Using TCP to authenticate IP source addresses

US 20050021999A1
Filed: 03/02/2004
Published: 01/27/2005
Est. Priority Date: 03/03/2003
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating communication traffic, comprising:

intercepting a request directed over a network from a source address to open a connection to a target computer in accordance with a handshake procedure specified by a predetermined communication protocol;

sending to the source address a reply to the request that deviates from the specified handshake procedure;

analyzing a response from the source address to the reply in order to make an assessment of legitimacy of the source address; and

upon determining, based on the assessment, that the source address is legitimate, permitting the target computer to complete the handshake procedure so as to open the connection with the source address.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating communication traffic includes intercepting a request directed over a network from a source address to open a connection to a target computer in accordance with a handshake procedure specified by a predetermined communication protocol. A reply to the request that deviates from the specified handshake procedure is sent to the source address. A response from the source address to the reply is analyzed in order to make an assessment of legitimacy of the source address. Upon determining, based on the assessment, that the source address is legitimate, the target computer is permitted to complete the handshake procedure so as to open the connection with the source address.

136 Citations

View as Search Results

75 Claims

1. A method for authenticating communication traffic, comprising:
- intercepting a request directed over a network from a source address to open a connection to a target computer in accordance with a handshake procedure specified by a predetermined communication protocol;
  
  sending to the source address a reply to the request that deviates from the specified handshake procedure;
  
  analyzing a response from the source address to the reply in order to make an assessment of legitimacy of the source address; and
  
  upon determining, based on the assessment, that the source address is legitimate, permitting the target computer to complete the handshake procedure so as to open the connection with the source address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method according to claim 1, wherein the protocol comprises a Transmission Control Protocol (TCP), and wherein the handshake procedure comprises a TCP three-way handshake.
  - 3. The method according to claim 2, wherein intercepting the request comprises intercepting a TCP SYN packet, and wherein sending the reply comprises sending a TCP ACK packet.
  - 4. The method according to claim 1, wherein intercepting the request comprises intercepting a first incoming packet comprising a field that is indicative of a number of hops traversed by the first incoming packet since having been sent from the source address, and making a record of a first value of the field appearing in the first incoming packet, and wherein analyzing the response comprises receiving a second incoming packet from the source address, and reading from the second incoming packet a second value of the field that is indicative of the number of hops traversed by the second incoming packet, and comparing the first and second values of the field in order to assess the legitimacy of the source address.
  - 5. The method according to claim 4, wherein making the record comprises encoding the first value of the field in an outgoing packet, and wherein sending the reply comprises sending the outgoing packet to the source address, so as to cause the encoded first value to be incorporated in the second incoming packet.
  - 6. The method according to claim 4, wherein the first, second and third packets are Internet Protocol (IP) packets, and wherein the field comprises a Time-To-Live (TTL) field in a header of the IP packets.
  - 7. The method according to claim 6, wherein the protocol comprises a Transmission Control Protocol (TCP), and wherein encoding the first value comprises encoding the first value of the TTL field in an acknowledgment number field in a TCP header of the second packet.
  - 8. The method according to claim 1, wherein intercepting the request comprises intercepting a first packet comprising a sequence number, and wherein sending the reply comprises sending a second packet to the source address, acknowledging the first packet and containing an acknowledgment number based on the sequence number in accordance with the protocol, and wherein analyzing the response comprises disqualifying the source address if the source address responds to the second packet.
  - 9. The method according to claim 8, wherein analyzing the response comprises determining the source address to be legitimate if the source address retransmits the first packet without responding to the second packet.
  - 10. The method according to claim 1, and comprising opening a proxy connection between a guard device and the source address, and permitting the source address to access the target computer only via the proxy connection as long as the legitimacy of the source address is not established.
  - 11. The method according to claim 10, and comprising making a determination that the source address is legitimate responsively to use of the proxy connection, and responsively to the determination, causing the connection to be opened directly between the source address and the target computer while closing the proxy connection.

