DCT

2:20-cv-00697

PacSec3 LLC v. F5 Networks

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 2:20-cv-00697, D. Utah, 10/02/2020
  • Venue Allegations: Plaintiff alleges venue is proper because Defendant maintains a regular and established place of business in the District of Utah, conducts substantial business in the forum, and has committed alleged acts of infringement within the district.
  • Core Dispute: Plaintiff alleges that Defendant’s BIG-IP Application Security Manager (ASM) firewall systems infringe three patents related to methods and systems for defending against network-based packet flooding attacks.
  • Technical Context: The technology addresses network security, specifically the mitigation of Distributed Denial of Service (DDoS) attacks, which is a critical function for ensuring the availability and reliability of internet-based services.
  • Key Procedural History: Subsequent to the filing of this complaint, all three patents-in-suit underwent ex parte reexamination. For U.S. Patent No. 6,789,190, Reexamination Certificate US 6,789,190 C1 issued on April 13, 2023, cancelling asserted claim 1. For U.S. Patent No. 7,047,564, Reexamination Certificate US 7,047,564 C1 issued on February 1, 2023, cancelling asserted claims 1, 3, and 6. For U.S. Patent No. 7,523,497, Reexamination Certificate US 7,523,497 C1 issued on May 22, 2023, cancelling asserted claims 1, 4, 13, and 16. These post-filing events raise significant questions about the viability of the infringement claims as originally pleaded.

Case Timeline

| Date | Event |
| --- | --- |
| 2000-11-16 | Priority Date for ’190 Patent & ’497 Patent |
| 2001-10-31 | Priority Date for ’564 Patent |
| 2004-09-07 | ’190 Patent Issued |
| 2006-05-16 | ’564 Patent Issued |
| 2009-04-21 | ’497 Patent Issued |
| 2020-10-02 | Complaint Filed |
| 2023-02-01 | Reexamination Certificate for ’564 Patent Issued |
| 2023-04-13 | Reexamination Certificate for ’190 Patent Issued |
| 2023-05-22 | Reexamination Certificate for ’497 Patent Issued |

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 6,789,190 - “PACKET FLOODING DEFENSE SYSTEM” (Issued Sep. 7, 2004)

The Invention Explained

  • Problem Addressed: The patent describes "packet flooding attacks" where an attacker consumes a victim's entire network bandwidth with useless data, rendering the victim's system slow or unreachable for legitimate users (’190 Patent, col. 1:46-54). A key challenge is that attackers can falsify source address information, making it difficult to distinguish malicious traffic from legitimate traffic (’190 Patent, col. 2:3-6).
  • The Patented Solution: The invention proposes a distributed defense system where cooperating routers and network sites work together to manage traffic. Instead of relying on potentially forged source addresses, the system approximates the origin of traffic by identifying the "places" (e.g., a specific router interface) from which packets are forwarded (’190 Patent, col. 2:12-16). A victim site can then use this path-based information to allocate its resources fairly and request that upstream routers rate-limit traffic from paths associated with an attack (’190 Patent, Abstract; col. 2:28-43).
  • Technical Importance: The technology offered a framework for mitigating DoS attacks based on verifiable network topology (the packet's path) rather than easily spoofed packet data, a critical distinction for network defense during that period (’190 Patent, col. 2:6-9).

Key Claims at a Glance

  • The complaint asserts independent claim 1 and dependent claims 2-3 (Compl. ¶9). As noted in Section I, claim 1 was cancelled during a subsequent reexamination.
  • Independent Claim 1 (as originally asserted) requires:
    • A packet flooding defense system comprising at least one firewall with hardware and software to control packet transmission.
    • A means for classifying data packets received at the firewall.
    • A means for associating a maximum acceptable transmission rate with each class of data packet.
    • A means for the firewall to find information regarding the path by which packets arrived.
    • Whereby the firewall can use this path information to allocate the transmission rate for each class. (’190 Patent, col. 7:40 - 8:12).
  • The complaint reserves the right to assert other claims (Compl. ¶9).

U.S. Patent No. 7,047,564 - “REVERSE FIREWALL PACKET TRANSMISSION CONTROL SYSTEM” (Issued May 16, 2006)

The Invention Explained

  • Problem Addressed: This patent focuses on preventing packet flooding attacks that originate from within a local network (e.g., a corporate or university LAN) and target external systems on the internet (’564 Patent, col. 3:1-8).
  • The Patented Solution: The invention describes a "Reverse Firewall" that sits at the boundary between the local network and the external network, monitoring and controlling outgoing traffic. The system classifies outgoing packets, for example by distinguishing between packets sent in response to an external request versus those initiated without a prior external trigger (’564 Patent, col. 3:11-19). By identifying and rate-limiting outgoing traffic based on various classifications, the firewall can prevent the local network from being used as a source for DoS attacks (’564 Patent, Abstract).
  • Technical Importance: This approach addressed the "good neighbor" aspect of network security, providing administrators with a tool to prevent their own infrastructure from being used to launch attacks on others (’564 Patent, col. 3:1-8).

