Apparatus, method and computer program product to reduce TCP flooding attacks while conserving wireless network bandwidth
Abstract
A method for operating a firewall includes: in response to the firewall receiving a TCP SYN request packet that is sent towards a first node from a second node, the TCP SYN request packet comprising a sequence value (“seq”), sending to the second node a SYN|ACK packet, the SYN|ACK packet comprising a seq and an ack_sequence value (“ack_seq”), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet's seq+1; and in response to the firewall receiving a TCP RST packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection.
21 Claims
1. A method comprising:
in response to a firewall receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“seq”), sending to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“ack_seq”), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet's seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the firewall, IP address information, and a HASH function, wherein the secret value is not known to the second node;
in response to receiving a transport control protocol reset (TCP RST) packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection;
sending an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“seq”) equal to the seq of the TCP SYN request packet;
after designating the connection with the second node as an authorized connection, using the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
sending the constructed SYN packet to the first node to further enable a secure connection.
Dependent claims: 2, 3

4. An apparatus comprising:
at least one data processor configured to send, in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“seq”), to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“ack_seq”), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet's seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the network node, IP address information, and a HASH function, wherein the secret value is not known to the second node; and
a computer-readable medium configured to store the secret value,
wherein the at least one data processor is further configured:
to verify, in response to receiving a transport control protocol reset (TCP RST) packet from the second node, that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, for designating the connection with the second node as an authorized connection;
to send, in response to receiving the TCP SYN request, an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“seq”) equal to the seq of the TCP SYN request packet;
to use, after designating the connection with the second node as an authorized connection, the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
to send the constructed SYN packet to the first node to further enable a secure connection,
wherein the apparatus is configured to operate as a firewall.
Dependent claims: 5

6. A computer-readable medium storing program instructions for operating a firewall, execution of said program instructions resulting in operations comprising:
in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“seq”), sending to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“ack_seq”), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet's seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the firewall, IP address information, and a HASH function, wherein the secret value is not known to the second node;
in response to receiving a transport control protocol reset (TCP RST) packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection;
sending an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“seq”) equal to the seq of the TCP SYN request packet;
after designating the connection with the second node as an authorized connection, using the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
sending the constructed SYN packet to the first node to further enable a secure connection.
Dependent claims: 7

8. A method for operating a firewall, comprising:
determining that a trigger condition is met; and
in response to determining that the trigger condition is met, switching from a Stateful mode to a Stateless mode, wherein the Stateless mode comprises:
in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“seq”), sending to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“ack_seq”), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet's seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the firewall, IP address information, and a HASH function, wherein the secret value is not known to the second node;
in response to receiving the TCP SYN request packet, sending an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“seq”) equal to the seq of the TCP SYN request packet;
in response to receiving a transport control protocol reset (TCP RST) packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection;
after designating the connection with the second node as an authorized connection, using the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
sending the constructed SYN packet to the first node to further enable a secure connection.
Dependent claims: 9, 10

11. An apparatus comprising at least one data processor and a computer-readable medium, wherein the data processor is configured, responsive to a trigger condition, to switch the apparatus from a Stateful mode to a Stateless mode, wherein the Stateless mode comprises:
the at least one data processor sending, in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“seq”), to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“ack_seq”), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet's seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the apparatus, IP address information, and a HASH function, wherein the secret value is not known to the second node;
the at least one data processor sending, in response to receiving the TCP SYN request packet, an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“seq”) equal to the seq of the TCP SYN request packet;
the at least one data processor verifying, in response to receiving a transport control protocol reset (TCP RST) packet from the second node, that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, for designating the connection with the second node as an authorized connection;
after designating the connection with the second node as an authorized connection, the at least one data processor using the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
the at least one data processor sending the constructed SYN packet to the first node to further enable a secure connection,
wherein the computer-readable medium is configured to store the secret value, wherein the apparatus is configured to operate as a firewall.
Dependent claims: 12, 13

14. A computer-readable medium storing program instructions for operating a firewall, execution of said program instructions resulting in operations comprising switching from a Stateful mode to a Stateless mode when a trigger condition is met, wherein the Stateless mode comprises:
in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“seq”), sending to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“ack_seq”), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet's seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the firewall, IP address information, and a HASH function, wherein the secret value is not known to the second node;
in response to receiving the TCP SYN request packet, sending an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“seq”) equal to the seq of the TCP SYN request packet;
in response to receiving a transport control protocol reset (TCP RST) packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection;
after designating the connection with the second node as an authorized connection, using the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
sending the constructed SYN packet to the first node to further enable a secure connection.
Dependent claims: 15, 16

17. A wireless network enabled to transfer packet data between a wireless node and a data communication network, comprising:
a wireless network security component, said wireless network security component comprising:
means for sending, in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“seq”), to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“ack_seq”), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet's seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the firewall, IP address information, and a HASH function, wherein the secret value is not known to the second node;
means for verifying, in response to receiving a transport control protocol reset (TCP RST) packet from the second node, that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, for designating the connection with the second node as an authorized connection;
means for sending, in response to receiving the TCP SYN request, an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“seq”) equal to the seq of the TCP SYN request packet;
means for using, after designating the connection with the second node as an authorized connection, the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
means for sending the constructed SYN packet to the first node to further enable a secure connection.
Dependent claims: 18, 19, 20, 21
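The exchange the claims describe, as an added example that is not code from the patent or its assignee: a firewall model that, in Stateless mode, answers a SYN with a SYN|ACK whose ack_seq is a keyed hash rather than seq+1, sends the extra flagless segment carrying the client's own seq, treats a RST echoing the cookie as proof that the second node is reachable, and rebuilds the SYN for the first node from the second RST. The Stateful-to-Stateless trigger of claims 8, 11 and 14 is modelled as a half-open count exceeding a threshold. The packet layout, the choice of HMAC-SHA256 truncated to 32 bits as the "HASH function", the threshold, the addresses, the attack traffic and the client's TCP model are all this example's assumptions, not the patent's.

```python
"""Added example, not code from the patent or its assignee: a model of the reflected-handshake
firewall of claims 1-7 plus the stateful-to-stateless switch of claims 8-16. Packet layout,
the HMAC-SHA256 cookie, the half-open threshold, addresses and the client model are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

SYN, ACK, RST = "SYN", "ACK", "RST"
SERVER = "192.0.2.10"  # the protected "first node" (constructed address)


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack_seq: int = 0
    flags: frozenset = frozenset()

    def reply(self, seq: int, ack_seq: int = 0, *flags: str) -> "Pkt":
        """A segment going back the other way on the same 4-tuple."""
        return Pkt(self.dst, self.src, self.dport, self.sport, seq, ack_seq, frozenset(flags))


def cookie(secret: bytes, p: Pkt) -> int:
    """ack_seq for the SYN|ACK: keyed hash of the address information (assumed HMAC-SHA256
    over the 4-tuple, truncated to 32 bits); deliberately not seq+1."""
    msg = f"{p.src}|{p.dst}|{p.sport}|{p.dport}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class Firewall:
    def __init__(self, secret: bytes, half_open_limit: int = 3):
        self.secret = secret
        self.half_open_limit = half_open_limit  # assumed trigger condition (claim 8)
        self.stateless = False
        self.half_open = {}      # Stateful mode: (src, sport) -> pending SYN
        self.authorized = set()  # Stateless mode: clients that echoed the cookie
        self.to_client = []      # segments sent back to the second node
        self.to_server = []      # SYNs forwarded to the first node

    def receive(self, p: Pkt) -> None:
        key = (p.src, p.sport)
        if SYN in p.flags and ACK not in p.flags:
            if not self.stateless:
                self.half_open[key] = p
                self.to_server.append(p)
                if len(self.half_open) >= self.half_open_limit:
                    self.stateless = True  # flood suspected: stop holding per-SYN state
                    self.half_open.clear()
                return
            c = cookie(self.secret, p)
            # SYN|ACK whose ack_seq is the cookie, then a segment with neither SYN nor ACK
            # whose seq is the client's own seq
            self.to_client.append(p.reply(int.from_bytes(os.urandom(4), "big"), c, SYN, ACK))
            self.to_client.append(p.reply(p.seq))
        elif RST in p.flags:
            if key not in self.authorized:
                if p.seq == cookie(self.secret, p):  # RST.seq must equal the SYN|ACK's ack_seq
                    self.authorized.add(key)
                return
            # Second RST from an authorized client: recover the original seq and rebuild the SYN.
            # The claim reads the RST's seq; a stack resetting a non-ACK segment per RFC 793
            # echoes the value in the ACK field instead, so either field is accepted here.
            orig_seq = p.ack_seq if ACK in p.flags else p.seq
            self.authorized.discard(key)
            self.to_server.append(Pkt(p.src, p.dst, p.sport, p.dport, orig_seq, 0, frozenset({SYN})))


def client_stack(p: Pkt, isn: int, state: str) -> Optional[Pkt]:
    """Model of the second node's TCP stack (RFC 793 reset rules): in SYN-SENT a SYN|ACK
    whose ack is not isn+1 draws RST(seq = that ack); a closed socket answers a segment
    without ACK with RST|ACK(seq = 0, ack = seg.seq + seg.len), here with seg.len == 0."""
    if state == "SYN-SENT" and ACK in p.flags and p.ack_seq != isn + 1:
        return p.reply(p.ack_seq, 0, RST)
    if state == "CLOSED" and ACK not in p.flags:
        return p.reply(0, p.seq, RST, ACK)
    return None


def syn_flood(fw: Firewall, count: int) -> int:
    """Constructed attack traffic: SYNs spoofed from addresses at which nothing answers.
    Returns how many half-open entries the firewall holds afterwards."""
    for i in range(count):
        fw.receive(Pkt(f"203.0.113.{i + 1}", SERVER, 50000 + i, 80, 7000 + i, 0, frozenset({SYN})))
    return len(fw.half_open)


def legit_client_connect(fw: Firewall, src: str = "10.0.0.5", sport: int = 40000,
                         isn: int = 1000) -> Optional[Pkt]:
    """Walk a real client through the exchange; return the SYN the firewall forwards."""
    fw.receive(Pkt(src, SERVER, sport, 80, isn, 0, frozenset({SYN})))
    queued, fw.to_client = fw.to_client, []
    state = "SYN-SENT"
    for q in queued:
        rst = client_stack(q, isn, state)
        if rst is not None:
            fw.receive(rst)
            state = "CLOSED"  # assumed: the client aborts its attempt after resetting the SYN|ACK
    fwd = fw.to_server[-1] if fw.to_server else None
    return fwd if fwd is not None and (fwd.src, fwd.sport) == (src, sport) else None
```

Two things worth keeping in mind when reading the model. First, what the cookie check proves is only that something at the claimed source address received the SYN|ACK and answered it; spoofed SYNs from addresses that do not answer cost the firewall no state, which is the property the claims are after. Second, RFC 793 keeps a client in SYN-SENT after it resets an unacceptable SYN|ACK and has it drop a segment carrying neither SYN nor RST in that state, so whether the second RST actually appears depends on the client's stack; the model follows the sequence the claims describe and marks the client's transition to CLOSED as an assumption.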