12. A method for authenticating communication traffic, comprising:
- intercepting a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP);
  
  reading from the SYN packet a first value of a Time-To-Live (TTL) field;
  
  in reply to the SYN packet, sending a TCP ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the ACK packet;
  
  receiving a TCP RST packet sent from the source address in response to the ACK packet;
  
  reading a TCP sequence number and a second value of the TTL field from the RST packet; and
  
  comparing the TCP sequence number to the second value of the TTL field in order to assess legitimacy of the source address.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method according to claim 12, wherein comparing the TCP sequence number comprises decoding the TCP sequence number in order to recover the first value of the TTL field, and determining the source address to be legitimate if the first and second values of the TTL field are equal to within a predetermined tolerance.
  - 14. The method according to claim 12, and comprising sending a TCP SYN-ACK packet to the source address after a timeout period and, upon receiving an incoming TCP ACK packet from the source address in response to the SYN-ACK packet, permitting the source address to communicate with the target computer even if no RST packet was received in response to the ACK packet sent to the source address.
  - 15. The method according to claim 14, wherein permitting the source address to communicate comprises opening a TCP proxy connection between a guard device and the source address, and permitting the source address to access the target computer via the proxy connection.
  - 16. The method according to claim 12, and comprising, upon failing to determine the source address to be legitimate based upon receiving the RST packet:
    - reading a TCP sequence number from the SYN packet;
      
      sending a further ACK packet to the source address, while setting a TCP acknowledgment number of the further ACK packet to a value greater by one than the sequence number of the SYN packet; and
      
      assessing the legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
  - 17. The method according to claim 12, and comprising permitting the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

18. A method for authenticating communication traffic, comprising:
- intercepting a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), the SYN packet comprising a TCP sequence number;
  
  in reply to the SYN packet, sending a first TCP ACK packet to the source address, while setting a TCP acknowledgment number of the first ACK packet to a first value that is not greater by one than the sequence number of the SYN packet;
  
  receiving a TCP RST packet sent from the source address in response to the first ACK packet;
  
  responsively to receiving the TCP RST packet, sending a second ACK packet to the source address, while setting the TCP acknowledgment number of the second ACK packet to a second value that is greater by one than the sequence number of the SYN packet; and
  
  assessing legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
- View Dependent Claims (19)
- - 19. The method according to claim 18, wherein assessing the legitimacy of the source address comprises determining the source address to be legitimate if a further TCP RST packet is not received from the source address in response to the second ACK packet.

20. A method for authenticating communication traffic, comprising:
- intercepting a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP);
  
  reading a TCP sequence number from the SYN packet;
  
  in reply to the SYN packet, sending a TCP ACK packet to the source address, while setting a TCP acknowledgment number of the ACK packet to a value greater by one than the sequence number of the SYN packet; and
  
  upon receiving a TCP RST packet sent from the source address in response to the ACK packet, determining the source address to be illegitimate.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The method according to claim 20, and comprising receiving a retransmission of the SYN packet from the source address after a timeout, without having received the RST packet, and permitting the source address to make a TCP connection with the target computer responsively to the retransmission.
  - 22. The method according to claim 20, wherein sending the TCP ACK packet comprises sending a first ACK packet, the method further comprising:
    - reading from the SYN packet a first value of a Time-To-Live (TTL) field;
      
      in reply to the SYN packet, sending a second ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet;
      
      receiving a further TCP RST packet sent from the source address in response to the second ACK packet;
      
      reading the TCP sequence number and a second value of the TTL field from the further RST packet; and
      
      comparing the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 23. The method according to claim 20, wherein intercepting the SYN packet comprises intercepting a first SYN packet, and wherein sending the TCP ACK packet comprises sending a first ACK packet, the method further comprising:
    - intercepting a second SYN packet from the source address, subsequent to the first SYN packet;
      
      reading from the second SYN packet a first value of a Time-To-Live (TTL) field;
      
      in reply to the second SYN packet, sending a second ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet;
      
      receiving a further TCP RST packet sent from the source address in response to the second ACK packet;
      
      reading the TCP sequence number and a second value of the TTL field from the further RST packet; and
      
      comparing the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 24. The method according to claim 23, wherein intercepting the second SYN packet comprises receiving a retransmission of the first SYN packet from the source address, without having received the RST packet.
  - 25. The method according to claim 20, and comprising permitting the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

