Securing an access provider

US 7,743,144 B1
Filed: 11/03/2003
Issued: 06/22/2010
Est. Priority Date: 08/24/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method of monitoring access requests to access providers comprising:

observing, using an intermediary device other than an access providing host that assigns resources responsive to inbound access requests, information identifying a requestor based on receipt of the requestor'"'"'s submission of an access request to a first access providing host;

accessing, using the intermediary device, stored information identifying previous requestors, of the first access providing host as well as of other access providing hosts, that are determined to have submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request;

comparing, using the intermediary device, the observed information identifying the requestor to the stored information identifying previous requestors; and

when the comparison reveals that the requestor has submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request, denying, using the intermediary device, the access request submitted by the requestor while denying passage of the access request to the first access providing host,wherein the intermediary device is a switch capable of performing load balancing for the first access providing host as well as the other access providing hosts.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To secure an access provider, communications to/from the access provider are monitored for a partially-completed connection transaction. Detected partially-completed connection transactions are terminated when they remain in existence for a period of time that exceeds a threshold period of time. The monitoring may include detecting partially-completed connection transactions initiated by an access requestor, measuring the period of time that a partially-completed connection transaction remains in existence, comparing the period of time with the threshold period of time, and resetting a communication port located on the access provider.

120 Citations

35 Claims

1. A method of monitoring access requests to access providers comprising:
- observing, using an intermediary device other than an access providing host that assigns resources responsive to inbound access requests, information identifying a requestor based on receipt of the requestor'"'"'s submission of an access request to a first access providing host;
  
  accessing, using the intermediary device, stored information identifying previous requestors, of the first access providing host as well as of other access providing hosts, that are determined to have submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request;
  
  comparing, using the intermediary device, the observed information identifying the requestor to the stored information identifying previous requestors; and
  
  when the comparison reveals that the requestor has submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request, denying, using the intermediary device, the access request submitted by the requestor while denying passage of the access request to the first access providing host,wherein the intermediary device is a switch capable of performing load balancing for the first access providing host as well as the other access providing hosts.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein denying, using the intermediary device, the access request submitted by the requestor while denying passage of the access request to the first access providing host comprises denying, using the intermediary device, the access request submitted by the requestor when the comparison reveals that the requestor has submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request based on a previous access request submitted to an access providing host other than the first access providing host.
  - 3. The method of claim 1 further comprising:
    - denying the access request in response to a determination that a return address included in the access request differs from an actual return address of the requestor'"'"'s device.
  - 4. The method of claim 1 further comprising, when the comparison reveals that the requestor has not submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request, monitoring, using the intermediary device, a partially-completed connection transaction resulting from the access request to determine whether a time out condition occurs prior to requestor submission of an acknowledgement corresponding to the access request.
  - 5. The method of claim 4 further comprising, to the extent that a time out condition is determined to exist, adding, using the intermediary device, information identifying the requestor to the stored information identifying previous requestors for use in comparing against future requestors that submit an access request.

6. A networking device, other than an access providing host that assigns resources responsive to inbound access requests, comprising:
- a processor; and
  
  a memory encoded with machine readable instructions that, when executed by the processor, operate to cause the processor to perform operations comprising;
  
  observing information identifying a requestor based on receipt of the requestor'"'"'s submission of an access request to a first access providing host;
  
  accessing stored information identifying previous requestors, of the first access providing host as well as of other access providing hosts, that are determined to have submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request;
  
  comparing the observed information identifying the requestor to the stored information identifying previous requestors; and
  
  when the comparison reveals that the requestor has submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request, denying the access request submitted by the requestor while denying passage of the access request to the first access providing host,wherein the networking device is a switch capable of performing load balancing for the first access providing host as well as the other access providing hosts.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The networking device of claim 6 wherein denying the access request submitted by the requestor while denying passage of the access request to the first access providing host comprises denying the access request submitted by the requestor when the comparison reveals that the requestor has submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request based on a previous access request submitted to an access providing host other than the first access providing host.
  - 8. The networking device of claim 6 wherein the memory is further encoded with machine readable instructions that, when executed by the processor, operate to cause the processor to perform operations comprising:
    - denying the access request in response to a determination that a return address included in the access request differs from an actual return address of the requestor'"'"'s device.
  - 9. The networking device of claim 6 wherein the memory is further encoded with machine readable instructions that, when executed by the processor, operate to cause the processor to perform operations comprising, when the comparison reveals that the requestor has not submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request, monitoring a partially-completed connection transaction resulting from the access request to determine whether a time out condition occurs prior to requestor submission of an acknowledgement corresponding to the access request.
  - 10. The networking device of claim 9 wherein the memory is further encoded with machine readable instructions that, when executed by the processor, operate to cause the processor to perform operations comprising, to the extent that a time out condition is determined to exist, adding information identifying the requestor to the stored information identifying previous requestors for use in comparing against future requestors that submit an access request.

