Symmetric connection detection

US 7,623,466 B2
Filed: 04/20/2006
Issued: 11/24/2009
Est. Priority Date: 04/20/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A system for identifying establishment of a connection between a source host with a source address (Src) and a destination host with a destination address (Dst) in a data network, comprising:

a flow identification unit for calculating a flow descriptor unique to said connection based on connection set-up datagrams exchanged between said source host and said destination host;

storage means, for storing said flow descriptor based on a relationship between said Src and Dst;

an access interface to said storage means for providing a flow present indication if said flow descriptor is found in said storage means; and

a controller for controlling operation of said flow identification unit and said access interface and determining that said connection has been established based on said relationship and on said flow present indication,wherein said storage means comprises a first container for storing flow descriptors obtained from connection set-up datagrams with a Src>

Dst, and a second container for storing flow descriptors obtained from connection set-up datagrams with a Src<

Dst.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Symmetric Connection Detection (SCD) is a method of detecting when a connection has been fully established in a resource-constrained environment, and works in high-speed routers, at line speed. Many network monitoring applications are only interested in connections that become fully established, so other connection attempts, such as port scanning attempts, simply waste resources if not filtered. SCD filters out unsuccessful connection attempts using a simple combination of Bloom filters to track the state of connection establishment for every flow in the network. Unsuccessful flows can be filtered out to a very high degree of accuracy, depending on the size of the bloom filter and traffic rate. The SCD methodology can also easily be adapted to accomplish port scan detection, and to detect or filter other types of invalid TCP traffic.

17 Citations

View as Search Results

18 Claims

1. A system for identifying establishment of a connection between a source host with a source address (Src) and a destination host with a destination address (Dst) in a data network, comprising:
- a flow identification unit for calculating a flow descriptor unique to said connection based on connection set-up datagrams exchanged between said source host and said destination host;
  
  storage means, for storing said flow descriptor based on a relationship between said Src and Dst;
  
  an access interface to said storage means for providing a flow present indication if said flow descriptor is found in said storage means; and
  
  a controller for controlling operation of said flow identification unit and said access interface and determining that said connection has been established based on said relationship and on said flow present indication,wherein said storage means comprises a first container for storing flow descriptors obtained from connection set-up datagrams with a Src>
  
  Dst, and a second container for storing flow descriptors obtained from connection set-up datagrams with a Src<
  
  Dst.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein said flow identification unit comprises:
    - a detection unit for detecting a connection set-up datagram for said connection; and
      
      a flow descriptor calculating unit for calculating said flow descriptor from address data extracted from said connection set-up datagram.
  - 3. The system of claim 1, wherein said access interface comprises a flow storing mechanism for storing said flow descriptor in said first container if said flow descriptor is not already stored in said second container.
  - 4. The system of claim 1, wherein said access interface comprises:
    - a search mechanism for performing a look-up in said second container for a flow descriptor obtained from connection set-up datagrams with a Src >
      
      Dst, and performing a look-up in said first container for a flow descriptor obtained from connection set-up datagrams with a Src <
      
      Dst.
  - 5. The system of claim 1, further comprising a flow removal mechanism for removing all flow descriptors from said storage means after a preset amount of time.
  - 6. The system of claim 1, further comprising flow monitoring means for monitoring said connection once said control unit acknowledges that said connection has been established.
  - 7. The system of claim 1, wherein said flow identification unit is capable of calculating said flow descriptor from connection release datagrams, and wherein said control unit is capable of establishing that a respective connection has been released based on said flow descriptor calculated from the connection release datagrams.
  - 8. The system of claim 1, wherein said containers are Bloom filters having a plurality of small counter elements.

