SYSTEMS AND METHODS FOR GENERATING AND MANAGING COOKIE SIGNATURES FOR PREVENTION OF HTTP DENIAL OF SERVICE IN MULTI-CORE SYSTEM

US 20110154488A1
Filed: 12/23/2009
Published: 06/23/2011
Est. Priority Date: 12/23/2009
Status: Active Grant

First Claim

Patent Images

1. A method for generating cookie signatures in a multi-core intermediary providing security protection between a plurality of clients and one or more servers, the method comprising:

(a) establishing, by a first packet processing engine executing on a first core of an intermediary device comprising a plurality of packet processing engines executing on a corresponding core of a plurality of cores, a first cookie timer having a first predetermined time period, the cookie timer to signal regeneration of cookie signatures;

(b) storing, by the first packet processing engine responsive to an expiration of the cookie timer, a random seed in shared memory accessible by each of the plurality of packet processing engines, a new random seed generated by the first packet processing engine responsive to each expiration of the cookie timer;

(c) storing, by a second packet processing engine of the plurality of packet processing engines, the random seed obtained from the shared memory to a cache of the second packet processing engine;

(d) generating, by the second packet processing engine, one or more cookie signatures based on the random seed; and

(e) determining, by the second packet processing engine responsive to a second cookie timer established by the second packet processing engine having a second predetermined timer period less than the first predetermined time period, whether the random seed in shared memory has changed in comparison to the random seed stored in the cache of the second packet processing engine.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present application is directed towards systems and methods for generating and maintaining cookie consistency for security protection across a plurality of cores in a multi-core system. A packet processing engine executing on one core designated as a primary packet processing engine generates and maintains a global random seed. The global random seed may be used as an initial seed for creation of cookie signatures by each of a plurality of packet processing engines executing on a plurality of cores of the multi-core system using a deterministic pseudo-random number generation function such that each core creates an identical set of cookie signatures.

33 Citations

View as Search Results

20 Claims

1. A method for generating cookie signatures in a multi-core intermediary providing security protection between a plurality of clients and one or more servers, the method comprising:
- (a) establishing, by a first packet processing engine executing on a first core of an intermediary device comprising a plurality of packet processing engines executing on a corresponding core of a plurality of cores, a first cookie timer having a first predetermined time period, the cookie timer to signal regeneration of cookie signatures;
  
  (b) storing, by the first packet processing engine responsive to an expiration of the cookie timer, a random seed in shared memory accessible by each of the plurality of packet processing engines, a new random seed generated by the first packet processing engine responsive to each expiration of the cookie timer;
  
  (c) storing, by a second packet processing engine of the plurality of packet processing engines, the random seed obtained from the shared memory to a cache of the second packet processing engine;
  
  (d) generating, by the second packet processing engine, one or more cookie signatures based on the random seed; and
  
  (e) determining, by the second packet processing engine responsive to a second cookie timer established by the second packet processing engine having a second predetermined timer period less than the first predetermined time period, whether the random seed in shared memory has changed in comparison to the random seed stored in the cache of the second packet processing engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein storing a random seed in shared memory further comprises replacing a previous random seed in shared memory with the new random seed generated by the first packet processing engine.
  - 3. The method of claim 2, wherein storing a random seed in shared memory further comprises locking the random seed in shared memory to prevent the second packet processing engine from reading the seed;
    - replacing the previous random seed with the new random seed; and
      
      unlocking the random seed.
  - 4. The method of claim 1, wherein generating one or more cookie signatures based on the random seed further comprises storing a previous one or more cookie signatures to the cache of the second packet processing engine as a previous set of cookie signatures prior to generating the one or more cookie signatures.
  - 5. The method of claim 1, wherein generating one or more cookie signatures based on the random seed comprises calculating one or more random numbers using the random seed as an initial value;
    - and storing the one or more random numbers in an array.
  - 6. The method of claim 1, wherein the first predetermined time period is two minutes.
  - 7. The method of claim 1, wherein the second predetermined time period is one second.
  - 8. The method of claim 1, wherein determining whether the random seed in shared memory has changed in comparison to the random seed stored in the cache of the second packet processing engine further comprises:
    - attempting to read the random seed in shared memory;
      
      failing to read the random seed in shared memory, responsive to the random seed being locked by the first packet processing engine;
      
      attempting to read the random seed in shared memory again; and
      
      succeeding to read the random seed in shared memory, responsive to the random seed being unlocked by the first packet processing engine.
  - 9. The method of claim 1, further comprising generating, by the second packet processing engine, one or more transport layer SYN cookies based on the one or more cookie signatures.
  - 10. The method of claim 1, further comprising generating, by the second packet processing engine, one or more application layer HTTP cookies based on the one or more cookie signatures.

