System, method and computer program product for monitoring and controlling network connections from a supervisory operating system
Abstract
A system, method and computer program product that is designed to support high-availability, rapid fault recovery, out of band condition signaling and/or other quality of service assurances and security in a networked environment. In one aspect, a method of the invention includes the step of providing a processing system with a dual-kernel or multi-kernel software operating system. The operating system includes a supervisory operating system and a secondary operating system that provides network functions to user applications. The method also includes the step of providing a Network Control Software (NCS) in the supervisory operating system. The NCS is configured to transparently monitor and control network operations in the secondary operating system.
36 Claims
- 1. A computer program embodied on a computer readable medium for defeating a denial of service attack, wherein the computer program runs as an application of a real-time supervisory operating system, which runs a secondary operating system as an application thereof, the computer program comprising:
  a computer code segment that scans all TCP control blocks in the secondary operating system;
  a computer code segment that, for each of said control blocks, performs the following acts:
  determines whether the control block indicates that the state of the TCP port associated with the control block is SYN_RECEIVED and increments a counter if it is determined that the state of the TCP port is SYN_RECEIVED;
  a computer code segment that determines whether the value of the counter is greater than a first configurable threshold; and
  a computer code segment that sets a denial of service attack warning flag to TRUE if the counter is determined to be greater than the first configurable threshold.
- 2. The computer program of claim 1, further comprising:
  a computer code segment that determines whether the value of the counter is less than a second configurable threshold; and
  a computer code segment that sets a denial of service attack warning flag to FALSE if the counter is determined to be less than the second configurable threshold.
- 3. The computer program of claim 2, wherein the second configurable threshold is less than the first configurable threshold.
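Claims 1 to 3 describe a single scan of the control-block table with two thresholds that give the warning flag hysteresis: the flag is raised only when the number of half-open (SYN_RECEIVED) connections exceeds the first threshold and cleared only when it falls below the second, lower one. The Python below is an added example written for this page, not code from the patent or its assignee; it assumes the control blocks are available to the supervisor as in-memory records with a state field and that the table is polled periodically. It also shows why claim 3 orders the thresholds: a count that hovers between them keeps the previous flag value instead of toggling on every poll.

```python
"""SYN_RECEIVED counter with two-threshold hysteresis (claims 1 to 3).

Added example; not the patent's code. Control blocks are modelled as simple
records with a `state` field, and `make_table` builds constructed sample data.
"""
from dataclasses import dataclass

SYN_RECEIVED = "SYN_RECEIVED"


@dataclass
class TcpControlBlock:
    local_port: int
    remote_addr: str
    state: str  # e.g. "LISTEN", "SYN_RECEIVED", "ESTABLISHED"


def count_syn_received(tcbs) -> int:
    """Scan every control block and count the half-open connections."""
    return sum(1 for tcb in tcbs if tcb.state == SYN_RECEIVED)


def update_dos_flag(tcbs, flag: bool, first_threshold: int, second_threshold: int) -> bool:
    """One poll: raise the flag above the first (upper) threshold, clear it
    below the second (lower) threshold, otherwise keep the previous value."""
    if second_threshold >= first_threshold:
        # Claim 3: the clearing threshold must sit below the raising threshold.
        raise ValueError("second threshold must be less than the first")
    count = count_syn_received(tcbs)
    if count > first_threshold:
        return True
    if count < second_threshold:
        return False
    return flag


def make_table(half_open: int, established: int):
    """Constructed control-block table with the given mix of states."""
    tcbs = [TcpControlBlock(80, f"198.51.100.{i % 250 + 1}", SYN_RECEIVED)
            for i in range(half_open)]
    tcbs += [TcpControlBlock(80, f"203.0.113.{i % 250 + 1}", "ESTABLISHED")
             for i in range(established)]
    return tcbs


def run_polls(half_open_series, first_threshold: int = 100, second_threshold: int = 20):
    """Apply the check over successive scans; returns the flag after each poll."""
    flag = False
    history = []
    for half_open in half_open_series:
        table = make_table(half_open, 10)
        flag = update_dos_flag(table, flag, first_threshold, second_threshold)
        history.append(flag)
    return history


if __name__ == "__main__":
    # Counts of 60 sit between the thresholds, so the flag stays raised
    # rather than flapping; it clears only once the count drops below 20.
    print(run_polls([5, 150, 60, 60, 10, 101]))
```

The detection signal is the same one a SYN flood leaves behind in any TCP stack (a growing backlog of SYN_RECEIVED entries); the point of reading it from a separate supervisory kernel is that the check keeps running even when the secondary OS is too busy to service its own timers.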
- 4. The computer program of claim 1, further comprising a computer code segment that examines a TCP control block and determines the sequence number of the last TCP packet transmitted by the TCP port associated with the TCP control block.
- 5. The computer program of claim 4, further comprising a computer code segment that compares the determined sequence number to the sequence number of the last TCP packet transmitted onto a network and associated with said TCP port associated with the TCP control block.
- 6. The computer program of claim 5, further comprising a computer code segment that issues a warning if said determined sequence number is greater than said sequence number of the last TCP packet transmitted onto the network by more than a predetermined amount.
- 7. The computer program of claim 1, further comprising a computer code segment that examines a TCP control block and determines the next sequence number that the TCP port associated with the TCP control block expects to receive.
- 8. The computer program of claim 7, further comprising a computer code segment that compares the determined sequence number to the sequence number of the last TCP packet that was received from a network and associated with the TCP port.
- 9. The computer program of claim 8, further comprising a computer code segment that issues a warning if the difference between said determined sequence number and the sequence number of the last TCP packet that was received from the network is greater than a predetermined amount.
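Claims 4 to 9 add a second kind of check: the supervisor compares what the control block records (the last sequence number the port transmitted, and the next sequence number it expects to receive) against the last segments actually observed on the network for that connection, and warns when the two views diverge by more than a predetermined amount. The Python below is an added example written for this page, not code from the patent; it assumes the two views are available as per-connection records (the wire-side values are constructed here), and it treats the claim 9 "difference" as an absolute value, which is an interpretation. The distance is computed in 32-bit sequence space so a connection whose sequence numbers have wrapped does not produce a spurious warning.

```python
"""Sequence-number consistency checks between the TCP control block and the
wire (claims 4 to 9). Added example; not the patent's code.
"""
from dataclasses import dataclass

SEQ_MOD = 1 << 32


def seq_delta(a: int, b: int) -> int:
    """Signed distance a - b in 32-bit TCP sequence space (wrap-safe)."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


@dataclass
class TcbView:
    """Fields read from the control block (claims 4 and 7)."""
    conn: tuple             # (local port, remote address, remote port)
    last_sent_seq: int      # sequence number of the last segment the port transmitted
    next_expected_seq: int  # sequence number the port expects to receive next


@dataclass
class WireView:
    """Last segments actually observed on the network for the same connection."""
    conn: tuple
    last_tx_seq: int  # last segment seen leaving the host
    last_rx_seq: int  # last segment seen arriving from the network


def check_connection(tcb: TcbView, wire: WireView, max_drift: int) -> list:
    """Warnings for one connection.

    tx-ahead (claims 5-6): the control block claims to have sent further than
    anything seen on the wire, by more than max_drift.
    rx-drift (claims 8-9): the expected receive sequence number is more than
    max_drift away (absolute) from the last segment that arrived.
    """
    warnings = []
    tx = seq_delta(tcb.last_sent_seq, wire.last_tx_seq)
    if tx > max_drift:
        warnings.append(("tx-ahead", tcb.conn, tx))
    rx = seq_delta(tcb.next_expected_seq, wire.last_rx_seq)
    if abs(rx) > max_drift:
        warnings.append(("rx-drift", tcb.conn, rx))
    return warnings


def check_all(tcbs, wires, max_drift: int = 10_000) -> list:
    """Join the two views by connection and run the checks over the table.
    A control block with no observed traffic is reported separately."""
    by_conn = {w.conn: w for w in wires}
    out = []
    for tcb in tcbs:
        wire = by_conn.get(tcb.conn)
        if wire is None:
            out.append(("no-wire-record", tcb.conn, 0))
            continue
        out.extend(check_connection(tcb, wire, max_drift))
    return out


# Constructed sample data (addresses from the documentation range).
A = (80, "203.0.113.10", 40001)   # healthy
B = (80, "203.0.113.11", 40002)   # control block far ahead of the wire
C = (22, "203.0.113.12", 40003)   # healthy, sequence numbers have wrapped
D = (443, "203.0.113.13", 40004)  # expected receive sequence number drifted

SAMPLE_TCBS = [
    TcbView(A, 1000, 5000),
    TcbView(B, 2_000_000, 5000),
    TcbView(C, 50, SEQ_MOD - 10),
    TcbView(D, 1000, 100),
]
SAMPLE_WIRE = [
    WireView(A, 900, 4500),
    WireView(B, 1_000_000, 4800),
    WireView(C, SEQ_MOD - 100, 30),
    WireView(D, 950, 500_000),
]

if __name__ == "__main__":
    for warning in check_all(SAMPLE_TCBS, SAMPLE_WIRE):
        print(*warning)
```

Connection C shows the wrap case: a control block at sequence 50 against a wire record near 2**32 is only 150 bytes ahead once the arithmetic is done modulo 2**32, whereas a naive subtraction would report a drift of almost four billion.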
- 10. In a computer having a real-time supervisory operating system that runs a secondary operating system as an application thereof, a method for defeating a denial of service attack, the method comprising:
  examining a plurality of TCP control blocks in the secondary operating system;
  for each one of said plurality of TCP control blocks, determining whether the control block indicates that the state of a TCP port associated with the control block is SYN_RECEIVED and incrementing a counter if it is determined that the state of the TCP port is SYN_RECEIVED;
  determining whether the value of the counter is greater than a first threshold; and
  issuing a denial of service attack warning if the counter is determined to be greater than the first threshold.
- 11. The method of claim 10, further comprising:
  determining whether the value of the counter is less than a second threshold; and
  setting a denial of service attack warning flag to FALSE if the counter is determined to be less than the second threshold.
- 12. The method of claim 11, wherein the second threshold is less than the first threshold.
- 13. The method of claim 10, further comprising determining the sequence number of the last TCP packet transmitted by a TCP port.
- 14. The method of claim 13, further comprising comparing the determined sequence number to the sequence number of the last TCP packet transmitted onto a network and associated with said TCP port.
- 15. The method of claim 14, further comprising issuing a warning if said determined sequence number is greater than said sequence number of the last TCP packet transmitted onto the network by more than a predetermined amount.
- 16. The method of claim 10, further comprising determining the next sequence number that a TCP port expects to receive.
- 17. The method of claim 16, further comprising comparing the determined sequence number to the sequence number of the last TCP packet that was received from a network and associated with the TCP port.
- 18. The method of claim 17, further comprising issuing a warning if the difference between said determined sequence number and the sequence number of the last TCP packet that was received from the network is greater than a predetermined amount.
- 19. In a computer having a real-time supervisory operating system that runs a secondary operating system as an application thereof, a system for defeating a denial of service attack, the system comprising:
  means for examining a plurality of TCP control blocks in the secondary operating system;
  means for determining whether a TCP control block indicates that the state of a TCP port associated with the control block is SYN_RECEIVED and incrementing a counter if it is determined that the state of the TCP port is SYN_RECEIVED;
  means for determining whether the value of the counter is greater than a first threshold; and
  means for issuing a denial of service attack warning if the counter is determined to be greater than the first threshold.
- 20. The system of claim 19, further comprising:
  means for determining whether the value of the counter is less than a second threshold; and
  means for setting a denial of service attack warning flag to FALSE if the counter is determined to be less than the second threshold.
- 21. The system of claim 20, wherein the second threshold is less than the first threshold.
- 22. The system of claim 19, further comprising means for determining the sequence number of the last TCP packet transmitted by a TCP port.
- 23. The system of claim 22, further comprising means for comparing the determined sequence number to the sequence number of the last TCP packet transmitted onto a network and associated with said TCP port.
- 24. The system of claim 23, further comprising means for issuing a warning if said determined sequence number is greater than said sequence number of the last TCP packet transmitted onto the network by more than a predetermined amount.
- 25. The method of claim 22, further comprising issuing a warning if said determined sequence number is greater than said sequence number of the last TCP packet transmitted onto the network by more than a predetermined amount.
- 26. The system of claim 19, further comprising means for determining the next sequence number that a TCP port expects to receive.
- 27. The system of claim 26, further comprising means for comparing the determined sequence number to the sequence number of the last TCP packet that was received from a network and associated with the TCP port.
- 28. The system of claim 27, further comprising means for issuing a warning if the difference between said determined sequence number and the sequence number of the last TCP packet that was received from the network is greater than a predetermined amount.
- 29. In a computer having a real-time supervisory operating system that runs a secondary operating system as an application thereof, a method for defeating a denial of service attack, the method comprising:
  using a process running under the real-time supervisory operating system to determine whether a TCP control block in the secondary operating system indicates that the state of a TCP port associated with the TCP control block is SYN_RECEIVED;
  incrementing a counter if it is determined that the state of the TCP port is SYN_RECEIVED;
  determining whether the value of the counter is greater than a first threshold; and
  issuing a denial of service attack warning if the counter is determined to be greater than the first threshold.
- 30. The method of claim 29, further comprising:
  determining whether the value of the counter is less than a second threshold; and
  setting a denial of service attack warning flag to FALSE if the counter is determined to be less than the second threshold.
- 31. The method of claim 30, wherein the second threshold is less than the first threshold.
- 32. The method of claim 29, further comprising determining the sequence number of the last TCP packet transmitted by a TCP port.
- 33. The method of claim 32, further comprising comparing the determined sequence number to the sequence number of the last TCP packet transmitted onto a network and associated with said TCP port.
- 34. The method of claim 29, further comprising determining the next sequence number that a TCP port expects to receive.
- 35. The method of claim 34, further comprising comparing the determined sequence number to the sequence number of the last TCP packet that was received from a network and associated with the TCP port.
- 36. The method of claim 35, further comprising issuing a warning if the difference between said determined sequence number and the sequence number of the last TCP packet that was received from the network is greater than a predetermined amount.
Specification