9. A system for identifying establishment of a connection between a source host with a source address (Src) and a destination host with a destination address (Dst) in a data network, comprising:
- a flow identification unit for calculating a flow descriptor unique to said connection based on connection set-up datagrams exchanged between said source host and said destination host;
  
  storage means, for storing said flow descriptor based on a relationship between said Src and Dst;
  
  an access interface to said storage means for providing a flow present indication if said flow descriptor is found in said storage means; and
  
  a controller for controlling operation of said descriptor calculating unit and said access interface and determining that said connection has been established based on said relationship and on said flow present indication,wherein said controller informs said access interface if the source address Src in said set-up datagram is greater than the destination address Dst.

10. A method for identifying establishment of a connection in a data network between a source host with a source address (Src) and a destination host with a destination address (Dst), comprising:
- detecting a first connection set-up datagram transmitted from said source host to said destination host and identifying said connection set-up datagram as a connection request;
  
  detecting a second connection set-up datagram transmitted from said destination host to said source host and identifying said second connection set-up datagram as a request acknowledged datagram;
  
  generating a connection established indication if both said connection request datagram and said request acknowledged datagram have been identified in this orderwherein detecting a first connection set-up datagram comprises;
  
  providing a first container for tracking connections with Src >
  
  Dst and a second container for tracking connections with Src <
  
  Dst;
  
  determining if a source address Src₁in said first connection set-up datagram is greater than a the destination address Dst₁in said first connection set-up datagram;
  
  calculating a flow descriptor unique to said connection from said first connection set-up datagram; and
  
  storing said first flow descriptor in said first container if Src₁>
  
  Dst₁and storing said first flow descriptor in said second container if Src₁<
  
  Dst₁.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, further comprising triggering traffic flow monitoring activities of interest for the respective connection in response to said connection established indication.
  - 12. The method of claim 10, wherein said detecting a second connection set-up datagram comprises:
    - determining if a source address Src₂in said second connection set-up datagram is greater than a destination address Dst₂in said second connection set-up datagram;
      
      calculating a flow descriptor from said second connection set-up datagram;
      
      whenever Src₂>
      
      Dst₂, searching if said flow descriptor is already stored in said second container; and
      
      providing a flow present indication if said flow descriptor is already stored in said second container, confirming that said source host and destination host have exchanged said connection request and request acknowledge datagrams,wherein said flow present indication enables said generating a connection established indication.
  - 13. The method of claim 12, further comprising storing said flow descriptor calculated from said second connection set-up datagram in said first container.
  - 14. The method of claim 12, further comprising removing said flow descriptor calculated from said first connection set-up datagram from said second container.
  - 15. The method of claim 10, wherein said detecting a second connection set-up datagram transmitted from said destination host to said source host and identifying said second connection set-up datagram as a request acknowledged datagram comprises:
    - determining if a source address Src₂in said second connection set-up datagram is greater than a destination address Dst₂in said second connection set-up datagram;
      
      calculating a flow descriptor from said second connection set-up datagram;
      
      whenever Src₂<
      
      Dst₂, searching if said flow descriptor is already stored in said first container;
      
      and providing a flow present indication if said flow descriptor is already stored in said first container, confirming that said source host and destination host exchanged said connection request and request acknowledge datagrams,wherein said flow present indication enables said generating a connection established indication.
  - 16. The method of claim 15, further comprising storing said flow descriptor calculated from said second connection set-up datagram in said second container.
  - 17. The method of claim 15, further comprising removing said flow descriptor calculated from said first connection set-up datagram from said first container.
  - 18. The method of claim 10, further comprising removing all said flow descriptors from said first and second containers at predetermined intervals of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Whitehead, Bradley James
Primary Examiner(s)
Ryman; Daniel J.
Assistant Examiner(s)
BLANTON, JOHN D

Application Number

US11/407,221
Publication Number

US 20070248084A1
Time in Patent Office

1,314 Days
Field of Search

370/389
US Class Current

370/250
CPC Class Codes

H04L 63/1466   Active attacks involving in...

H04L 67/14   Session management for real...

H04L 67/306   User profiles

Symmetric connection detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Symmetric connection detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others