Using TCP to authenticate IP source addresses

US 7,979,694 B2
Filed: 03/02/2004
Issued: 07/12/2011
Est. Priority Date: 03/03/2003
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating an Internet Protocol (IP) source address in a Transmission Control Protocol (TCP) communication directed over a network to a target computer, the method comprising:

intercepting a SYN request packet from the IP source address to open a connection to the target computer in accordance with a TCP three-way handshake procedure;

sending to the IP source address a reply to the intercepted SYN request packet that deviates from the three-way TCP handshake procedure by sending a TCP ACK packet as a reply to the intercepted SYN request packet instead of a SYN ACK packet when opening a new TCP connection;

analyzing a response from the IP source address to the TCP ACK reply in order to make an assessment of legitimacy of the IP source address; and

upon determining, based on the assessment, that the IP source address is legitimate, permitting the target computer to complete the handshake procedure so as to open the connection with the IP source address.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating communication traffic includes intercepting a request directed over a network from a source address to open a connection to a target computer in accordance with a handshake procedure specified by a predetermined communication protocol. A reply to the request that deviates from the specified handshake procedure is sent to the source address. A response from the source address to the reply is analyzed in order to make an assessment of legitimacy of the source address. Upon determining, based on the assessment, that the source address is legitimate, the target computer is permitted to complete the handshake procedure so as to open the connection with the source address.

134 Citations

View as Search Results

69 Claims

1. A method for authenticating an Internet Protocol (IP) source address in a Transmission Control Protocol (TCP) communication directed over a network to a target computer, the method comprising:
- intercepting a SYN request packet from the IP source address to open a connection to the target computer in accordance with a TCP three-way handshake procedure;
  
  sending to the IP source address a reply to the intercepted SYN request packet that deviates from the three-way TCP handshake procedure by sending a TCP ACK packet as a reply to the intercepted SYN request packet instead of a SYN ACK packet when opening a new TCP connection;
  
  analyzing a response from the IP source address to the TCP ACK reply in order to make an assessment of legitimacy of the IP source address; and
  
  upon determining, based on the assessment, that the IP source address is legitimate, permitting the target computer to complete the handshake procedure so as to open the connection with the IP source address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein intercepting the request comprises intercepting a first incoming packet comprising a field that is indicative of a number of hops traversed by the first incoming packet since having been sent from the source address, and making a record of a first value of the field appearing in the first incoming packet, andwherein analyzing the response comprises receiving a second incoming packet from the source address, and reading from the second incoming packet a second value of the field that is indicative of the number of hops traversed by the second incoming packet, and comparing the first and second values of the field in order to assess the legitimacy of the source address.
  - 3. The method according to claim 2, wherein making the record comprises encoding the first value of the field in an outgoing packet, and wherein sending the reply comprises sending the outgoing packet to the source address, so as to cause the encoded first value to be incorporated in the second incoming packet.
  - 4. The method according to claim 2, wherein the first, second and third packets are Internet Protocol (IP) packets, and wherein the field comprises a Time-To-Live (TTL) field in a header of the IP packets.
  - 5. The method according to claim 4, wherein the protocol comprises a Transmission Control Protocol (TCP), and wherein encoding the first value comprises encoding the first value of the TTL field in an acknowledgment number field in a TCP header of the second packet.
  - 6. The method according to claim 1, wherein intercepting the request comprises intercepting a first packet comprising a sequence number, andwherein sending the reply comprises sending a second packet to the source address, acknowledging the first packet and containing an acknowledgment number based on the sequence number in accordance with the protocol, andwherein analyzing the response comprises disqualifying the source address if the source address responds to the second packet.
  - 7. The method according to claim 6, wherein analyzing the response comprises determining the source address to be legitimate if the source address retransmits the first packet without responding to the second packet.
  - 8. The method according to claim 1, and comprising opening a proxy connection between a guard device and the source address, and permitting the source address to access the target computer only via the proxy connection as long as the legitimacy of the source address is not established.
  - 9. The method according to claim 8, and comprising making a determination that the source address is legitimate responsively to use of the proxy connection, and responsively to the determination, causing the connection to be opened directly between the source address and the target computer while closing the proxy connection.

