(12) United States Patent
Ye

(10) Patent No.: US 7,295,516 B1
(45) Date of Patent: Nov. 13, 2007

(54) EARLY TRAFFIC REGULATION TECHNIQUES TO PROTECT AGAINST NETWORK FLOODING
(75) Inventor: Baoqing Ye, Nashua, NH (US)
(73) Assignee: Verizon Services Corp., Waltham, MA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1068 days.
(21) Appl. No.: 10/010,774
(22) Filed: Nov. 13, 2001
(51) Int. Cl.: HO4S 1/16 (2006.01); HOAS 3/16 (2006.01); G06F 11/00 (2006.01)
(52) U.S. Cl.: 370/232; 370/236; 370/468; 726/22
(58) Field of Classification Search: 370/229-236.1, 370/395.1, 465. See application file for complete search history.

Primary Examiner: Chau Nguyen
Assistant Examiner: Nittaya Juntima

11 Claims, 10 Drawing Sheets

(57) ABSTRACT

Methods and apparatus for providing an Anti-Flooding Flow-Control (AFFC) mechanism suitable for use in defending against flooding network Denial-of-Service (N-DoS) attacks are described. Features of the AFFC mechanism include (1) traffic baseline generation, (2) dynamic buffer management, (3) packet scheduling, and (4) optional early traffic regulation. Baseline statistics on the flow rates for flows of data corresponding to different classes of packets are generated. When a router senses congestion, it activates the AFFC mechanism of the present invention. Traffic flows are classified. Elastic traffic is examined to determine if it is responsive to flow control signals. Flows of non-responsive elastic traffic are dropped. The remaining flows are compared to corresponding class baseline flow rates. Flows exceeding the baseline flow rates are subject to forced flow rate reductions, e.g., dropping of packets.

[Front-page representative drawing: flowchart of the early traffic regulation (ETR) method, the same flowchart shown as FIGURE 9.]

Splunk Inc. Exhibit 1008 Page 1

[FIGURE 1 (Sheet 1 of 10): drawing; the only surviving label is reference numeral 108.]

[FIGURE 2 (Sheet 2 of 10): block diagram of network node 200. Block labels: traffic monitoring routine; recycling table; forwarding and flow control routine; memory; traffic classifier; traffic baseline generating module; dynamic buffer manager module; packet scheduler module; early-traffic regulator module; traffic baselines; packet forwarding engine; multiple class based packet queues; current traffic statistics (max bits, total bits, min bits); long term traffic statistics; I/O interface, to/from routers and/or host devices.]

[FIGURE 3 (Sheet 3 of 10): flowchart of traffic baseline generation routine 300. Box text, in order: Receive packets (incoming packet stream for time period ΔT); classify packets into classes, each class being defined by destination address, protocol type, and application type; for each class do: generate sum of maximum number of bits received from any one flow during each second of time period ΔT, generate sum of total bits received during time ΔT for all flows in class, and generate sum of minimum number of bits received from any one flow during each second of time period ΔT; subtract max and min sums from total sum to generate modified sum; divide modified sum by seconds in time period ΔT and number of flows in class minus 2 to generate current average flow data rate; store current average flow data rate; retrieve stored average flow data rates for time period ΔT from stored statistics for preceding weeks; exclude from set of average flow rates, including preceding weeks and current week, min and max average flow rate; generate average flow rate baseline, for given class, by averaging remaining flow rates; store generated class flow rate baseline; stop.]

[FIGURES 4, 6 and 7 (Sheet 4 of 10): rotated tables whose cell contents did not survive extraction. Panel titles: FIGURE 4, class flow baseline table for destination D2; FIGURE 6, flow statistics before processing; FIGURE 7, throughput after processing.]

[FIGURE 5 (Sheet 5 of 10): flowchart. Box labels: START; INITIATE ETR SIGNALING; CLASSIFY INCOMING TRAFFIC INTO FLOWS; FOR EACH FLOW; FLOW ELASTIC (branches: BEST EFFORT, ELASTIC); IS TRAFFIC RESPONSIVE?; IS TRAFFIC AGGRESSIVE?; BLOCK TRAFFIC; REGULATE FORWARDING RATE; FORWARD PACKETS SUBJECT TO APPLIED FORWARDING RATE REDUCTION; FORWARD PACKETS.]

[FIGURE 8 (Sheet 6 of 10): diagram. Surviving labels: MIN THRESHOLD; THRESHOLD; ORIGINAL ARRIVAL; OUTGOING RATE; DROPPING-RATE.]

[FIGURE 9 (Sheet 7 of 10): flowchart. Box text, in order: START ETR; detect potential congestion collapse at current node (bottleneck node); send message from bottleneck node to destination node to initiate a backtracing operation; destination node determines path of packet(s) corresponding to flow(s) causing bottleneck; destination node transmits path information to bottleneck node; bottleneck node sends an ETR signal including, e.g., destination address, to upstream node(s) indicated in received path information; in response to congestion control method, upstream node applies forced reduction to flow(s) directed to destination indicated in ETR signal.]

[FIGURES 10A and 10B (Sheet 8 of 10): block diagrams. FIGURE 10A: network node ETR module 228, with main ETR control routine and subroutine blocks. FIGURE 10B: host device ETR module, with subroutine blocks.]

[FIGURE 11 (Sheet 9 of 10): signaling diagram. Surviving labels: TO UPSTREAM NODE; DESTINATION NODE; FROM UPSTREAM NODE; reference numerals 110, 120, 127.]

[FIGURE 12 (Sheet 10 of 10): signaling diagram.]

EARLY TRAFFIC REGULATION TECHNIQUES TO PROTECT AGAINST NETWORK FLOODING

FIELD OF THE INVENTION

The present invention is directed to communication systems, and more particularly, to flow control methods and apparatus suitable for use in network congestion control, especially when systems are under flooding Denial-of-service attacks.

BACKGROUND OF THE INVENTION

Data networks are used today to transmit vast amounts of data. Such networks comprise elements sometimes called nodes. Nodes may be, e.g., routers, switches, and/or end-hosts. Among those nodes, routers or switches are called network nodes. End-hosts can serve as the source or destination of data transmitted through a network. In many packet networks, data is transmitted between a source and destination device as a flow of packets. Flows of packets can be categorized by a wide range of factors including, e.g., the type of protocol used to form and/or transmit the packet and/or the specific type of application to which the packet corresponds.

As known in the art, it is common to monitor traffic flows and store flow statistics in a database, e.g., for purposes of load balancing and traffic route determination. Gathered traffic information for a node typically includes information such as packet flow rates and, for each flow, protocol type, application type, source IP address, source port number, destination IP address, destination port number, etc. Such detailed statistics along with information about the time periods in which such statistics are gathered can be used to group traffic flows into a wide number of classes depending on the intended purpose of grouping the traffic.

Flooding Network DoS (N-DoS) attacks occur in a network when one or more sources send large amounts of data to a destination node, e.g., web page server, in an attempt to interfere with the normal servicing of traffic at the destination node. Flows of traffic used to implement an N-DoS attack can be considered malicious since their purpose is to interfere with the communication and servicing of legitimate network traffic.

Malicious flows associated with a flooding N-DoS attack often create congestion at certain nodes located prior to, i.e., upstream from, the flow's destination node. The nodes at which congestion occurs are sometimes referred to as bottleneck nodes.

As a result of malicious sources flooding a bottleneck node with traffic, legitimate traffic passing through the bottleneck node may be subject to dropping of packets thereby preventing legitimate communications. Thus, N-DoS attacks negatively affect legitimate users, and/or even cause their victims' services (e.g. web sites) to crash due to excessive loading.

One known technique for protecting against N-DoS attacks involves explicit signature capture and analysis. For example, those signatures can be communication port numbers, daemon names or commands, or contained in IP packet payload. Unfortunately these approaches can be ineffective and may result in negative consequences for legitimate users, because the signatures can change over time making a captured signature useless in identifying a malicious source during a subsequent attack.

Another disadvantage of the signature capture system is that the signature collection methods are an aftermath defense approach. Thus, such an approach helps in preventing future attacks with known signatures, but is of limited use during initial attacks.

In view of the above discussion, it is apparent that there is a need for methods of effectively identifying malicious traffic flows, e.g., traffic flows from individuals and/or sources involved in launching an N-DoS attack. There is also a need for methods and apparatus for reducing and/or eliminating the effects of malicious traffic flows associated with N-DoS attacks. It is desirable that at least some congestion control methods be capable of limiting malicious traffic before a significant collapse or restriction on legitimate network traffic occurs.

SUMMARY OF THE INVENTION

The present invention is directed to congestion control methods and apparatus. Various methods and apparatus of the invention are well suited for defending against flooding network Denial-of-Service (N-DoS) attacks.

An Anti-Flooding Flow-Control (AFFC) mechanism of the present invention monitors, analyzes, and regulates traffic flows at network nodes, e.g., routers, based on the flow's behavior. In a node, the AFFC mechanism of the invention utilizes a traffic baseline generating module, a dynamic buffer manager module, a packet scheduler module, and optionally, an early traffic regulator (ETR) module. Each module may be implemented using software and/or hardware.

In some embodiments traffic baselines are generated external to a node using traffic information for the particular node. The generated baselines are then supplied to the dynamic buffer manager and packet scheduler in the node. In such embodiments, the traffic baseline module may be implemented as a stand-alone device separate from packet forwarding nodes. This can reduce the processing burden placed on such nodes by the AFFC methods of the invention.

While the AFFC mechanism can be implemented in a single node, for more effective network protection it can be implemented in multiple network nodes. AFFC modules, e.g., ETR modules, of different nodes may, and in various embodiments do, interact with one another to perform a multi-node approach to congestion control.

The traffic baseline generating module receives and analyzes traffic statistics to generate baseline flow statistics, e.g., diurnal flow statistics, for individual periods of time, e.g., hours or minutes of a day in a week. The traffic baselines are generated for each node based on the traffic through the node over an extended period of time, e.g., multiple weeks.

As part of the flow control method, the current data flow rates are compared to the corresponding baseline flow rate for the same period of time and type of traffic. Flows are determined to be aggressive if they have an arrival rate that is higher than the baseline for flow of its type. In accordance with the present invention, under certain circumstances aggressive flows are targeted for forced data rate reductions. In addition to aggressive flows, unresponsive elastic flows may be blocked independently of traffic baselines.

The dynamic buffer manager module 224 and packet scheduler module 226 are the mechanisms by which forced reductions in data flow rates are implemented at a node in response to the presence of congestion. In accordance with the invention the forced data flow reduction functionality of the buffer manager and packet scheduler normally remains inactive. However, when congestion is detected or a control message is received from another network node as part of the ETR method of the invention, the forced data flow reduction functionality in a node is activated. An ETR message triggering activation of the buffer manager and packet scheduler functionality may be received from, e.g., a downstream node confronting a potential collapse due to congestion.

The dynamic buffer manager module 224 of the invention determines packet dropping rates to be applied to different data flows, e.g., those flows identified as being allowable but aggressive. The packet scheduler module 226 determines current packet forwarding rates, e.g., flow rates.

During periods of congestion during which the forced data flow reduction is applied, incoming data flows are processed based on their traffic types, elastic traffic and best effort traffic. Elastic traffic, which is not responsive to congestion signaling, e.g., ECN (Explicit Congestion Notification) or packet dropping, is considered malicious and dropped.

Elastic traffic that is responsive to congestion signals is considered allowable.

For both elastic traffic and best-effort traffic, allowable traffic flows are determined to be aggressive if the flow rate of the allowable flow exceeds a corresponding baseline flow rate. Allowable non-aggressive flows, e.g., flows having a flow rate equal to or lower than a corresponding baseline flow rate, are forwarded without being subject to flow rate reduction. Allowable flows that are found to be aggressive are subject to forced reductions in their flow rates during periods of congestion. The applied flow rate reduction may, e.g., reduce the flow rate of an aggressive flow to or below the corresponding flow rate baseline.

To support different packet drop rates for each allowable aggressive flow, packets from different allowable aggressive flows are stored in different packet forwarding queues, e.g., one per allowable aggressive flow. In some embodiments, e.g., where sufficient memory is not available to support one queue per flow, a group of flows (e.g. from the same domain) may be processed per queue.

The dynamic buffer manager module 224 of the invention determines packet dropping rates to be applied to different data flows, e.g., those flows identified as being allowable but aggressive. The packet scheduler module 226 determines current packet forwarding rates, e.g., flow rates. As mentioned above, the current flow rates are compared to the baseline flow rates and packets are dropped, e.g., when the current flow rate exceeds the baseline flow rate. Accordingly, incoming flows are subject to different reductions in their flow rates as a function of their normal baselines and their current arrival rates. In the case of malicious traffic flows, such forced data rate reductions may be interpreted as punishing of the malicious flows.

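The baseline arithmetic in the FIG. 3 flowchart text and the per-flow handling described in the paragraphs above, worked through as an added example (not code from the patent). Function and field names, the sample flows and the weekly history are constructed, and sizing the drop fraction to land exactly on the baseline is an assumption, since the text only says "to or below" it.

```python
"""AFFC sketch (added example): FIG. 3 baseline arithmetic plus the
per-flow decision from the Summary. All names here are hypothetical."""
from dataclasses import dataclass
from statistics import mean


def current_average_flow_rate(bits_per_second):
    """Average per-flow rate (bit/s) for one class over one period ΔT.

    bits_per_second maps flow id -> list of bits received in each second
    of ΔT. Following the FIG. 3 text: sum all bits, subtract the per-second
    maxima and minima, then divide by seconds * (flows - 2).
    """
    flows = list(bits_per_second.values())
    if len(flows) < 3:
        raise ValueError("need at least 3 flows; the max and min are discarded")
    seconds = len(flows[0])
    if seconds == 0 or any(len(f) != seconds for f in flows):
        raise ValueError("every flow needs one sample per second of the period")
    total_sum = sum(sum(f) for f in flows)
    per_second = list(zip(*flows))          # one tuple of flow samples per second
    max_sum = sum(max(s) for s in per_second)
    min_sum = sum(min(s) for s in per_second)
    modified_sum = total_sum - max_sum - min_sum
    return modified_sum / (seconds * (len(flows) - 2))


def class_baseline(preceding_weeks, current_week):
    """Baseline for a class and period: drop the lowest and highest weekly
    average (current week included) and average what remains."""
    rates = sorted([*preceding_weeks, current_week])
    if len(rates) < 3:
        raise ValueError("need at least 3 weekly averages to trim min and max")
    return mean(rates[1:-1])


@dataclass
class Flow:
    name: str
    elastic: bool        # False means best-effort traffic
    responsive: bool     # reacted to ECN marks or packet drops (elastic only)
    rate_bps: float      # current arrival rate


def affc_decision(flow, baseline_bps, congested):
    """Return (action, drop_fraction) for one flow.

    Assumption: an aggressive flow is cut to exactly its baseline rate.
    """
    if not congested:                       # forced reduction normally inactive
        return ("forward", 0.0)
    if flow.elastic and not flow.responsive:
        return ("block", 1.0)               # unresponsive elastic: treated as malicious
    if flow.rate_bps > baseline_bps:        # allowable but aggressive
        return ("regulate", 1.0 - baseline_bps / flow.rate_bps)
    return ("forward", 0.0)                 # allowable, at or below baseline


# Constructed sample data: four flows of one class over a 2-second period.
SAMPLE_PERIOD = {
    "f1": [100, 100],
    "f2": [200, 200],
    "f3": [300, 300],
    "f4": [1000, 1000],   # outlier, removed by the max subtraction
}
SAMPLE_PRECEDING_WEEKS = [240.0, 260.0, 900.0, 100.0]   # constructed history

SAMPLE_FLOWS = [
    Flow("udp-burst", elastic=False, responsive=False, rate_bps=1000.0),
    Flow("tcp-ignores-ecn", elastic=True, responsive=False, rate_bps=200.0),
    Flow("tcp-normal", elastic=True, responsive=True, rate_bps=200.0),
]


def run_example():
    """Compute the current rate, the baseline, and a decision per sample flow."""
    current = current_average_flow_rate(SAMPLE_PERIOD)
    baseline = class_baseline(SAMPLE_PRECEDING_WEEKS, current)
    decisions = {f.name: affc_decision(f, baseline, congested=True)
                 for f in SAMPLE_FLOWS}
    return current, baseline, decisions


if __name__ == "__main__":
    cur, base, result = run_example()
    print(f"current average {cur} bit/s, baseline {base} bit/s")
    for name, (action, drop) in result.items():
        print(f"{name}: {action} (drop fraction {drop:.2f})")
```

Trimming the per-second maximum and the highest weekly average keeps a single flooding flow, or one attack week, from raising the baseline it will later be compared against.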
ETR is a mechanism by which congestion control and forced data rate reductions can be triggered in nodes upstream of a bottleneck node where the congestion occurs. ETR messages are used to activate flow reduction in the upstream nodes. Thus ETR offers protection for downstream nodes facing potential collapse due to congestion by reducing the flow of traffic directed to the node suffering from congestion.

Numerous additional features and advantages of the invention are discussed in the detailed description which follows.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a communications system incorporating nodes that implement the present invention.

FIG. 2 illustrates an exemplary router implemented in accordance with the present invention that may be used as one of the routers shown in FIG. 1.

FIG. 3 illustrates the steps of an exemplary traffic baseline generation routine of the invention.

FIG. 4 illustrates an exemplary flow baseline table generated and used in accordance with an embodiment of the present invention.

FIG. 5 illustrates the steps of an Anti-Flooding Flow-Control (AFFC) method implemented in accordance with an exemplary embodiment of the present invention.

FIG. 6 illustrates an exemplary set of internet traffic statistics measured right during a period of potential congestion collapse at a bottleneck node.

FIG. 7 illustrates an exemplary set of router throughput statistics resulting from the AFFC method of the invention being applied at a bottleneck node to the flows listed in FIG. 6.

FIG. 8 illustrates the dropping of packets from a queue in accordance with the invention.

FIG. 9 illustrates an early traffic regulation method of the invention.

FIGS. 10A and 10B illustrate early traffic regulation modules implemented in accordance with the invention.

FIGS. 11 and 12 illustrate signaling between various nodes performed in accordance with the invention.

DETAILED DESCRIPTION

The present invention is directed to congestion control methods and apparatus. The methods and apparatus of the present invention are well suited for defending against network Denial-of-Service (N-DoS) attacks.

FIG. 1 illustrates a communications system 100 implemented in accordance with the present invention. The system 100 comprises a plurality of sources 102, 104, 106, an internet 108 and a plurality of destination nodes 110, 112, 114. The internet 108 may be a corporate internet or the world wide Internet. The internet 108 comprises a plurality of nodes R1 through R10 116, 118, 120, 122, 124, 126, 127, 128, 130, 132 connected together as shown in FIG. 1 by the use of solid lines. Each of the nodes may be, e.g., a router or a switch. Arrows are used in FIG. 1 to indicate the flow of packets, e.g., between source devices S1, S2, ..., SN, 102, 104, 106 and destination device 112. While FIG. 1 shows flows of packets to destination device D2 112 from sources S1, S2, ..., SN, 102, 104, 106 the communications paths in the system 100 between the routers and devices are bi-directional allowing for responses, e.g., packets and messages, to be transmitted in the reverse direction as well. In the FIG. 1 embodiment source S1 102 is coupled to the internet 108 by router R1 116. In addition, source S2 is coupled to the internet 108 by router R4 122, while source SN 106 is coupled to the internet 108 by router R8 128. Router R7 127 couples each of the three destination devices, D1 110, D2 112, and D3 114, to the internet 108. As a result packets from any one of the sources 102, 104, 106 will pass through router R7 prior to reaching one of the destination devices 110, 112, 114.

Since traffic directed to a destination device, e.g., device D2 112, will pass through the router R7 127 regardless of the source of the traffic, router R7 127 represents a potential congestion point. For purposes of explaining the invention, router R7 127 wil