Thwarting connection-based denial of service attacks
First Claim
1. A method of defending a server against SYN flood attacks executed on a device, the method comprises:
during a connection setup initiated by sending a SYN packet from a client to a server,
forwarding a received SYN ACK packet from the server to the client and immediately sending an ACK packet to the server;
maintaining the connection open for a variable timeout period and, if an ACK packet does not arrive from the client to the server, sending a RST to the server to cause the server to close the connection; and
if the ACK packet does arrive from the client to the server, forwarding the ACK to the server and maintaining the connection.
Abstract
A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.
22 Claims
1. A method of defending a server against SYN flood attacks executed on a device, the method comprises:
during a connection setup initiated by sending a SYN packet from a client to a server,
forwarding a received SYN ACK packet from the server to the client and immediately sending an ACK packet to the server;
maintaining the connection open for a variable timeout period and, if an ACK packet does not arrive from the client to the server, sending a RST to the server to cause the server to close the connection; and
if the ACK packet does arrive from the client to the server, forwarding the ACK to the server and maintaining the connection. (Dependent claims: 2, 3, 4, 5, 6, 7)
8. A method of defending a server against SYN flood attacks comprises:
during a connection setup initiated by sending a SYN packet from a client to a server,
tracking ratios of SYNs to SYN ACKs and SYN ACKs to ACKs;
comparing the ratios to threshold values; and
sending an alarm to a control center when at least one of the ratios exceeds a threshold value to indicate to the control center that the server is under a SYN flood attack. (Dependent claim: 9)
10. A gateway device disposed between a data center and a network for thwarting denial of service attacks on the data center, the gateway device comprises:
a computing device comprising:
a monitoring process that monitors network connection setups initiated by sending SYN packets from a client to the data center, the monitoring process including a SYN ACK forward process to forward received SYN ACK packets from the server to the client and to immediately send an ACK packet to the server;
a process to determine a variable timeout period;
a process to maintain the connection open for the variable timeout period;
a reset process to send a reset packet to the server to cause the server to close the connection when an ACK packet does not arrive from the client to the server during the timeout period; and
a packet forwarding process to forward the ACK packet to the server when the ACK packet is received from the client, and to maintain the connection.
11. The gateway of claim 10 wherein the variable timeout period is inversely proportional to the number of connections for which a first ACK packet from the client has not been received.
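The gateway of claims 1, 10, 11 and 17 is easiest to follow as a small state machine, so the following model is added here as an illustration; it is not code from the patent or its assignee. What the claims do not fix (the packet model, the 10-second base timeout and the base/(1+n) form of the variable timeout in claim 11) are assumptions chosen for the example. The important design point it makes visible is that the gateway's immediate ACK moves the server's half-open state off the server's SYN backlog and into the gateway's own pending table, which is why the gateway must reset abandoned connections and why claim 11 shrinks the wait as that table grows:

```python
"""Model of the SYN-ACK-forwarding gateway of claims 1, 10, 11 and 17.

Added illustration, not code from the patent. The packet model, the
base_timeout value and the base/(1+n) timeout formula are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str]  # (client address, server address)


@dataclass(frozen=True)
class Packet:
    """Minimal TCP control segment: only what the gateway logic needs."""
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "RST"


@dataclass
class SynGateway:
    """Sits between clients and the protected server and sees every segment."""
    base_timeout: float = 10.0  # assumed: seconds to wait for a client ACK when nothing else is pending
    pending: Dict[Flow, float] = field(default_factory=dict)  # flows awaiting the client's first ACK -> deadline
    established: Set[Flow] = field(default_factory=set)
    sent: List[Packet] = field(default_factory=list)          # every segment the gateway emitted, in order

    def variable_timeout(self) -> float:
        # Claim 11: the wait shrinks as more connections sit without a first ACK,
        # so under a flood the gateway's own table drains faster. base/(1+n) is an assumed form.
        return self.base_timeout / (1 + len(self.pending))

    def on_packet(self, pkt: Packet, now: float) -> None:
        if pkt.flags == "SYN":
            self.sent.append(pkt)  # client -> server, passed through; the server will SYN-ACK
        elif pkt.flags == "SYN-ACK":
            flow: Flow = (pkt.dst, pkt.src)
            self.sent.append(pkt)                              # forward the SYN-ACK to the client ...
            self.sent.append(Packet(flow[0], flow[1], "ACK"))  # ... and immediately ACK the server for it
            self.pending[flow] = now + self.variable_timeout()
        elif pkt.flags == "ACK":
            flow = (pkt.src, pkt.dst)
            if flow in self.pending:
                del self.pending[flow]        # a real client finished the handshake
                self.established.add(flow)
                self.sent.append(pkt)         # forward its ACK and keep the connection
            elif flow in self.established:
                self.sent.append(pkt)
            # ACKs for flows the gateway never saw are dropped (assumed policy)

    def expire(self, now: float) -> List[Flow]:
        """Reset server-side connections whose client never sent the first ACK."""
        overdue = [flow for flow, deadline in self.pending.items() if now >= deadline]
        for client, server in overdue:
            # The server believes the connection is established (it received our ACK),
            # so a RST sent as the client is what frees its state.
            self.sent.append(Packet(client, server, "RST"))
            del self.pending[(client, server)]
        return overdue


def demo(base_timeout: float = 10.0) -> SynGateway:
    """Constructed scenario: three SYNs answered by the server, only the first client finishes."""
    gw = SynGateway(base_timeout=base_timeout)
    server = "10.0.0.5"
    clients = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    for i, c in enumerate(clients):
        gw.on_packet(Packet(c, server, "SYN"), now=float(i))
        gw.on_packet(Packet(server, c, "SYN-ACK"), now=float(i))
    gw.on_packet(Packet(clients[0], server, "ACK"), now=3.0)
    gw.expire(now=20.0)  # long after every deadline: the two silent flows are reset
    return gw


if __name__ == "__main__":
    for p in demo().sent:
        print(f"{p.src:>14} -> {p.dst:<14} {p.flags}")
```

In the constructed run the three pending connections get waits of 10, 5 and 3.33 seconds respectively, the first client's ACK is forwarded and its connection kept, and `expire` emits one RST per silent flow. A production gateway would also need to translate sequence numbers if it ever answered SYNs itself; this model never does, it only acknowledges the server's SYN-ACK, which is all the claims describe.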
15. A gateway device disposed between a data center and a network for thwarting denial of service attacks on the data center, the gateway device comprising:
a computing device comprising a monitoring process that monitors network connection setups initiated by sending SYN packets from a client to the data center, the monitoring process comprising a process to:
track ratios of SYNs to SYN ACKs and SYN ACKs to ACKs;
compare the ratios to threshold values; and
send an alarm to a control center when at least one of the ratios exceeds a threshold value to indicate to the control center that the server is under a SYN flood attack.
17. A computer program product residing on a computer readable medium for defending a server against SYN flood attacks, the computer program product executed on a device, the computer program product comprising instructions to cause the device to:
forward, in response to a SYN packet received by the server from a client, a SYN ACK packet from the server to the client and immediately send an ACK packet to the server;
maintain the connection open for a variable timeout period; and
close the connection by sending a RST to the server if an ACK packet does not arrive from the client to the server, or forward a received ACK to the server if the ACK packet does arrive from the client to the server and maintain the connection.
22. A computer program product residing on a computer readable medium for defending a server against SYN flood attacks, the computer program product executed on a device, the computer program product comprising instructions to cause the device to:
during a connection setup initiated by sending a SYN packet from a client to a server,
track ratios of SYNs to SYN ACKs and SYN ACKs to ACKs;
compare the ratios to threshold values; and
send an alarm message to a control center when at least one of the ratios exceeds a threshold value to indicate to the control center that the server is under a SYN flood attack. (Dependent claim: 21)
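Claims 8, 15 and 22 describe the ratio-based detector without saying how the ratios are computed or what the thresholds are, so the following is added as an illustration; it is not code from the patent. The thresholds (1.5 and 3.0), the minimum sample size, the per-flow bookkeeping that keeps data ACKs out of the ACK count, and the zero-denominator convention are all assumptions, and the handshake events are constructed. It goes slightly beyond the claims in one respect worth knowing: the two ratios fire in different phases of a flood, SYN ACK:ACK while the server is still answering every SYN and SYN:SYN ACK once its backlog is full and SYNs go unanswered, which is why the claims track both.

```python
"""Handshake-ratio SYN-flood detector of claims 8, 15 and 22.

Added illustration, not code from the patent. Thresholds, the minimum sample
size and the per-flow bookkeeping are assumptions; all events are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER = "10.0.0.5"  # constructed address of the protected server


@dataclass(frozen=True)
class Event:
    t: float
    client: str
    server: str
    flags: str  # "SYN", "SYN-ACK" or "ACK"


def ratio(num: int, den: int) -> float:
    """num/den with a defined answer when the denominator is zero (assumed convention)."""
    if den == 0:
        return float("inf") if num > 0 else 0.0
    return num / den


class RatioMonitor:
    def __init__(self, server: str, syn_to_synack_max: float = 1.5,
                 synack_to_ack_max: float = 3.0, min_syns: int = 20) -> None:
        self.server = server
        self.syn_to_synack_max = syn_to_synack_max  # assumed threshold
        self.synack_to_ack_max = synack_to_ack_max  # assumed threshold
        self.min_syns = min_syns                    # assumed: never judge ratios on a handful of SYNs
        self.counts: Counter = Counter()
        self.stage: Dict[Tuple[str, str], str] = {}  # per-flow handshake stage, so data ACKs are not counted

    def observe(self, ev: Event) -> None:
        if ev.server != self.server:
            return
        key = (ev.client, ev.server)
        if ev.flags == "SYN":
            self.counts["SYN"] += 1
            self.stage[key] = "SYN"
        elif ev.flags == "SYN-ACK" and self.stage.get(key) == "SYN":
            self.counts["SYN-ACK"] += 1
            self.stage[key] = "SYN-ACK"
        elif ev.flags == "ACK" and self.stage.get(key) == "SYN-ACK":
            self.counts["ACK"] += 1
            del self.stage[key]  # handshake complete; later ACKs on this flow are ignored
        # Flows that never complete stay in self.stage; a real monitor must age them out.

    def ratios(self) -> Tuple[float, float]:
        c = self.counts
        return ratio(c["SYN"], c["SYN-ACK"]), ratio(c["SYN-ACK"], c["ACK"])

    def check(self) -> Optional[dict]:
        """Return the alarm message for the control center, or None."""
        if self.counts["SYN"] < self.min_syns:
            return None
        syn_synack, synack_ack = self.ratios()
        exceeded = []
        if syn_synack > self.syn_to_synack_max:
            exceeded.append("SYN:SYN-ACK")  # server no longer answers every SYN (backlog full)
        if synack_ack > self.synack_to_ack_max:
            exceeded.append("SYN-ACK:ACK")  # answered SYNs whose "client" never completes
        if not exceeded:
            return None
        return {"server": self.server, "syn_to_synack": syn_synack,
                "synack_to_ack": synack_ack, "exceeded": exceeded}


def legitimate_handshakes(n: int, t0: float = 0.0) -> List[Event]:
    """n well-behaved clients, each completing the three-way handshake (constructed)."""
    evs: List[Event] = []
    for i in range(n):
        c = f"203.0.113.{i + 1}"
        evs += [Event(t0 + i, c, SERVER, "SYN"),
                Event(t0 + i + 0.01, c, SERVER, "SYN-ACK"),
                Event(t0 + i + 0.02, c, SERVER, "ACK")]
    return evs


def spoofed_syns(n: int, answered: int, t0: float) -> List[Event]:
    """n SYNs from forged sources; the server SYN-ACKs the first `answered`, nobody ever ACKs."""
    evs: List[Event] = []
    for i in range(n):
        c = f"198.51.100.{i + 1}"
        evs.append(Event(t0 + i * 0.001, c, SERVER, "SYN"))
        if i < answered:
            evs.append(Event(t0 + i * 0.001 + 0.0005, c, SERVER, "SYN-ACK"))
    return evs


def run(events: List[Event]) -> Tuple[Tuple[float, float], Optional[dict]]:
    mon = RatioMonitor(SERVER)
    for ev in sorted(events, key=lambda e: e.t):
        mon.observe(ev)
    return mon.ratios(), mon.check()


def scenario_baseline():
    return run(legitimate_handshakes(25))


def scenario_flood_backlog_open():
    # Server still answers every SYN: only SYN-ACK:ACK reveals the flood.
    return run(legitimate_handshakes(25) + spoofed_syns(100, answered=100, t0=30.0))


def scenario_flood_backlog_full():
    # Backlog full after 40 spoofed SYNs: SYN:SYN-ACK climbs instead.
    return run(legitimate_handshakes(25) + spoofed_syns(100, answered=40, t0=30.0))


def scenario_server_silent():
    # Server answers nothing: SYN:SYN-ACK is unbounded, SYN-ACK:ACK is 0/0 and stays quiet.
    return run(spoofed_syns(30, answered=0, t0=0.0))
```

The baseline of 25 clean handshakes yields ratios of 1.0 and 1.0 and no alarm; 100 spoofed SYNs that the server still answers leave SYN:SYN ACK at 1.0 but push SYN ACK:ACK to 5.0; the same flood against a full backlog instead raises SYN:SYN ACK to about 1.92. The `min_syns` gate matters because a single unanswered SYN on an idle link would otherwise produce an infinite ratio and a spurious alarm.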
Specification