Method and apparatus for deflecting flooding attacks

US 7,234,161 B1
Filed: 12/31/2002
Issued: 06/19/2007
Est. Priority Date: 12/31/2002
Status: Active Grant

First Claim

Patent Images

1. Method for regulating the passage of packets between a host system and a client system in a network computing environment, said method comprising the steps of:

receiving a first packet from the client system, wherein said first packet contains information representative of a request for start of connection;

recording packet information of said first packet;

passing said first packet to the host system;

receiving a second packet from the host system, wherein said second packet contains information representative of an acknowledgement by the host system of said request for start of connection;

passing said second packet to the client system;

monitoring a response by the client system to said second packet for occurrence within a timer threshold;

sending a reset signal to the host system for shutting down a half-open connection if said response by the client system to said second packet is not received within said timer threshold;

receiving a delayed response from the client system to said second packet after said elapse of said timer threshold; and

raising said timer threshold to be more lenient to the client system that previously forwarded said delayed response.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for deflecting connection flooding attacks. Specifically, the stateful firewall allows all connection attempts to flow into the destination host, but monitors the connection attempts to ensure that only legitimate connections are allowed. If the firewall detects that a connection is half-open for longer than a certain timer threshold, it will instruct the destination host to tear down the half-open connection, thereby freeing up resources in the destination host for other connection attempts. The timer threshold can be dynamically adjusted if a connection flooding attack is detected.

Citations

25 Claims

1. Method for regulating the passage of packets between a host system and a client system in a network computing environment, said method comprising the steps of:
- receiving a first packet from the client system, wherein said first packet contains information representative of a request for start of connection;
  
  recording packet information of said first packet;
  
  passing said first packet to the host system;
  
  receiving a second packet from the host system, wherein said second packet contains information representative of an acknowledgement by the host system of said request for start of connection;
  
  passing said second packet to the client system;
  
  monitoring a response by the client system to said second packet for occurrence within a timer threshold;
  
  sending a reset signal to the host system for shutting down a half-open connection if said response by the client system to said second packet is not received within said timer threshold;
  
  receiving a delayed response from the client system to said second packet after said elapse of said timer threshold; and
  
  raising said timer threshold to be more lenient to the client system that previously forwarded said delayed response.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein said packet information comprises a source Internet Protocol (IP) address,a destination Internet Protocol (IP) address,a source Transmission Control Protocol (TCP) port,a destination Transmission Control Protocol (TCP) port, anda client-specified TCP initial sequence number.
  - 3. The method of claim 1, wherein said packet information comprises a client'"'"'s receive window size.
  - 4. The method of claim 1, wherein said first packet is a SYN packet in accordance with the Transmission Control Protocol (TCP).
  - 5. The method of claim 1, wherein said second packet is a SYN-ACK packet in accordance with the Transmission Control Protocol (TCP).
  - 6. The method of claim 1, wherein said response by the client system to said second packet is an ACK packet in accordance with the Transmission Control Protocol (TCP).

7. Method for regulating the passage of packets between a host system and a client system in a network computing environment, said method comprising the steps of:
- receiving a first packet from the client system, wherein said first packet contains information representative of a request for start of connection;
  
  recording packet information of said first packet;
  
  passing said first packet to the host system;
  
  receiving a second packet from the host system, wherein said second packet contains information representative of an acknowledgement by the host system of said request for start of connection;
  
  passing said second packet to the client system;
  
  monitoring a response by the client system to said second packet for occurrence within a timer threshold;
  
  sending a reset signal to the host system for shutting down a half-open connection if said response by the client system to said second packet is not received within said timer threshold;
  
  receiving a third packet from the client system as a delayed response to said second packet after said elapse of said timer threshold;
  
  generating a fourth packet on behalf of the client system, wherein said fourth packet contains information representative of a request for start of connection and is based on information stored from said first packet; and
  
  passing said fourth packet to the host system.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, further comprising the steps of:
    - receiving a fifth packet from the host system, wherein said fifth packet contains information representative of an acknowledgement by the host system of said request for start of connection; and
      
      passing said third packet to the host system.
  - 9. The method of claim 8, wherein said fourth packet is a SYN packet in accordance with the Transmission Control Protocol (TCP).
  - 10. The method of claim 8, wherein said fifth packet is a SYN-ACK packet in accordance with the Transmission Control Protocol (TCP).
  - 11. The method of claim 8, wherein said third packet is an ACK packet in accordance with the Transmission Control Protocol (TCP).
  - 12. The method of claim 8, wherein a sequence number is translated in forming said fourth packet.

