TECHNIQUES FOR PROTECTING AGAINST DENIAL OF SERVICE ATTACKS

US 20150215436A1
Filed: 04/06/2015
Published: 07/30/2015
Est. Priority Date: 04/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

extracting, by a network device, one or more values from a Transmission Control Protocol (TCP) ACK packet sent by a client device, the one or more values encoding TCP option information;

decoding, by the network device, the one or more values to determine the TCP option information;

embedding, by the network device, the decoded TCP option information into the TCP ACK packet; and

forwarding, by the network device, the TCP ACK packet with the embedded TCP option information to a server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for protecting against denial of service attacks are provided. In one embodiment, a network device can extract one or more values from a Transmission Control Protocol (TCP) ACK packet sent by a client device, where the one or more values encode TCP option information. The network device can further decode the one or more values to determine the TCP option information and embed the TCP option information into the TCP ACK packet. The network device can then forward the TCP ACK packet with the embedded TCP option information to a server.

Citations

24 Claims

1. A method comprising:
- extracting, by a network device, one or more values from a Transmission Control Protocol (TCP) ACK packet sent by a client device, the one or more values encoding TCP option information;
  
  decoding, by the network device, the one or more values to determine the TCP option information;
  
  embedding, by the network device, the decoded TCP option information into the TCP ACK packet; and
  
  forwarding, by the network device, the TCP ACK packet with the embedded TCP option information to a server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the one or more values were previously generated by the network device and transmitted to the client device via a TCP SYN-ACK packet in response to receiving a TCP SYN packet from the client device.
  - 3. The method of claim 2 wherein the TCP option information was originally included in the TCP SYN packet.
  - 4. The method of claim 1 wherein the decoding is performed via an algorithm that is kept secret from the client device and the server.
  - 5. The method of claim 4 wherein the value is a SYN cookie and the algorithm is a SYN cookie algorithm.
  - 6. The method of claim 1 wherein embedding the decoded TCP option information into the TCP ACK packet comprises including the decoded TCP option information in a TCP option field of the TCP ACK packet that has a reserved type.
  - 7. The method of claim 6 wherein the reserved type is identified by kind number 252.
  - 8. The method of claim 6 wherein the TCP option information included in the TCP option field includes max segment size (MSS), window scale, SACK permit, and timestamp.
  - 9. The method of claim 1 wherein embedding the decoded TCP option information into the TCP ACK packet comprises including the decoded TCP option information in a TCP/IP header field of the TCP ACK packet.
  - 10. The method of claim 1 further comprising, subsequent to the forwarding:
    - receiving a first TCP data packet from the client device that is destined for the server;
      
      embedding the decoded TCP option information into the first TCP data packet; and
      
      forwarding first TCP data packet with the embedded TCP option information to the server.
  - 11. The method of claim 1 further comprising, prior to the forwarding:
    - embedding a security token into the TCP ACK packet.
  - 12. The method of claim 1 wherein extracting the value from the TCP ACK packet comprises:
    - extracting an acknowledgement value from an acknowledgement number field of the TCP ACK packet;
      
      subtracting 1 from the acknowledgement value.

13. A network device comprising:
- a processor; and
  
  a non-transitory computer readable medium having stored thereon executable program code which, when executed by the processor, causes the processor to;
  
  extract a one or more values from a TCP ACK packet sent by a client device, the one or more values encoding TCP option information;
  
  decode the one or more values to determine the TCP option information;
  
  embed the decoded TCP option information into the TCP ACK packet; and
  
  forward the TCP ACK packet with the embedded TCP option information to a server.
- View Dependent Claims (14)
- - 14. The network device of claim 13 wherein the network device is an application delivery switch.

15. A non-transitory computer readable medium having stored thereon program code executable by a processor, the program code comprising:
- code that causes the processor to extract one or more values from a TCP ACK packet sent by a client device, the one or more values encoding TCP option information;
  
  code that causes the processor to decode the one or more values to determine the TCP option information;
  
  code that causes the processor to embed the decoded TCP option information into the TCP ACK packet; and
  
  code that causes the processor to forward the TCP ACK packet with the embedded TCP option information to a server.

16. A method comprising:
- identifying, by a server, a received TCP ACK packet as including TCP option information;
  
  extracting, by the server, the TCP option information from the TCP ACK packet; and
  
  establishing a TCP session based on the TCP option information.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16 further comprising, upon identifying the TCP ACK packet as including the TCP option information:
    - disabling SYN cookie validation of the TCP ACK packet.
  - 18. The method of claim 16 wherein identifying the TCP ACK packet as including the TCP option information comprises:
    - identifying the TCP ACK packet as including a TCP option field that has a particular reserved type.
  - 19. The method of claim 18 wherein the particular reserved type is identified by kind number 252.
  - 20. The method of claim 18 wherein extracting the TCP option information from the TCP ACK packet comprises:
    - extracting the TCP option information from the TCP option field.
  - 21. The method of claim 16 wherein the TCP option information includes max segment size (MSS), window scale, SACK permit, and timestamp.
  - 22. The method of claim 19 further comprising:
    - extracting a security token from the TCP ACK packet; and
      
      validating the TCP ACK packet as having originated from the network switch based on the security token.

23. A computer system comprising:
- a processor; and
  
  a non-transitory computer readable medium having stored thereon executable program code which, when executed by the processor, causes the processor to;
  
  identify a received TCP ACK packet as including TCP option information;
  
  extract the TCP option information from the TCP ACK packet, without performing any SYN cookie validation; and
  
  establish a TCP session based on the TCP option information.

24. A non-transitory computer readable medium having stored thereon program code executable by a processor, the program code comprising:
- code that causes the processor to identify a received TCP ACK packet as including TCP option information;
  
  code that causes the processor to extract the TCP option information from the TCP ACK packet, without performing any SYN cookie validation; and
  
  code that causes the processor to establish a TCP session based on the TCP option information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Brocade Communications Systems, Inc. (Broadcom, Inc.)
Inventors
Kancherla, Mani

Granted Patent

US 9,438,702 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1458   Denial of Service

H04L 67/60   Scheduling or organising th...

H04L 69/166   IP fragmentation; TCP segme...

TECHNIQUES FOR PROTECTING AGAINST DENIAL OF SERVICE ATTACKS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR PROTECTING AGAINST DENIAL OF SERVICE ATTACKS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links