10. A method for authenticating communication traffic, comprising:
- intercepting a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP) three-way handshake procedure;
  
  reading from the SYN packet a first value of a Time-To-Live (TTL) field;
  
  sending to the IP source address a reply to the intercepted SYN request packet that deviates from the TCP three-way handshake procedure by sending a TCP ACK packet as a reply to the intercepted SYN request packet instead of a SYN ACK packet to the source address when opening a new TCP connection, while encoding the first value of the TTL field in a TCP acknowledgment number of the ACK packet;
  
  receiving a TCP RST packet sent from the source address in response to the ACK packet;
  
  reading a TCP sequence number and a second value of the TTL field from the RST packet; and
  
  comparing the TCP sequence number to the second value of the TTL field in order to assess legitimacy of the source address.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method according to claim 10, wherein comparing the TCP sequence number comprises decoding the TCP sequence number in order to recover the first value of the TTL field, and determining the source address to be legitimate if the first and second values of the TTL field are equal to within a predetermined tolerance.
  - 12. The method according to claim 10, and comprising sending a TCP SYN-ACK packet to the source address after a timeout period and, upon receiving an incoming TCP ACK packet from the source address in response to the SYN-ACK packet, permitting the source address to communicate with the target computer even if no RST packet was received in response to the ACK packet sent to the source address.
  - 13. The method according to claim 12, wherein permitting the source address to communicate comprises opening a TCP proxy connection between a guard device and the source address, and permitting the source address to access the target computer via the proxy connection.
  - 14. The method according to claim 10, and comprising, upon failing to determine the source address to be legitimate based upon receiving the RST packet:
    - reading a TCP sequence number from the SYN packet;
      
      sending a further ACK packet to the source address, while setting a TCP acknowledgment number of the further ACK packet to a value greater by one than the sequence number of the SYN packet; and
      
      assessing the legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
  - 15. The method according to claim 10, and comprising permitting the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

16. A method for authenticating communication traffic, comprising:
- intercepting a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP) three-way handshake procedure, the SYN packet comprising a TCP sequence number;
  
  sending to the IP source address a reply to the intercepted SYN request packet that deviates from the TCP three-way handshake procedure by sending a first TCP ACK packet as a reply to the intercepted SYN request packet instead of a SYN ACK packet to the source address when opening a new TCP connection, while setting a TCP acknowledgment number of the first ACK packet to a first value that is not greater by one than the sequence number of the SYN packet;
  
  receiving a TCP RST packet sent from the source address in response to the first ACK packet;
  
  responsively to receiving the TCP RST packet, sending a second ACK packet to the source address, while setting the TCP acknowledgment number of the second ACK packet to a second value that is greater by one than the sequence number of the SYN packet; and
  
  assessing legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
- View Dependent Claims (17)
- - 17. The method according to claim 16, wherein assessing the legitimacy of the source address comprises determining the source address to be legitimate if a further TCP RST packet is not received from the source address in response to the second ACK packet.

18. A method for authenticating communication traffic, comprising:
- intercepting a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP) three-way handshake procedure;
  
  reading a TCP sequence number from the intercepted SYN packet;
  
  sending to the IP source address a reply to the intercepted SYN request packet that deviates from the TCP three-way handshake procedure by sending a TCP ACK packet as a reply to the intercepted SYN request packet instead of a SYN ACK packet to the source address when opening a new TCP connection, while setting a TCP acknowledgment number of the ACK packet to a value greater by one than the sequence number of the SYN packet; and
  
