Systems and methods for network access control

US 10,091,237 B2
Filed: 10/31/2017
Issued: 10/02/2018
Est. Priority Date: 04/25/2013
Status: Active Grant

First Claim

Patent Images

1. A system for network access control, system comprising:

a network device comprising one or more processors; and

a memory communicatively coupled to the network device, the memory storing instructions executable by the one or more processors of the network device, the network device being configured to;

determine whether a client device is a trusted source, an untrusted source, or neither the trusted source nor the untrusted source for a network using a SYN packet received from the client device, the SYN packet comprising identifying information for the client device;

based on the determination that the client device is neither the trusted source nor the untrusted source, transmit a SYN/ACK packet to the client device, the SYN/ACK packet comprising a SYN cookie and identifying information for the network device;

receive an ACK packet from the client device that includes the identifying information for the client device, identifying information for the network device, and the SYN cookie;

determine whether the SYN cookie received in the ACK packet from the client device is a correct SYN cookie or an incorrect SYN cookie, the correct SYN cookie being based on information provided to the client device in the SYN cookie of the SYN/ACK packet;

when the SYN cookie received from the client device is the incorrect SYN cookie, apply a SYN cookie tolerance level to determine whether a number of times the client device provided the incorrect SYN cookie in one or more ACK packets when attempting to connect to the network device exceeds a predetermined threshold, wherein a connection is established when the number of times the client device provides the incorrect SYN cookie is below the predetermined threshold; and

when the SYN cookie received in the ACK packet from the client device is the correct SYN cookie, establish the connection with the network for the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network access control systems and methods are provided herein. A method includes receiving at a network device a SYN packet from a client device over a network, determining if the client device is a trusted source for the network using the SYN packet, if the client device is a trusted resource, receiving an acknowledgement (ACK) packet from the client device that includes identifying information for the client device plus an additional value, and identifying information for the network device, and establishing a connection with the network for the client device.

Citations

18 Claims

1. A system for network access control, system comprising:
- a network device comprising one or more processors; and
  
  a memory communicatively coupled to the network device, the memory storing instructions executable by the one or more processors of the network device, the network device being configured to;
  
  determine whether a client device is a trusted source, an untrusted source, or neither the trusted source nor the untrusted source for a network using a SYN packet received from the client device, the SYN packet comprising identifying information for the client device;
  
  based on the determination that the client device is neither the trusted source nor the untrusted source, transmit a SYN/ACK packet to the client device, the SYN/ACK packet comprising a SYN cookie and identifying information for the network device;
  
  receive an ACK packet from the client device that includes the identifying information for the client device, identifying information for the network device, and the SYN cookie;
  
  determine whether the SYN cookie received in the ACK packet from the client device is a correct SYN cookie or an incorrect SYN cookie, the correct SYN cookie being based on information provided to the client device in the SYN cookie of the SYN/ACK packet;
  
  when the SYN cookie received from the client device is the incorrect SYN cookie, apply a SYN cookie tolerance level to determine whether a number of times the client device provided the incorrect SYN cookie in one or more ACK packets when attempting to connect to the network device exceeds a predetermined threshold, wherein a connection is established when the number of times the client device provides the incorrect SYN cookie is below the predetermined threshold; and
  
  when the SYN cookie received in the ACK packet from the client device is the correct SYN cookie, establish the connection with the network for the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the network device is further configured to place the client device on a black list if the client device is subsequently determined to be the untrusted source.
  - 3. The system of claim 1, wherein the network device is further configured to drop, based on determining that the client device is the untrusted source, the SYN packet to deny network access to the client device.
  - 4. The system of claim 1, wherein the network device is further configured to transmit, based on determining that the client device is the trusted source, a SYN/ACK packet to the client device, the SYN/ACK packet comprising identifying information for the network device;
    - receive an ACK packet from the client device that includes the identifying information for the client device and the identifying information for the network device; and
      
      establish the connection with the network for the client device.
  - 5. The system according to claim 1, wherein the SYN cookie comprises one or more of the following:
    - a maximum segment size value and a cryptographic hash function computed using at least one of an IP address of the network device, a port number of the network device, an IP address of the client device, and a port number of the client device.
  - 6. The system according to claim 1, wherein the network device is further configured to:
    - receive a number of ACK packets from the client device that include an incorrect SYN cookie, wherein the incorrect SYN cookie comprises identifying information for the client device that is incorrect or identifying information for the network device that is incorrect;
      
      apply a SYN cookie tolerance level, wherein the SYN cookie tolerance level specifies a number of times the client device is allowed to supply the incorrect SYN cookie;
      
      add the identifying information for the client device to a black list if the client device exceeds the SYN cookie tolerance level, the black list storing identifying information for one or more untrusted sources; and
      
      drop subsequent SYN packets or ACK packets received from the client device.
  - 7. The system according to claim 1, wherein the network device is further configured to:
    - set an allowable connection rate policy for the client device, wherein the allowable connection rate policy specifies a maximum number of times the client device is to attempt to connect to the network in a given time period;
      
      add the identifying information for the client device to a black list if the client device violates the allowable connection rate policy; and
      
      drop subsequent SYN packets or ACK packets received from the client device.
  - 8. The system according to claim 1, wherein the network device is further configured to perform a SYN cookie check, the SYN cookie check comprising comparing information in the SYN cookie received in the ACK packet from the client device with information in the SYN cookie provided by the network device in the SYN/ACK packet, wherein the establishing of the connection is performed based on passing, by the client device, the SYN cookie check.

