System and method for defeating SYN attacks

US 7,391,725 B2
Filed: 05/18/2004
Issued: 06/24/2008
Est. Priority Date: 05/18/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A server operating on an Internet Protocol (IP) network and running Transport Control Protocol to allow the establishment of one or more TCP connections with one or more clients, the server being configured to defeat a SYN flood attack, comprising:

a network interface card (NIC) receiving packets over the network and inserting the packets into at least one queue; and

a TCP/IP stack processing packets from the at least one queue, wherein the TCP/IP stack intentionally drops SYN packets at a SYN drop rate that is at least partly dependent upon a load on the server, the load being determined based on packet processing on the NIC.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for defeating SYN attacks are provided. When the number of packets received by a server is above the capacity of the server, the server assumes that a SYN attack is in progress. The server randomly drops SYN packets without processing them. The percentage of SYN packets dropped is increased while the load on the server exceeds capacity, and decreased while the load on the server does not exceed capacity. Under attack conditions, a percentage of TCP connections are still maintained.

102 Citations

View as Search Results

30 Claims

1. A server operating on an Internet Protocol (IP) network and running Transport Control Protocol to allow the establishment of one or more TCP connections with one or more clients, the server being configured to defeat a SYN flood attack, comprising:
- a network interface card (NIC) receiving packets over the network and inserting the packets into at least one queue; and
  
  a TCP/IP stack processing packets from the at least one queue, wherein the TCP/IP stack intentionally drops SYN packets at a SYN drop rate that is at least partly dependent upon a load on the server, the load being determined based on packet processing on the NIC.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The server of claim 1, wherein the SYN drop rate is increased when the load on the server is above a threshold, and the SYN drop rate is decreased when the load on the server is not above the threshold.
  - 3. The server of claim 2, wherein the load on the server is determined by a length of the at least one queue.
  - 4. The server of claim 2, wherein the NIC drops packets at a NIC drop rate and the load on the server is determined by the NIC drop rate.
  - 5. The server of claim 4, wherein the TCP/IP stack comprises a random number generator and a comparison mechanism, the comparison mechanism being adapted and configured, for each SYN packet, to compare a random number to the SYN drop rate.
  - 6. The server of claim 4, wherein the SYN drop rate is increased by the minimum of a first coefficient and a second coefficient multiplied by the NIC drop rate.
  - 7. The server of claim 6, wherein the first coefficient is 0.01 and the second coefficient is 0.20.
  - 8. The server of claim 4, wherein the SYN drop rate decreases when the NIC drop rate is not greater than zero.
  - 9. The server of claim 8, wherein the SYN drop rate is decreased by a coefficient.
  - 10. The server of claim 9, wherein the coefficient is 0.01.

11. A method for defeating a SYN flood attack on a server, operating on an Internet Protocol (IP) network and running Transport Control Protocol to allow the establishment of one or more TCP connections with one or more clients, comprising:
- receiving a plurality of packets, the packets including SYN packets and non-SYN packets;
  
  determining a load on the server the load being determined based on packet processing on a Network Interface Card (NIC);
  
  adjusting a SYN packet drop rate according to the load on the server, wherein the SYN packet drop rate determines how many SYN packets are dropped while processing TCP/IP packets on the server.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein adjusting a SYN packet drop rate further comprises increasing the SYN packet drop rate when the load on the server is determined to be above a threshold, and decreasing the SYN packet drop rate when the load on the server is determined to be not above the threshold.
  - 13. The method of claim 12, wherein the load on the server is determined by a length of at least one queue on the NIC containing packets awaiting processing.
  - 14. The method of claim 12, wherein a NIC drop rate signifies how many packets are being dropped by the NIC due to the load on the server, and the SYN packet drop rate is adjusted based at least partly on the NIC drop rate.
  - 15. The method of claim 14, further including increasing the SYN packet drop rate when the NIC drop rate is greater than zero.
  - 16. The method of claim 15, wherein the SYN packet drop rate is increased by the minimum of a first coefficient and a second coefficient multiplied by the NIC drop rate.
  - 17. The method of claim 16, wherein the first coefficient is 0.01 and the second coefficient is 0.20.
  - 18. The method of claim 14, further including decreasing the SYN packet drop rate when the NIC drop rate is not greater than zero.
  - 19. The method of claim 18, wherein the SYN packet drop rate is decreased by a coefficient.
  - 20. The method of claim 19, wherein the method further comprises for each SYN packet received, comparing a random number to the SYN packet drop rate and dropping the SYN packet if the random number is less than SYN packet drop rate.

21. A computer-readable medium having computer-executable instructions for performing the steps comprising:
- receiving a plurality of packets over a network, the packets including SYN packets and non-SYN packets;
  
  determining a load on the server, the load being determined based on packet processing on a Network Interface Card (NIC); and
  
  adjusting a SYN packet drop rate according to the load on the server, wherein the SYN packet drop rate determines how many SYN packets are dropped by a TCP/IP stack.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The computer readable medium of claim 21, wherein the step of adjusting a SYN packet drop rate further comprises increasing the SYN packet drop rate when the load on the server is determined to be above a threshold, and decreasing the SYN packet drop rate when the load on the server is determined to be not above the threshold.
  - 23. The computer readable medium of claim 22, wherein the load on the server is determined by a length of at least one queue on the NIC containing packets awaiting processing.
  - 24. The computer readable medium of claim 22, wherein a NIC drop rate signifies how many packets are being dropped by a NIC due to the load on the server, and the SYN packet drop rate is adjusted based at least partly on the NIC drop rate.
  - 25. The computer-readable medium of claim 24, the steps further comprising increasing the SYN packets drop rate when the NIC drop rate is greater than zero.
  - 26. The computer-readable medium of claim 25, wherein the SYN packet drop rate is increased by the minimum of a first coefficient and a second coefficient multiplied by the NIC drop rate.
  - 27. The computer-readable medium of claim 26, wherein the first coefficient is 0.01 and the second coefficient is 0.20.
  - 28. The computer-readable medium of claim 24, the steps further comprising decreasing the SYN packet drop rate when the NIC drop rate is not greater than zero.
  - 29. The computer-readable medium of claim 28, wherein the SYN packet drop rate is decreased by a coefficient of 0.01.
  - 30. The computer-readable medium of claim 21, further having computer executable instruction for performing steps comprising:
    - determining the load based on packet processing on the NIC.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Huitema, Christian, Kaniyar, Sanjay N., Sanders, Henry L.
Primary Examiner(s)
HSU, ALPUS

Application Number

US10/847,341
Publication Number

US 20050259644A1
Time in Patent Office

1,498 Days
Field of Search

370/230.1, 370/242, 370/395.52, 709/203, 709/228, 726/22
US Class Current

370/230.1
CPC Class Codes

H04L 63/1458   Denial of Service

H04L 69/14   Multichannel or multilink p...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

System and method for defeating SYN attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for defeating SYN attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links