  upon receiving a TCP RST packet sent from the source address in response to the ACK packet, determining the source address to be illegitimate.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The method according to claim 18, and comprising receiving a retransmission of the SYN packet from the source address after a timeout, without having received the RST packet, and permitting the source address to make a TCP connection with the target computer responsively to the retransmission.
  - 20. The method according to claim 18, wherein sending the TCP ACK packet comprises sending a first ACK packet, the method further comprising:
    - reading from the SYN packet a first value of a Time-To-Live (TTL) field;
      
      in reply to the SYN packet, sending a second ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet;
      
      receiving a further TCP RST packet sent from the source address in response to the second ACK packet;
      
      reading the TCP sequence number and a second value of the TTL field from the further RST packet; and
      
      comparing the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 21. The method according to claim 18, wherein intercepting the SYN packet comprises intercepting a first SYN packet, and wherein sending the TCP ACK packet comprises sending a first ACK packet, the method further comprising:
    - intercepting a second SYN packet from the source address, subsequent to the first SYN packet;
      
      reading from the second SYN packet a first value of a Time-To-Live (TTL) field;
      
      in reply to the second SYN packet, sending a second ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet;
      
      receiving a further TCP RST packet sent from the source address in response to the second ACK packet;
      
      reading the TCP sequence number and a second value of the TTL field from the further RST packet; and
      
      comparing the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 22. The method according to claim 21, wherein intercepting the second SYN packet comprises receiving a retransmission of the first SYN packet from the source address, without having received the RST packet.
  - 23. The method according to claim 18, and comprising permitting the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

24. Apparatus for authenticating an Internet Protocol (IP) source address in a Transmission Control Protocol (TCP) communication directed over a network to a target computer, comprising a guard device, which is coupled to intercept a SYN request from the IP source address to open a connection to the target computer in accordance with a TCP three-way handshake procedure, and is adapted to send to the IP source address a reply to the intercepted SYN request packet that deviates from the handshake procedure by sending a TCP ACK packet as a reply to the intercepted SYN request packet instead of a SYN ACK packet when opening a new TCP connection, to analyze a response from the IP source address to the TCP ACK reply in order to make an assessment of legitimacy of the IP source address, and upon determining, based on the assessment, that the IP source address is legitimate, to permit the target computer to complete the handshake procedure so as to open the connection with the IP source address.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32)
- - 25. The apparatus according to claim 24, wherein the request comprises a first incoming packet comprising a field that is indicative of a number of hops traversed by the first packet since having been sent from the source address, andwherein the guard device is adapted to make a record of a first value of the field appearing in the first incoming packet, and to read from the second incoming packet a second value of the field that is indicative of the number of hops traversed by the second incoming packet, and to compare the first and second values of the field in order to assess the legitimacy of the source address.
  - 26. The apparatus according to claim 25, wherein the reply comprises an outgoing packet sent to the source address, and wherein the guard device is adapted to encode the first value of the field in the outgoing packet, so as to cause the encoded first value to be incorporated in the second incoming packet.
  - 27. The apparatus according to claim 25, wherein the first, second and third packets are Internet Protocol (IP) packets, and wherein the field comprises a Time-To-Live (TTL) field in a header of the IP packets.
  - 28. The apparatus according to claim 27, wherein the protocol comprises a Transmission Control Protocol (TCP), and wherein the guard device is adapted to encode the first value of the TTL field in an acknowledgment number field in a TCP header of the second packet.
  - 29. The apparatus according to claim 24, wherein the request comprises a first packet comprising a sequence number, andwherein the reply comprises a second packet, sent by the guard device to the source address, such that the second packet acknowledges the first packet and contains an acknowledgment number based on the sequence number in accordance with the protocol, andwherein the guard device is adapted to disqualify the source address if the source address responds to the second packet.
  - 30. The apparatus according to claim 29, wherein the guard device is adapted to determine the source address to be legitimate if the source address retransmits the first packet without responding to the second packet.
  - 31. The apparatus according to claim 24, wherein the guard device is adapted to open a proxy connection with the source address, and to permit the source address to access the target computer only via the proxy connection as long as the legitimacy of the source address is not established.
  - 32. The apparatus according to claim 31, wherein the guard device is adapted to make a determination that the source address is legitimate responsively to use of the proxy connection, and responsively to the determination, to cause the connection to be opened directly between the source address and the target computer while closing the proxy connection.