9. A method for network access control, the method comprising:
- determining, at a network device, whether a client device is a trusted source, an untrusted source, or neither the trusted source nor the untrusted source for a network using a SYN packet received from the client device, the SYN packet comprising identifying information for the client device;
  
  based on determining that the client device is neither the trusted source nor the untrusted source, transmitting a SYN/ACK packet to the client device, the SYN/ACK packet comprising a SYN cookie and identifying information for the network device;
  
  receiving an ACK packet from the client device that includes the identifying information for the client device, identifying information for the network device, and the SYN cookie;
  
  determining whether the SYN cookie received in the ACK packet from the client device is a correct SYN cookie or an incorrect SYN cookie, the correct SYN cookie being based on information provided to the client device in the SYN cookie of the SYN/ACK packet;
  
  when the SYN cookie received from the client device is the incorrect SYN cookie, applying a SYN cookie tolerance level to determine whether a number of times the client device provided the incorrect SYN cookie in one or more ACK packets when attempting to connect to the network device exceeds a predetermined threshold, wherein a connection is established when the number of times the client device provides the incorrect SYN cookie is below the predetermined threshold; and
  
  when the SYN cookie received in the ACK packet from the client device is the correct SYN cookie, establishing the connection with the network for the client device.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The method of claim 9, further comprising placing the client device on a black list if the client device is subsequently determined to be the untrusted source.
  - 11. The method of claim 9, further comprising dropping, based on determining that the client device is the untrusted source, the SYN packet to deny network access to the client device.
  - 12. The method of claim 9, further comprising:
    - based on determining that the client device is the trusted source, transmitting a SYN/ACK packet to the client device, the SYN/ACK packet comprising identifying information for the network device;
      
      receiving an ACK packet from the client device that includes the identifying information for the client device and the identifying information for the network device; and
      
      establishing the connection with the network for the client device.
  - 13. The method of claim 9, wherein the establishing the connection comprises connecting the client device to a host server such that network traffic flows directly from the host server to the client device.
  - 14. The method according to claim 9, further comprising:
    - receiving a number of ACK packets from the client device that include an incorrect SYN cookie, wherein the incorrect SYN cookie comprises identifying information for the client device that is incorrect or identifying information for the network device that is incorrect;
      
      applying a SYN cookie tolerance level, wherein the SYN cookie tolerance level specifies a number of times the client device is allowed to supply the incorrect SYN cookie;
      
      adding the identifying information for the client device to a black list if the client device exceeds the SYN cookie tolerance level, the black list storing identifying information for one or more untrusted sources; and
      
      dropping subsequent SYN packets or ACK packets received from the client device.
  - 15. The method according to claim 9, further comprising:
    - setting an allowable connection rate policy for the client device, wherein the allowable connection rate policy specifies a maximum number of times the client device is to attempt connecting to the network in a given time period;
      
      adding the identifying information for the client device to a black list if the client device violates the allowable connection rate policy; and
      
      dropping subsequent SYN packets or ACK packets received from the client device.
  - 16. The method according to claim 9, further comprising:
    - performing a SYN cookie check, the SYN cookie check comprising comparing information in the SYN cookie received in the ACK packet from the client device with information in the SYN cookie provided by the network device in the SYN/ACK packet, wherein the establishing of the connection is performed based on passing, by the client device, the SYN cookie check.
  - 17. The method according to claim 9, further comprising:
    - setting a SYN cookie threshold, wherein the SYN cookie threshold identifies a total number of times the client device is to provide the SYN cookie to the network device;
      
      for each time the client device provides the SYN cookie to the network device, reducing the SYN cookie threshold by one until the SYN cookie threshold is zero;
      
      when the SYN cookie threshold is zero, adding the identifying information for the client device to a black list; and
      
      dropping subsequent SYN packets or ACK packets received from the client device.

18. A non-transitory computer-readable storage medium having embodied thereon a program executable by at least one processor to perform a method for network access control, the method comprising:
- determining, at a network device, whether a client device is a trusted source, an untrusted source, or neither the trusted source nor the untrusted source for a network using a SYN packet received from the client device, the SYN packet comprising identifying information for the client device;
  
  based on determining that the client device is neither the trusted source nor the untrusted source, transmitting a SYN/ACK packet to the client device, the SYN/ACK packet comprising a SYN cookie and identifying information for the network device;
  
  receiving an ACK packet from the client device that includes the identifying information for the client device, identifying information for the network device, and the SYN cookie;
  
  determining whether the SYN cookie received in the ACK packet from the client device is a correct SYN cookie or an incorrect SYN cookie, the correct SYN cookie being based on information provided to the client device in the SYN cookie of the SYN/ACK packet;
  
  when the SYN cookie received from the client device is the incorrect SYN cookie, applying a SYN cookie tolerance level to determine whether a number of times the client device provided the incorrect SYN cookie in one or more ACK packets when attempting to connect to the network device exceeds a predetermined threshold, wherein a connection is established when the number of times the client device provides the incorrect SYN cookie is below the predetermined threshold; and
  
  when the SYN cookie received in the ACK packet from the client device is the correct SYN cookie, establishing the connection with the network for the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Jalan, Rajkumar, Szeto, Ronald Wai Lun, Wu, Steven
Primary Examiner(s)
Leung, Robert
Assistant Examiner(s)
Ho, Thomas

Application Number

US15/799,528
Publication Number

US 20180054459A1
Time in Patent Office

336 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Systems and methods for network access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for network access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links