11. A method for generating cookie signatures in a multi-core intermediary providing security protection between a plurality of clients and one or more servers, the method comprising:
- (a) generating, by a second packet processing engine executing on a second core of an intermediary device comprising a plurality of packet processing engines executing on a corresponding core of a plurality of cores, a set of current cookie signatures based on a random seed established by a first packet processing engine executing on a first core of the plurality of cores;
  
  (b) storing, by the second packet processing engine responsive to an expiration of a cookie timer, the set of current cookie signatures to a set of previous cookie signatures;
  
  (c) receiving, by the second packet processing engine, a request from a client to access a server, the request comprising a cookie;
  
  (d) determining, by the second packet processing engine, that a signature of the cookie does not correspond to either of the set of previous cookie signatures and the set of current cookie signatures;
  
  (e) generating, by the second packet processing engine, a second set of current cookie signatures responsive to identifying that the random seed of the first packet processing engine has changed; and
  
  (f) determining, by the second packet processing engine, whether to accept the request responsive to whether the cookie signature of the cookie corresponds to the second set of current cookie signatures.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein generating the set of current cookie signatures based on a random seed comprises obtaining the random seed from a shared memory accessible by each of the plurality of packet processing engines.
  - 13. The method of claim 12, wherein generating the set of current cookie signatures based on a random seed comprises calculating one or more random numbers using the random seed as an initial value;
    - and storing the one or more random numbers in an array.
  - 14. The method of claim 11, wherein storing the set of current cookie signatures to a set of previous cookie signatures comprises storing the set of previous cookie signatures in a cache of the second packet processing engine separate from a shared memory accessible by each of the plurality of packet processing engines.
  - 15. The method of claim 11, wherein storing the set of current cookie signatures to a set of previous cookie signatures further comprises generating a new set of current cookie signatures based on the random seed.
  - 16. The method of claim 15, wherein storing the set of current cookie signatures to a set of previous cookie signatures is performed responsive to determining that the random seed established by the first packet processing engine has changed.
  - 17. The method of claim 11, wherein receiving a request from a client to access a server comprises receiving an acknowledgement packet for a transport layer SYN packet previously transmitted to the client, the transport layer SYN packet comprising a SYN cookie.
  - 18. The method of claim 17, wherein determining that a signature of the cookie does not correspond to either of the set of previous cookie signatures and the set of current cookie signatures further comprises calculating the signature of the cookie based on the received cookie and one or more internet layer and transport layer header fields of the received request.
  - 19. The method of claim 11, wherein receiving a request from a client to access a server comprises receiving an application layer GET packet responsive to an application layer data packet previously transmitted to the client, the application layer data packet comprising an http cookie.
  - 20. The method of claim 11, wherein generating a second set of current cookie signatures responsive to identifying that the random seed of the first packet processing engine has changed comprises:
    - identifying that the random seed established by the first packet processing engine has changed;
      
      obtaining the changed random seed from a shared memory accessible by each of the plurality of packet processing engines;
      
      storing the set of current cookie signatures to a set of previous cookie signatures; and
      
      generating a second set of current cookie signatures.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Rajan, Roy, Annamalaisami, Saravanakumar

Granted Patent

US 8,380,994 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 15/167   using a common memory, e.g....

H04L 63/123   received data contents, e.g...

H04L 63/168   above the transport layer

SYSTEMS AND METHODS FOR GENERATING AND MANAGING COOKIE SIGNATURES FOR PREVENTION OF HTTP DENIAL OF SERVICE IN MULTI-CORE SYSTEM

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR GENERATING AND MANAGING COOKIE SIGNATURES FOR PREVENTION OF HTTP DENIAL OF SERVICE IN MULTI-CORE SYSTEM

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links