System and method for an adaptive TCP SYN cookie with time validation

US RE44,701 E1
Filed: 03/06/2012
Issued: 01/14/2014
Est. Priority Date: 02/21/2006
Status: Active Grant

First Claim

Patent Images

1. A system for TCP SYN cookie validation at a host server comprising:

a session SYN packet receiver for receiving a session SYN packet;

a transition cookie generator operating to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time, wherein the transition cookie generator generates the transition cookie secret key based on data obtained from the received session SYN packet, the data obtained from the SYN packet including at least one of a source IP address of an IP header, a destination port, a source port, and a sequence number of a TCP header in the received session SYN packet, wherein the transition cookie generator concatenates the obtained data from the session SYN packet to generate a first data item of the generator and the transition cookie generator uses a first hash function to generate the transition cookie secret key from the first data item of the generator;

a session SYN/ACK packet sender for sending the transition cookie in response to the received session SYN packet;

a session ACK packet receiver for receiving a session ACK packet, the session ACK packet including a candidate transition cookie; and

a transition cookie validator, for determining whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received, wherein the transition cookie validator generates a candidate transition cookie secret key based on data obtained from the received session ACK packet, the data obtained from the ACK packet including at least one of a source IP address of the IP header, a destination port, and a source port, wherein the transition cookie validator concatenates the obtained data from the session ACK packet to generate a first data item of the validator and the transition cookie validator uses the first or another hash function to generate the candidate transition cookie secret key from the first data item of the validator,wherein at least one of;

the transition cookie generator uses a secret key offset to select one or more bits of data from the first data item of the generator in order to generate a second data item of the generator, andthe transition cookie validator uses a candidate secret key offset to select one or more bits of data from the first data item of the validator in order to generate a second data item of the validator.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a method and system for TCP SYN cookie validation. The method includes receiving a session SYN packet by a TCP session setup module of a host server, generating a transition cookie including a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.

41 Citations

View as Search Results

31 Claims

1. A system for TCP SYN cookie validation at a host server comprising:
- a session SYN packet receiver for receiving a session SYN packet;
  
  a transition cookie generator operating to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time, wherein the transition cookie generator generates the transition cookie secret key based on data obtained from the received session SYN packet, the data obtained from the SYN packet including at least one of a source IP address of an IP header, a destination port, a source port, and a sequence number of a TCP header in the received session SYN packet, wherein the transition cookie generator concatenates the obtained data from the session SYN packet to generate a first data item of the generator and the transition cookie generator uses a first hash function to generate the transition cookie secret key from the first data item of the generator;
  
  a session SYN/ACK packet sender for sending the transition cookie in response to the received session SYN packet;
  
  a session ACK packet receiver for receiving a session ACK packet, the session ACK packet including a candidate transition cookie; and
  
  a transition cookie validator, for determining whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received, wherein the transition cookie validator generates a candidate transition cookie secret key based on data obtained from the received session ACK packet, the data obtained from the ACK packet including at least one of a source IP address of the IP header, a destination port, and a source port, wherein the transition cookie validator concatenates the obtained data from the session ACK packet to generate a first data item of the validator and the transition cookie validator uses the first or another hash function to generate the candidate transition cookie secret key from the first data item of the validator,wherein at least one of;
  
  the transition cookie generator uses a secret key offset to select one or more bits of data from the first data item of the generator in order to generate a second data item of the generator, andthe transition cookie validator uses a candidate secret key offset to select one or more bits of data from the first data item of the validator in order to generate a second data item of the validator.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system according to claim 1, in which the transition cookie validator determines that the received session ACK packet is valid if the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
  - 3. The system according to claim 1, in which the predetermined time interval is in the range of one to six seconds.
  - 4. The system according to claim 1, in which the predetermined time interval is three seconds.
  - 5. The system according to claim 1, in which the generating of the transition cookie includes the use of random data.
  - 6. The system according to claim 1, in which the generating of the transition cookie includes the use of data obtained from the session SYN packet.

7. A system for TCP SYN cookie validation at a host server comprising:
- a session SYN packet receiver for receiving a session SYN packet;
  
  a transition cookie generator operating to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time, wherein the transition cookie generator generates the transition cookie by (i) generating an encrypted data element of the generator by applying a cryptographic method on the transition cookie secret key and a transition cookie data element, (ii) performing an unsigned binary addition on the encrypted data element of the generator and a sequence number of a TCP header in the received session SYN packet, and (iii) storing the result in the transition cookie;
  
  a session SYN/ACK packet sender for sending the transition cookie in response to the received session SYN packet;
  
  a session ACK packet receiver for receiving a session ACK packet, the session ACK packet including a candidate transition cookie; and
  
  a transition cookie validator, for determining whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.
- View Dependent Claims (8)
- - 8. The system according to claim 7, wherein the transition cookie data element comprises data based on at least one of:
    - a selective ACK, an MSS index, and a 32-bit current time of day indicated by a clock.