33. Apparatus for authenticating communication traffic, comprising a guard device, which is coupled to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP) three-way handshake procedure, and is adapted to read from the intercepted SYN packet a first value of a Time-To-Live (TTL) field, and in reply to the intercepted SYN packet, to send a reply to the intercepted SYN request packet that deviates from the TCP three-way handshake procedure by sending a TCP ACK packet as a reply to the intercepted SYN packet instead of a SYN ACK packet to the source address when opening a new TCP connection, while encoding the first value of the TTL field in a TCP acknowledgment number of the ACK packet,wherein the guard device is coupled to receive a TCP RST packet sent from the source address in response to the ACK packet, and is adapted to read a TCP sequence number and a second value of the TTL field from the RST packet, and to compare the TCP sequence number to the second value of the TTL field in order to assess legitimacy of the source address.
- View Dependent Claims (34, 35, 36, 37, 38)
- - 34. The apparatus according to claim 33, wherein the guard device is adapted to decode the TCP sequence number in order to recover the first value of the TTL field, and to determine the source address to be legitimate if the first and second values of the TTL field are equal to within a predetermined tolerance.
  - 35. The apparatus according to claim 33, wherein the guard device is further adapted to send a TCP SYN-ACK packet to the source address after a timeout period and, upon receiving an incoming TCP ACK packet from the source address in response to the SYN-ACK packet, to permit the source address to communicate with the target computer even if no RST packet was received in response to the ACK packet sent to the source address.
  - 36. The apparatus according to claim 35, wherein the guard device is adapted to open a TCP proxy connection between the guard device and the source address, and to permit the source address to access the target computer via the proxy connection.
  - 37. The apparatus according to claim 33, and wherein the guard device is adapted, upon failing to determine the source address to be legitimate based upon receiving the RST packet, to read a TCP sequence number from the SYN packet, to send a further ACK packet to the source address, while setting a TCP acknowledgment number of the further ACK packet to a value greater by one than the sequence number of the SYN packet, and to assess the legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
  - 38. The apparatus according to claim 33, wherein the guard device is adapted to permit the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

39. Apparatus for authenticating communication traffic, comprising a guard device, which is coupled to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP) three-way handshake procedure, the SYN packet comprising a TCP sequence number, and which is adapted to send to the IP source address a reply to the intercepted SYN request packet that deviates from the TCP three-way handshake procedure by sending a first TCP ACK packet as a reply to the intercepted SYN packet instead of a SYN ACK packet to the source address when opening a new TCP connection, while setting a TCP acknowledgment number of the first ACK packet to a first value that is not greater by one than the sequence number of the SYN packet, and which is further adapted, upon receiving a TCP RST packet sent from the source address in response to the first ACK packet, to send a second ACK packet to the source address, while setting the TCP acknowledgment number of the second ACK packet to a second value that is greater by one than the sequence number of the SYN packet, and to assess legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
- View Dependent Claims (40)
- - 40. The apparatus according to claim 39, wherein the guard device is adapted to determine the source address to be legitimate if a further TCP RST packet is not received from the source address in response to the second ACK packet.

