Patent classifications
H04L61/2521
DETECTION OF THREATS BASED ON RESPONSES TO NAME RESOLUTION REQUESTS
Some embodiments provide a method for identifying security threats to a datacenter. The method receives flow attribute sets for multiple flows from multiple host computers in the datacenter on which data compute nodes (DCNs) execute. Each flow attribute set indicates at least a source DCN for the flow. The method identifies flow attribute sets that correspond to DCNs responding to name resolution requests. For each DCN of a set of DCNs executing on the host computers, the method determines whether the DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the DCN based on the identified flow attribute sets. When a particular DCN has sent responses to name resolution requests in a manner that deviates from a historical baseline for the particular DCN, the method identifies the particular DCN as a security threat to the datacenter.
METHOD AND SYSTEM FOR MAP-T BORDER RELAY DATA PLANE VERIFICATION
Methods and systems for performing a Mapping of Address and Port using translation (MAP-T) data plane verification. A method for performing a MAP-T data plane verification includes initiating, by a diagnostic server provisioned with at least MAP-T diagnostic rules, a MAP-T diagnostic on a border relay provisioned with MAP-T rules, generating, by the diagnostic server, a diagnostic packet per the MAP-T diagnostic rules, sending, by the diagnostic server, the diagnostic packet to the border relay, performing, by the border relay, a translation on the diagnostic packet per the provisioned MAP-T rules, analyzing, by the diagnostic server to generate a report, at least a translation accuracy of a received translated diagnostic packet, and configuring at least one device based on a received report.
Proxy-Less Private Connectivity Across VPC Networks With Overlapping Addresses
Establishing proxy-less connectivity from logically isolated virtual private clouds (VPCs) within a cloud environment without the use of VPN or VPC peering is provided. Establishing a service attachment in one VPC, related to a service which is to be accessed, and a service endpoint in another VPC allows for private communication between the two networks without exposing the service to other VPCs in the cloud environment.
Bypassing a load balancer in a return path of network traffic
Some embodiments provide a method that allows a first data compute node (DCN) to forward outgoing traffic to a second DCN directly in spite of receiving the incoming traffic from the second DCN through a load balancer. That is, the return traffic's network path from the first DCN (e.g., a server machine) to the second DCN (e.g., a client machine) bypasses the load balancer, even though a request that initiated the return traffic is received through the load balancer. The load balancer receives a connection session request from a client machine to connect to a server. It identifies a set of parameters for the connection session and after selecting a server for the connection, passes the identified set of parameters to a host machine that executes the server. The server establishes the connection session directly with the client machine based on the identified set of parameters.
Load balance method and apparatus thereof
Embodiments of this application provide a load balance method and an apparatus thereof. The method may include the following steps: receiving, by a load balance node, a first service request packet from a service request end, where the first service request packet includes address information of the service request end, address information of a to-be-processed load balance instance, and a MAC address of the load balance node; determining a to-be-processed service member based on the address information of the to-be-processed load balance instance, where the to-be-processed service member is configured to process the first service request packet; and modifying the MAC address of the load balance node in the first service request packet to a MAC address of the to-be-processed service member, to obtain a second service request packet, and sending the second service request packet to a computing node to which the to-be-processed service member belongs.
NETWORK CONTROL SYSTEM FOR CONFIGURING MIDDLEBOXES
Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.
Data transceiving device and method in repeater apparatus
A data transceiver device in a repeater according to an exemplary embodiment includes: a radio unit assigned with a unique port number for uniquely identifying the radio unit and a layer splitter connected to the radio unit; a transfer unit configured to transfer an inbound packet to the layer splitter identified by the unique port number when the inbound packet including the unique port number as an internal port number is received; and the layer splitter configured to transfer the inbound packet to the radio unit corresponding to the unique port number when the inbound packet is received through the transfer unit.
NON-TRANSITORY COMPUTER-READABLE STORAGE MEDIUM, COMMUNICATION CONTROL METHOD, AND COMMUNICATION CONTROL DEVICE
A communication control method executed by a computer includes generating, for each of a plurality of tenants, a plurality of virtual interfaces on a first virtual machine, the first virtual machine executing an application for the plurality of tenants; applying, to the first virtual machine, a first conversion rule in which an IP address of a transmission source of a packet output from the application is converted to one of a plurality of virtual IP addresses allocated for a virtual interface corresponding to one of the plurality of tenants; generating a plurality of gateways on a second virtual machine; applying, to the first virtual machine, routing information so as to transmit the packet addressed to the transmission destination to the second virtual machine; and applying, to the second virtual machine, a distribution rule in which the packet is distributed to one of the plurality of gateways.
Device and method for interconnecting two subnetworks
An interconnection device for interconnecting two sub-networks, on which UPnP devices are connected: determines actual IP addresses and port numbers of servers of the UPnP devices; allocates a port number to each server; establishes a connection with a UPnP device of the femtocell and a connection with a UPnP device of the local area network; replaces, in frames received via one of said connections, each actual server IP address and port number with an IP address of the interconnection device and the port number allocated by the interconnection device to said server; and replaces, in said received frames, each IP address of the interconnection device and port number allocated by the interconnection device to a server with the IP address and port number of the corresponding server.