Method and system for addressing attacks on a computer connected to a network

US 7,854,000 B2
Filed: 10/26/2004
Issued: 12/14/2010
Est. Priority Date: 10/26/2004
Status: Active Grant

First Claim

Patent Images

1. A method for addressing attacks on a computer connected to a network comprising:

receiving at a router a TCP SYN request to be screened;

comparing the received TCP SYN request to be screened to at least one stored tuple representative of one or more SYN requests previously received at the router and determining that the received TCP SYN request to be screened matches the stored tuple; and

in response to the determination that the received TCP SYN request to be screened matches the stored tuple, incrementing a counter associated with the stored tuple; and

in response to the counter reaching a threshold;

preventing the router from sending a TCP SYN+ACK response in response to the TCP SYN request to be screened;

dropping the TCP SYN request to be screened; and

preventing the router from allocating a transmission control block (TCB) for the TCP SYN request to be screened.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for addressing attacks on a computer connected to a network includes receiving at a router a TCP SYN request to be screened. The method also includes comparing the received TCP SYN request to be screened to at least one stored tuple representative of one or more SYN requests previously received at the router and determining that the received TCP SYN request to be screened matches the stored tuple. In response to determining that the received TCP SYN request to be screened matches the stored tuple, the TCP SYN+ACK response is prevented from being sent by the router in response to the TCP SYN request to be screened.

16 Citations

View as Search Results

42 Claims

1. A method for addressing attacks on a computer connected to a network comprising:
- receiving at a router a TCP SYN request to be screened;
  
  comparing the received TCP SYN request to be screened to at least one stored tuple representative of one or more SYN requests previously received at the router and determining that the received TCP SYN request to be screened matches the stored tuple; and
  
  in response to the determination that the received TCP SYN request to be screened matches the stored tuple, incrementing a counter associated with the stored tuple; and
  
  in response to the counter reaching a threshold;
  
  preventing the router from sending a TCP SYN+ACK response in response to the TCP SYN request to be screened;
  
  dropping the TCP SYN request to be screened; and
  
  preventing the router from allocating a transmission control block (TCB) for the TCP SYN request to be screened.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the stored tuple is representative of a plurality of SYN requests previously received at the router that have the same indicated source.
  - 3. The method of claim 1, wherein the stored tuple is representative of a plurality of SYN requests previously received at the router that have the same indicated source and destination.
  - 4. The method of claim 1, wherein the plurality of SYN requests comprises at least 100 SYN requests received by the router no more than 30 seconds before receiving the received TCP SYN request to be screened.
  - 5. The method of claim 1, wherein the at least one tuple is stored in a first cache.
  - 6. The method of claim 5, and further comprising moving the at least one tuple into the first cache from a second cache.
  - 7. The method of claim 5, and further comprising moving the at least one tuple into the first cache from a second cache in response to determining that a plurality of TCP SYN requests matching the at least one tuple have been received by the router within a period of 10 seconds.
  - 8. The method of claim 5, and further comprising moving the at least one tuple into the first cache from a second cache in response to detetinining that a plurality of TCP SYN requests matching the at least one tuple have been received by the router and retained in the second cache.
  - 9. The method of claim 6, and further comprising setting a threshold timer when the number of SYN requests matching the at least one tuple stored in the first cache exceeds a particular number within a particular timeframe.
  - 10. The method of claim 9, wherein the act of preventing response to the TCP SYN request to be screened comprises preventing the TCP SYN request to be screened only if the threshold timer is set and has not expired.
  - 11. The method of claim 1, and further comprising storing the source MAC address for the received TCP SYN request to be screened in identifying the source of the received TCP SYN request to be screened.

