Minimize SYN-flood issues with flow cache while maintaining performance

US 9,154,423 B1
Filed: 03/13/2013
Issued: 10/06/2015
Est. Priority Date: 05/01/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing communication over a network with a traffic management device that includes a plurality of components and is operative to perform actions, comprising:

employing at least one data flow segment (DFS) component to determine if at least one received network packet is associated with a new connection flow, wherein each DFS component corresponds to a high speed flow cache;

employing at least one control segment (CS) component to perform actions, including;

determining if each connection flow is genuine that is evicted from at least one high-speed flow cache;

if an amount of non-genuine connection flows exceeds a threshold, enabling at least one flood control filter; and

if a new connection flow is determined to be genuine, generating flow control data that corresponds to the new connection flow; and

employing the at least one DFS component to store the flow control data for each genuine connection flow in at least one high speed flow cache; and

employing the at least one DFS component to forward received network packets for each genuine connection flow based on its corresponding flow control data stored in at least one high-speed flow cache.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards minimizing the impact flood attacks may have on packet traffic management performance. A packet traffic management device (“PTMD”) may employ a data flow segment (“DFS”) and control segment (“CS”). The CS may perform high-level control functions and per-flow policy enforcement for connection flows maintained at the DFS, while the DFS may perform statistics gathering, per-packet policy enforcement (e.g., packet address translations), or the like, on connection flows maintained at the DFS. The DFS may include high-speed flow caches and other high-speed components that may be comprised of high-performance computer memory. The impact of flood attacks may be reduced by protecting the high-speed flow caches from being consumed by flow control data associated with malicious and/or in-operative non-genuine network connections. In at least one of the various embodiments, flood control filters may be adaptively activated based on the condition and quality of network traffic received at PTMD.

Citations

24 Claims

1. A method for managing communication over a network with a traffic management device that includes a plurality of components and is operative to perform actions, comprising:
- employing at least one data flow segment (DFS) component to determine if at least one received network packet is associated with a new connection flow, wherein each DFS component corresponds to a high speed flow cache;
  
  employing at least one control segment (CS) component to perform actions, including;
  
  determining if each connection flow is genuine that is evicted from at least one high-speed flow cache;
  
  if an amount of non-genuine connection flows exceeds a threshold, enabling at least one flood control filter; and
  
  if a new connection flow is determined to be genuine, generating flow control data that corresponds to the new connection flow; and
  
  employing the at least one DFS component to store the flow control data for each genuine connection flow in at least one high speed flow cache; and
  
  employing the at least one DFS component to forward received network packets for each genuine connection flow based on its corresponding flow control data stored in at least one high-speed flow cache.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein determining if each connection flow is genuine that is evicted from at least one high-speed flow cache further comprises evaluating each connection flow based in part on the number of packets that have been exchanged over the connection flow.
  - 3. The method of claim 1, wherein determining if each connection flow is genuine further comprises evaluating each connection flow based at least in part on the content of at least one packet that was communicated over each connection flow.
  - 4. The method of claim 1, wherein enabling the at least one enabled flood control filter further comprises deferring the generation of flow control data for the new connection flow until a full open connection corresponding to the new connection flow is established.
  - 5. The method of claim 1, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based on at least a ratio of the amount of genuine connection flows to non-genuine connection flows detected over a period of time.
  - 6. The method of claim 1, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based at least on the amount of network traffic over the connection flow, or at least a portion of the at least one received network packet.
  - 7. The method of claim 1, further comprising:
    - dividing the new connection flow into an upload half connection flow and a download half connection flow;
      
      generating separate flow control data for each half connection flow; and
      
      storing the flow control data for each half connection flow in the high-speed flow cache based on the at least one enabled flood control filter.
  - 8. The method of claim 1, further comprising:
    - employing the DFS component to identify each idle genuine connection flow that has associated flow control data stored in the high-speed flow cache that corresponds to the DFS component;
      
      employing the DFS component to remove the flow control data associated with each identified idle genuine connection flow from the high-speed flow cache that corresponds to the DFS component; and
      
      employing the DFS component to store the removed flow control data if new network activity occurs on the idle genuine connection flow.

9. A traffic management device (TMD) that is operative to manage communication over a network, comprising:
- a transceiver that is operative to communicate over a network;
  
  a memory that is operative to store at least instructions for a plurality of components; and
  
  a processor device that is operative to execute instructions that enable actions, including;
  
  employing at least one data flow segment (DFS) component to determine if at least one received network packet is associated with a new connection flow, wherein each DFS component corresponds to a high speed flow cache;
  
  employing at least one control segment (CS) component to perform actions, including;
  
  determining if each connection flow is genuine that is evicted from at last one high-speed flow cache;
  
  if an amount of non-genuine connection flows exceeds a threshold, enabling at least one flood control filter; and
  
  if a new connection flow is determined to be genuine, generating flow control data that corresponds to the new connection flow; and
  
  employing the at least one DFS component to store the flow control data for each genuine connection flow in at least one high speed flow cache; and
  