Key Claims at a Glance

  • The complaint asserts independent claims 1 and 6, and dependent claims 2-5 (Compl. ¶16). As noted in Section I, claims 1, 3, and 6 were cancelled during a subsequent reexamination.
  • Independent Claim 1 (as originally asserted) requires:
    • A packet transmission control system with at least one firewall providing a non-redundant connection between networks.
    • A means for classifying received data packets related to the consumption of a resource.
    • A means for associating a maximum acceptable transmission rate with each class of packet.
    • A means for limiting the transmission rate from the firewall to that maximum rate.
    • Whereby packet flooding attacks cannot be effectively launched through the non-redundant connection. (’564 Patent, col. 6:30-52).
  • The complaint reserves the right to assert other claims (Compl. ¶16).

U.S. Patent No. 7,523,497 - “PACKET FLOODING DEFENSE SYSTEM” (Issued Apr. 21, 2009)

Multi-Patent Capsule

  • Technology Synopsis: As a continuation of the application leading to the ’190 Patent, the ’497 Patent describes a method for defending against packet flooding. The method involves a host computer determining the path by which data packets arrive (via "packet marks" from routers), classifying those packets into "wanted" and "unwanted" categories based on their path, and then allocating a processing rate to unwanted packets that is less than or equal to a predetermined maximum. (’497 Patent, Abstract; col. 2:6-14).
  • Asserted Claims: Claims 1-18 (Compl. ¶23). As noted in Section I, independent claims 1, 4, 13, and 16 were cancelled during a subsequent reexamination.
  • Accused Features: The complaint alleges that the F5 BIG-IP ASM product performs the patented method by determining packet paths, classifying packets, and allocating processing rates to mitigate DoS attacks (Compl. ¶¶23-24).

III. The Accused Instrumentality

Product Identification

The complaint identifies the F5 BIG-IP Application Security Manager (ASM) and potentially other F5 firewall systems as the accused instrumentalities (Compl. ¶¶9, 16, 23).

Functionality and Market Context

The complaint alleges the BIG-IP ASM is a firewall system that provides a "packet flooding defense system" to handle various network attacks, including DNS attacks, malformed packets, and packet floods (Compl. ¶10). Its accused technical features include a "Classification Engine" for applying rules to packets, a "Default Internal Rate Limit" to set traffic thresholds, and a "Detection Threshold Percent" feature that automatically imposes rate limits when an attack is detected (Compl. ¶¶10, 17). A network diagram from an F5 study guide is presented to illustrate the accused BIG-IP ASM's role in managing traffic between internal and external networks, including from various threat sources (Compl. ¶17, p. 8).

IV. Analysis of Infringement Allegations

’190 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| ...at least one firewall, said firewall comprising: hardware and software serving to control packet transmission... | The F5 BIG-IP Network Firewall is identified as the firewall, providing "policy-based access control" for network traffic. | ¶10 | col. 7:44-47 |
| means for classifying data packets received at said firewall; | The "Classification Engine" allegedly performs this function by using a "Compiled Classifier to determine the set of rules matching a packet." | ¶10 | col. 7:48-49 |
| means for associating a maximum acceptable transmission rate with each class of data packet... | The "Default Internal Rate Limit" feature, which allows a user to "set a value, in packets per second, which cannot be exceeded." | ¶10 | col. 8:1-4 |
| means for said firewall to find information for packets it receives regarding the path by which said packets came to said firewall; | The "Classification Engine" is alleged to meet this limitation by determining rules based on "packet contents and other relevant input." | ¶10 | col. 8:5-8 |
| whereby, said firewall can use said information to allocate the transmission rate for each class in a desired way. | The "Detection Threshold Percent" feature allegedly performs this function by "automatically institut[ing] a rate limit equal to the average for the last hour." | ¶10 | col. 8:9-12 |

