Thwarting connection-based denial of service attacks
Abstract
A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.
28 Claims
1. A method executed on a device for defending a server against SYN flood attacks, the method comprises:
during a connection setup initiated by sending a SYN packet from a client to a server; forwarding a received SYN ACK packet from the server to the client; maintaining a half-open connection for a variable timeout period and if an ACK packet does not arrive from the client to the server, sending a RST by the device to the server to cause the server to close the half-open connection.
Dependent claims: 2, 3, 4, 5, 6, 7, 8 (not shown).
9. A method executed on a gateway for defending a server against SYN flood attacks, the method comprises:
during a connection setup initiated by sending a SYN packet from a client to a server; tracking ratios of SYNs to SYN ACKs; comparing the ratios to threshold values; and sending an alarm to a control center when the ratio exceeds a threshold value to indicate to the control center that the server is under a SYN flood attack.
Dependent claims: 10, 11 (not shown).
12. A gateway device disposed between a data center and a network for thwarting denial of service attacks on the data center, the gateway device comprises:
a computing device comprising; a monitoring process that monitors network connection setups initiated by sending SYN packets from a client to the data center, the monitoring process including a SYN ACK forward process to forward received SYN ACK packets from a server to the client; a process to determine a variable time out period; a process to maintain a half open connection open for the variable timeout period; a reset process to send a reset packet to the server to cause the server to close the half-open connection when an ACK packet does not arrive from the client to the server during the timeout period; and a packet forwarding process to forward the ACK packet when the ACK packet is received from the client by the server, and to establish an open connection.
Dependent claims: 13, 14, 15, 16, 17 (not shown).
18. A gateway device disposed between a data center and a network for thwarting denial of service attacks on the data center, the gateway device comprising:
a computing device comprising a monitoring process that monitors network connection setups initiated by sending SYN packets from a client to the data center, the monitoring process comprising a process to; determine ratios of SYN packets to SYN ACK packets; compare the determined ratio to a threshold value; and send an alarm to a control center when at least one of the ratio exceeds a threshold value to indicate to the control center that the server is under a SYN flood attack.
Dependent claims: 19, 20 (not shown).
21. A computer program product residing on a computer readable medium for defending a server against SYN flood attacks, the computer program product executed on a device, the computer program product comprising instructions to cause the device to:
forward, in response to a SYN packet received from a client to by the server, a SYN ACK packet from the server to the client; maintain a half-open connection open for a variable timeout period; and close the half-open connection by sending a RST to the server if an ACK packet does not arrive from the client to the server; or forward a received ACK to the server if the ACK packet does arrive from the client to the server.
Dependent claims: 22, 23, 24, 25, 26 (not shown).
27. A computer program product residing on a computer readable medium for defending a server against SYN flood attacks, the computer program product executed on a device, the computer program product comprising instructions to cause the device to:
during a connection setup initiated by sending a SYN packet from a client to a server; determine ratios of SYNs to SYN ACKs; compare the determined ratios to threshold values; and send an alarm message to a control center when at least one of the ratios exceeds a threshold value to indicate to the control center that the server is under a SYN flood attack.
Dependent claims: 28 (not shown).
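The two independent mechanisms claimed above (the half-open table with a variable timeout and server-side RST in claims 1, 12 and 21; the SYN to SYN ACK ratio alarm in claims 9, 18 and 27) as one added simulation. This is illustrative code written for this page, not the patent's gateway implementation; the timeout policy, the threshold value and the constructed traffic are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class SynGateway:
    """Gateway state for both claimed mechanisms (simulation; not the patent's code)."""
    base_timeout: float = 3.0      # half-open lifetime when the table is empty (assumed)
    ratio_threshold: float = 2.0   # SYN : SYN-ACK ratio that raises the alarm (assumed)
    half_open: dict = field(default_factory=dict)  # (client, server) -> expiry time
    syns: int = 0
    syn_acks: int = 0
    actions: list = field(default_factory=list)    # forwards and resets the device emits

    def timeout_for(self) -> float:
        # Variable timeout (assumed policy): shrink as the half-open table fills,
        # so a flood ages out faster while a quiet server keeps the full timeout.
        return max(0.25, self.base_timeout / (1 + len(self.half_open) / 10))

    def on_packet(self, now: float, flags: str, client: str, server: str) -> None:
        self.expire(now)
        key = (client, server)
        if flags == "SYN":                              # client -> server
            self.syns += 1
            self.actions.append(("forward", "SYN", key))
        elif flags == "SYN-ACK":                        # server -> client, start timer
            self.syn_acks += 1
            self.half_open[key] = now + self.timeout_for()
            self.actions.append(("forward", "SYN-ACK", key))
        elif flags == "ACK" and key in self.half_open:  # handshake completed
            del self.half_open[key]
            self.actions.append(("forward", "ACK", key))

    def expire(self, now: float) -> None:
        # Entries whose ACK never arrived: send the server a RST so it frees the slot.
        for key, deadline in list(self.half_open.items()):
            if now >= deadline:
                del self.half_open[key]
                self.actions.append(("rst", key))

    def under_attack(self) -> bool:
        # Claims 9/18/27: alarm the control center when SYN:SYN-ACK exceeds the threshold.
        return self.syns / max(self.syn_acks, 1) > self.ratio_threshold

def simulate() -> SynGateway:
    """Constructed traffic: one real handshake, 20 answered SYNs never ACKed, 60 unanswered SYNs."""
    gw = SynGateway()
    gw.on_packet(0.0, "SYN", "10.0.0.5", "srv")
    gw.on_packet(0.1, "SYN-ACK", "10.0.0.5", "srv")
    gw.on_packet(0.2, "ACK", "10.0.0.5", "srv")
    for i in range(20):
        gw.on_packet(1.0 + i * 0.01, "SYN", f"198.51.100.{i}", "srv")
        gw.on_packet(1.0 + i * 0.01, "SYN-ACK", f"198.51.100.{i}", "srv")
    for i in range(60):
        gw.on_packet(2.0 + i * 0.01, "SYN", f"203.0.113.{i}", "srv")
    gw.expire(10.0)
    return gw
```

After `simulate()` the legitimate handshake has been forwarded end to end, the 20 abandoned half-open entries have each produced a RST toward the server, and the SYN:SYN-ACK ratio (81:21) is above the threshold, so `under_attack()` is true.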