41. Apparatus for authenticating communication traffic, comprising a guard device, which is coupled to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP) three-way handshake procedure, and which is adapted to read a TCP sequence number from the intercepted SYN packet, to send to the IP source address a reply to the intercepted SYN request packet that deviates from the TCP three-way handshake procedure by sending a TCP ACK packet as a reply to the intercepted SYN packet instead of a SYN ACK packet to the source address when opening a new TCP connection, while setting a TCP acknowledgment number of the ACK packet to a value greater by one than the sequence number of the SYN packet, and to determine the source address to be illegitimate upon receiving a TCP RST packet sent from the source address in response to the ACK packet.
- View Dependent Claims (42, 43, 44, 45, 46)
- - 42. The apparatus according to claim 41, wherein the guard device is adapted to permit the source address to make a TCP connection with the target computer responsively to the retransmission upon receiving a retransmission of the SYN packet from the source address after a timeout, without having received the RST packet.
  - 43. The apparatus according to claim 41, wherein the TCP ACK packet sent by the guard device is a first ACK packet, and wherein the guard device is further adapted to read from the SYN packet a first value of a Time-To-Live (TTL) field, and in reply to the SYN packet, to send a second ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet, andwherein the guard device is coupled to receive a further TCP RST packet sent from the source address in response to the second ACK packet, and is adapted to read the TCP sequence number and a second value of the TTL field from the further RST packet, and to compare the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 44. The apparatus according to claim 41, wherein the intercepted SYN packet comprises a first SYN packet, and wherein the TCP ACK packet sent by the guard device is a first ACK packet, andwherein the guard device is coupled to intercept a second SYN packet from the source address, subsequent to the first SYN packet, and is adapted to read from the second SYN packet a first value of a Time-To-Live (TTL) field, and to send a second ACK packet to the source address in reply to the second SYN packet, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet, andwherein the guard device is coupled to receive a further TCP RST packet sent from the source address in response to the second ACK packet, and is adapted to read the TCP sequence number and a second value of the TTL field from the further RST packet, and to compare the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 45. The apparatus according to claim 44, wherein the second SYN packet comprises a retransmission of the first SYN packet from the source address, which is received by the guard device without the guard device having received the RST packet.
  - 46. The apparatus according to claim 41, wherein the guard device is adapted to permit the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

47. A computer software product for authenticating an Internet Protocol (IP) source address in a Transmission Control Protocol (TCP) communication directed over a network to a target computer, the product comprising non-transitory computer readable tangible media, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a SYN request packet directed over a network from a source address to open a connection to a target computer in accordance with a TCP three-way handshake procedure, and further cause the guard computer to send to the IP source address a reply to the intercepted SYN request packet that deviates from the handshake procedure by sending to the IP source address a reply to the intercepted SYN request packet that deviates from the TCP three-way handshake procedure by sending a TCP ACK packet as a reply to the intercepted SYN request packet instead of a SYN ACK packet when opening a new TCP connection, to analyze a response from the IP source address to the TCP ACK reply in order to make an assessment of legitimacy of the IP source address, and upon determining, based on the assessment, that the IP source address is legitimate, to permit the target computer to complete the handshake procedure so as to open the connection with the IP source address.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55)
- - 48. The product according to claim 47, wherein the request comprises a first incoming packet comprising a field that is indicative of a number of hops traversed by the first packet since having been sent from the source address, andwherein the instructions cause the guard computer to make a record of a first value of the field appearing in the first incoming packet, and to read from the second incoming packet a second value of the field that is indicative of the number of hops traversed by the second incoming packet, and to compare the first and second values of the field in order to assess the legitimacy of the source address.
  - 49. The product according to claim 48, wherein the reply comprises an outgoing packet sent to the source address, and wherein the instructions cause the guard computer to encode the first value of the field in the outgoing packet, so as to cause the encoded first value to be incorporated in the second incoming packet.
  - 50. The product according to claim 48, wherein the first, second and third packets are Internet Protocol (IP) packets, and wherein the field comprises a Time-To-Live (TTL) field in a header of the IP packets.
  - 51. The product according to claim 50, wherein the protocol comprises a Transmission Control Protocol (TCP), and wherein the instructions cause the guard computer to encode the first value of the TTL field in an acknowledgment number field in a TCP header of the second packet.
  - 52. The product according to claim 47, wherein the request comprises a first packet comprising a sequence number, andwherein the reply comprises a second packet, sent by the guard computer to the source address, such that the second packet acknowledges the first packet and contains an acknowledgment number based on the sequence number in accordance with the protocol, andwherein the instructions cause the guard computer to disqualify the source address if the source address responds to the second packet.
  - 53. The product according to claim 52, wherein the instructions cause the guard computer to determine the source address to be legitimate if the source address retransmits the first packet without responding to the second packet.
  - 54. The product according to claim 47, wherein the instructions cause the guard computer to open a proxy connection with the source address, and to permit the source address to access the target computer only via the proxy connection as long as the legitimacy of the source address is not established.
  - 55. The product according to claim 54, wherein the instructions cause the guard computer to make a determination that the source address is legitimate responsively to use of the proxy connection, and responsively to the determination, to cause the connection to be opened directly between the source address and the target computer while closing the proxy connection.