12. A system for addressing attacks on a computer connected to a network comprising:
- a non-transitory computer-readable medium;
  
  a first cache; and
  
  a computer program stored in the non-transitory computer readable medium operable to;
  
  receive a TCP SYN request to be screened;
  
  compare the received TCP SYN request to be screened to at least one tuple stored in the first cache that is representative of one or more SYN requests previously received at the system and determine that the received TCP SYN request to be screened matches the stored tuple; and
  
  in response to the determination that the received TCP SYN request matches the stored tuple, increment a counter associated with the stored tuple; and
  
  in response to the counter reaching a threshold;
  
  prevent the system from sending a TCP SYN+ACK response in response to the TCP SYN request to be screened;
  
  drop the TCP SYN request to be screened; and
  
  prevent the system from allocating a transmission control block (TCB) for the TCP SYN request to be screened.
- View Dependent Claims (13, 14, 15, 16, 17, 19, 20, 21)
- - 13. The system of claim 12, wherein the tuple is representative of a plurality of SYN requests previously received at the system that have the same indicated source.
  - 14. The system of claim 12, wherein the stored tuple is representative of a plurality of SYN requests previously received at the router that have the same indicated source and destination.
  - 15. The system of claim 12, wherein the plurality of SYN requests comprise at least 100 SYN requests received by the router no more than 30 seconds before receiving the received TCP SYN request to be screened.
  - 16. The system of claim 12, and further comprising a second cache and wherein the computer program is further operable to move the at least one tuple into the first cache from the second cache.
  - 17. The system of claim 12, and further comprising a second cache and wherein the computer program is further operable to move the at least one tuple into the first cache from the second cache in response to determining that a plurality of TCP SYN requests matching the at least one tuple have been received by the system within a period of 10 seconds.
  - 19. The system of claim 16, wherein the computer program is further operable to set a threshold timer when the number of SYN requests matching the at least one tuple stored in the first cache exceeds a particular number within a particular timeframe.
  - 20. The system of claim 19, wherein the computer program is operable to prevent response to the TCP SYN requests by preventing the TCP SYN request only if the threshold timer is set and has not expired.
  - 21. The system of claim 12, wherein the computer program is further operable to store the source MAC address for the received TCP SYN request to be screened and identify the source of the received TCP SYN request to be screened.

18. The system of Clam 12, and further comprising a second cache and wherein the computer program is operable to move the at least one tuple into the first cache from a second cache in response to determining that a plurality of TCP SYN requests matching the at least one tuple have been received by the system and retained in the second cache.

22. Logic encoded in a non-transitory computer readable medium configured, when executed, to:
- receive a TCP SYN request to be screened;
  
  compare the received TCP SYN request to be screened to at least one stored tuple representative of one or more SYN requests previously received and determine that the received TCP SYN request to be screened matches the stored tuple; and
  
  in response to the determination that the received TCP SYN request matches the stored tuple, increment a counter associated with the stored tuple; and
  
  in response to the counter reaching a threshold;
  
  prevent sending a TCP SYN+ACK response in response to the TCP SYN request to be screened;
  
  drop the TCP SYN request to be screened; and
  
  prevent allocating a transmission control block (TCB) for the TCP SYN request to be screened.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 23. The logic of claim 22, wherein the stored tuple is representative of a plurality of SYN requests previously received that have the same indicated source.
  - 24. The logic of claim 22, wherein the stored tuple is representative of a plurality of SYN requests previously received that have the same indicated source and destination.
  - 25. The logic of claim 22, wherein the plurality of SYN requests comprise at least 100 SYN requests received no more than 30 seconds before receiving the received TCP SYN request to be screened.
  - 26. The logic of claim 22, the at least one tuple is stored in a first cache.
  - 27. The logic of claim 26, wherein the logic is further configured to move the at least one tuple into the first cache from a second cache.
  - 28. The logic of claim 26, wherein the logic is further configured to move the at least one tuple into the first cache from a second cache in response to determining a plurality of TCP SYN requests matching the at least one tuple have been received by within a period of 10 seconds.
  - 29. The logic of claim 26, and further comprising moving the at least one tuple into the first cache from a second cache in response to determining that a plurality of TCP SYN requests matching the at least one tuple have been received and retained in the second cache.
  - 30. The logic of claim 27, and further comprising setting a threshold timer when the number of SYN requests matching the at least one tuple stored in the first cache exceeds a particular number within a particular timeframe.
  - 31. The logic of claim 30, wherein the logic is further configured to prevent response to the TCP SYN request by preventing the TCP SYN request only if the threshold timer is set and has not expired.
  - 32. The logic of claim 22, wherein the logic is further configured to store the source MAC address for the received TCP SYN request to be screened and identify the source of the received TCP SYN request to be screened.

