Symmetric connection detection

US 20070248084A1
Filed: 04/20/2006
Published: 10/25/2007
Est. Priority Date: 04/20/2006
Status: Active Grant

First Claim

Patent Images

1. A system for identifying establishment of a connection between a source host with a source address (Src) and a destination host with a destination address (Dst) in a data network, comprising:

a flow descriptor calculating unit for calculating a flow descriptor unique to said connection based on connection set-up datagrams exchanged between said source host and said destination host, wherein said flow descriptor is unique to said traffic flow;

storage means, for storing said flow descriptor based on a relationship between said Scr and Dst;

an access interface to said storage means for providing a flow present indication if said flow descriptor is found in said storage means; and

a controller for controlling operation of said descriptor calculating unit and said access interface and determining that said connection has been established based on said relationship and on said flow present indication.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Symmetric Connection Detection (SCD) is a method of detecting when a connection has been fully established in a resource-constrained environment, and works in high-speed routers, at line speed. Many network monitoring applications are only interested in connections that become fully established, so other connection attempts, such as port scanning attempts, simply waste resources if not filtered. SCD filters out unsuccessful connection attempts using a simple combination of Bloom filters to track the state of connection establishment for every flow in the network. Unsuccessful flows can be filtered out to a very high degree of accuracy, depending on the size of the bloom filter and traffic rate. The SCD methodology can also easily be adapted to accomplish port scan detection, and to detect or filter other types of invalid TCP traffic.

101 Citations

View as Search Results

21 Claims

1. A system for identifying establishment of a connection between a source host with a source address (Src) and a destination host with a destination address (Dst) in a data network, comprising:
- a flow descriptor calculating unit for calculating a flow descriptor unique to said connection based on connection set-up datagrams exchanged between said source host and said destination host, wherein said flow descriptor is unique to said traffic flow;
  
  storage means, for storing said flow descriptor based on a relationship between said Scr and Dst;
  
  an access interface to said storage means for providing a flow present indication if said flow descriptor is found in said storage means; and
  
  a controller for controlling operation of said descriptor calculating unit and said access interface and determining that said connection has been established based on said relationship and on said flow present indication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein said flow descriptor calculating unit comprises:
    - a detection unit for detecting a connection set-up datagram for said connection; and
      
      a flow descriptor calculating unit for calculating said flow descriptor from address data extracted from said connection set-up datagram.
  - 3. The system of claim 1, wherein said controller informs said access interface if the source address Scr in said set-up datagram is greater that the destination address Dst.
  - 4. The system of claim 1, wherein said storage means comprises a first container for storing flow descriptors obtained from connection set-up datagrams with a Scr>
    - Dst, and a second container for storing flow descriptors obtained from connection set-up datagrams with a Scr<
      
      Dst
  - 5. The system of claim 4, wherein said access interface comprises a flow storing mechanism for storing a flow descriptor in said first container if said flow descriptor is not already stored in said second container.
  - 6. The system of claim 4, wherein said access interface comprises:
    - a search mechanism for performing a look-up in said second container for a flow descriptor obtained from connection set-up datagrams with a Scr>
      
      Dst, and performing a look-up in said first container for a flow descriptor obtained from connection set-up datagrams with a Scr<
      
      Dst.
  - 7. The system of claim 4, further comprising a flow removal mechanism for removing all flow descriptors from said storage means after a preset amount of time.
  - 8. The system of claim 1, further comprising flow monitoring means for monitoring said connection once said control unit acknowledges that said connection has been established.
  - 9. The system of claim 1, wherein said flow descriptor calculating unit calculates said flow descriptor from connection release datagrams, for enabling said control unit to establish that a respective connection has been released.
  - 10. The system of claim 4, wherein said containers are Bloom filters, and each element of said Bloom filter is a small count counter.

11. A method for identifying establishment of a connection in a data network between a source host with a source address (Src) and a destination host with a destination address (Dst), comprising:
- a) detecting a first connection set-up datagram transmitted from said source host to said destination host and identifying said connection set-up datagram as a connection request;
  
  b) detecting a second connection set-up datagram transmitted from said destination host to said source host and identifying said second connection set-up datagram as a request acknowledged datagram;
  
  c) generating a connection established indication if both said connection request datagram and said request acknowledged datagram have been identified in this order.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, further comprising triggering traffic flow monitoring activities of interest for the respective connection in response to said connection established indication.
  - 13. The method of claim 11, wherein step a) comprises:
    - providing a first container for tracking connections with Scr>
      
      Dst and a second container for tracking connections with Scr<
      
      Dst;
      
      determining if a source address Scr₁in said first connection set-up datagram is greater than the destination address Dst₁;
      
      calculating a flow descriptor unique to said connection from said first connection set-up datagram; and
      
      storing said first flow descriptor in said first container if Scr₁>
      
      Dst₁and storing said first flow descriptor in said second container if Scr₁<
      
      Dst₁.
  - 14. The method of claim 13, wherein step b) comprises:
    - determining if a source address Scr₂in said second connection set-up datagram is greater than the destination address Dst₂;
      
      calculating a flow descriptor from said second connection set-up datagram;
      
      whenever Scr₂>
      
      Dst₂, searching if said flow descriptor is already stored in said second container; and
      
      providing a flow present indication if said flow descriptor is already stored in said second container, confirming that said source host and destination host have exchanged said connection request and request acknowledge datagrams, wherein said flow present indication enables generation in step c) of said connection established indication.
  - 15. The method of claim 14, further comprising storing said flow descriptor calculated from said second connection set-up datagram in said first container.
  - 16. The method of claim 14, further comprising removing said flow descriptor calculated from said first connection set-up datagram from said second container.
  - 17. The method of claim 13, wherein step b) comprises:
    - determining if a source address Scr₂in said second connection set-up datagram is greater than the destination address Dst₂;
      
      calculating a flow descriptor from said second connection set-up datagram;
      
      whenever Scr₂<
      
      Dst₂, searching if said flow descriptor is already stored in said first container; and
      
      providing a flow present indication if said flow descriptor is already stored in said first container, confirming that said source host and destination host exchanged said connection request and request acknowledge datagrams, wherein said flow present indication enables generation in step c) of said connection established indication.
  - 18. The method of claim 17, further comprising storing said flow descriptor calculated from said second connection set-up datagram in said second container.
  - 19. The method of claim 17, further comprising removing said flow descriptor calculated from said first connection set-up datagram from said first container.
  - 20. The method of claim 13, further comprising removing all said flow descriptors from said first and second containers at predetermined intervals of time.

21. A method for identifying release of a connection in a data network between a source host with a source address (Src) and a destination host with a destination address (Dst), comprising:
- a) detecting a first connection release datagram transmitted from said source host to said destination host and identifying said connection release datagram as a release connection request;
  
  b) detecting a second connection release datagram transmitted from said destination host to said source host and identifying said second connection release datagram as a request acknowledged datagram;
  
  c) issuing a connection release indication if both said connection release datagram and said request acknowledged datagram have been identified in this order.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel SA (Nokia Corporation)
Inventors
Whitehead, Bradley

Granted Patent

US 7,623,466 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 63/1466   Active attacks involving in...

H04L 67/14   Session management for real...

H04L 67/306   User profiles

Symmetric connection detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

101 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Symmetric connection detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links