Using TCP to authenticate IP source addresses
Abstract
A method for authenticating communication traffic includes intercepting a request directed over a network from a source address to open a connection to a target computer in accordance with a handshake procedure specified by a predetermined communication protocol. A reply to the request that deviates from the specified handshake procedure is sent to the source address. A response from the source address to the reply is analyzed in order to make an assessment of legitimacy of the source address. Upon determining, based on the assessment, that the source address is legitimate, the target computer is permitted to complete the handshake procedure so as to open the connection with the source address.
75 Claims
1. A method for authenticating communication traffic, comprising:
intercepting a request directed over a network from a source address to open a connection to a target computer in accordance with a handshake procedure specified by a predetermined communication protocol;
sending to the source address a reply to the request that deviates from the specified handshake procedure;
analyzing a response from the source address to the reply in order to make an assessment of legitimacy of the source address; and
upon determining, based on the assessment, that the source address is legitimate, permitting the target computer to complete the handshake procedure so as to open the connection with the source address.
(Dependent claims 2 to 11.)

12. A method for authenticating communication traffic, comprising:
intercepting a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP);
reading from the SYN packet a first value of a Time-To-Live (TTL) field;
in reply to the SYN packet, sending a TCP ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the ACK packet;
receiving a TCP RST packet sent from the source address in response to the ACK packet;
reading a TCP sequence number and a second value of the TTL field from the RST packet; and
comparing the TCP sequence number to the second value of the TTL field in order to assess legitimacy of the source address.
(Dependent claims 13 to 17.)

18. A method for authenticating communication traffic, comprising:
intercepting a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), the SYN packet comprising a TCP sequence number;
in reply to the SYN packet, sending a first TCP ACK packet to the source address, while setting a TCP acknowledgment number of the first ACK packet to a first value that is not greater by one than the sequence number of the SYN packet;
receiving a TCP RST packet sent from the source address in response to the first ACK packet;
responsively to receiving the TCP RST packet, sending a second ACK packet to the source address, while setting the TCP acknowledgment number of the second ACK packet to a second value that is greater by one than the sequence number of the SYN packet; and
assessing legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
(Dependent claim 19.)

20. A method for authenticating communication traffic, comprising:
intercepting a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP);
reading a TCP sequence number from the SYN packet;
in reply to the SYN packet, sending a TCP ACK packet to the source address, while setting a TCP acknowledgment number of the ACK packet to a value greater by one than the sequence number of the SYN packet; and
upon receiving a TCP RST packet sent from the source address in response to the ACK packet, determining the source address to be illegitimate.
(Dependent claims 21 to 25.)

26. Apparatus for authenticating communication traffic, comprising a guard device, which is coupled to intercept a request directed over a network from a source address to open a connection to a target computer in accordance with a handshake procedure specified by a predetermined communication protocol, and is adapted to send to the source address a reply to the request that deviates from the specified handshake procedure, to analyze a response from the source address to the reply in order to make an assessment of legitimacy of the source address, and upon determining, based on the assessment, that the source address is legitimate, to permit the target computer to complete the handshake procedure so as to open the connection with the source address.

37. Apparatus for authenticating communication traffic, comprising a guard device, which is coupled to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), and is adapted to read from the SYN packet a first value of a Time-To-Live (TTL) field, and in reply to the SYN packet, to send a TCP ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the ACK packet,
wherein the guard device is coupled to receive a TCP RST packet sent from the source address in response to the ACK packet, and is adapted to read a TCP sequence number and a second value of the TTL field from the RST packet, and to compare the TCP sequence number to the second value of the TTL field in order to assess legitimacy of the source address.

43. Apparatus for authenticating communication traffic, comprising a guard device, which is coupled to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), the SYN packet comprising a TCP sequence number, and which is adapted to send, in reply to the SYN packet, a first TCP ACK packet to the source address, while setting a TCP acknowledgment number of the first ACK packet to a first value that is not greater by one than the sequence number of the SYN packet, and which is further adapted, upon receiving a TCP RST packet sent from the source address in response to the first ACK packet, to send a second ACK packet to the source address, while setting the TCP acknowledgment number of the second ACK packet to a second value that is greater by one than the sequence number of the SYN packet, and to assess legitimacy of the source address based upon a further response received from the source address following the further ACK packet.

45. Apparatus for authenticating communication traffic, comprising a guard device, which is coupled to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), and which is adapted to read a TCP sequence number from the SYN packet, and in reply to the SYN packet, to send a TCP ACK packet to the source address, while setting a TCP acknowledgment number of the ACK packet to a value greater by one than the sequence number of the SYN packet, and to determine the source address to be illegitimate upon receiving a TCP RST packet sent from the source address in response to the ACK packet.

51. A computer software product for authenticating communication traffic, the product comprising a computer readable medium, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a request directed over a network from a source address to open a connection to a target computer in accordance with a handshake procedure specified by a predetermined communication protocol, and further cause the guard computer to send to the source address a reply to the request that deviates from the specified handshake procedure, to analyze a response from the source address to the reply in order to make an assessment of legitimacy of the source address, and upon determining, based on the assessment, that the source address is legitimate, to permit the target computer to complete the handshake procedure so as to open the connection with the source address.

62. A computer software product for authenticating communication traffic, the product comprising a computer readable medium, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), and to read from the SYN packet a first value of a Time-To-Live (TTL) field, and in reply to the SYN packet, to send a TCP ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the ACK packet,
wherein the instructions further cause the guard computer to receive a TCP RST packet sent from the source address in response to the ACK packet, and to read a TCP sequence number and a second value of the TTL field from the RST packet, and to compare the TCP sequence number to the second value of the TTL field in order to assess legitimacy of the source address.

68. A computer software product for authenticating communication traffic, the product comprising a computer readable medium, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), the SYN packet comprising a TCP sequence number, and further cause the guard computer to send, in reply to the SYN packet, a first TCP ACK packet to the source address, while setting a TCP acknowledgment number of the first ACK packet to a first value that is not greater by one than the sequence number of the SYN packet, and which instructions further cause the guard computer, upon receiving a TCP RST packet sent from the source address in response to the first ACK packet, to send a second ACK packet to the source address, while setting the TCP acknowledgment number of the second ACK packet to a second value that is greater by one than the sequence number of the SYN packet, and to assess legitimacy of the source address based upon a further response received from the source address following the further ACK packet.

70. A computer software product for authenticating communication traffic, the product comprising a computer readable medium, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP), and further cause the guard computer to read a TCP sequence number from the SYN packet, and in reply to the SYN packet, to send a TCP ACK packet to the source address, while setting a TCP acknowledgment number of the ACK packet to a value greater by one than the sequence number of the SYN packet, and to determine the source address to be illegitimate upon receiving a TCP RST packet sent from the source address in response to the ACK packet.
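The independent TCP claims (12, 18 and 20, mirrored by 37, 43, 45, 62, 68 and 70) all rest on how a standard TCP stack reacts to an ACK that arrives in place of the expected SYN-ACK. Per RFC 793, a host in SYN-SENT answers an ACK whose acknowledgment number is anything other than ISS+1 with a RST whose sequence number equals that acknowledgment number, and silently drops an ACK that does carry ISS+1; a host in CLOSED (one whose address was forged on a SYN it never sent) answers any ACK with a RST. The guard exploits the first reaction to make the real owner of the source address echo a value it chose (claim 12), and the second to tell a forged source from a real one (claims 18 and 20). The following Python simulation of that exchange, with both the guard and the probed host in-process, is an added example and not the patent's own code. It assumes one particular encoding of the TTL (the low 8 bits of the acknowledgment number under a 24-bit cookie), a simple equality test for the TTL comparison, and constructed addresses, hop counts, ISS values and cookie; the function and class names are hypothetical.

```python
"""Guard-device handshake of claims 12, 18 and 20, simulated end to end.
Added example, not the patent's code. Host follows RFC 793 processing for the
CLOSED and SYN-SENT states; the guard answers a SYN with a deliberately
non-conforming ACK and judges the source by the reply. Addresses, TTLs, hop
counts, ISS values and the cookie are constructed sample values."""
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF
LEGIT = "legitimate"
BAD_RST = "illegitimate: no RST, or RST inconsistent with the SYN's TTL"
BAD_ANSWER = "illegitimate: answered an acceptable ACK, so it never sent the SYN"
COOKIE = 0xABCDEF          # constructed; a real guard would draw one per SYN
TARGET = "203.0.113.10"    # constructed address of the protected server


@dataclass
class Seg:                 # only the fields the claims reason about
    src: str
    dst: str
    ttl: int               # TTL as observed at the guard, after the path decremented it
    seq: int
    ack: int
    flags: str             # subset of "SAR": SYN, ACK, RST


class Host:
    """Endpoint `hops` routers away, so its segments reach the guard with
    ttl = initial_ttl - hops. state is SYN-SENT if it really sent the SYN,
    CLOSED if someone else forged a SYN carrying its address."""

    def __init__(self, addr: str, initial_ttl: int, hops: int, iss: int = 0):
        self.addr, self.ttl, self.iss, self.state = addr, initial_ttl - hops, iss, "CLOSED"

    def send_syn(self, dst: str) -> Seg:
        self.state = "SYN-SENT"
        return Seg(self.addr, dst, self.ttl, self.iss, 0, "S")

    def receive(self, seg: Seg) -> Optional[Seg]:
        """RFC 793 reply to one inbound segment, or None for a silent drop."""
        if seg.dst != self.addr or "R" in seg.flags or "A" not in seg.flags:
            return None
        rst = Seg(self.addr, seg.src, self.ttl, seg.ack, 0, "R")
        if self.state == "CLOSED":
            return rst     # CLOSED: any ACK draws <SEQ=SEG.ACK><CTL=RST>
        # SYN-SENT: an ACK other than ISS+1 is unacceptable and draws the same
        # RST; an acceptable ACK that carries no SYN is dropped without a reply.
        return rst if seg.ack != (self.iss + 1) & MASK32 else None


def guard_challenge(syn: Seg, cookie: int) -> Seg:
    """Claim 12 reply: a bare ACK whose ack number carries the SYN's TTL in its
    low 8 bits under a 24-bit cookie, and is never ISS+1, the one value a
    SYN-SENT host accepts silently."""
    ack = ((cookie & 0xFFFFFF) << 8) | (syn.ttl & 0xFF)
    if ack == (syn.seq + 1) & MASK32:
        ack ^= 1 << 31     # assumption: flip a cookie bit to dodge ISS+1
    return Seg(syn.dst, syn.src, 64, 0, ack, "A")


def guard_verify_rst(challenge: Seg, rst: Optional[Seg]) -> bool:
    """Claim 12 check: a real host echoes our ack number as the RST's SEQ, and
    its RST crosses the same path as its SYN, so the TTL recovered from SEQ
    must equal the TTL observed on the RST."""
    if rst is None or "R" not in rst.flags or rst.src != challenge.dst:
        return False
    if rst.seq != challenge.ack:   # cookie mismatch: not a reply to our challenge
        return False
    return (rst.seq & 0xFF) == rst.ttl


def guard_probe_acceptable(syn: Seg) -> Seg:
    """Claim 20 probe (second step of claim 18): ACK with the acceptable number
    ISS+1. The SYN's real sender drops it; a CLOSED host answers with RST."""
    return Seg(syn.dst, syn.src, 64, 0, (syn.seq + 1) & MASK32, "A")


def authenticate(syn: Seg, host: Optional[Host], cookie: int) -> str:
    """Claim 18 flow. `host` is whoever really owns syn.src (None: nobody)."""
    challenge = guard_challenge(syn, cookie)
    rst = host.receive(challenge) if host else None
    if not guard_verify_rst(challenge, rst):
        return BAD_RST
    if host.receive(guard_probe_acceptable(syn)) is not None:
        return BAD_ANSWER
    return LEGIT


def forged_syn(attacker: Host, victim_addr: str) -> Seg:
    """Spoofed SYN: the attacker's path sets the TTL, not the victim's."""
    return Seg(victim_addr, TARGET, attacker.ttl, 7777, 0, "S")


def scenario_real_client() -> str:
    client = Host("192.0.2.5", initial_ttl=64, hops=12, iss=1000)
    return authenticate(client.send_syn(TARGET), client, COOKIE)


def scenario_spoofed_far_victim() -> str:
    """Victim's RST (CLOSED) arrives with ttl 108, not the 59 encoded from the SYN."""
    attacker, victim = Host("192.0.2.66", 64, hops=5), Host("198.51.100.7", 128, hops=20)
    return authenticate(forged_syn(attacker, victim.addr), victim, COOKIE)


def scenario_spoofed_same_ttl() -> str:
    """Same observed TTL as the attacker, so the claim 12 check alone passes;
    the claim 20 probe still catches the CLOSED victim."""
    attacker, victim = Host("192.0.2.66", 64, hops=5), Host("198.51.100.9", 64, hops=5)
    return authenticate(forged_syn(attacker, victim.addr), victim, COOKIE)
```

Each scenario function returns the guard's verdict: the real client passes both steps, the far victim fails the claim 12 TTL comparison because its RST took a different path than the forged SYN, and a victim that happens to sit at the same hop distance as the attacker passes claim 12 but is caught by the claim 20 probe, which is the reason claim 18 chains the two. Two practical caveats follow from the model. The TTL equality assumes the host's RST and its SYN take the same route, so asymmetric or changing routes would produce false negatives; a deployment would tolerate a small difference rather than demand equality. And the challenge costs a real client nothing but time: sending its own RST does not move it out of SYN-SENT, so it retransmits the SYN, and that retransmission is what the guard can then allow through to the target to complete the genuine handshake.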
Specification