Apparatus, method and computer program product to reduce TCP flooding attacks while conserving wireless network bandwidth

US 7,613,193 B2
Filed: 02/03/2006
Issued: 11/03/2009
Est. Priority Date: 02/04/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

in response to a firewall receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“

seq”

), sending to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“

ack_seq”

), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the firewall, IP address information, and a HASH function, wherein the secret value is not known to the second node;

in response to receiving a transport control protocol reset (TCP RST) packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection;

sending an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“

seq”

) equal to the seq of the TCP SYN request packet;

after designating the connection with the second node as an authorized connection, using the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and

sending the constructed SYN packet to the first node to further enable a secure connection.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for operating a firewall includes: in response to the firewall receiving a TCP SYN request packet that is sent towards a first node from a second node, the TCP SYN request packet comprising a sequence value (“seq”), sending to the second node a SYN|ACK packet, the SYN|ACK packet comprising a seq and an ack_sequence value (“ack_seq”), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1; and in response to the firewall receiving a TCP RST packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection.

Citations

21 Claims

1. A method comprising:
- in response to a firewall receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“
  
  seq”
  
  ), sending to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“
  
  ack_seq”
  
  ), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the firewall, IP address information, and a HASH function, wherein the secret value is not known to the second node;
  
  in response to receiving a transport control protocol reset (TCP RST) packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection;
  
  sending an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“
  
  seq”
  
  ) equal to the seq of the TCP SYN request packet;
  
  after designating the connection with the second node as an authorized connection, using the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
  
  sending the constructed SYN packet to the first node to further enable a secure connection.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the ack_seq of the SYN|ACK packet is determined by:
    - ack_seq=make32(HASH(LK|IP|TCP)),where LK is the secret value, IP refers to a result of a concatenation of source IP address and destination IP address found in the SYN packet, TCP refers to a result of a concatenation of TCP port numbers, and the function make32 takes the string produced by the HASH function and generates a 32-bit number.
  - 3. The method of claim 1, whereinthe ack_seq of the SYN|ACK packet is computed as:
    - ack_seq=make32(HASH(LK|IP|TCP)),where LK is the secret value, where IP refers to a result of a concatenation of source IP address and destination IP address found in the SYN packet, TCP refers to a result of a concatenation of TCP port numbers, and where the function make32 takes the bits of the hash functions and forms them into a 32-bit number, andwherein the additional TCP packet comprises a pure data packet.

4. An apparatus comprising:
- at least one data processor configured to send, in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“
  
  seq”
  
  ), to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“
  
  ack_seq”
  
  ), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the network node, IP address information, and a HASH function, wherein the secret value is not known to the second node; and
  
  a computer-readable medium configured to store the secret value,wherein the at least one data processor is further configured;
  
  to verify, in response to receiving a transport control protocol reset (TCP RST) packet from the second node, that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, for designating the connection with the second node as an authorized connection;
  
  to send, in response to receiving the TCP SYN request, an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“
  
  seq”
  
  ) equal to the seq of the TCP SYN request packet;
  
  to use, after designating the connection with the second node as an authorized connection, the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
  
  to send the constructed SYN packet to the first node to further enable a secure connection, wherein the apparatus is configured to operate as a firewall.
- View Dependent Claims (5)
- - 5. The apparatus of claim 4, wherein the ack_seq of the SYN|ACK packet is determined by:
    - ack_seq=make32(HASH(LK|IP|TCP)),where LK is the secret value, IP refers to a result of a concatenation of source IP address and destination IP address found in the SYN packet, TCP refers to a result of a concatenation of TCP port numbers, and the function make32 takes the string produced by the HASH function and generates a 32-bit number.