11. A storage medium encoded with instructions that, when executed by a processing device, operate to cause the processing device to perform operations comprising:
- observing, using an intermediary device other than an access providing host that assigns resources responsive to inbound access requests, information identifying a requestor based on receipt of the requestor'"'"'s submission of an access request to a first access providing host;
  
  accessing, using the intermediary device, stored information identifying previous requestors, of the first access providing host as well as of other access providing hosts, that are determined to have submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request;
  
  comparing, using the intermediary device, the observed information identifying the requestor to the stored information identifying previous requestors; and
  
  when the comparison reveals that the requestor has submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request, denying, using the intermediary device, the access request submitted by the requestor while denying passage of the access request to the first access providing host,wherein the intermediary device is a switch capable of performing load balancing for the first access providing host as well as the other access providing hosts.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The storage medium of claim 11 wherein denying, using the intermediary device, the access request submitted by the requestor while denying passage of the access request to the first access providing host comprises denying, using the intermediary device, the access request submitted by the requestor when the comparison reveals that the requestor has submitted-a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request based on a previous access request submitted to an access providing host other than the first access providing host.
  - 13. The storage medium of claim 11 wherein the storage medium is further encoded with instructions that, when executed by the processing device, operate to cause the processing device to perform operations comprising:
    - denying the access request in response to a determination that a return address included in the access request differs from an actual return address of the requestor'"'"'s device.
  - 14. The storage medium of claim 11 wherein the storage medium is further encoded with instructions that, when executed by the processing device, operate to cause the processing device to perform operations comprising, when the comparison reveals that the requestor has not submitted a previous access request that has timed out prior to submission of an acknowledgement corresponding to the previous access request, monitoring, using the intermediary device, a partially-completed connection transaction resulting from the access request to determine whether a time out condition occurs prior to requestor submission of an acknowledgement corresponding to the access request.
  - 15. The storage medium of claim 14 wherein the storage medium is further encoded with instructions that, when executed by the processing device, operate to cause the processing device to perform operations comprising, to the extent that a time out condition is determined to exist, adding, using the intermediary device, information identifying the requestor to the stored information identifying previous requestors for use in comparing against future requestors that submit an access request.

16. A method of handling connection transactions, the method comprising:
- receiving, at an intermediary device, a connection transaction request from a requestor device that requests access to an access providing host;
  
  using information identifying requestor devices, of other access providing hosts, that previously submitted a partially-completed connection transaction request to determine whether to block the connection transaction request to the access providing host; and
  
  blocking, at the intermediary device, the connection transaction request in response to a determination to block the connection transaction request,wherein the intermediary device is a switch capable of performing load balancing for the access providing host as well as the other access providing hosts.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The method of claim 16 wherein using information identifying requestor devices, of other access providing hosts, that previously submitted a partially-completed connection transaction request to determine whether to block the connection transaction request to the access providing host comprises monitoring connection transaction requests across multiple access providing hosts.
  - 18. The method of claim 17 wherein monitoring connection transaction requests across multiple access providing hosts comprises measuring timing of connection transaction requests across multiple access providing hosts.
  - 19. The method of claim 16 wherein using information identifying requestor devices, of other access providing hosts, that previously submitted a partially-completed connection transaction request to determine whether to block the connection transaction request to the access providing host comprises comparing, at the intermediary device, an identity of the requestor device to information identifying requestor devices, of the access providing host as well as the other access providing hosts, that previously submitted a partially-completed connection transaction request that reached a time out condition prior to receipt of an acknowledgement corresponding to the partially-completed connection transaction request.
  - 20. The method of claim 16 further comprising, in response to a determination not to block the connection transaction request, determining, at the intermediary device, whether the connection transaction request results in a partially-completed connection transaction in which a time out condition is reached prior to receipt of an acknowledgement corresponding to the connection transaction request.
  - 21. The method of claim 20 further comprising, in response to a determination that the connection transaction request has reached a time out condition prior to receipt of an acknowledgement corresponding to the connection transaction request, terminating the connection transaction request.
  - 22. The method of claim 20 further comprising, in response to a determination that the connection transaction request has reached a time out condition prior to receipt of an acknowledgement corresponding to the connection transaction request, adding the requestor device to the information identifying requestor devices that previously submitted a partially-completed connection transaction request to enable blocking of future connection transaction requests received from the requestor device.
  - 23. The method of claim 16 wherein, at the time of blocking the connection transaction request, the intermediary device has not previously received, from the requestor device, a connection transaction request that requested access to the access providing host.
  - 24. The method of claim 16 further comprising delaying termination of a partially-completed connection transaction based on the connection transaction request to allow the intermediary device to continue monitoring communications from the requestor device to the access providing host as well as the other access providing hosts.
  - 25. The method of claim 16 further comprising:
    - blocking, at the intermediary device, the connection transaction request in response to a determination that a return address included in the connection transaction request differs from an actual return address of the requestor device.