’564 Patent Infringement Allegations

| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation |
| --- | --- | --- | --- |
| ...at least one firewall, said firewall comprising: hardware and software providing a non-redundant connection between said networks... | The complaint alleges the F5 BIG-IP ASM provides a system for managing traffic between at least two networks, as depicted in a system diagram. | ¶17 | col. 6:33-37 |
| means for classifying data packets received at said firewall related to the consumption of at least one resource; | The "Classification Engine" is alleged to perform this function by using a classifier to determine rules based on packet contents. | ¶17 | col. 6:38-40 |
| means for associating a maximum acceptable transmission rate with each class of data packet received at said firewall; | The "Default Internal Rate Limit" feature allegedly sets a maximum rate in packets per second. | ¶17 | col. 6:41-43 |
| means for limiting the transmission rate from the firewall to the maximum acceptable transmission rate... | The "Detection Threshold Percent" feature is alleged to implement rate limiting by dropping all packets over a specified threshold. | ¶17 | col. 6:44-47 |
| whereby, packet flooding and other over usage type distributed denial of service attacks cannot be effectively launched... | The complaint cites F5's documentation stating the BIG-IP system handles DNS flood attacks and provides a "DoS Protection profile." | ¶17 | col. 6:48-52 |

Identified Points of Contention

  • Means-Plus-Function: Key limitations in the asserted claims are drafted in means-plus-function format. A central dispute will concern whether the accused software modules identified in the complaint (e.g., "Classification Engine") are structurally equivalent to the corresponding structures disclosed in the patent specifications, as required under 35 U.S.C. § 112(f).
  • Technical Questions: A technical question is whether the accused "Classification Engine," which allegedly relies on "packet contents and other relevant input," performs the specific function of finding information "regarding the path" as described in the ’190 Patent. The patent specification suggests this path information comes from cooperating upstream routers (’190 Patent, col. 2:28-29).

V. Key Claim Terms for Construction

The Term: "means for said firewall to find information for packets it receives regarding the path by which said packets came to said firewall" (’190 Patent, Claim 1)

Context and Importance

This means-plus-function term is central to the ’190 Patent's infringement theory. Its construction will determine whether the accused product's method of classifying traffic infringes. Practitioners may focus on this term because the dispute will likely involve comparing the accused product's actual operation to the specific implementation described in the patent.

Intrinsic Evidence for Interpretation

  • Evidence for a Broader Interpretation: The specification describes the concept abstractly, stating the "association of packets with the 'users' is approximated by associating packets with 'places' in the cooperating neighborhood from which those packets are forwarded" (’190 Patent, col. 2:12-16). This language could support a broader interpretation of what constitutes "path" information.
  • Evidence for a Narrower Interpretation: The specification also provides a more specific embodiment, stating that "Routers will supply data about the forwarding path of the packets that arrive at a site" (’190 Patent, col. 2:28-29). This could be used to argue that the corresponding structure is limited to a system that relies on explicit data from cooperating routers.

The Term: "non-redundant connection" (’564 Patent, Claim 1)

Context and Importance

This term appears to define a key architectural aspect of the system claimed in the ’564 Patent. As the term is not explicitly defined, its scope will be a critical point of construction.

Intrinsic Evidence for Interpretation

  • Evidence for a Broader Interpretation: A party could argue for the term's plain and ordinary meaning, suggesting it covers any standard network gateway or firewall that is not configured in a high-availability or redundant pair.
  • Evidence for a Narrower Interpretation: The patent’s figures and description consistently depict a single "Reverse Firewall" as the sole chokepoint between two networks, through which all traffic must pass (’564 Patent, Fig. 1). This could support an argument that the term is limited to this specific single-gateway architecture.

VI. Other Allegations

Indirect Infringement

The complaint alleges that F5 induces infringement by "actively encourag[ing] or instruct[ing]" customers on how to use its products in an infringing manner, referencing user manuals and "question and answer services on the Internet" (Compl. ¶¶11, 18, 25).

Willful Infringement

The complaint alleges that F5 has known of the patents-in-suit "from at least the date of issuance of the patent" and asks the court to declare the infringement willful and award treble damages (Compl. ¶¶11, 18, 25; p. 16, ¶e).

VII. Analyst’s Conclusion: Key Questions for the Case

  • A threshold issue for the entire case is one of claim viability: given that the primary independent claims asserted in the complaint for all three patents were subsequently cancelled during reexamination, what, if any, asserted claims remain for adjudication? The plaintiff may be required to amend its complaint to proceed on any surviving dependent claims, which would likely narrow the scope of the dispute.
  • For any surviving claims, a central issue will be one of structural equivalence under the means-plus-function framework: do the accused software features in the F5 product, such as the "Classification Engine," perform the claimed functions using structures that are the same as or equivalent to the specific, router-cooperation-based architecture disclosed in the patent specifications?
  • The case will also present a key question of definitional scope: does the accused system's alleged classification of packets based on "packet contents and other relevant input" satisfy the ’190 Patent’s requirement to find information "regarding the path," a term the patent's disclosure suggests is a sequence of network routers?