13. Method for regulating the passage of packets between a host system and a client system in a network computing environment, said method comprising the steps of:
- receiving a first packet from the client system, wherein said first packet contains information representative of a request for start of connection;
  
  recording packet information of said first packet;
  
  passing said first packet to the host system;
  
  receiving a second packet from the host system, wherein said second packet contains information representative of an acknowledgement by the host system of said request for start of connection;
  
  passing said second packet to the client system;
  
  monitoring a response by the client system to said second packet for occurrence within a timer threshold;
  
  sending a reset signal to the host system for shutting down a half-open connection if said response by the client system to said second packet is not received within said timer threshold;
  
  receiving a delayed response from the client system to said second packet after said elapse of said timer threshold;
  
  receiving a third packet from the client system as a delayed response to said second packet after said elapse of said timer threshold;
  
  generating a fourth packet on behalf of the client system, wherein said fourth packet contains information representative of a request for start of connection; and
  
  passing said fourth packet to the host system.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The method of claim 13, further comprising the steps of:
    - receiving a fifth packet from the host system, wherein said fifth packet contains information representative of an acknowledgement by the host system of said request for start of connection; and
      
      passing said third packet to the host system.
  - 15. The method of claim 14, wherein said fourth packet is a SYN packet in accordance with the Transmission Control Protocol (TCP).
  - 16. The method of claim 14, wherein said fifth packet is a SYN-ACK packet in accordance with the Transmission Control Protocol (TCP).
  - 17. The method of claim 14, wherein said third packet is an ACK packet in accordance with the Transmission Control Protocol (TCP).
  - 18. The method of claim 14, wherein a sequence number is translated in forming said fourth packet.
  - 19. The method of claim 14, further comprising the step of:
    - raising said timer threshold to be more lenient to the client system that previously forwarded said delayed response.
  - 20. The method of claim 14, wherein said packet information comprisesa source Internet Protocol (IP) address,a destination Internet Protocol (IP) address,a source Transmission Control Protocol (TCP) port,a destination Transmission Control Protocol (TCP) port, anda client-specified TCP initial sequence number.
  - 21. The method of claim 14, wherein said packet information comprises a client'"'"'s receive window size.
  - 22. The method of claim 14, wherein said first packet is a SYN packet in accordance with the Transmission Control Protocol (TCP).
  - 23. The method of claim 14, wherein said second packet is a SYN-ACK packet in accordance with the Transmission Control Protocol (TCP).
  - 24. The method of claim 14, wherein said response by the client system to said second packet is an ACK packet in accordance with the Transmission Control Protocol (TCP).

25. A computer readable storage medium holding code that when executed causes a computing device to transact a validated application session in a networked computing environment by performing the steps of:
- receiving a first packet from the client system, wherein said first packet contains information representative of a request for start of connection;
  
  recording packet information of said first packet;
  
  passing said first packet to the host system;
  
  receiving a second packet from the host system, wherein said second packet contains information representative of an acknowledgement by the host system of said request for start of connection;
  
  passing said second packet to the client system;
  
  monitoring a response by the client system to said second packet for occurrence within a timer threshold;
  
  sending a reset signal to the host system for shutting down a half-open connection if said response by the client system to said second packet is not received within said timer threshold;
  
  receiving a delayed response from the client system to said second packet after said elapse of said timer threshold;
  
  receiving a third packet from the client system as a delayed response to said second packet after said elapse of said timer threshold;
  
  generating a fourth packet on behalf of the client system, wherein said fourth packet contains information representative of a request for start of connection; and
  
  passing said fourth packet to the host system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NVIDIA Corporation
Original Assignee
NVIDIA Corporation
Inventors
Nanda, Sameer, Maufer, Thomas A.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
SZYMANSKI, THOMAS M

Application Number

US10/334,656
Time in Patent Office

1,631 Days
Field of Search

726/11, 726/12
US Class Current

726/12
CPC Class Codes

H04L 63/0254   Stateful filtering

H04L 63/1458   Denial of Service

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

Method and apparatus for deflecting flooding attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for deflecting flooding attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links