Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session
Abstract
A method performed in an intrusion detection/prevention system, a system or a device for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable. The TCP connection can include TCP segments beginning with a three way handshake. A TCP segment can include a field for a timestamp. A timestamp policy of plural timestamp policies is identified, the timestamp policy corresponding to a target associated with the segments in a TCP connection. A baseline timestamp is identified based on a three way handshake in the TCP connection. Segments in the TCP connection are monitored. The segments in the TCP connection are filtered as indicated in the timestamp policy corresponding to the target, the timestamp policy indicating whether the segments are to be filtered out or forwarded to the target by comparing the timestamp of the segments to the baseline timestamp.
12 Claims
1. A method performed in an intrusion detection/prevention system for determining whether a transmission control protocol (TCP) segment in a TCP connection in a communication network is acceptable, the TCP connection including a plurality of TCP segments beginning with a three way handshake, wherein a TCP segment includes a field for a timestamp, comprising:
(A) determining which timestamp policy of plural different timestamp policies corresponds to an operating system of a target receiving the segments in a TCP connection, the different timestamp policies respectively corresponding to different operating systems;
(B) identifying a baseline timestamp based on a three way handshake in the TCP connection;
(C) monitoring, in a processor disposed between an origination and a destination of the TCP connection, segments in the TCP connection; and
(D) filtering the segments in the TCP connection as indicated in the timestamp policy corresponding to the operating system of the target, the timestamp policy indicating whether the processor is to filter out or forward the segments to the target based on the operating system of the target by comparing the timestamp of the segments to the baseline timestamp, the segments in the TCP connection further being filtered out and forwarded to the target differently by the different timestamp policies based on the kind of operating system, the segments in the TCP connection further being filtered out and forwarded differently to the target by the different timestamp policies for the different operating systems according to zero timestamp values on the three-way handshake; and
the segments in the TCP connection further being filtered out and forwarded differently to the target by the different timestamp policies for the different operating systems according to whether the segments have no TCP timestamp option and associated values even when both hosts have negotiated the use of timestamps, wherein, if the timestamp in the three way handshake is zero, the timestamp in the first TCP segment expected after the handshake becomes the baseline timestamp if properly received.
Dependent claims: 2, 3, 4.
5. A computer system for detecting or preventing intrusion, comprising:
(A) a unit configured to facilitate determining a kind of operating system associated with a target, in response to an indication of the target in segments in a transmission control protocol (TCP) connection; and
(B) a segment filtering unit configured to facilitate determining which timestamp policy of plural different timestamp policies corresponds to the kind of operating system associated with the target of the segments in the TCP connection, the different timestamp policies respectively corresponding to different kinds of operating systems, the timestamp policy indicating whether the segments are to be filtered out or retained for the target based on the kind of operating system of the target by comparing the timestamp of the segments to a baseline timestamp, the baseline timestamp being based on a three way handshake in the TCP connection, and forwarding the segments in the TCP connection to the target if retained, the segments in the TCP connection further being filtered out and forwarded differently by the different timestamp policies based on the kind of operating system, wherein the segments in the TCP connection are filtered out and forwarded differently to the target by the different timestamp policies for the different operating systems according to zero timestamp values on the three-way handshake; and
the segments in the TCP connection are filtered out and forwarded differently to the target by the different timestamp policies for the different operating systems according to whether the segments have no TCP timestamp option and associated values even when both hosts have negotiated the use of timestamps, wherein, if the timestamp in the three way handshake is zero, the timestamp in the first TCP segment expected after the handshake becomes the baseline timestamp if properly received.
Dependent claims: 6, 7, 8.
9. A non-transitory computer-readable medium comprising instructions for execution by a processor, the instructions including a computer-implemented method performed in an intrusion detection/prevention system, for analyzing segments in a transmission control protocol (TCP) connection in a communication network, the TCP connection including a plurality of TCP segments beginning with a three way handshake, wherein a TCP segment includes a field for a timestamp and a field for a sequence number, the instructions for implementing:
(A) monitoring, in a processor disposed between an origination and a destination of the TCP connection, a plurality of segments in the TCP connection;
(B) identifying a kind of operating system associated with a target receiving the segments in the TCP connection, and determining which timestamp policy of plural different timestamp policies corresponds to the kind of operating system of the target, the different timestamp policies respectively corresponding to different operating systems;
(C) filtering the segments in the TCP connection as indicated in the timestamp policy corresponding to the kind of operating system of the target, the timestamp policy indicating whether the processor is to filter out or forward the segments to the target based on the kind of operating system of the target by comparing the timestamp of the segments to a baseline timestamp and by evaluating sequence numbers identified in the segments to determine whether the timestamp is valid for the target relative to the timestamps of prior segments in the sequence according to the sequence numbers, the segments in the TCP connection further being filtered out and forwarded differently by the different timestamp policies based on the kind of operating system; and
(D) setting the baseline timestamp to the timestamp in the first TCP segment expected after the handshake if properly received, if the timestamp in the three way handshake is zero, wherein the segments in the TCP connection are filtered out and forwarded differently to the target by the different timestamp policies for the different operating systems according to zero timestamp values on the three-way handshake; and
the segments in the TCP connection are filtered out and forwarded differently to the target by the different timestamp policies for the different operating systems according to whether the segments have no TCP timestamp option and associated values even when both hosts have negotiated the use of timestamps.
Dependent claims: 10, 11, 12.
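The abstract and independent claims 1, 5 and 9 describe one mechanism: an inline sensor picks a timestamp policy from the target's operating system, takes a baseline timestamp from the three-way handshake (deferring it to the first in-order segment when the handshake carries a zero timestamp), and then drops or forwards each segment by comparing its TSval to the baseline, by whether the option is present at all once negotiated, and by where the segment sits in sequence-number space. The following is an added worked example of that flow, not code from the patent or from any product built on it. The three policies and their `os_*` names are hypothetical placeholders chosen to exercise the branches the claims name; they do not assert the real behaviour of any operating system. The trace at the bottom is constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ts_older(a: int, b: int) -> bool:
    """PAWS-style comparison on the 32-bit ring (RFC 7323): True if TSval a precedes b."""
    return ((a - b) & MASK32) >= 0x80000000


@dataclass
class Segment:
    """Only the fields the filter looks at; a constructed stand-in for a parsed segment."""
    direction: str              # "c2s" (origination -> target) or "s2c"
    seq: int
    syn: bool = False
    ack: bool = False
    tsval: Optional[int] = None  # None: segment carries no TCP timestamp option
    payload: int = 0             # payload length in bytes


@dataclass(frozen=True)
class TimestampPolicy:
    """Hypothetical per-OS policy; the flags, not the OS name, decide each verdict."""
    name: str
    drop_older_than_baseline: bool      # target applies PAWS: mirror its discard
    drop_missing_after_negotiation: bool  # target ignores untimestamped segments
    zero_handshake_ts: str              # "defer" baseline to first in-order segment,
                                        # or "disable" timestamp checks entirely


POLICIES = {  # assumption: illustrative table, no real OS behaviour claimed
    "os_strict":    TimestampPolicy("os_strict", True, True, "defer"),
    "os_paws_only": TimestampPolicy("os_paws_only", True, False, "defer"),
    "os_lenient":   TimestampPolicy("os_lenient", False, False, "disable"),
}


class TimestampFilter:
    """Inline filter for one TCP connection; only c2s data segments are judged."""

    def __init__(self, target_os: str):
        self.policy = POLICIES[target_os]
        self.state = "SYN"
        self.syn_tsval: Optional[int] = None
        self.negotiated = False        # both SYN and SYN-ACK carried the option
        self.checking = False          # timestamp checks active on this connection
        self.baseline: Optional[int] = None  # None while the baseline is deferred
        self.next_seq = 0              # next in-order c2s sequence number expected

    def inspect(self, seg: Segment) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for one segment."""
        if self.state == "SYN":
            if seg.direction == "c2s" and seg.syn and not seg.ack:
                self.syn_tsval = seg.tsval
                self.next_seq = (seg.seq + 1) & MASK32
                self.state = "SYNACK"
            return "forward", "handshake"
        if self.state == "SYNACK":
            if seg.direction == "s2c" and seg.syn and seg.ack:
                self.negotiated = self.syn_tsval is not None and seg.tsval is not None
                self.state = "ACK"
            return "forward", "handshake"
        if self.state == "ACK":
            if seg.direction == "c2s" and seg.ack and not seg.syn:
                self.state = "ESTABLISHED"
                self._baseline_from_handshake(seg)
            return "forward", "handshake"
        return self._inspect_established(seg)

    def _baseline_from_handshake(self, ack: Segment) -> None:
        if not self.negotiated:
            return
        hs_ts = ack.tsval if ack.tsval is not None else self.syn_tsval
        if hs_ts == 0:  # zero TSval in the handshake: policy picks defer vs disable
            self.checking = self.policy.zero_handshake_ts == "defer"
            self.baseline = None
        else:
            self.checking, self.baseline = True, hs_ts

    def _inspect_established(self, seg: Segment) -> Tuple[str, str]:
        if seg.direction != "c2s":
            return "forward", "s2c not judged"
        in_order = seg.seq == self.next_seq
        if not self.checking:
            return self._accept(seg, in_order, "timestamps not checked")
        if seg.tsval is None:
            if self.policy.drop_missing_after_negotiation:
                return "drop", "no timestamp option after negotiation"
            return self._accept(seg, in_order, "missing option tolerated")
        if self.baseline is None:  # deferred: only the expected in-order segment sets it
            if in_order:
                self.baseline = seg.tsval
                return self._accept(seg, True, "baseline set from first in-order segment")
            return self._accept(seg, False, "out of order before baseline")
        if ts_older(seg.tsval, self.baseline):
            if self.policy.drop_older_than_baseline:
                return "drop", f"tsval {seg.tsval} older than baseline {self.baseline}"
            return self._accept(seg, in_order, "stale timestamp tolerated")
        if in_order:  # sequence numbers gate the update: out-of-order data never advances it
            self.baseline = seg.tsval
        return self._accept(seg, in_order, "timestamp acceptable")

    def _accept(self, seg: Segment, in_order: bool, reason: str) -> Tuple[str, str]:
        if in_order:
            self.next_seq = (self.next_seq + seg.payload) & MASK32
        return "forward", reason


def run(target_os: str, trace: List[Segment]) -> List[str]:
    f = TimestampFilter(target_os)
    return [f.inspect(s)[0] for s in trace]


# Constructed trace: zero TSval in the handshake, a legitimate in-order segment,
# an injected segment with a stale TSval, one without the option, then fresh data.
TRACE = [
    Segment("c2s", 1000, syn=True, tsval=0),
    Segment("s2c", 5000, syn=True, ack=True, tsval=777),
    Segment("c2s", 1001, ack=True, tsval=0),
    Segment("c2s", 1001, ack=True, tsval=100, payload=10),  # becomes the baseline
    Segment("c2s", 1011, ack=True, tsval=40, payload=10),   # stale relative to baseline
    Segment("c2s", 1011, ack=True, payload=10),             # option absent
    Segment("c2s", 1011, ack=True, tsval=150, payload=10),  # fresh
]

if __name__ == "__main__":
    for os_name in POLICIES:
        print(os_name, run(os_name, TRACE))
```

Running the trace through each policy shows the claim's point: the same seven segments yield three different drop/forward patterns depending only on the target's policy, and under `os_paws_only` the untimestamped segment is forwarded and consumes sequence space, so the final segment arrives out of order and does not advance the baseline.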