6. A computer-readable medium storing program instructions for operating a firewall, execution of said program instructions resulting in operations comprising:
- in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“
  
  seq”
  
  ), sending to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“
  
  ack_seq”
  
  ), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the firewall, IP address information, and a HASH function, wherein the secret value is not known to the second node;
  
  in response to receiving a transport control protocol reset (TCP RST) packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection;
  
  sending an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“
  
  seq”
  
  ) equal to the seq of the TCP SYN request packet;
  
  after designating the connection with the second node as an authorized connection, using the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
  
  sending the constructed SYN packet to the first node to further enable a secure connection.
- View Dependent Claims (7)
- - 7. The computer-readable medium of claim 6, wherein the ack_seq of the SYN|ACK packet is determined by:
    - ack_seq=make32(HASH(LK|IP|TCP)),where LK is the secret value, IP refers to a result of a concatenation of source IP address and destination IP address found in the SYN packet, TCP refers to a result of a concatenation of TCP port numbers, and the function make32 takes the string produced by the HASH function and generates a 32-bit number.

8. A method for operating a firewall, comprising:
- determining that a trigger condition is met; and
  
  in response to determining that the trigger condition is met, switching from a Stateful mode to a Stateless mode,wherein the Stateless mode comprises;
  
  in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“
  
  seq”
  
  ), sending to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“
  
  ack_seq”
  
  ), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the firewall, IP address information, and a HASH function, wherein the secret value is not known to the second node;
  
  in response to receiving the TCP SYN request packet, sending an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“
  
  seq”
  
  ) equal to the seq of the TCP SYN request packet;
  
  in response to receiving a transport control protocol reset (TCP RST) packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection;
  
  after designating the connection with the second node as an authorized connection, using the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
  
  sending the constructed SYN packet to the first node to further enable a secure connection.
- View Dependent Claims (9, 10)
- - 9. The method of claim 8, wherein the trigger condition comprises memory consumption resulting from connection attempts equaling a threshold value.
  - 10. The method of claim 8, wherein the Stateful mode comprises:
    - in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“
      
      seq”
      
      ), sending to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“
      
      ack_seq”
      
      ), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1; and
      
      in response to receiving a transport control protocol reset (TCP RST) packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection.

11. An apparatus comprising at least one data processor and a computer-readable medium, wherein the data processor is configured, responsive to a trigger condition, to switch the apparatus from a Stateful mode to a Stateless mode, wherein the Stateless mode comprises:
- the at least one data processor sending, in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“
  
  seq”
  
  ), to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“
  
  ack_seq”
  
  ), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the apparatus, IP address information, and a HASH function, wherein the secret value is not known to the second node;
  
  the at least one data processor sending, in response to receiving the TCP SYN request packet, an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“
  
  seq”
  
  ) equal to the seq of the TCP SYN request packet;
  
  the at least one data processor verifying, in response to receiving a transport control protocol reset (TCP RST) packet from the second node, that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, for designating the connection with the second node as an authorized connection;
  
  after designating the connection with the second node as an authorized connection, the at least one data processor using the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
  
  the at least one data processor sending the constructed SYN packet to the first node to further enable a secure connection,wherein the computer-readable medium is configured to store the secret value, wherein the apparatus is configured to operate as a firewall.
- View Dependent Claims (12, 13)
- - 12. The apparatus of claim 11, wherein the trigger condition comprises memory consumption resulting from connection attempts equaling a threshold value.
  - 13. The apparatus of claim 11, wherein the Stateful mode comprises:
    - the at least one data processor sending, in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“
      
      seq”
      
      ), to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“
      
      ack_seq”
      
      ), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1; and
      
      the at least one data processor verifying, in response to receiving a transport control protocol reset (TCP RST) packet from the second node, that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection.

14. A computer-readable medium storing program instructions for operating a firewall, execution of said program instructions resulting in operations comprising switching from a Stateful mode to a Stateless mode when a trigger condition is met, wherein the Stateless mode comprises:
- in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“
  
  seq”
  
  ), sending to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“
  
  ack_seq”
  
  ), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the firewall, IP address information, and a HASH function, wherein the secret value is not known to the second node;
  
  in response to receiving the TCP SYN request packet, sending an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“
  
  seq”
  
  ) equal to the seq of the TCP SYN request packet;
  
  in response to receiving a transport control protocol reset (TCP RST) packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection;
  
  after designating the connection with the second node as an authorized connection, using the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
  
  sending the constructed SYN packet to the first node to further enable a secure connection.
- View Dependent Claims (15, 16)
- - 15. The computer-readable medium of claim 14, wherein the trigger condition comprises memory consumption resulting from connection attempts equaling a threshold value.
  - 16. The computer-readable medium of claim 14, wherein the Stateful mode comprises:
    - in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“
      
      seq”
      
      ), sending to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“
      
      ack_seq”
      
      ), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1; and
      
      in response to receiving a transport control protocol reset (TCP RST) packet from the second node, verifying that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, designating the connection with the second node as an authorized connection.