9. A system for TCP SYN cookie validation at a host server comprising:
- a session SYN packet receiver for receiving a session SYN packet;
  
  a transition cookie generator operating to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time;
  
  a session SYN/ACK packet sender for sending the transition cookie in response to the received session SYN packet;
  
  a session ACK packet receiver for receiving a session ACK packet, the session ACK packet including a candidate transition cookie; and
  
  a transition cookie validator, for determining whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received, wherein the transition cookie validator generates;
  
  a candidate sequence number such that a sequence number of a TCP header in the received session ACK packet equals the sum of the candidate sequence number and a value of 1,a candidate encrypted data element such that the result of performing an unsigned binary addition of the candidate encrypted data element and a candidate sequence number equals the candidate transition cookie, anda candidate transition cookie data element by applying a cryptographic method on a candidate transition cookie secret key and the candidate encrypted data element.
- View Dependent Claims (10)
- - 10. The system according to claim 9, wherein the transition cookie validator validates the candidate transition cookie data element by adjusting the candidate transition cookie data element to generate, and determining if the adjusted candidate transition cookie data element is within a predetermined time margin of a modified current time.

11. A method for validating a TCP cookie at a host, the method comprising:
- receiving a first session packet;
  
  acquiring a transition cookie secret key based on data obtained from the received first session packet;
  
  generating a transition cookie using the transition cookie secret key;
  
  sending a second session packet including the transition cookie;
  
  receiving a third session packet including a candidate transition cookie;
  
  acquiring a candidate transition cookie secret key based on data obtained from the received third session packet; and
  
  validating the candidate transition cookie using the candidate transition cookie secret key.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, wherein the data obtained from the received first session packet includes:
    - at least one of a source IP address, a destination port, a source port, or a sequence number of a TCP header.
  - 13. The method of claim 11, wherein acquiring the transition cookie secret key further comprises:
    - concatenating the data obtained from the received first session packet;
      
      forming a first secret key transition data item based on the concatenation; and
      
      generating the transition cookie secret key from the first secret key transition data item.
  - 14. The method of claim 13, wherein generating the transition cookie secret key from the first secret key transition data item comprises using a hash function.
  - 15. The method of claim 13, wherein acquiring the transition cookie secret key further comprises:
    - selecting one or more bits of data from the first secret key transition data item using a secret key offset;
      
      forming a second secret key transition data item based on the selected one or more bits; and
      
      generating the transition cookie secret key from the first secret key transition data item and the second secret key transition data item.
  - 16. The method of claim 11, wherein the data obtained from the received third session packet includes at least one of a source IP address, a destination port, or a source port.
  - 17. The method of claim 11, wherein acquiring the candidate transition cookie secret key further comprises:
    - concatenating data obtained from the received third session packet;
      
      forming a first secret key candidate data item based on the concatenation; and
      
      generating the candidate transition cookie secret key from the first secret key candidate data item of the validation.
  - 18. The method of claim 17, wherein acquiring the candidate transition cookie secret key further comprises:
    - using a hash function to generate the candidate transition cookie secret key from the first secret key candidate data item.
  - 19. The method of claim 17, further comprising:
    - determining that the received third session packet is valid if the candidate transition cookie in the received third session packet comprises a time value representing a time within a predetermined time interval from the time the third session packet is received.

20. A method for validating a TCP cookie at a host, the method comprising:
- receiving a first session packet;
  
  generating a transition cookie by applying a cryptographic method on a transition cookie secret key and a transition cookie data element;
  
  sending a second session packet including the transition cookie in response to the received first session packet;
  
  receiving a third session packet including a candidate transition cookie; and
  
  validating the candidate transition cookie by determining whether the candidate transition cookie comprises a time value representing a time within a predetermined time interval from a time that the third session packet is received.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20, wherein generating the transition cookie further comprises:
    - generating an encrypted data element based on the application of the cryptographic method;
      
      performing an unsigned binary addition on the encrypted data element and a sequence number of a TCP header in the received first session packet; and
      
      storing a result of the unsigned binary addition in the transition cookie.
  - 22. The method of claim 20, comprising acquiring the transition cookie data element based on at least one of a one-bit data item, an MSS index, or a 32-bit current time of day indicated by a clock.

