Symmetric connection detection
First Claim
1. A system for identifying establishment of a connection between a source host with a source address (Src) and a destination host with a destination address (Dst) in a data network, comprising:
a flow descriptor calculating unit for calculating a flow descriptor unique to said connection based on connection set-up datagrams exchanged between said source host and said destination host, wherein said flow descriptor is unique to said traffic flow;
storage means, for storing said flow descriptor based on a relationship between said Src and Dst;
an access interface to said storage means for providing a flow present indication if said flow descriptor is found in said storage means; and
a controller for controlling operation of said descriptor calculating unit and said access interface and determining that said connection has been established based on said relationship and on said flow present indication.
2 Assignments
0 Petitions
Abstract
Symmetric Connection Detection (SCD) is a method of detecting when a connection has been fully established in a resource-constrained environment, and works in high-speed routers at line speed. Many network monitoring applications are only interested in connections that become fully established, so other connection attempts, such as port scanning attempts, simply waste resources if not filtered. SCD filters out unsuccessful connection attempts using a simple combination of Bloom filters to track the state of connection establishment for every flow in the network. Unsuccessful flows can be filtered out to a very high degree of accuracy, depending on the size of the Bloom filter and the traffic rate. The SCD methodology can also easily be adapted to accomplish port scan detection, and to detect or filter other types of invalid TCP traffic.
101 Citations
21 Claims
1. Claim 1 (system) is as set out above under First Claim. Dependent claims 2 to 10.
11. A method for identifying establishment of a connection in a data network between a source host with a source address (Src) and a destination host with a destination address (Dst), comprising:
a) detecting a first connection set-up datagram transmitted from said source host to said destination host and identifying said connection set-up datagram as a connection request;
b) detecting a second connection set-up datagram transmitted from said destination host to said source host and identifying said second connection set-up datagram as a request acknowledged datagram;
c) generating a connection established indication if both said connection request datagram and said request acknowledged datagram have been identified in this order. Dependent claims 12 to 20.
21. A method for identifying release of a connection in a data network between a source host with a source address (Src) and a destination host with a destination address (Dst), comprising:
a) detecting a first connection release datagram transmitted from said source host to said destination host and identifying said connection release datagram as a release connection request;
b) detecting a second connection release datagram transmitted from said destination host to said source host and identifying said second connection release datagram as a request acknowledged datagram;
c) issuing a connection release indication if both said connection release datagram and said request acknowledged datagram have been identified in this order.
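The abstract and claims 11 and 21 describe the mechanism but not an implementation. The following Python is an added illustration, not code from the patent: a Bloom filter keyed on a flow descriptor computed in the initiator-to-responder direction, so the responder's SYN-ACK (hashed with its ends swapped) looks up the same key the initiator's SYN inserted; the same trick matches a FIN against the opposite side's FIN for claim 21, and per-source counts of SYNs that never produced an "established" indication give the port-scan adaptation the abstract mentions. The packet record, flag encoding, filter sizes and the traffic trace are all constructed for the example; the double-hashing Bloom filter is a standard construction chosen here, not the one in the patent.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view for this example (constructed, not a real capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "SAF": SYN, ACK, FIN


class BloomFilter:
    """Fixed-size Bloom filter; k bit positions derived by double hashing a SHA-256 digest."""

    def __init__(self, nbits: int = 1 << 16, nhashes: int = 4):
        self.nbits = nbits
        self.k = nhashes
        self.bits = bytearray((nbits + 7) // 8)

    def _positions(self, key: bytes) -> List[int]:
        d = hashlib.sha256(key).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # odd stride, so the k slots are distinct
        return [(h1 + i * h2) % self.nbits for i in range(self.k)]

    def add(self, key: bytes) -> None:
        for pos in self._positions(key):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, key: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(key))


def flow_descriptor(initiator: str, iport: int, responder: str, rport: int) -> bytes:
    """Descriptor keyed on the initiator->responder direction. The reply is hashed with
    its ends swapped, so both halves of the exchange map to the same key (the "symmetric"
    relationship between Src and Dst)."""
    return f"{initiator}:{iport}>{responder}:{rport}".encode()


class SymmetricConnectionDetector:
    def __init__(self, nbits: int = 1 << 16, nhashes: int = 4):
        self.requested = BloomFilter(nbits, nhashes)    # SYN seen (claim 11, step a)
        self.established = BloomFilter(nbits, nhashes)  # SYN-ACK matched (claim 11, step c)
        self.closing = BloomFilter(nbits, nhashes)      # FIN seen (claim 21, step a)
        self.syns: Counter = Counter()                  # per-source SYN count
        self.answered: Counter = Counter()              # per-source established count

    def observe(self, p: Packet) -> Optional[str]:
        forward = flow_descriptor(p.src, p.sport, p.dst, p.dport)
        reverse = flow_descriptor(p.dst, p.dport, p.src, p.sport)
        if "S" in p.flags and "A" in p.flags:
            # Request-acknowledged datagram: look up the initiator's descriptor.
            if reverse in self.requested:
                self.established.add(reverse)
                self.answered[p.dst] += 1  # p.dst is the initiator of this flow
                return "established"
            return "unsolicited-synack"   # no prior request seen (or the filter was reset)
        if "S" in p.flags:
            self.requested.add(forward)
            self.syns[p.src] += 1
            return None
        if "F" in p.flags:
            if reverse in self.closing:   # second FIN, from the other side, in order
                return "released"
            self.closing.add(forward)
            return None
        return None

    def unanswered_syns(self, src: str) -> int:
        """SYNs from src that never produced an 'established' indication; many of these
        against many ports is the port-scan signal the abstract refers to."""
        return self.syns[src] - self.answered[src]


def run_demo() -> dict:
    """Constructed trace: one full handshake and close, one orphan SYN-ACK, one SYN scan."""
    det = SymmetricConnectionDetector()
    trace = [
        Packet("10.0.0.1", 40000, "192.0.2.10", 443, "S"),
        Packet("192.0.2.10", 443, "10.0.0.1", 40000, "SA"),
        Packet("10.0.0.1", 40000, "192.0.2.10", 443, "A"),
        Packet("192.0.2.99", 80, "10.0.0.1", 40001, "SA"),  # never requested
        Packet("10.0.0.1", 40000, "192.0.2.10", 443, "FA"),
        Packet("192.0.2.10", 443, "10.0.0.1", 40000, "FA"),
    ] + [Packet("10.0.0.9", 51000 + i, "192.0.2.10", port, "S")
         for i, port in enumerate((21, 22, 23, 25, 80))]
    events = [e for e in (det.observe(p) for p in trace) if e]
    return {"events": events,
            "scan_unanswered": det.unanswered_syns("10.0.0.9"),
            "client_unanswered": det.unanswered_syns("10.0.0.1")}


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner should keep in mind. A Bloom filter never forgets and never yields a false negative, so an unsolicited SYN-ACK can only be misreported as "established" through a hash collision, with probability set by the filter size, hash count and number of entries; at line rate the filters must therefore be sized for the expected SYN rate and periodically rotated or cleared, which the example does not do. And because the lookup is keyed purely on the address and port pairing, a SYN-ACK that spoofs the responder's address after observing a SYN will also match; the method detects that the exchange completed, not that the responder was legitimate.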