SYSTEMS AND METHODS FOR TRANSPARENTLY MONITORING NETWORK TRAFFIC FOR DENIAL OF SERVICE ATTACKS

US 20140150094A1
Filed: 11/28/2012
Published: 05/29/2014
Est. Priority Date: 11/28/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for monitoring network connections by a mitigation service, the mitigation service monitoring network traffic in one direction between a client computer and a server computer, the method comprising:

receiving, from the client computer, a connection request that is configured to establish a network connection between the client computer and the server computer, wherein the connection request comprises at least one parameter corresponding to the network connection;

sending, to the client computer, a response that is configured to cause a reply by the client computer, wherein the response comprises a sequence number that is within a range of sequence numbers received in the connection request and wherein the sequence number does not interrupt the establishment of the network connection between the client computer and the server computer and does not complete the establishment of the network connection between the client computer and the server computer;

determining whether the reply is received from the client computer; and

in response to determining that the reply is received from the client computer;

sending the connection request to the server computer without altering an identification of the client computer in the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mitigation service can monitor network traffic in one direction between a client computer and a server computer. The mitigation service can receive a request from a client computer to establish a network connection with a server computer. The mitigation service can reply to the client computer with an acknowledgment that is configured to cause the client computer to issue a request to reset the connection. The acknowledgement is configured not to affect the establishment of the network connection with the server computer. The mitigation service can compare the details of the reset request with the request to establish the network connection. If the details match, the mitigation service can forward the request to establish the network connection to the server computer.

26 Citations

View as Search Results

27 Claims

1. A computer-implemented method for monitoring network connections by a mitigation service, the mitigation service monitoring network traffic in one direction between a client computer and a server computer, the method comprising:
- receiving, from the client computer, a connection request that is configured to establish a network connection between the client computer and the server computer, wherein the connection request comprises at least one parameter corresponding to the network connection;
  
  sending, to the client computer, a response that is configured to cause a reply by the client computer, wherein the response comprises a sequence number that is within a range of sequence numbers received in the connection request and wherein the sequence number does not interrupt the establishment of the network connection between the client computer and the server computer and does not complete the establishment of the network connection between the client computer and the server computer;
  
  determining whether the reply is received from the client computer; and
  
  in response to determining that the reply is received from the client computer;
  
  sending the connection request to the server computer without altering an identification of the client computer in the request.
- View Dependent Claims (2, 3, 4, 5, 6, 27)
- - 2. The method of claim 1, the method further comprising:
    - comparing the at least one parameter corresponding to the connection request to at least one parameter of the reply; and
      
      determining whether the reply is received form the client computer based on the comparison.
  - 3. The method of claim 2, wherein sending the connection request to the server computer comprises generating a new connection request based the at least one parameter corresponding to the connection request.
  - 4. The method of claim 1, the method further comprising:
    - storing, in response to determining that the reply is received from the client computer, a network address corresponding to the client computer and at least one parameter corresponding to the reply;
      
      receiving a retransmitted connection request corresponding to a network address, wherein the retransmitted connection request comprises at least one parameter;
      
      comparing the network address and the at least one parameter corresponding to the retransmitted connection request respectively to the network address corresponding to the client computer and the at least one parameter corresponding to the reply; and
      
      in response the network address and the at least one parameter corresponding to the retransmitted connection request respectively matching the network address corresponding to the client computer and the at least one parameter corresponding to the reply;
      
      sending the retransmitted connection request to the server computer.
  - 5. The method of claim 1, the method further comprising:
    - determining that a number of connection requests from the client computer exceeds a predetermined threshold; and
      
      in response to determining that the number of connection requests exceeds the predetermined threshold;
      
      monitoring network traffic in both directions between the client computer and the server computer.
  - 6. The method of claim 5, wherein monitoring the network traffic in both directions comprises:
    - replacing, In future connection requests, the network address corresponding the client computer with the network address corresponding the mitigation service.
  - 27. The method of claim 1, wherein the sequence number of the response is the same as a sequence number received in the connection request.