33. A router comprising:
- a routing unit configured to receive and transmit packets;
  
  a first cache; and
  
  an attack mitigator configured to;
  
  receive a TCP SYN request to be screened;
  
  compare the received TCP SYN request to be screened to at least one tuple stored in the first cache that is representative of one or more SYN requests previously received at the router and determine that the received TCP SYN request to be screened matches the stored tuple; and
  
  in response to the determination that the received TCP SYN request matches the stored tuple, increment a counter associated with the stored tuple; and
  
  in response to the counter reaching a threshold;
  
  prevent the router from sending a TCP SYN+ACK response in response to the TCP SYN request to be screened;
  
  drop the TCP SYN request to be screened; and
  
  prevent the router from allocating a transmission control block (TCB) for the TCP SYN request to be screened.
- View Dependent Claims (34, 35, 36, 37, 38, 40, 41)
- - 34. The router of claim 33, wherein the tuple is representative of a plurality of SYN requests previously received at the router that have the same indicated source.
  - 35. The router of claim 33, wherein the stored tuple is representative of a plurality of SYN requests previously received at the router that have the same indicated source and destination.
  - 36. The router of claim 33, wherein the plurality of SYN requests comprise at least 100 SYN requests received by the router no more than 30 seconds before receiving the received TCP SYN request to be screened.
  - 37. The router of claim 33, and further comprising a second cache and wherein an attack mitigator is further configured to move the at least one tuple into the first cache from the second cache.
  - 38. The router of claim 33, and further comprising a second cache and wherein an attack mitigator is further configured to move the at least one tuple into the first cache from the second cache in response to determining that a plurality of TCP SYN requests matching the at least one tuple have been received by the system within a period of 10 seconds.
  - 40. The router of claim 33, wherein an attack mitigator is further configured to set a threshold timer when the number of SYN requests matching the at least one tuple stored in the first cache exceeds a particular number within a particular timeframe.
  - 41. The router of claim 33, wherein an attack mitigator is configured to prevent response to the TCP SYN requests by preventing the TCP SYN+ACK response only if the threshold timer is set and has not expired.

39. The router of Clam 33, and further comprising a second cache and wherein an attack mitigator is configured to move the at least one tuple into the first cache from a second cache in response to determining that a plurality of TCP SYN requests matching the at least one tuple have been received by the system and retained in the second cache.

42. A system for addressing attacks on a computer connected to a network comprising:
- means for receiving at a router a TCP SYN request to be screened;
  
  means for comparing the received TCP SYN request to be screened to at least one stored tuple representative of one or more SYN requests previously received at the router and for determining that the received TCP SYN request to be screened matches the stored tuple; and
  
  means for incrementing a counter associated with the stored tuple; and
  
  in response to the counter reaching a threshold;
  
  means for preventing the router from sending a TCP SYN+ACK response in response to the TCP SYN request to be screened;
  
  means for dropping the TCP SYN request to be screened; and
  
  means for preventing the router from allocating a transmission control block (TCB) for the TCP SYN request to be screened.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Venkat, Balaji, Raman, Shankar, Ramani, Venkat, Subramanian, Srinivas
Primary Examiner(s)
Homayounmehr; Farid
Assistant Examiner(s)
Shaifer Harriman; Dant B

Application Number

US10/973,188
Publication Number

US 20060168649A1
Time in Patent Office

2,240 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Method and system for addressing attacks on a computer connected to a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for addressing attacks on a computer connected to a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links