Prevention of denial of service attacks

US 7,254,133 B2
Filed: 07/15/2002
Issued: 08/07/2007
Est. Priority Date: 07/15/2002
Status: Active Grant

First Claim

Patent Images

1. A method, wherein a first acknowledgement was determined based at least in part on a first hash value from applying a hash function to a source of a communication initiation request and a first time stamp, the method comprising:

receiving a second acknowledgement responsive to the first acknowledgement;

identifying a second source corresponding to the second acknowledgment;

determining a second hash value by applying the hash function to the second source;

extracting the second hash value from the second acknowledgement;

extracting the first time stamp from the second acknowledgement;

comparing the first and second hash values; and

establishing a communication session based at least in part on the comparing.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Denial of service type attacks are attacks where the nature of a system used to establish communication sessions is exploited to prevent the establishment of sessions. For example, to establish a Transmission Control Protocol (TCP)/Internet Protocol (IP) communication session, a three-way handshake is performed between communication endpoints. When a connection request is received, resources are allocated towards establishing the communication session. Malicious entities can attack the handshake by repeatedly only partially completing the handshake, causing the receiving endpoint to run out of resources for allocating towards establishing sessions, thus preventing legitimate connections. Illustrated embodiments overcome such attacks by delaying allocating resources until after the three-way handshake is successfully completed.

115 Citations

View as Search Results

30 Claims

1. A method, wherein a first acknowledgement was determined based at least in part on a first hash value from applying a hash function to a source of a communication initiation request and a first time stamp, the method comprising:
- receiving a second acknowledgement responsive to the first acknowledgement;
  
  identifying a second source corresponding to the second acknowledgment;
  
  determining a second hash value by applying the hash function to the second source;
  
  extracting the second hash value from the second acknowledgement;
  
  extracting the first time stamp from the second acknowledgement;
  
  comparing the first and second hash values; and
  
  establishing a communication session based at least in part on the comparing.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein establishing the communication session further comprises:
    - extracting a second time stamp from the second acknowledgement; and
      
      determining a difference between the first and second time stamps is within a time out period.
  - 3. The method of claim 2, wherein the time out period is a TCP connection establishment time out.
  - 4. The method of claim 1, wherein said extracting comprises XORing values against the second acknowledgement.

5. A method, wherein a first acknowledgement was determined based at least in part on a first hash value from applying a hash function to a source of a communication initiation request and a first time stamp, the method comprising:
- receiving a second acknowledgement responsive to the first acknowledgement;
  
  identifying a second source corresponding to the second acknowledgment;
  
  determining a second hash value by applying the hash function to the second source;
  
  extracting the first time stamp from the second acknowledgement; and
  
  establishing a communication session based at least in part on comparing the first and second hash values.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 6. The method of claim 5, wherein selected ones of said acknowledgements comprise a sequence number, the sequence number determined at least in part on XORing an identifying characteristic of the initiation request and a selected one of the time stamp or a scrambled time stamp.
  - 7. The method of claim 5, further comprising establishing the communication session after receiving the second acknowledgement.
  - 8. The method of claim 5, wherein the first acknowledgement is configured with a first sequence number based at least in part on an identifying characteristic of the initiation request and the time stamp, the method further comprising:
    - validating that the second acknowledgement comprises an acknowledgement number determined by incrementing the first sequence number.
  - 9. The method of claim 5, further comprising:
    - establishing a second communication session with a server; and
      
      bridging the communication session and the second communication session.
  - 10. The method of claim 9, further comprising:
    - the communication session having a first sequence of packets having first sequence numbers;
      
      the second communication session having a second sequence of packets having second sequence numbers; and
      
      said bridging comprising translating packets from the source to correspond to the second sequence numbers, and forwarding translated packets to the server.
  - 11. The method of claim 5, further comprising:
    - establishing the communication session with a source, the communication session comprising packets associated with a first sequence;
      
      establishing a second communication session with a server, the second communication session comprising packets associated with a second sequence; and
      
      associating packets received from the source with the second sequence.
  - 12. The method of claim 11, wherein associating packets received from the source with the second sequence comprises:
    - translating a first sequence identifier of a packet received from the source into a second sequence identifier corresponding to the second sequence.
  - 13. The method of claim 5, further comprising:
    - establishing the communication session with a source, the communication session comprising packets associated with a first sequence;
      
      establishing a second communication session with a server, the second communication session comprising packets associated with a second sequence; and
      
      associating packets received from the server with the first sequence.
  - 14. The method of claim 13, wherein associating packets received from the server with the first sequence comprises:
    - translating a first sequence identifier of a packet received from the server into a second sequence identifier corresponding to the first sequence.
  - 15. The method of claim 5, wherein establishing the communication session further comprises:
    - extracting a second time stamp from the second acknowledgement; and
      
      determining a difference between the first and second time stamps is within a time out period.

