Network protection for denial of service attacks
Abstract
An active monitor detects and classifies messages transmitted on a network. In one form, the monitor includes a routine for classifying TCP packet source addresses as being of an acceptable, unacceptable, or suspect type. Suspect source addresses may be further processed in accordance with a state machine having a number of conditionally linked states including a good address state, a new address state, and a bad address state. For this form, the monitor selectively sends signals to targeted destination hosts for addresses in the unacceptable
4 Claims
1. A method, comprising:
monitoring TCP connection status from an untrusted network to a number of destination hosts operatively coupled to the untrusted network to reduce a performance degradation caused by SYN flooding from the untrusted network;
classifying a TCP connection source address in a good address state when an ACK packet or a RST packet is received from the untrusted network with the source address;
reclassifying the source address from the good address state to a new address state after a first predetermined time period passes without receiving the ACK packet or the RST packet from the untrusted network;
reclassifying the source address from the new address state to a bad address state after a second predetermined time period passes without receiving the ACK packet or the RST packet from the untrusted network; and
sending a RST packet to a corresponding one of the destination hosts to close a respective connection after the source address is classified in the bad address state.
2. A method, comprising:
monitoring a number of SYN packets sent from an untrusted network to a destination host to regulate spurious TCP connection attempts, the number of SYN packets each having a corresponding source address;
classifying the corresponding source address in one of a plurality of different categories, the different categories including a suspect source address category and an unacceptable source address category, said classifying including comparing the corresponding source address to a number of entries in a database;
sending an ACK packet to the destination host for each of the number of SYN packets having the corresponding source address classified in the suspect source address category to complete formation of a corresponding TCP connection with the destination host;
sending a RST packet to the destination host for each of the number of SYN packets classified in the unacceptable source address category to close a respective connection with the destination host;
said monitoring including examining each of the corresponding source addresses in the suspect source address category in accordance with a state machine including at least three conditionally coupled states; and
wherein a one state of the at least three conditionally coupled states corresponds to a good source address, a second state corresponds to a new source address, and a third state corresponds to a bad source address, and the corresponding source address classified in the suspect source address category cannot change from the one state to the third state without first changing to the second state.
3. A method, comprising:
monitoring a number of SYN packets sent from an untrusted network to a destination host to regulate spurious TCP connection attempts, the number of SYN packets each having a corresponding source address;
classifying the corresponding source address in one of a plurality of different categories, the different categories including a suspect source address category and an unacceptable source address category, said classifying including comparing the corresponding source address to a number of entries in a database;
sending an ACK packet to the destination host for each of the number of SYN packets having the corresponding source address classified in the suspect source address category to complete formation of a corresponding TCP connection with the destination host;
sending a RST packet to the destination host for each of the number of SYN packets classified in the unacceptable source address category to close a respective connection with the destination host;
said monitoring including examining each of the corresponding source addresses in the suspect source address category in accordance with a state machine including at least three conditionally coupled states;
a one state of the at least three conditionally coupled states corresponds to a good source address, a second state corresponds to a new source address, and a third state corresponds to a bad source address, and the corresponding source address classified in the suspect source address category cannot change from the one state to the third state without first changing to the second state; and
wherein the RST packet is sent to the destination host for any of the number of SYN packets having suspect source addresses in the third state.
4. A method, comprising:
monitoring a number of SYN packets sent from an untrusted network to a destination host to regulate spurious TCP connection attempts, the number of SYN packets each having a corresponding source address;
classifying the corresponding source address in one of a plurality of different categories, the different categories including a suspect source address category and an unacceptable source address category, said classifying including comparing the corresponding source address to a number of entries in a database;
sending an ACK packet to the destination host for each of the number of SYN packets having the corresponding source address classified in the suspect source address category to complete formation of a corresponding TCP connection with the destination host;
sending a RST packet to the destination host for each of the number of SYN packets classified in the unacceptable source address category to close a respective connection with the destination host; and
wherein TCP packets designating the destination host are received by the destination host.
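The monitor that claims 1 through 4 describe, written out as an added example (this is illustrative code, not the patent's own implementation). It applies the database lookup of claims 2 to 4 to sort a source address into an acceptable, unacceptable or suspect category, sends an ACK toward the destination host on behalf of suspect sources so the handshake completes, sends a RST for unacceptable sources, and runs suspect sources through the good/new/bad state machine of claims 1 to 3, where a source reaches the bad state only by first passing through the new state. The timeouts (30 s and 10 s), the host names, the rule that an unknown suspect source starts in the new state, and the packet trace are all assumptions constructed for the example.

```python
# Added example, not the patent's code: an active SYN-flood monitor applying the
# source-address categories of claims 2-4 and the good/new/bad state machine of
# claims 1-3. Timeouts, host names and the trace are constructed assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Category(Enum):
    ACCEPTABLE = "acceptable"      # in the allow database: passed through
    UNACCEPTABLE = "unacceptable"  # in the deny database: RST sent at once
    SUSPECT = "suspect"            # unknown: tracked by the state machine


class State(Enum):
    GOOD = "good"
    NEW = "new"
    BAD = "bad"


@dataclass
class Packet:
    src: str
    dst: str
    flags: str   # "SYN", "ACK" or "RST", as seen from the untrusted side
    t: float     # arrival time in seconds


@dataclass
class Entry:
    state: State
    entered: float                                # when the current state began
    conns: Set[str] = field(default_factory=set)  # hosts with a connection from this source


class SynMonitor:
    def __init__(self, allow: Set[str], deny: Set[str], t_good: float, t_new: float):
        self.allow, self.deny = allow, deny  # the address database of claims 2-4
        self.t_good = t_good  # first period: GOOD -> NEW without an ACK/RST
        self.t_new = t_new    # second period: NEW -> BAD without an ACK/RST
        self.table: Dict[str, Entry] = {}
        self.sent: List[Tuple[str, str, str]] = []  # (flags, src, dst) injected toward hosts

    def classify(self, src: str) -> Category:
        if src in self.deny:
            return Category.UNACCEPTABLE
        if src in self.allow:
            return Category.ACCEPTABLE
        return Category.SUSPECT

    def _close_all(self, src: str, e: Entry) -> None:
        # Claim 1: once a source is BAD, RST every connection it holds open.
        for dst in sorted(e.conns):
            self.sent.append(("RST", src, dst))
        e.conns.clear()

    def expire(self, now: float) -> None:
        # Timer transitions. The checks run in order and the NEW timer starts
        # when the GOOD period ran out, so BAD is reachable only through NEW.
        for src, e in self.table.items():
            if e.state is State.GOOD and now - e.entered >= self.t_good:
                e.state, e.entered = State.NEW, e.entered + self.t_good
            if e.state is State.NEW and now - e.entered >= self.t_new:
                e.state = State.BAD
                self._close_all(src, e)

    def handle(self, p: Packet) -> None:
        self.expire(p.t)
        cat = self.classify(p.src)
        if cat is Category.ACCEPTABLE:
            return
        if cat is Category.UNACCEPTABLE:
            if p.flags == "SYN":
                self.sent.append(("RST", p.src, p.dst))  # claims 2-4: reset the attempt
            return
        e = self.table.get(p.src)
        if p.flags in ("ACK", "RST"):
            # Claim 1: an ACK or RST from the source (re)classifies it as GOOD.
            if e is None:
                e = self.table[p.src] = Entry(State.GOOD, p.t)
            e.state, e.entered = State.GOOD, p.t
            if p.flags == "RST":
                e.conns.discard(p.dst)  # the source closed it itself
        elif p.flags == "SYN":
            if e is None:  # assumption: an unknown suspect source starts in NEW
                e = self.table[p.src] = Entry(State.NEW, p.t)
            if e.state is State.BAD:
                self.sent.append(("RST", p.src, p.dst))  # claim 3: BAD source -> RST
                return
            e.conns.add(p.dst)
            self.sent.append(("ACK", p.src, p.dst))  # claim 2: complete the handshake


def run_trace() -> Tuple[List[Tuple[str, str, str]], Dict[str, str]]:
    """Replay a constructed trace; return the packets sent and the final states."""
    mon = SynMonitor(allow={"10.0.0.5"}, deny={"203.0.113.9"}, t_good=30.0, t_new=10.0)
    trace = [
        Packet("10.0.0.5", "host-a", "SYN", 0.0),       # acceptable: untouched
        Packet("203.0.113.9", "host-a", "SYN", 0.5),    # unacceptable: RST
        Packet("198.51.100.7", "host-a", "SYN", 1.0),   # suspect: NEW, ACK sent
        Packet("198.51.100.8", "host-b", "SYN", 1.0),   # suspect: NEW, ACK sent
        Packet("198.51.100.7", "host-a", "ACK", 2.0),   # handshake done: GOOD
        Packet("198.51.100.8", "host-b", "SYN", 12.0),  # never ACKed: BAD, RST
    ]
    for p in trace:
        mon.handle(p)
    mon.expire(40.0)  # .7 idle 38 s: GOOD -> NEW (its NEW timer began at t=32)
    mon.expire(45.0)  # .7 idle 43 s: NEW -> BAD, RST to host-a
    return mon.sent, {src: e.state.value for src, e in mon.table.items()}


if __name__ == "__main__":
    for pkt in run_trace()[0]:
        print(*pkt)
```

The monitor keeps the "second predetermined time period" chained to the end of the first one, so a source whose timers are checked only sporadically still passes through the new state before it can be declared bad; a real implementation would also need to age out bad entries and bound the table size, since the table itself is state an attacker can grow with spoofed source addresses.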