23. A method for validating a TCP cookie at a host, the method comprising:
- receiving a first session packet;
  
  generating a transition cookie using a transition cookie secret key;
  
  sending a second session packet including the transition cookie in response to the received first session packet;
  
  receiving a third session packet including a candidate transition cookie; and
  
  validating the candidate transition cookie by applying a cryptographic method on a candidate transition cookie secret key.
- View Dependent Claims (24, 25)
- - 24. The method of claim 23, wherein validating the candidate transition cookie further comprises:
    - generating a candidate sequence number such that a sequence number of a TCP header in the received third session packet equals the sum of the candidate sequence number and a value of 1;
      
      generating a candidate encrypted data element such that a result of performing an unsigned binary addition of the candidate encrypted data element and the candidate sequence number equals the candidate transition cookie; and
      
      generating a candidate transition cookie data element by applying the cryptographic method on the candidate transition cookie secret key and the candidate encrypted data element.
  - 25. The method of claim 24, further comprising:
    - adjusting the candidate transition cookie data element; and
      
      validating the candidate transition cookie data element by determining if the adjusted candidate transition cookie data element is within a predetermined time margin of a modified current time.

26. A host for validating a TCP cookie, comprising:
- a memory device storing instructions; and
  
  a processor that, when executing the instructions, configures the host to;
  
  receive a first session packet;
  
  acquire a transition cookie secret key based on data obtained from the received first session packet;
  
  generate a transition cookie using the transition cookie secret key;
  
  send a second session packet including the transition cookie;
  
  receive a third session packet including a candidate transition cookie;
  
  acquire a candidate transition cookie secret key based on data obtained from the received third session packet; and
  
  validate the candidate transition cookie using the candidate transition cookie secret key.

27. A host for validating a TCP cookie, comprising:
- a memory storing instructions; and
  
  a processor, that when executing the instructions, configures the host to;
  
  receive a first session packet;
  
  generate a transition cookie by applying a cryptographic method on a transition cookie secret key and a transition cookie data element;
  
  send a second session packet including the transition cookie;
  
  receive a third session packet including a candidate transition cookie; and
  
  validate the candidate transition cookie by determining whether the candidate transition cookie comprises a time value representing a time within a predetermined time interval from the time the third session packet is received.

28. A host for validating a TCP cookie, the host comprising:
- a memory storing instructions; and
  
  a processor that, when executing the instructions, configures the host to;
  
  receive a first session packet;
  
  generate a transition cookie using a transition cookie secret key;
  
  send a second session packet including the transition cookie;
  
  receive a third session packet including a candidate transition cookie; and
  
  validate the candidate transition cookie by applying a cryptographic method on a candidate transition cookie secret key.

29. A non-transitory computer-readable medium storing instructions that, when executed, cause a computing device to perform a method for validating a TCP cookie, the method comprising:
- receiving a first session packet;
  
  acquiring a transition cookie secret key based on data obtained from the received first session packet;
  
  generating a transition cookie using the transition cookie secret key;
  
  sending a second session packet including the transition cookie;
  
  receiving a third session packet including a candidate transition cookie;
  
  acquiring a candidate transition cookie secret key based on data obtained from the received third session packet;
  
  validating the candidate transition cookie using the candidate transition cookie secret key.

30. A non-transitory computer-readable medium storing instructions that, when executed, cause a computing device to perform a method for validating a TCP cookie, the method comprising:
- receiving a first session packet;
  
  generating a transition cookie by applying a cryptographic method on a transition cookie secret key and a transition cookie data element;
  
  sending a second session packet including the transition cookie in response to the received first session packet;
  
  receiving a third session packet including a candidate transition cookie; and
  
  validating the candidate transition cookie by determining whether the candidate transition cookie comprises a time value representing a time within a predetermined time interval from the time the third session packet is received.

31. A non-transitory computer-readable medium storing instructions that, when executed, cause a computing device to perform a method for validating a TCP cookie, the method comprising:
- receiving a first session packet;
  
  generating a transition cookie using a transition cookie secret key;
  
  sending a second session packet including the transition cookie in response to the received first session packet;
  
  receiving a third session packet including a candidate transition cookie; and
  
  validating the candidate transition cookie by applying a cryptographic method on a candidate transition cookie secret key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
A10 Networks Incorporated
Original Assignee
A10 Networks Incorporated
Inventors
Chen, Lee, Szeto, Ronald Wai Lun, Hwang, Shih-Tsung
Primary Examiner(s)
Ngo, Ricky
Assistant Examiner(s)
NGUYEN, PHUONGCHAU BA

Application Number

US13/413,191
Time in Patent Office

679 Days
Field of Search

370/395.52, 370/230, 370/252, 370/395.32, 370/395.2, 370/428, 370/485, 375225-229, 709227-228, 726/3, 726/6, 726/22
US Class Current

370/230.1
CPC Class Codes

H04L 47/10 Flow control; Congestion co...

H04L 63/1458 Denial of Service

System and method for an adaptive TCP SYN cookie with time validation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for an adaptive TCP SYN cookie with time validation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links