17. A wireless network enabled to transfer packet data between a wireless node and a data communication network, comprising:
- a wireless network security component, said wireless network security component comprising;
  
  means for sending, in response to receiving a transport control protocol synchronization (TCP SYN) request packet that is sent towards a first node from a second node, said TCP SYN request packet comprising a sequence value (“
  
  seq”
  
  ), to the second node an acknowledgement and synchronization (SYN|ACK) packet, said SYN|ACK packet comprising a seq and an ack_sequence value (“
  
  ack_seq”
  
  ), where ack_seq of the SYN|ACK packet is not equal to the TCP SYN request packet'"'"'s seq+1, wherein the ack_seq of the SYN|ACK packet is determined by a function that utilizes a secret value known to the firewall, IP address information, and a HASH function, wherein the secret value is not known to the second node;
  
  means for verifying, in response to receiving a transport control protocol reset (TCP RST) packet from the second node, that the seq in the TCP RST packet matches the ack_seq of the SYN|ACK packet and, if it does, for designating the connection with the second node as an authorized connection;
  
  means for sending, in response to receiving the TCP SYN request, an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“
  
  seq”
  
  ) equal to the seq of the TCP SYN request packet;
  
  means for using, after designating the connection with the second node as an authorized connection, the seq of an additional received TCP RST packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
  
  means for sending the constructed SYN packet to the first node to further enable a secure connection.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The wireless network of claim 17, wherein a wireless node is the first node and a data communication network is the second node.
  - 19. The wireless network of claim 17, wherein a data communication network is the first node and a wireless node is the second node.
  - 20. The wireless network of claim 17, wherein the ack_seq of the SYN|ACK packet is determined by:
    - ack_seq=make32(HASH(LK|IP|TCP)),where LK is secret value, IP refers to a result of a concatenation of source IP address and destination IP address found in the SYN packet, TCP refers to a result of a concatenation of TCP port numbers, and the function make32 takes the string produced by the HASH function and generates a 32-bit number.
  - 21. The wireless network of claim 17, further comprising:
    - means for sending, in response to receiving the TCP SYN request, an additional transport control protocol (TCP) packet to the second node, where the additional TCP packet does not have a SYN or ACK flag but does comprise a sequence value (“
      
      seq”
      
      ) equal to the seq of the TCP SYN request packet;
      
      means for using, after designating the connection with the second node as an authorized connection, the seq of an additional received transport control protocol reset (TCP RST) packet to construct a synchronization (SYN) packet similar to the original TCP SYN request packet; and
      
      means for sending the constructed SYN packet to the first node to further enable a secure connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Corporation
Original Assignee
Nokia Corporation
Inventors
Swami, Yogesh P., Le, Franck
Primary Examiner(s)
Kumar; Pankaj
Assistant Examiner(s)
BERHANE, YOSIEF H

Application Number

US11/347,335
Publication Number

US 20060230129A1
Time in Patent Office

1,369 Days
Field of Search

726/11, 726/12, 370/401, 370/471, 370/349, 370/220, 370/335, 370/329, 370/352, 370/229, 370/235, 709/227, 709/250, 709/203
US Class Current

370/395.52
CPC Class Codes

H04L 63/1458   Denial of Service

H04W 12/122   Counter-measures against at...

H04W 12/126   Anti-theft arrangements, e....

Apparatus, method and computer program product to reduce TCP flooding attacks while conserving wireless network bandwidth

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus, method and computer program product to reduce TCP flooding attacks while conserving wireless network bandwidth

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links