26. A networking device comprising:
- a processor; and
  
  a memory encoded with machine readable instructions that, when executed by the processor, operate to cause the processor to perform operations comprising;
  
  receiving a connection transaction request from a requestor device that requests access to an access providing host;
  
  using information identifying requestor devices, of other access providing hosts, that previously submitted a partially-completed connection transaction request to determine whether to block the connection transaction request to the access providing host; and
  
  blocking the connection transaction request in response to a determination to block the connection transaction request,wherein the networking device is a switch capable of performing load balancing for the access providing host as well as the other access providing hosts.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 27. The networking device of claim 26 wherein using information identifying requestor devices, of other access providing hosts, that previously submitted a partially-completed connection transaction request to determine whether to block the connection transaction request to the access providing host comprises monitoring connection transaction requests across multiple access providing hosts.
  - 28. The networking device of claim 27 wherein monitoring connection transaction requests across multiple access providing hosts comprises measuring timing of connection transaction requests across multiple access providing hosts.
  - 29. The networking device of claim 26 wherein using information identifying requestor devices, of other access providing hosts, that previously submitted a partially-completed connection transaction request to determine whether to block the connection transaction request to the access providing host comprises comparing an identity of the requestor device to information identifying requestor devices, of the access providing host as well as the other access providing hosts, that previously submitted a partially-completed connection transaction request that reached a time out condition prior to receipt of an acknowledgement corresponding to the partially-completed connection transaction request.
  - 30. The networking device of claim 26 wherein the memory is further encoded with machine readable instructions that, when executed by the processor, operate to cause the processor to perform operations comprising:
    - in response to a determination not to block the connection transaction request, determining whether the connection transaction request results in a partially-completed connection transaction in which a time out condition is reached prior to receipt of an acknowledgement corresponding to the connection transaction request.
  - 31. The networking device of claim 30 wherein the memory is further encoded with machine readable instructions that, when executed by the processor, operate to cause the processor to perform operations comprising:
    - in response to a determination that the connection transaction request has reached a time out condition prior to receipt of an acknowledgement corresponding to the connection transaction request, terminating the connection transaction request.
  - 32. The networking device of claim 30 wherein the memory is further encoded with machine readable instructions that, when executed by the processor, operate to cause the processor to perform operations comprising:
    - in response to a determination that the connection transaction request has reached a time out condition prior to receipt of an acknowledgement corresponding to the connection transaction request, adding the requestor device to the information identifying requestor devices that previously submitted a partially-completed connection transaction request to enable blocking of future connection transaction requests received from the requestor device.
  - 33. The networking device of claim 26 wherein, at the time of blocking the connection transaction request, the networking device has not previously received, from the requestor device, a connection transaction request that requested access to the access providing host.
  - 34. The networking device of claim 26 wherein the memory is further encoded with machine readable instructions that, when executed by the processor, operate to cause the processor to perform operations comprising:
    - delaying termination of a partially-completed connection transaction based on the connection transaction request to allow the networking device to continue monitoring communications from the requestor device to the access providing host as well as the other access providing hosts.
  - 35. The networking device of claim 26 wherein the memory is further encoded with machine readable instructions that, when executed by the processor, operate to cause the processor to perform operations comprising:
    - blocking the connection transaction request in response to a determination that a return address included in the connection transaction request differs from an actual return address of the requestor device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
AOL Inc. (Apollo Global Management, Inc.), Foundry Networks Incorporated (Broadcom, Inc.)
Inventors
Rolon, Terry, Robertson, Jonathan K., Hufford, Patrick, Stehnach, Thomas, Jalan, Rajkumar, Wright, Christopher J.
Primary Examiner(s)
Kang; Paul H
Assistant Examiner(s)
Shingles; Kristie D

Application Number

US10/698,933
Time in Patent Office

2,423 Days
Field of Search

709/224, 709/227, 709/217, 709/223, 709/225, 714/4
US Class Current

709/225
CPC Class Codes

H04L 45/50   using label swapping, e.g. ...

H04L 47/822   Collecting or measuring res...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

Securing an access provider

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

120 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Securing an access provider

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

120 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links