7. A computer-implemented method for monitoring network traffic by a mitigation service, the mitigation service monitoring network traffic in one direction between a client computer and a server computer, the method comprising:
- receiving, from the client computer, a TCP synchronization (SYN) packet that is configured to establish a TCP connection with the server computer, wherein the TCP SYN packet comprises one or more parameters corresponding to the TCP connection;
  
  determining a network address corresponding to the client computer;
  
  sending, to the client computer, a TCP acknowledgement (ACK) packet, wherein the TCP ACK comprises a sequence number that is the same as a sequence number corresponding to the TCP SYN packet to initiate a reply by the client computer without interrupting the establishment of the TCP connection with the server computer and does not complete the establishment of the TCP connection between the client computer and the server computer;
  
  receiving a TCP reset (RST) packet, wherein the TCP RST packet comprises one or more parameters;
  
  determining an origination network address corresponding to the TCP RST packet;
  
  comparing the origination network address and at least one of the one or more parameters of the ISP RST packet respectively to the network address corresponding to the client computer and at least one of the parameters corresponding to the TCP connection of the TCP SYN packet;
  
  determining whether the TCP RST packet originated from the client computer based on the comparison; and
  
  in response to determining that the TCP RST packet originated from the client computer;
  
  sending the TCP SYN packet to the server computer without altering an identification of the client computer in the TCP SYN.
- View Dependent Claims (8, 10, 11, 12, 13)
- - 8. The method of claim 7, wherein the one or more parameters corresponding to the TCP connection of the TCP SYN packet comprise the sequence number and a time to live.
  - 10. The method of claim 7, the method further comprising;
    - storing the network address corresponding to the client computer; and
      
      storing at least one of the one or more parameters from the TCP SYN packet corresponding to the TCP connection.
  - 11. The method of claim 10, the method further comprising:
    - generating, in response to determining that the TCP RST packet originated from the client computer, a new TCP SYN packet based on the at least one of the one or more parameters that was stored; and
      
      sending the new TCP SYN packet to the server computer as the TCP SYN packet.
  - 12. The method of claim 7, the method further comprising:
    - determining that a number of TCP SYN packets from the client computer exceeds a predetermined threshold; and
      
      in response to determining that the number of TCP SYN packets exceeds the predetermined threshold;
      
      monitoring network traffic in both directions between the client computer and the server computer.
  - 13. The method of claim 12, wherein monitoring the network traffic in both directions comprises:
    - replacing, in future connection requests, the network address corresponding the client computer with the network address corresponding the mitigation service.

9. (canceled)

14. A computer-implemented method for monitoring network traffic by a mitigation service, the mitigation service monitoring network traffic in one direction between a client computer and a server computer, the method comprising:
- receiving, from the client computer, a TCP synchronization (SYN) packet that is configured to establish a TCP connection with the server computer, wherein the TCP SYN packet comprises one or more parameters corresponding to the TCP connection;
  
  determining a network address corresponding to the client computer that sent the TCP SYN packet;
  
  sending, to the client computer, a TCP acknowledgement (ACK) packet, wherein the TCP ACK comprises a sequence number that is the same as a sequence number corresponding to the TCP SYN packet to initiate a reply by the client computer without interrupting the establishment of the TCP connection with the server computer and does not complete the establishment of the TCP connection between the client computer and the server computer;
  
  determining whether a TCP reset (RST) packet is received from the client computer, wherein the TCP RST packet comprises one or more parameters; and
  
  in response to determining that a TCP RST packet is received;
  
  allowing the network traffic in the one direction between the client computer and the server computer.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, the method further comprising:
    - storing, in response to determining that the TCP RST packet originated from the client computer, the network address corresponding to the client computer and the one or more parameters corresponding to the TCP RST packet;
      
      receiving a retransmitted TCP SYN packet corresponding to a network address, wherein the retransmitted TCP SYN packet comprises one or more parameters;
      
      comparing the network address corresponding to the retransmitted TCP SYN packet and the one or more parameters corresponding to the retransmitted TCP SYN packet respectively to the network address corresponding to the client computer and the one or more parameters corresponding to the TCP RST packet; and
      
      in response to the network address corresponding to the retransmitted TCP SYN packet and the one or more parameters corresponding to the retransmitted TCP SYN packet respectively matching the network address corresponding to the client computer and the one or more parameters corresponding to the TCP RST packet;
      
      sending the retransmitted TCP SYN packet to the server computer.
  - 16. The method of claim 15, the method further comprising:
    - receiving a new TCP SYN packet corresponding to a network address, wherein the new TCP SYN packet comprises one or more parameters;
      
      comparing the network address corresponding to the new TCP SYN packet and the one or more parameters corresponding to the new TCP SYN packet respectively to the network address corresponding to the client computer and the one or more parameters corresponding to the TCP RST packet; and
      
      in response to the network address corresponding to the new TCP SYN packet and the one or more parameters corresponding to the new TCP SYN packet respectively matching the network address corresponding to the client computer and the one or more parameters corresponding to the TCP RST packet;
      
      sending the new TCP SYN packet to the server computer.
  - 17. The method of claim 14, the method further comprising:
    - determining that a number of TCP SYN packets from the client computer exceeds a predetermined threshold; and
      
      in response to determining that the number of TCP SYN packets exceeds the predetermined threshold;
      
      monitoring network traffic in both directions between the client computer and the server computer.
  - 18. The method of claim 17, wherein monitoring the network traffic in both directions comprises:
    - replacing, in future connection requests, the network address corresponding the client computer with the network address corresponding the mitigation service.