56. A computer software product for authenticating communication traffic, the product comprising non-transitory computer readable tangible media, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP) three-way handshake procedure, and to read from the intercepted SYN packet a first value of a Time-To-Live (TTL) field, and to send to the IP source address a reply to the intercepted SYN request packet that deviates from the TCP three-way handshake procedure by sending a TCP ACK packet as a reply to the intercepted SYN packet instead of a SYN ACK packet to the source address when opening a new TCP connection, while encoding the first value of the TTL field in a TCP acknowledgment number of the ACK packet,wherein the instructions further cause the guard computer to receive a TCP RST packet sent from the source address in response to the ACK packet, and to read a TCP sequence number and a second value of the TTL field from the RST packet, and to compare the TCP sequence number to the second value of the TTL field in order to assess legitimacy of the source address.
- View Dependent Claims (57, 58, 59, 60, 61)
- - 57. The product according to claim 56, wherein the instructions cause the guard computer to decode the TCP sequence number in order to recover the first value of the TTL field, and to determine the source address to be legitimate if the first and second values of the TTL field are equal to within a predetermined tolerance.
  - 58. The product according to claim 56, wherein the instructions further cause the guard computer to send a TCP SYN-ACK packet to the source address after a timeout period and, cause the guard computer, upon receiving an incoming TCP ACK packet from the source address in response to the SYN-ACK packet, to permit the source address to communicate with the target computer even if no RST packet was received in response to the ACK packet sent to the source address.
  - 59. The product according to claim 58, wherein the instructions cause the guard computer to open a TCP proxy connection between the guard computer and the source address, and to permit the source address to access the target computer via the proxy connection.
  - 60. The product according to claim 56, and wherein the instructions cause the guard computer, upon failing to determine the source address to be legitimate based upon receiving the RST packet, to read a TCP sequence number from the SYN packet, to send a further ACK packet to the source address, while setting a TCP acknowledgment number of the further ACK packet to a value greater by one than the sequence number of the SYN packet, and to assess the legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
  - 61. The product according to claim 56, wherein the instructions cause the guard computer to permit the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

62. A computer software product for authenticating communication traffic, the product comprising non-transitory computer readable tangible media, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP) three-way handshake procedure, the intercepted SYN packet comprising a TCP sequence number, and further cause the guard computer to send to the IP source address a reply to the intercepted SYN request packet that deviates from the TCP three-way handshake procedure by sending a first TCP ACK packet as a reply to the intercepted SYN packet instead of a SYN ACK packet to the source address when opening a new TCP connection, while setting a TCP acknowledgment number of the first ACK packet to a first value that is not greater by one than the sequence number of the SYN packet, and which instructions further cause the guard computer, upon receiving a TCP RST packet sent from the source address in response to the first ACK packet, to send a second ACK packet to the source address, while setting the TCP acknowledgment number of the second ACK packet to a second value that is greater by one than the sequence number of the SYN packet, and to assess legitimacy of the source address based upon a further response received from the source address following the further ACK packet.
- View Dependent Claims (63)
- - 63. The product according to claim 62, wherein the guard device is adapted to determine the source address to be legitimate if a further TCP RST packet is not received from the source address in response to the second ACK packet.

