Prevention of denial of service attacks
First Claim
1. A method, wherein a first acknowledgement was determined based at least in part on a first hash value from applying a hash function to a source of a communication initiation request and a first time stamp, the method comprising:
- receiving a second acknowledgement responsive to the first acknowledgement;
- identifying a second source corresponding to the second acknowledgment;
- determining a second hash value by applying the hash function to the second source;
- extracting the second hash value from the second acknowledgement;
- extracting the first time stamp from the second acknowledgement;
- comparing the first and second hash values; and
- establishing a communication session based at least in part on the comparing.
Abstract
Denial of service type attacks are attacks where the nature of a system used to establish communication sessions is exploited to prevent the establishment of sessions. For example, to establish a Transmission Control Protocol (TCP)/Internet Protocol (IP) communication session, a three-way handshake is performed between communication endpoints. When a connection request is received, resources are allocated towards establishing the communication session. Malicious entities can attack the handshake by repeatedly only partially completing the handshake, causing the receiving endpoint to run out of resources for allocating towards establishing sessions, thus preventing legitimate connections. Illustrated embodiments overcome such attacks by delaying allocating resources until after the three-way handshake is successfully completed.
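The check recited in the first claim, combined with the abstract's deferred allocation, as an added example (not code from the patent): the first acknowledgement carries the time stamp and a hash of the source, and session state is created only after the second acknowledgement verifies. The keyed HMAC-SHA256, the 12-byte token layout, `MAX_AGE` and all addresses are assumptions made for illustration; a real TCP stack has to fit the value into the sequence number.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"  # assumption: server-side key, not in the claims
MAX_AGE = 30                         # assumption: validity window in seconds
sessions = {}                        # state is allocated only after verification

def _hash(source, timestamp):
    """Keyed hash over the request source and the time stamp."""
    ip, port = source
    msg = f"{ip}|{port}|{timestamp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:8]

def first_acknowledgement(source, now):
    """Answer an initiation request without storing anything about it."""
    return struct.pack("!I", now) + _hash(source, now)

def second_acknowledgement(source, echoed, now):
    """Verify the echoed value; allocate a session only on success."""
    if len(echoed) != 12:
        return False
    (timestamp,) = struct.unpack("!I", echoed[:4])  # extract the first time stamp
    first_hash = echoed[4:]                         # extract the hash value
    second_hash = _hash(source, timestamp)          # recompute from the actual sender
    if not hmac.compare_digest(first_hash, second_hash):
        return False                                # different source or forged value
    if not 0 <= now - timestamp <= MAX_AGE:
        return False                                # stale or future-dated
    sessions[source] = {"established_at": now}
    return True

def demo():
    client = ("198.51.100.7", 40000)                # constructed sample addresses
    token = first_acknowledgement(client, now=1000)
    for i in range(200):                            # half-open flood: replies sent, nothing stored
        first_acknowledgement((f"203.0.113.{i}", 1234), now=1000)
    return {
        "state_after_flood": len(sessions),
        "legit": second_acknowledgement(client, token, now=1005),
        "other_source": second_acknowledgement(("203.0.113.9", 40000), token, now=1005),
        "expired": second_acknowledgement(client, token, now=1000 + MAX_AGE + 1),
        "state_after_handshake": len(sessions),
    }

if __name__ == "__main__":
    print(demo())
```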
30 Claims
5. A method, wherein a first acknowledgement was determined based at least in part on a first hash value from applying a hash function to a source of a communication initiation request and a first time stamp, the method comprising:
- receiving a second acknowledgement responsive to the first acknowledgement;
- identifying a second source corresponding to the second acknowledgment;
- determining a second hash value by applying the hash function to the second source;
- extracting the first time stamp from the second acknowledgement; and
- establishing a communication session based at least in part on comparing the first and second hash values.
16. An article, comprising a processing device accessible media storing data for operating one or more processing devices, wherein a first acknowledgement is determined based at least in part on a first hash value from applying a hash function to a source of a communication initiation request and a first time stamp, and wherein the data, when accessed, results in the one or more processing devices performing:
- receiving a second acknowledgement responsive to the first acknowledgement;
- identifying a second source corresponding to the second acknowledgment;
- determining a second hash value by applying the hash function to at least the second source;
- extracting the first time stamp from the second acknowledgement; and
- establishing a communication session based at least in part on comparing the first and second hash values.
29. A system of cooperatively executing circuitry, comprising:
- a first circuitry configured to perform accessing a first acknowledgement based at least in part on a first hash value determined based at least in part on applying a hash function to a communication initiation request and a first time stamp;
- a second circuitry configured to perform accessing a second acknowledgement responsive to the first acknowledgement, identifying a second source corresponding to the second acknowledgment, determining a second hash value by applying the hash function to the second source, extracting the first time stamp from the second acknowledgement; and
- a third circuitry configured to perform establishing a communication session based at least in part on comparing the first and second hash values.
Specification