26. Apparatus for authenticating communication traffic, comprising a guard device, which is coupled to intercept a request directed over a network from a source address to open a connection to a target computer in accordance with a handshake procedure specified by a predetermined communication protocol, and is adapted to send to the source address a reply to the request that deviates from the specified handshake procedure, to analyze a response from the source address to the reply in order to make an assessment of legitimacy of the source address, and upon determining, based on the assessment, that the source address is legitimate, to permit the target computer to complete the handshake procedure so as to open the connection with the source address.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 27. The apparatus according to claim 26, wherein the protocol comprises a Transmission Control Protocol (TCP), and wherein the handshake procedure comprises a TCP three-way handshake.
  - 28. The apparatus according to claim 27, wherein the request comprises a TCP SYN packet, and wherein the reply comprises a TCP ACK packet.
  - 29. The apparatus according to claim 26, wherein the request comprises a first incoming packet comprising a field that is indicative of a number of hops traversed by the first packet since having been sent from the source address, and wherein the guard device is adapted to make a record of a first value of the field appearing in the first incoming packet, and to read from the second incoming packet a second value of the field that is indicative of the number of hops traversed by the second incoming packet, and to compare the first and second values of the field in order to assess the legitimacy of the source address.
  - 30. The apparatus according to claim 29, wherein the reply comprises an outgoing packet sent to the source address, and wherein the guard device is adapted to encode the first value of the field in the outgoing packet, so as to cause the encoded first value to be incorporated in the second incoming packet.
  - 31. The apparatus according to claim 29, wherein the first, second and third packets are Internet Protocol (IP) packets, and wherein the field comprises a Time-To-Live (TTL) field in a header of the IP packets.
  - 32. The apparatus according to claim 31, wherein the protocol comprises a Transmission Control Protocol (TCP), and wherein the guard device is adapted to encode the first value of the TTL field in an acknowledgment number field in a TCP header of the second packet.
  - 33. The apparatus according to claim 26, wherein the request comprises a first packet comprising a sequence number, and wherein the reply comprises a second packet, sent by the guard device to the source address, such that the second packet acknowledges the first packet and contains an acknowledgment number based on the sequence number in accordance with the protocol, and wherein the guard device is adapted to disqualify the source address if the source address responds to the second packet.
  - 34. The apparatus according to claim 33, wherein the guard device is adapted to determine the source address to be legitimate if the source address retransmits the first packet without responding to the second packet.
  - 35. The apparatus according to claim 26, wherein the guard device is adapted to open a proxy connection with the source address, and to permit the source address to access the target computer only via the proxy connection as long as the legitimacy of the source address is not established.
  - 36. The apparatus according to claim 35, wherein the guard device is adapted to make a determination that the source address is legitimate responsively to use of the proxy connection, and responsively to the determination, to cause the connection to be opened directly between the source address and the target computer while closing the proxy connection.

