Preventing network denial of service attacks by early discard of out-of-order segments

US 20070180533A1
Filed: 02/01/2006
Published: 08/02/2007
Est. Priority Date: 02/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method of preventing network denial of service attacks by early discard of out-of-order segments, the method comprising the computer-implemented steps of:

creating a reassembly queue for a connection between a first network node and a second network node, wherein the connection has been established based on a transport-layer network protocol, the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;

as out-of-order data segments arrive on the connection, and before other processing of the segments, determining whether the reassembly queue is full and discarding the out-of-order segments if the reassembly queue is full; and

automatically changing the size of the reassembly queue in response to one or more changes in any of network conditions and device resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of preventing network denial of service attacks by early discard of out-of-order segments comprises creating a reassembly queue for a connection between a first network node and a second network node, wherein the connection has been established based on a transport-layer network protocol, the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated. As out-of-order data segments arrive on the connection, and before other processing of the segments, whether the reassembly queue is full is determined, and the out-of-order segments are discarded if the reassembly queue is full. The size of the reassembly queue is automatically changed in response to one or more changes in any of network conditions and device resources.

61 Citations

View as Search Results

18 Claims

1. A method of preventing network denial of service attacks by early discard of out-of-order segments, the method comprising the computer-implemented steps of:
- creating a reassembly queue for a connection between a first network node and a second network node, wherein the connection has been established based on a transport-layer network protocol, the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
  
  as out-of-order data segments arrive on the connection, and before other processing of the segments, determining whether the reassembly queue is full and discarding the out-of-order segments if the reassembly queue is full; and
  
  automatically changing the size of the reassembly queue in response to one or more changes in any of network conditions and device resources.

2. A method, comprising the steps of:
- establishing a connection between a first network node and a second network node using a transport-layer network protocol;
  
  creating a reassembly queue for the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
  
  receiving an out-of-order segment on the connection;
  
  determining whether the reassembly queue is full;
  
  if the reassembly queue is full, then determining whether the reassembly queue should be enlarged based on one or more enlargement factors, and if the reassembly queue should be enlarged, then enlarging the reassembly queue and queuing the segment to the reassembly queue, and otherwise discarding the out-of-order segment.
- View Dependent Claims (3, 4, 5)
- - 3. A method as recited in claim 2, wherein the enlargement factors comprise any of amount of system load, amount of available memory, number of connections on the interface, and information from one or more other attack detection applications.
  - 4. A method as recited in claim 2, wherein the transport-layer network protocol is transmission control protocol (TCP) and wherein the reassembly queue is a TCP segment reassembly queue.
  - 5. A method as recited in claim 2, wherein the transport-layer network protocol is transmission control protocol (TCP) and wherein the reassembly queue is a TCP segment reassembly queue, and wherein determining whether the reassembly queue is full is performed before processing of the segment other than checksum validation.

6. A computer-readable medium carrying one or more sequences of instructions for preventing network denial of service attacks by early discard of out-of-order segments, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- establishing a connection between a first network node and a second network node using a transport-layer network protocol;
  
  creating a reassembly queue for the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
  
  receiving an out-of-order segment on the connection;
  
  determining whether the reassembly queue is full;
  
  if the reassembly queue is full, then determining whether the reassembly queue should be enlarged based on one or more enlargement factors, and if the reassembly queue should be enlarged, then enlarging the reassembly queue and queuing the segment to the reassembly queue, and otherwise discarding the out-of-order segment.

7. An apparatus, comprising:
- means for establishing a connection between a first network node and a second network node using a transport-layer network protocol;
  
  means for creating a reassembly queue for the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
  
  means for receiving an out-of-order segment on the connection;
  
  means for determining whether the reassembly queue is full;
  
  means for determining, if the reassembly queue is full, whether the reassembly queue should be enlarged based on one or more enlargement factors, and if the reassembly queue should be enlarged, then enlarging the reassembly queue and queuing the segment to the reassembly queue, and otherwise discarding the out-of-order segment.
- View Dependent Claims (8, 9, 10, 17)
- - 8. An apparatus as recited in claim 7, wherein the enlargement factors comprise any of amount of system load, amount of available memory, number of connections on the interface, and information from one or more other attack detection applications.
  - 9. An apparatus as recited in claim 7, wherein the transport-layer network protocol is transmission control protocol (TCP) and wherein the reassembly queue is a TCP segment reassembly queue.
  - 10. An apparatus as recited in claim 7, wherein the transport-layer network protocol is transmission control protocol (TCP) and wherein the reassembly queue is a TCP segment reassembly queue, and wherein determining whether the reassembly queue is full is performed before processing of the segment other than checksum validation.
  - 17. An apparatus as recited in claim 7, wherein the means for enlarging the reassembly queue comprises means for changing a scaling factor associated with the reassembly queue.

11. An apparatus for preventing network denial of service attacks by early discard of out-of-order segments, comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  establishing a connection between a first network node and a second network node using a transport-layer network protocol;
  
  creating a reassembly queue for the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
  
  receiving an out-of-order segment on the connection;
  
  determining whether the reassembly queue is full;
  
  if the reassembly queue is full, then determining whether the reassembly queue should be enlarged based on one or more enlargement factors, and if the reassembly queue should be enlarged, then enlarging the reassembly queue and queuing the segment to the reassembly queue, and otherwise discarding the out-of-order segment.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. An apparatus as recited in claim 11, wherein the enlargement factors comprise any of amount of system load, amount of available memory, number of connections on the interface, and information from one or more other attack detection applications.
  - 13. An apparatus as recited in claim 11, wherein the transport-layer network protocol is transmission control protocol (TCP) and wherein the reassembly queue is a TCP segment reassembly queue.
  - 14. An apparatus as recited in claim 11, wherein the transport-layer network protocol is transmission control protocol (TCP) and wherein the reassembly queue is a TCP segment reassembly queue, and wherein determining whether the reassembly queue is full is performed before processing of the segment other than checksum validation.
  - 15. An apparatus as recited in claim 11, wherein the instructions for enlarging the reassembly queue comprise instructions for changing a scaling factor associated with the reassembly queue.
  - 16. An apparatus as recited in claim 11, comprising any of a router, a switch, and a TCP proxy.

18. A TCP proxy apparatus that prevents network denial of service attacks by early discard of out-of-order segments, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  establishing a connection between a first network node and a second network node using a transport-layer network protocol;
  
  creating a TCP reassembly queue for the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
  
  receiving an out-of-order segment on the connection;
  
  before any processing of the segment other than checksum validation, determining whether the reassembly queue is full;
  
  if the reassembly queue is full, then determining whether the reassembly queue should be enlarged based on one or more enlargement factors, and if the reassembly queue should be enlarged, then enlarging the reassembly queue and queuing the segment to the reassembly queue, and otherwise discarding the out-of-order segment;
  
  wherein the enlargement factors comprise any of amount of system load, amount of available memory, number of connections on the interface, and information from one or more other attack detection applications;
  
  wherein the instructions for enlarging the reassembly queue comprise instructions for changing a scaling factor associated with the reassembly queue.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Ramaiah, Anantha, Sivakumar, Senthil, Somasundaram, Mahadev

Granted Patent

US 8,074,275 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

H04L 45/54   Organization of routing tables

H04L 45/58   Association of routers

H04L 47/10   Flow control; Congestion co...

H04L 47/43   Assembling or disassembling...

H04L 63/1458   Denial of Service

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

Preventing network denial of service attacks by early discard of out-of-order segments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Preventing network denial of service attacks by early discard of out-of-order segments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links