  employing the at least one DFS component to forward received network packets for each genuine connection flow based on its corresponding flow control data stored in at least one high-speed flow cache.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The TMD of claim 9, wherein determining if each connection flow is genuine that is evicted from at least one high-speed flow cache further comprises evaluating each connection flow based in part on the number of packets that have been exchanged over the connection flow.
  - 11. The TMD of claim 9, wherein determining if each connection flow is genuine further comprises evaluating each connection flow based at least in part on the content of at least one packet that was communicated over each connection flow.
  - 12. The TMD of claim 9, wherein enabling the at least one enabled flood control filter further comprises deferring the generation of flow control data for the new connection flow until a full open connection corresponding to the new connection flow is established.
  - 13. The TMD of claim 9, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based on at least a ratio of the amount of genuine connection flows to non-genuine connection flows detected over a period of time.
  - 14. The TMD of claim 9, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based at least on the amount of network traffic over the connection flow, or at least a portion of the at least one received network packet.
  - 15. The TMD of claim 9, further comprising:
    - dividing the new connection flow into an upload half connection flow and a download half connection flow;
      
      generating separate flow control data for each half connection flow; and
      
      storing the flow control data for each half connection flow in the high-speed flow cache based on the at least one enabled flood control filter.
  - 16. The TMD of claim 9, further comprising:
    - employing the DFS component to identify each idle genuine connection flow that has associated flow control data stored in the high-speed flow cache that corresponds to the DFS component;
      
      employing the DFS component to remove the flow control data associated with each identified idle genuine connection flow from the high-speed flow cache that corresponds to the DFS component; and
      
      employing the DFS component to store the removed flow control data if new network activity occurs on the idle genuine connection flow.

17. A processor readable non-transitive storage media that includes instructions for a method for managing communication over a network with a traffic management device that includes a plurality of components and is operative to execute the instructions to perform actions, comprising:
- employing at least one data flow segment (DFS) component to determine if at least one received network packet is associated with a new connection flow, wherein each DFS component corresponds to a high speed flow cache;
  
  employing at least one control segment (CS) component to perform actions, including;
  
  determining if each connection flow is genuine that is evicted from at last one high-speed flow cache;
  
  if an amount of non-genuine connection flows exceeds a threshold, enabling at least one flood control filter; and
  
  if a new connection flow is determined to be genuine, generating flow control data that corresponds to the new connection flow; and
  
  employing the at least one DFS component to store the flow control data for each genuine connection flow in at least one high speed flow cache; and
  
  employing the at least one DFS component to forward received network packets for each genuine connection flow based on its corresponding flow control data stored in at least one high-speed flow cache.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The media of claim 17, wherein determining if each connection flow is genuine that is evicted from at least one high-speed flow cache further comprises evaluating each connection flow based in part on the number of packets that have been exchanged over the connection flow.
  - 19. The media of claim 17, wherein determining if each connection flow is genuine further comprises evaluating each connection flow based at least in part on the content of at least one packet that was communicated over each connection flow.
  - 20. The media of claim 17, wherein enabling the at least one enabled flood control filter further comprises deferring the generation of flow control data for the new connection flow until a full open connection corresponding to the new connection flow is established.
  - 21. The media of claim 17, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based on at least a ratio of the amount of genuine connection flows to non-genuine connection flows detected over a period of time.
  - 22. The media of claim 17, wherein enabling the flood control filter further comprises determining if the flow control data associated with the new connection flow is stored in the high-speed flow cache based at least on the amount of network traffic over the connection flow, or at least a portion of the at least one received network packet.
  - 23. The media of claim 17, further comprising:
    - dividing the new connection flow into an upload half connection flow and a download half connection flow;
      
      generating separate flow control data for each half connection flow; and
      
      storing the flow control data for each half connection flow in the high-speed flow cache based on the at least one enabled flood control filter.
  - 24. The media of claim 17, further comprising:
    - employing the DFS component to identify each idle genuine connection flow that has associated flow control data stored in the high-speed flow cache that corresponds to the DFS component;
      
      employing the DFS component to remove the flow control data associated with each identified idle genuine connection flow from the high-speed flow cache that corresponds to the DFS component; and
      
      employing the DFS component to store the removed flow control data if new network activity occurs on the idle genuine connection flow.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Szabo, Paul Imre, Michels, Timothy Scott, Cai, Hao, Thornewell, Peter Michael
Primary Examiner(s)
Huq, Obaidul

Application Number

US13/802,169
Time in Patent Office

937 Days
Field of Search

370/229, 370/235, 370/237, 370/241, 370/248, 370/351, 370/428
US Class Current

1/1
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/2441   relying on flow classificat...

H04L 63/1458   Denial of Service

H04W 28/02   Traffic management, e.g. fl...

H04W 28/10   Flow control between commun...

Minimize SYN-flood issues with flow cache while maintaining performance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Minimize SYN-flood issues with flow cache while maintaining performance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links