-
Publication number: US20170257310A1
Publication date: 2017-09-07
Application number: US15058259
Filing date: 2016-03-02
Applicant: Cisco Technology, Inc.
Inventor: Prashanth Patil , K Tirumaleswar Reddy , Steven Richard Stites , James N. Guichard
IPC: H04L12/725 , H04L12/46 , H04L29/08
CPC classification number: H04L45/306 , H04L12/4633 , H04L45/64 , H04L47/115 , H04L47/31
Abstract: At a service function node configured to perform at least one service function on a data flow that follows a service function path, degradation in performing the service function is detected. The service function node generates a status indicator for the degradation in performing the service function and inserts the status indicator into a peer detection packet. The peer detection packet encapsulates an inner packet with a header that indicates the service function path. The service function node forwards the peer detection packet to a neighboring service function node along the service function path.
-
Publication number: US11108814B2
Publication date: 2021-08-31
Application number: US16551280
Filing date: 2019-08-26
Applicant: Cisco Technology, Inc.
Inventor: K Tirumaleswar Reddy , Ram Mohan Ravindranath , Prashanth Patil , Carlos M. Pignataro
Abstract: A web conferencing operator can enable participants to share multimedia content in real-time despite one or more of the participants operating from behind a middlebox via network address translation (NAT) traversal protocols and tools, such as STUN, TURN, and/or ICE. In NAT traversal, participants share transport addresses that the participants can use to establish a joint media session. However, connectivity checks during NAT traversal can expose a media distribution device hosted by the web conferencing operator to various vulnerabilities, such as distributed denial of service (DDoS) attacks. The web conferencing operator can minimize the effects of a DDoS attack during the connectivity checks at scale and without significant performance degradation by configuring the middlebox to validate incoming requests for the connectivity checks without persistent signaling between the web conference operator and the middlebox.
-
Publication number: US10554689B2
Publication date: 2020-02-04
Application number: US15582026
Filing date: 2017-04-28
Applicant: Cisco Technology, Inc.
Inventor: K Tirumaleswar Reddy , Prashanth Patil , Carlos M. Pignataro
IPC: H04L29/06
Abstract: A method for resuming a Transport Layer Security (TLS) session in a Service Function Chain comprising a plurality of Service Function nodes coupled to a Service Function Forwarder. A request is received at a first Service Function node to establish a TLS session, and a Pre-Shared Key (PSK) and a PSK identifier that uniquely correspond to the first Service Function node and the TLS session are generated. The PSK identifier is forwarded to one or more of the Service Function Forwarder and the plurality of Service Function nodes. A request to resume the TLS session is received from a client device that previously disconnected. It is determined that the connection request contains the PSK identifier, a second Service Function node is selected, and the TLS session is re-established between the client device and the second Service Function node using the same PSK as the prior TLS session.
-
Publication number: US20190020678A1
Publication date: 2019-01-17
Application number: US15646429
Filing date: 2017-07-11
Applicant: Cisco Technology, Inc.
Inventor: K Tirumaleswar Reddy , Ram Mohan Ravindranath , Prashanth Patil , Carlos M. Pignataro
CPC classification number: H04L63/1458 , H04L9/3228 , H04L9/3236 , H04L9/3297 , H04L63/0838 , H04L63/1425 , H04L65/1006 , H04L65/403
Abstract: A web conferencing operator can enable participants to share multimedia content in real-time despite one or more of the participants operating from behind a middlebox via network address translation (NAT) traversal protocols and tools, such as STUN, TURN, and/or ICE. In NAT traversal, participants share transport addresses that the participants can use to establish a joint media session. However, connectivity checks during NAT traversal can expose a media distribution device hosted by the web conferencing operator to various vulnerabilities, such as distributed denial of service (DDoS) attacks. The web conferencing operator can minimize the effects of a DDoS attack during the connectivity checks at scale and without significant performance degradation by configuring the middlebox to validate incoming requests for the connectivity checks without persistent signaling between the web conference operator and the middlebox.
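The connectivity-check validation described in the two abstracts above (US11108814B2 and US20190020678A1), as an added example that is not the patent's own code. It builds and verifies real STUN Binding Requests with the RFC 5389 MESSAGE-INTEGRITY attribute (HMAC-SHA1 over the message with the length field adjusted to cover the attribute). To avoid per-session signaling to the middlebox, the example assumes the operator and the middlebox share one long-term secret and derive the short-term ICE password from the USERNAME, which here carries an expiry timestamp; that derivation, the "expiry:session" username format standing in for the ICE ufrag, and the shared secret are assumptions of this example, not claims of the patent.

```python
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008


def _attr(attr_type: int, value: bytes) -> bytes:
    """STUN TLV: type, length, value padded to a 4-byte boundary."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_binding_request(username: str, password: str, txid: bytes = b"") -> bytes:
    """What an ICE agent sends; the HMAC covers the header with the length already
    including the 24-byte MESSAGE-INTEGRITY attribute (RFC 5389, section 15.4)."""
    txid = txid or os.urandom(12)
    body = _attr(ATTR_USERNAME, username.encode())
    header = struct.pack("!HHI", BINDING_REQUEST, len(body) + 24, MAGIC_COOKIE) + txid
    mac = hmac.new(password.encode(), header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def parse_attributes(msg: bytes):
    off = 20
    while off + 4 <= len(msg):
        attr_type, length = struct.unpack("!HH", msg[off:off + 4])
        yield attr_type, msg[off + 4:off + 4 + length], off
        off += 4 + length + ((-length) % 4)


def verify_binding_request(msg: bytes, lookup_password) -> bool:
    """Check header sanity and MESSAGE-INTEGRITY; attributes after it are ignored."""
    if len(msg) < 20:
        return False
    mtype, mlen, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_REQUEST or cookie != MAGIC_COOKIE or mlen != len(msg) - 20:
        return False
    username, integrity = None, None
    for attr_type, value, off in parse_attributes(msg):
        if attr_type == ATTR_USERNAME:
            username = value.decode(errors="replace")
        elif attr_type == ATTR_MESSAGE_INTEGRITY:
            integrity = (value, off)
            break
    if username is None or integrity is None or len(integrity[0]) != 20:
        return False
    password = lookup_password(username)
    if password is None:
        return False
    tag, off = integrity
    # re-serialise the header with the length pointing at the end of MESSAGE-INTEGRITY
    covered = struct.pack("!HHI", mtype, off + 24 - 20, MAGIC_COOKIE) + msg[8:off]
    expected = hmac.new(password.encode(), covered, hashlib.sha1).digest()
    return hmac.compare_digest(tag, expected)


def derive_password(shared_secret: bytes, username: str) -> str:
    """Assumed scheme: ICE password = HMAC(shared secret, username), so both the
    operator issuing credentials and the middlebox can compute it independently."""
    return hmac.new(shared_secret, username.encode(), hashlib.sha256).hexdigest()[:32]


class Middlebox:
    """Validates connectivity checks with nothing but the shared secret and a clock."""

    def __init__(self, shared_secret: bytes, now) -> None:
        self.shared_secret = shared_secret
        self.now = now

    def _lookup(self, username: str):
        try:                                   # assumed username format "expiry:session"
            expiry = int(username.split(":", 1)[0])
        except ValueError:
            return None
        if self.now() > expiry:
            return None                        # stale credential: drop before any HMAC work
        return derive_password(self.shared_secret, username)

    def admit(self, msg: bytes) -> bool:
        return verify_binding_request(msg, self._lookup)
```

The expiry check runs before the HMAC, so a flood of requests carrying old or malformed usernames costs the middlebox a string parse rather than a hash each; requests with a valid username but a wrong password still cost one HMAC-SHA1, which is the bound this design accepts.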
-
Publication number: US20180109555A1
Publication date: 2018-04-19
Application number: US15297241
Filing date: 2016-10-19
Applicant: Cisco Technology, Inc.
IPC: H04L29/06
CPC classification number: H04L63/1458 , G06F21/554 , G06F2221/2111 , H04W4/70 , H04W12/12
Abstract: In one embodiment, a primary server receives, from a client device, a first request to mitigate an external attack on the client device. The primary server sends, to a plurality of secondary servers, a second request to mitigate the external attack, wherein each one of the plurality of secondary servers has associated mitigation resources, and receives from at least one of the plurality of secondary servers an indication that it has mitigation resources capable of mitigating the external attack. The primary server sends, to the client device, a list including the secondary servers having mitigation resources capable of mitigating the attack, and receives, from the client device, an indication that a subset of the list is selected to mitigate the external attack. In response, the primary server sends a request for mitigation services to one of the secondary servers in the subset selected to mitigate the external attack.