37. Apparatus for authenticating communication traffic, comprising a guard device, which is coupled to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), and is adapted to read from the SYN packet a first value of a Time-To-Live (TTL) field, and in reply to the SYN packet, to send a TCP ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the ACK packet, wherein the guard device is coupled to receive a TCP RST packet sent from the source address in response to the ACK packet, and is adapted to read a TCP sequence number and a second value of the TTL field from the RST packet, and to compare the TCP sequence number to the second value of the TTL field in order to assess legitimacy of the source address.
- View Dependent Claims (38, 39, 40, 41, 42)
- - 38. The apparatus according to claim 37, wherein the guard device is adapted to decode the TCP sequence number in order to recover the first value of the TTL field, and to determine the source address to be legitimate if the first and second values of the TTL field are equal to within a predetermined tolerance.
  - 39. The apparatus according to claim 37, wherein the guard device is further adapted to send a TCP SYN-ACK packet to the source address after a timeout period and, upon receiving an incoming TCP ACK packet from the source address in response to the SYN-ACK packet, to permit the source address to communicate with the target computer even if no RST packet was received in response to the ACK packet sent to the source address.
  - 40. The apparatus according to claim 39, wherein the guard device is adapted to open a TCP proxy connection between the guard device and the source address, and to permit the source address to access the target computer via the proxy connection.
  - 41. The apparatus according to claim 37, and wherein the guard device is adapted, upon failing to determine the source address to be legitimate based upon receiving the RST packet, to read a TCP sequence number from the SYN packet, to send a further ACK packet to the source address, while setting a TCP acknowledgment number of the further ACK packet to a value greater by one than the sequence number of the SYN packet, and to assess the legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
  - 42. The apparatus according to claim 37, wherein the guard device is adapted to permit the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

43. Apparatus for authenticating communication traffic, comprising a guard device, which is coupled to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), the SYN packet comprising a TCP sequence number, and which is adapted to send, in reply to the SYN packet, a first TCP ACK packet to the source address, while setting a TCP acknowledgment number of the first ACK packet to a first value that is not greater by one than the sequence number of the SYN packet, and which is further adapted, upon receiving a TCP RST packet sent from the source address in response to the first ACK packet, to send a second ACK packet to the source address, while setting the TCP acknowledgment number of the second ACK packet to a second value that is greater by one than the sequence number of the SYN packet, and to assess legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
- View Dependent Claims (44)
- - 44. The apparatus according to claim 43, wherein the guard device is adapted to determine the source address to be legitimate if a further TCP RST packet is not received from the source address in response to the second ACK packet.

45. Apparatus for authenticating communication traffic, comprising a guard device, which is coupled to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), and which is adapted to read a TCP sequence number from the SYN packet, and in reply to the SYN packet, to send a TCP ACK packet to the source address, while setting a TCP acknowledgment number of the ACK packet to a value greater by one than the sequence number of the SYN packet, and to determine the source address to be illegitimate upon receiving a TCP RST packet sent from the source address in response to the ACK packet.
- View Dependent Claims (46, 47, 48, 49, 50)
- - 46. The apparatus according to claim 45, wherein the guard device is adapted to permit the source address to make a TCP connection with the target computer responsively to the retransmission upon receiving a retransmission of the SYN packet from the source address after a timeout, without having received the RST packet.
  - 47. The apparatus according to claim 45, wherein the TCP ACK packet sent by the guard device is a first ACK packet, and wherein the guard device is further adapted to read from the SYN packet a first value of a Time-To-Live (TTL) field, and in reply to the SYN packet, to send a second ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet, and wherein the guard device is coupled to receive a further TCP RST packet sent from the source address in response to the second ACK packet, and is adapted to read the TCP sequence number and a second value of the TTL field from the further RST packet, and to compare the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 48. The apparatus according to claim 45, wherein the intercepted SYN packet comprises a first SYN packet, and wherein the TCP ACK packet sent by the guard device is a first ACK packet, and wherein the guard device is coupled to intercept a second SYN packet from the source address, subsequent to the first SYN packet, and is adapted to read from the second SYN packet a first value of a Time-To-Live (TTL) field, and to send a second ACK packet to the source address in reply to the second SYN packet, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet, and wherein the guard device is coupled to receive a further TCP RST packet sent from the source address in response to the second ACK packet, and is adapted to read the TCP sequence number and a second value of the TTL field from the further RST packet, and to compare the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 49. The apparatus according to claim 48, wherein the second SYN packet comprises a retransmission of the first SYN packet from the source address, which is received by the guard device without the guard device having received the RST packet.
  - 50. The apparatus according to claim 45, wherein the guard device is adapted to permit the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