64. A computer software product for authenticating communication traffic, the product comprising non-transitory computer readable tangible media, in which program instructions are stored, which instructions, when read by a guard computer, cause the guard computer to intercept a SYN packet directed over a network from a source address to a target computer in accordance with a Transmission Control Protocol (TCP) three-way handshake procedure, and further cause the guard computer to read a TCP sequence number from the intercepted SYN packet, and to send to the IP source address a reply to the intercepted SYN request packet that deviates from the TCP three-way handshake procedure by sending a TCP ACK packet as a reply to the intercepted SYN packet instead of a SYN ACK packet to the source address when opening a new TCP connection, while setting a TCP acknowledgment number of the ACK packet to a value greater by one than the sequence number of the SYN packet, and to determine the source address to be illegitimate upon receiving a TCP RST packet sent from the source address in response to the ACK packet.
- View Dependent Claims (65, 66, 67, 68, 69)
- - 65. The product according to claim 64, wherein the instructions cause the guard computer to permit the source address to make a TCP connection with the target computer responsively to the retransmission upon receiving a retransmission of the SYN packet from the source address after a timeout, without having received the RST packet.
  - 66. The product according to claim 64, wherein the TCP ACK packet sent by the guard computer is a first ACK packet, and wherein the instructions cause the guard computer to read from the SYN packet a first value of a Time-To-Live (TTL) field, and in reply to the SYN packet, to send a second ACK packet to the source address, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet, andwherein the instructions cause the guard computer to receive a further TCP RST packet sent from the source address in response to the second ACK packet, and to read the TCP sequence number and a second value of the TTL field from the further RST packet, and to compare the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 67. The product according to claim 64, wherein the intercepted SYN packet comprises a first SYN packet, and wherein the TCP ACK packet sent by the guard computer is a first ACK packet, andwherein the instructions cause the guard computer to intercept a second SYN packet from the source address, subsequent to the first SYN packet, and to read from the second SYN packet a first value of a Time-To-Live (TTL) field, and to send a second ACK packet to the source address in reply to the second SYN packet, while encoding the first value of the TTL field in a TCP acknowledgment number of the second ACK packet, and wherein the instructions cause the guard computer to receive a further TCP RST packet sent from the source address in response to the second ACK packet, and to read the TCP sequence number and a second value of the TTL field from the further RST packet, and to compare the TCP sequence number of the further RST packet to the second value of the TTL field in order to assess legitimacy of the source address.
  - 68. The product according to claim 67, wherein the second SYN packet comprises a retransmission of the first SYN packet from the source address, which is received by the guard computer without the guard computer having received the RST packet.
  - 69. The product according to claim 64, wherein the instructions cause the guard computer to permit the source address to make a TCP connection directly with the target computer upon determining the source address to be legitimate, while permitting the source address to access the target computer only via a proxy connection as long as the legitimacy of the source address is not established.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Tzadikario, Rephael, Shtein, Yehiel, Pazi, Guy, Touitou, Dan
Primary Examiner(s)
Orgad; Edan
Assistant Examiner(s)
SHAW, YIN CHEN

Application Number

US10/792,653
Publication Number

US 20050021999A1
Time in Patent Office

2,688 Days
Field of Search

726/25, 713153-154, 709/229
US Class Current

713/154
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/1458   Denial of Service

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/163   In-band adaptation of TCP d...

Y04S 40/20   Information technology spec...

Using TCP to authenticate IP source addresses

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

134 Citations

69 Claims

Specification

Solutions

Use Cases

Quick Links

Using TCP to authenticate IP source addresses

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

134 Citations

69 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links