System and method for an adaptive TCP SYN cookie with time validation

US 20070195792A1
Filed: 02/21/2006
Published: 08/23/2007
Est. Priority Date: 02/21/2006
Status: Active Grant

First Claim

Patent Images

1. A system for TCP SYN cookie validation at a host server comprising:

a session SYN packet receiver for receiving a session SYN packet;

a transition cookie generator for generating a transition cookie, the transition cookie comprising a time value representing the actual time;

a session SYN/ACK packet sender for sending the transition cookie in response to the received session SYN packet;

a session ACK packet receiver for receiving a session ACK packet, the session ACK packet including a candidate transition cookie; and

a transition cookie validator, for determining whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a method and system for TCP SYN cookie validation. The method includes receiving a session SYN packet by a TCP session setup module of a host server, generating a transition cookie including a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.

90 Citations

View as Search Results

25 Claims

1. A system for TCP SYN cookie validation at a host server comprising:
- a session SYN packet receiver for receiving a session SYN packet;
  
  a transition cookie generator for generating a transition cookie, the transition cookie comprising a time value representing the actual time;
  
  a session SYN/ACK packet sender for sending the transition cookie in response to the received session SYN packet;
  
  a session ACK packet receiver for receiving a session ACK packet, the session ACK packet including a candidate transition cookie; and
  
  a transition cookie validator, for determining whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system according to claim 1, in which the transition cookie validator determines that the received session ACK packet is valid if the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
  - 3. The system according to claim 1, in which the predetermined time interval is in the range of one to six seconds.
  - 4. The system according to claim 1, in which the predetermined time interval is three seconds.
  - 5. The system according to claim 1, in which the generating of the transition cookie includes the use of randomly generated data.
  - 6. The system according to claim 1, in which the generating of the transition cookie includes the use of data obtained from the session SYN packet.

7. A system for TCP SYN cookie validation comprising:
- a host server comprising a processor and memory, the processor configured for;
  
  receiving a session SYN packet;
  
  generating a transition cookie, the transition cookie comprising a time value representing the actual time;
  
  sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet;
  
  receiving a session ACK packet; and
  
  determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The system according to claim 7, in which the processor is further configured for regarding the received session ACK packet as valid if the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
  - 9. The system according to claim 7, in which the predetermined time interval is in the range of one to six seconds.
  - 10. The system according to claim 7, in which the predetermined time interval is three seconds.
  - 11. The system according to claim 7, in which the generating of the transition cookie includes the use of data obtained from the session SYN packet.
  - 12. The system according to claim 11, in which the data obtained from the session SYN packet comprises the source IP address of an IP header associated with the session SYN packet.
  - 13. The system according to claim 11, in which the data obtained from the session SYN packet comprises the sequence number of a TCP header associated with the session SYN packet.
  - 14. The system according to claim 11, in which the data obtained from the session SYN packet comprises a source port associated with the session SYN packet.
  - 15. The system according to claim 11, in which the data obtained from the session SYN packet comprises a destination port associated with the session SYN packet.

16. A method for TCP SYN cookie validation comprising:
- receiving a session SYN packet by a TCP session setup module;
  
  generating a transition cookie by the TCP session setup module, the transition cookie comprising a time value representing the actual time;
  
  sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet;
  
  receiving a session ACK packet; and
  
  determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The method according to claim 16, further comprising indicating the received session ACK packet comprises a valid candidate transition cookie if the time value of the candidate transition cookie is within a predetermined time interval of the time the session ACK packet is received.
  - 18. The method according to claim 16, in which the predetermined time interval is in the range of one to six seconds.
  - 19. The method according to claim 16, in which the predetermined time interval is three seconds.
  - 20. The method according to claim 16, in which the generating of the transition cookie includes the use of randomized data.
  - 21. The method according to claim 16, in which the generating of the transition cookie includes the use of data obtained from the session SYN packet.
  - 22. The method according to claim 20, in which the data obtained from the session SYN packet comprises the source IP address of an IP header associated with the session SYN packet.
  - 23. The method according to claim 20, in which the data obtained from the session SYN packet comprises the sequence number of a TCP header associated with the session SYN packet.
  - 24. The method according to claim 20, in which the data obtained from the session SYN packet comprises a source port associated with the session SYN packet.
  - 25. The method according to claim 20, in which the data obtained from the session SYN packet comprises a destination port associated with the session SYN packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Hwang, Shih-Tsung, Szeto, Ronald

Granted Patent

US 7,675,854 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/395.52
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/43   Assembling or disassembling...

H04L 63/1458   Denial of Service

System and method for an adaptive TCP SYN cookie with time validation

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

System and method for an adaptive TCP SYN cookie with time validation

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others