51. A computer software product for authenticating communication traffic, the product comprising a computer readable medium, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a request directed over a network from a source address to open a connection to a target computer in accordance with a handshake procedure specified by a predetermined communication protocol, and further cause the guard computer to send to the source address a reply to the request that deviates from the specified handshake procedure, to analyze a response from the source address to the reply in order to make an assessment of legitimacy of the source address, and upon determining, based on the assessment, that the source address is legitimate, to permit the target computer to complete the handshake procedure so as to open the connection with the source address.
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58, 59, 60, 61)
- - 52. The product according to claim 51, wherein the protocol comprises a Transmission Control Protocol (TCP), and wherein the handshake procedure comprises a TCP three-way handshake.
  - 53. The product according to claim 52, wherein the request comprises a TCP SYN packet, and wherein the reply comprises a TCP ACK packet.
  - 54. The product according to claim 51, wherein the request comprises a first incoming packet comprising a field that is indicative of a number of hops traversed by the first packet since having been sent from the source address, and wherein the instructions cause the guard computer to make a record of a first value of the field appearing in the first incoming packet, and to read from the second incoming packet a second value of the field that is indicative of the number of hops traversed by the second incoming packet, and to compare the first and second values of the field in order to assess the legitimacy of the source address.
  - 55. The product according to claim 54, wherein the reply comprises an outgoing packet sent to the source address, and wherein the instructions cause the guard computer to encode the first value of the field in the outgoing packet, so as to cause the encoded first value to be incorporated in the second incoming packet.
  - 56. The product according to claim 54, wherein the first, second and third packets are Internet Protocol (IP) packets, and wherein the field comprises a Time-To-Live (TTL) field in a header of the IP packets.
  - 57. The product according to claim 56, wherein the protocol comprises a Transmission Control Protocol (TCP), and wherein the instructions cause the guard computer to encode the first value of the TTL field in an acknowledgment number field in a TCP header of the second packet.
  - 58. The product according to claim 51, wherein the request comprises a first packet comprising a sequence number, and wherein the reply comprises a second packet, sent by the guard computer to the source address, such that the second packet acknowledges the first packet and contains an acknowledgment number based on the sequence number in accordance with the protocol, and wherein the instructions cause the guard computer to disqualify the source address if the source address responds to the second packet.
  - 59. The product according to claim 58, wherein the instructions cause the guard computer to determine the source address to be legitimate if the source address retransmits the first packet without responding to the second packet.
  - 60. The product according to claim 51, wherein the instructions cause the guard computer to open a proxy connection with the source address, and to permit the source address to access the target computer only via the proxy connection as long as the legitimacy of the source address is not established.
  - 61. The product according to claim 60, wherein the instructions cause the guard computer to make a determination that the source address is legitimate responsively to use of the proxy connection, and responsively to the determination, to cause the connection to be opened directly between the source address and the target computer while closing the proxy connection.

62. A computer software product for authenticating communication traffic, the product comprising a computer readable medium, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), and to read from the SYN packet a first value of a Time-To-Live (TTL) field, and in reply to the SYN packet, to send a TCP ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the ACK packet, wherein the instructions further cause the guard computer to receive a TCP RST packet sent from the source address in response to the ACK packet, and to read a TCP sequence number and a second value of the TTL field from the RST packet, and to compare the TCP sequence number to the second value of the TTL field in order to assess legitimacy of the source address.
- View Dependent Claims (63, 64, 65, 66, 67)
- - 63. The product according to claim 62, wherein the instructions cause the guard computer to decode the TCP sequence number in order to recover the first value of the TTL field, and to determine the source address to be legitimate if the first and second values of the TTL field are equal to within a predetermined tolerance.
  - 64. The product according to claim 62, wherein the instructions further cause the guard computer to send a TCP SYN-ACK packet to the source address after a timeout period and, cause the guard computer, upon receiving an incoming TCP ACK packet from the source address in response to the SYN-ACK packet, to permit the source address to communicate with the target computer even if no RST packet was received in response to the ACK packet sent to the source address.
  - 65. The product according to claim 64, wherein the instructions cause the guard computer to open a TCP proxy connection between the guard computer and the source address, and to permit the source address to access the target computer via the proxy connection.
  - 66. The product according to claim 62, and wherein the instructions cause the guard computer, upon failing to determine the source address to be legitimate based upon receiving the RST packet, to read a TCP sequence number from the SYN packet, to send a further ACK packet to the source address, while setting a TCP acknowledgment number of the further ACK packet to a value greater by one than the sequence number of the SYN packet, and to assess the legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
  - 67. The product according to claim 62, wherein the instructions cause the guard computer to permit the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

