Preventing network denial of service attacks by early discard of out-of-order segments
First Claim
1. A method of preventing network denial of service attacks by early discard of out-of-order segments, the method comprising the computer-implemented steps of:
- creating a reassembly queue for a connection between a first network node and a second network node, wherein the connection has been established based on a transport-layer network protocol, the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
- as out-of-order data segments arrive on the connection, and before other processing of the segments, determining whether the reassembly queue is full and discarding the out-of-order segments if the reassembly queue is full; and
- automatically changing the size of the reassembly queue in response to one or more changes in any of network conditions and device resources.
1 Assignment
0 Petitions
Abstract
A method of preventing network denial of service attacks by early discard of out-of-order segments comprises creating a reassembly queue for a connection between a first network node and a second network node, wherein the connection has been established based on a transport-layer network protocol, the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated. As out-of-order data segments arrive on the connection, and before other processing of the segments, whether the reassembly queue is full is determined, and the out-of-order segments are discarded if the reassembly queue is full. The size of the reassembly queue is automatically changed in response to one or more changes in any of network conditions and device resources.
61 Citations
18 Claims
2. A method, comprising the steps of:
- establishing a connection between a first network node and a second network node using a transport-layer network protocol;
- creating a reassembly queue for the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
- receiving an out-of-order segment on the connection;
- determining whether the reassembly queue is full;
- if the reassembly queue is full, then determining whether the reassembly queue should be enlarged based on one or more enlargement factors, and if the reassembly queue should be enlarged, then enlarging the reassembly queue and queuing the segment to the reassembly queue, and otherwise discarding the out-of-order segment.
(Dependent claims: 3, 4, 5)

6. A computer-readable medium carrying one or more sequences of instructions for preventing network denial of service attacks by early discard of out-of-order segments, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- establishing a connection between a first network node and a second network node using a transport-layer network protocol;
- creating a reassembly queue for the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
- receiving an out-of-order segment on the connection;
- determining whether the reassembly queue is full;
- if the reassembly queue is full, then determining whether the reassembly queue should be enlarged based on one or more enlargement factors, and if the reassembly queue should be enlarged, then enlarging the reassembly queue and queuing the segment to the reassembly queue, and otherwise discarding the out-of-order segment.

7. An apparatus, comprising:
- means for establishing a connection between a first network node and a second network node using a transport-layer network protocol;
- means for creating a reassembly queue for the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
- means for receiving an out-of-order segment on the connection;
- means for determining whether the reassembly queue is full;
- means for determining, if the reassembly queue is full, whether the reassembly queue should be enlarged based on one or more enlargement factors, and if the reassembly queue should be enlarged, then enlarging the reassembly queue and queuing the segment to the reassembly queue, and otherwise discarding the out-of-order segment.
(Dependent claims: 8, 9, 10, 17)

11. An apparatus for preventing network denial of service attacks by early discard of out-of-order segments, comprising:
- a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
- a processor;
- one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
  - establishing a connection between a first network node and a second network node using a transport-layer network protocol;
  - creating a reassembly queue for the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
  - receiving an out-of-order segment on the connection;
  - determining whether the reassembly queue is full;
  - if the reassembly queue is full, then determining whether the reassembly queue should be enlarged based on one or more enlargement factors, and if the reassembly queue should be enlarged, then enlarging the reassembly queue and queuing the segment to the reassembly queue, and otherwise discarding the out-of-order segment.
(Dependent claims: 12, 13, 14, 15, 16)

18. A TCP proxy apparatus that prevents network denial of service attacks by early discard of out-of-order segments, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
- a processor;
- one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
  - establishing a connection between a first network node and a second network node using a transport-layer network protocol;
  - creating a TCP reassembly queue for the reassembly queue having a size based on a buffer size of an input interface with which the connection is associated;
  - receiving an out-of-order segment on the connection;
  - before any processing of the segment other than checksum validation, determining whether the reassembly queue is full;
  - if the reassembly queue is full, then determining whether the reassembly queue should be enlarged based on one or more enlargement factors, and if the reassembly queue should be enlarged, then enlarging the reassembly queue and queuing the segment to the reassembly queue, and otherwise discarding the out-of-order segment;
- wherein the enlargement factors comprise any of amount of system load, amount of available memory, number of connections on the interface, and information from one or more other attack detection applications;
- wherein the instructions for enlarging the reassembly queue comprise instructions for changing a scaling factor associated with the reassembly queue.

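The claims above describe a receiver-side defence: an out-of-order segment is tested against a full reassembly queue before any other work is spent on it, the queue is sized from the input interface's buffer and a scaling factor, and growth is allowed only when enlargement factors (system load, free memory, connection count, input from other attack-detection code) permit it. The following simulation is an added example written for this page, not code from the patent or its assignee. The class and field names, the thresholds inside `should_enlarge`, the `MAX_SCALE` bound, and the traffic in `simulate_burst` are all constructed assumptions; segments are assumed non-overlapping and checksum validation is assumed to have already happened.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte
    payload: bytes


@dataclass
class Conditions:
    """Enlargement factors named in claim 18; thresholds below are constructed."""
    system_load: float      # 0.0 (idle) .. 1.0 (saturated)
    free_memory: int        # bytes available on the device
    connections: int        # connections currently open on the interface
    attack_reported: bool   # signal from another attack-detection application


class ReassemblyQueue:
    MAX_SCALE = 4  # constructed upper bound on the scaling factor

    def __init__(self, interface_buffer_size: int, mss: int) -> None:
        # Base size comes from the input interface's buffer; effective size is base * scale
        self.base_slots = max(1, interface_buffer_size // mss)
        self.scale = 1
        self.segments: Dict[int, Segment] = {}   # keyed by seq; assumed non-overlapping
        self.discarded = 0

    @property
    def capacity(self) -> int:
        return self.base_slots * self.scale

    def is_full(self) -> bool:
        return len(self.segments) >= self.capacity

    def should_enlarge(self, cond: Conditions) -> bool:
        # Grow only while every factor says resources are plentiful and no attack is suspected
        if self.scale >= self.MAX_SCALE or cond.attack_reported:
            return False
        if cond.system_load > 0.80 or cond.free_memory < 1_000_000:
            return False
        return cond.connections <= 10_000

    def on_conditions_changed(self, cond: Conditions) -> None:
        """Shrink under pressure; drop the highest-seq segments that no longer fit."""
        if self.scale > 1 and (cond.attack_reported or cond.system_load > 0.80):
            self.scale -= 1
            while len(self.segments) > self.capacity:
                del self.segments[max(self.segments)]
                self.discarded += 1


class Connection:
    def __init__(self, isn: int, interface_buffer_size: int, mss: int) -> None:
        self.rcv_next = isn                # next in-order byte expected from the peer
        self.queue = ReassemblyQueue(interface_buffer_size, mss)
        self.delivered = bytearray()       # reassembled in-order payload

    def _deliver(self, seg: Segment) -> None:
        self.delivered += seg.payload
        self.rcv_next += len(seg.payload)

    def receive(self, seg: Segment, cond: Conditions) -> str:
        if seg.seq < self.rcv_next:
            return "duplicate"             # already delivered; nothing to queue
        if seg.seq == self.rcv_next:
            self._deliver(seg)
            while self.rcv_next in self.queue.segments:   # a filled gap releases queued data
                self._deliver(self.queue.segments.pop(self.rcv_next))
            return "delivered"
        # Out-of-order: the full-queue test is the first thing done with the segment,
        # so a flood of such segments costs the device nothing beyond this check.
        if self.queue.is_full():
            if not self.queue.should_enlarge(cond):
                self.queue.discarded += 1
                return "discarded"
            self.queue.scale += 1          # enlarge by bumping the scaling factor
        self.queue.segments.setdefault(seg.seq, seg)
        return "queued"


def simulate_burst(queue_slots: int, cond: Conditions) -> dict:
    """Constructed scenario: one in-order segment, six out-of-order segments that
    skip the one at seq 1100, then the missing segment. Returns event counts."""
    mss = 100
    conn = Connection(isn=1000, interface_buffer_size=mss * queue_slots, mss=mss)
    counts = {"delivered": 0, "queued": 0, "discarded": 0, "duplicate": 0}
    counts[conn.receive(Segment(1000, b"a" * mss), cond)] += 1
    for i in range(2, 8):
        counts[conn.receive(Segment(1000 + i * mss, b"b" * mss), cond)] += 1
    counts[conn.receive(Segment(1100, b"c" * mss), cond)] += 1   # fills the gap
    counts["scale"] = conn.queue.scale
    counts["bytes_delivered"] = len(conn.delivered)
    return counts
```

Running `simulate_burst(2, cond)` with a hostile `Conditions` (attack reported, high load) keeps the two-slot queue fixed and discards four of the six out-of-order segments before any reassembly work; with calm conditions the scaling factor grows to 3 and all six are queued and later delivered once the gap is filled. The discard decision deliberately reads only the queue length and the scaling factor, which is what keeps the cost of each dropped segment constant regardless of how many arrive.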
Specification