16. An article, comprising a processing device accessible media storing data for operating one or more processing devices, wherein a first acknowledgement is determined based at least in part on a first hash value from applying a hash function to a source of a communication initiation request and a first time stamp, and wherein the data, when accessed, results in the one or more processing devices performing:
- receiving a second acknowledgement responsive to the first acknowledgement;
  
  identifying a second source corresponding to the second acknowledgment;
  
  determining a second hash value by applying the hash function to at least the second source;
  
  extracting the first time stamp from the second acknowledgement; and
  
  establishing a communication session based at least in part on comparing the first and second hash values.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 17. The article of claim 16, wherein the data for establishing the communication session further includes data, when accessed by the one or more processing devices, results in the one or more processing devices performing:
    - extracting a second time stamp from the second acknowledgement; and
      
      determining a difference between the first and second time stamps is within a time out period.
  - 18. The article of claim 16, wherein the time out period is a TCP connection establishment time out.
  - 19. The article of claim 16, wherein the data for said extracting further includes data, when accessed by the machine, results in the one or more processing devices performing at least XORing values against the second acknowledgement.
  - 20. The article of claim 16, wherein selected ones of said acknowledgements comprise a sequence number, the sequence number determined at least in part on XORing an identifying characteristic of the initiation request and a selected one of the time stamp or a scrambled time stamp.
  - 21. The article of claim 16, wherein the data further includes data, when accessed by the one or more processing devices, results in the machine performing:
    - establishing the communication session after receiving the second acknowledgement.
  - 22. The method of claim 16, wherein the first acknowledgement is configured with a first sequence number based at least in part on an identifying characteristic of the initiation request and the time stamp, and wherein the data further includes data, when accessed by the one or more processing devices, results in the one or more processing devices performing:
    - validating that the second acknowledgement comprises an acknowledgement number determined by incrementing the first sequence number.
  - 23. The article of claim 16, wherein the data further includes data, when accessed by the one or more processing devices, results in the one or more processing devices performing:
    - establishing a second communication session with a server; and
      
      bridging the communication session and the second communication session.
  - 24. The article of claim 23, wherein the data further includes data, when accessed by the one or more processing devices, results in the one or more processing devices performing:
    - the communication session having a first sequence of packets having first sequence numbers;
      
      the second communication session having a second sequence of packets having second sequence numbers; and
      
      said bridging comprising translating packets from the source to correspond to the second sequence numbers, and forwarding translated packets to the server.
  - 25. The article of claim 16, wherein the data further includes data, when accessed by the one or more processing devices, results in the one or more processing devices performing:
    - establishing the communication session with a source, the communication session comprising packets associated with a first sequence;
      
      establishing a second communication session with a server, the second communication session comprising packets associated with a second sequence; and
      
      associating packets received from the source with the second sequence.
  - 26. The article of claim 25, wherein the data for associating packets received from the source with the second sequence further includes data, when accessed by the one or more processing devices, results in the one or more processing devices performing:
    - translating a first sequence identifier of a packet received from the source into a second sequence identifier corresponding to the second sequence.
  - 27. The article of claim 16, wherein the data further includes data, when accessed by the one or more processing devices, results in the one or more processing devices performing:
    - establishing the communication session with a source, the communication session comprising packets associated with a first sequence;
      
      establishing a second communication session with a server, the second communication session comprising packets associated with a second sequence; and
      
      associating packets received from the server with the first sequence.
  - 28. The article of claim 27, wherein the data for associating packets received from the server with the first sequence wherein the data for associating packets received from the source with the second sequence further includes data, when accessed by the one or more processing devices, results in the one or more processing devices performing:
    - translating a first sequence identifier of a packet received from the server into a second sequence identifier corresponding to the first sequence.

29. A system of cooperatively executing circuitry, comprising:
- a first circuitry configured to perform accessing a first acknowledgement based at least in part on a first hash value determined based at least in part on applying a hash function to a communication initiation request and a first time stamp;
  
  a second circuitry configured to perform accessing a second acknowledgement responsive to the first acknowledgement, identifying a second source corresponding to the second acknowledgment, determining a second hash value by applying the hash function to the second source, extracting the first time stamp from the second acknowledgement; and
  
  a third circuitry configured to perform establishing a communication session based at least in part on comparing the first and second hash values.
- View Dependent Claims (30)
- - 30. The system of claim 29, wherein said circuitry configured to perform establishing the communication session further comprises circuitry to perform:
    - extracting a second time stamp from the second acknowledgement; and
      
      determining a difference between the first and second time stamps is within a time out period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Durham, David M., Govindarajan, Priya
Primary Examiner(s)
Duong; Frank

Application Number

US10/196,541
Publication Number

US 20040008681A1
Time in Patent Office

1,849 Days
Field of Search

None
US Class Current

370/394
CPC Class Codes

H04L 63/1458   Denial of Service

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

H04L 9/40   Network security protocols

Prevention of denial of service attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Prevention of denial of service attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links