19. A computer readable storage medium comprising instructions that cause one or more processors to perform a method for monitoring network connections by a mitigation service, the mitigation service monitoring network traffic in one direction between a client computer and a server computer, the method comprising:
- receiving, from the client computer, a connection request that is configured to establish a network connection between the client computer and the server computer, wherein the connection request comprises at least one parameter corresponding to the network connection;
  
  sending, to the client computer, a response that is configured to cause a reply by the client computer, wherein the response comprises a sequence number that is within a range of sequence numbers received in the connection request and wherein the sequence number does not interrupt the establishment of the network connection between the client computer and the server computer and does not complete the establishment of the network connection between the client computer and the server computer;
  
  determining whether the reply is received from the client computer; and
  
  in response to determining that the reply is received from the client computer;
  
  sending the connection request to the server computer without altering an identification of the client computer In the request.
- View Dependent Claims (20, 21, 22)
- - 20. The computer readable storage medium of claim 19, the method further comprising:
    - comparing the at least one parameter corresponding to the connection request to at least one parameter of the reply; and
      
      determining whether the reply is received form the client computer based on the comparison.
  - 21. The computer readable storage medium of claim 20, wherein sending the connection request to the server computer comprises generating a new connection request based the at least one parameter of the connection request.
  - 22. The computer readable storage medium of claim 19, the method further comprising:
    - storing, in response to determining that the reply is received from the client computer, a network address corresponding to the client computer and at least one parameter corresponding to the reply;
      
      receiving a retransmitted connection request corresponding to a network address, wherein the retransmitted connection request comprises at least one parameter;
      
      comparing the network address and the at least one parameter corresponding to the retransmitted connection request respectively to the network address corresponding to the client computer and the at least one parameter corresponding to the reply; and
      
      in response the network address and the at least one parameter corresponding to the retransmitted connection request respectively matching the network address corresponding to the client computer and the at least one parameter corresponding to the reply;
      
      sending the retransmitted connection request to the server computer.

23. A system for monitoring network traffic in one direction between a client computer and a server computer, comprising:
- one or more memory devices storing instructions; and
  
  one or more processors coupled to the memory devices and configured to execute the instructions to perform a method comprising;
  
  receiving, from the client computer, a connection request that is configured to establish a network connection between the client computer and the server computer, wherein the connection request comprises at least one parameter corresponding to the network connection;
  
  sending, to the client computer, a response that is configured to cause a reply by the client computer, wherein the response comprises a sequence number that is within a range of sequence numbers received in the connection request and wherein the sequence number does not interrupt the establishment of the network connection between the client computer and the server computer and does not complete the establishment of the network connection between the client computer and the server computer;
  
  determining whether the reply is received from the client computer; and
  
  in response to determining that the reply is received from the client computer;
  
  sending the connection request to the server computer without altering an identification of the client computer in the request.
- View Dependent Claims (24, 25, 26)
- - 24. The system of claim 23, wherein the one or more processors are configured to execute the instructions to perform the method further comprising:
    - comparing the at least one parameter corresponding to the connection request to at least one parameter of the reply; and
      
      determining whether the reply is received form the client computer based on the comparison.
  - 25. The system of claim 24, wherein sending the connection request to the server computer comprises generating a new connection request based the at least one parameter of the connection request.
  - 26. The system of claim 23, wherein the one or more processors are configured to execute the instructions to perform the method further comprising:
    - storing, in response to determining that the reply is received from the client computer, a network address corresponding to the client computer and at least one parameter corresponding to the reply;
      
      receiving a retransmitted connection request corresponding to a network address, wherein the retransmitted connection request comprises at least one parameter;
      
      comparing the network address and the at least one parameter corresponding to the retransmitted connection request respectively to the network address corresponding to the client computer and the at least one parameter corresponding to the reply; and
      
      in response the network address and the at least one parameter corresponding to the retransmitted connection request respectively matching the network address corresponding to the client computer and the at least one parameter corresponding to the reply;
      
      sending the retransmitted connection request to the server computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Rao, Sanjay, Bhogavilli, Suresh

Granted Patent

US 9,288,227 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/0281 Proxies

H04L 63/1458 Denial of Service

SYSTEMS AND METHODS FOR TRANSPARENTLY MONITORING NETWORK TRAFFIC FOR DENIAL OF SERVICE ATTACKS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR TRANSPARENTLY MONITORING NETWORK TRAFFIC FOR DENIAL OF SERVICE ATTACKS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links