68. A computer software product for authenticating communication traffic, the product comprising a computer readable medium, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), the SYN packet comprising a TCP sequence number, and further cause the guard computer to send, in reply to the SYN packet, a first TCP ACK packet to the source address, while setting a TCP acknowledgment number of the first ACK packet to a first value that is not greater by one than the sequence number of the SYN packet, and which instructions further cause the guard computer, upon receiving a TCP RST packet sent from the source address in response to the first ACK packet, to send a second ACK packet to the source address, while setting the TCP acknowledgment number of the second ACK packet to a second value that is greater by one than the sequence number of the SYN packet, and to assess legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
- View Dependent Claims (69)
- - 69. The product according to claim 68, wherein the guard device is adapted to determine the source address to be legitimate if a further TCP RST packet is not received from the source address in response to the second ACK packet.

70. A computer software product for authenticating communication traffic, the product comprising a computer readable medium, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), and further cause the guard computer to read a TCP sequence number from the SYN packet, and in reply to the SYN packet, to send a TCP ACK packet to the source address, while setting a TCP acknowledgment number of the ACK packet to a value greater by one than the sequence number of the SYN packet, and to determine the source address to be illegitimate upon receiving a TCP RST packet sent from the source address in response to the ACK packet.
- View Dependent Claims (71, 72, 73, 74, 75)
- - 71. The product according to claim 70, wherein the instructions cause the guard computer to permit the source address to make a TCP connection with the target computer responsively to the retransmission upon receiving a retransmission of the SYN packet from the source address after a timeout, without having received the RST packet.
  - 72. The product according to claim 70, wherein the TCP ACK packet sent by the guard computer is a first ACK packet, and wherein the instructions cause the guard computer to read from the SYN packet a first value of a Time-To-Live (TTL) field, and in reply to the SYN packet, to send a second ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet, and wherein the instructions cause the guard computer to receive a further TCP RST packet sent from the source address in response to the second ACK packet, and to read the TCP sequence number and a second value of the TTL field from the further RST packet, and to compare the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 73. The product according to claim 70, wherein the intercepted SYN packet comprises a first SYN packet, and wherein the TCP ACK packet sent by the guard computer is a first ACK packet, and wherein the instructions cause the guard computer to intercept a second SYN packet from the source address, subsequent to the first SYN packet, and to read from the second SYN packet a first value of a Time-To-Live (TTL) field, and to send a second ACK packet to the source address in reply to the second SYN packet, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet, and wherein the instructions cause the guard computer to receive a further TCP RST packet sent from the source address in response to the second ACK packet, and to read the TCP sequence number and a second value of the TTL field from the further RST packet, and to compare the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 74. The product according to claim 73, wherein the second SYN packet comprises a retransmission of the first SYN packet from the source address, which is received by the guard computer without the guard computer having received the RST packet.
  - 75. The product according to claim 70, wherein the instructions cause the guard computer to permit the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Riverhead Networks, Inc.
Inventors
Touitou, Dan, Tzadikario, Rephael, Shtein, Yehiel, Pazi, Guy

Granted Patent

US 7,979,694 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/1458   Denial of Service

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/163   In-band adaptation of TCP d...

Y04S 40/20   Information technology spec...

Using TCP to authenticate IP source addresses

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

136 Citations

75 Claims

Specification

Use Cases

Quick Links

Others

Using TCP to authenticate IP source addresses

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

136 Citations

75 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others