Thwarting connection-based denial of service attacks

US 7,398,317 B2
Filed: 09/05/2001
Issued: 07/08/2008
Est. Priority Date: 09/07/2000
Status: Active Grant

First Claim

Patent Images

1. A method executed on a device for defending a server against SYN flood attacks, the method comprises:

during a connection setup initiated by sending a SYN packet from a client to a server;

forwarding a received SYN ACK packet from the server to the client;

maintaining a half-open connection for a variable timeout period and if an ACK packet does not arrive from the client to the server,sending a RST by the device to the server to cause the server to close the half-open connection.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.

119 Citations

View as Search Results

28 Claims

1. A method executed on a device for defending a server against SYN flood attacks, the method comprises:
- during a connection setup initiated by sending a SYN packet from a client to a server;
  
  forwarding a received SYN ACK packet from the server to the client;
  
  maintaining a half-open connection for a variable timeout period and if an ACK packet does not arrive from the client to the server,sending a RST by the device to the server to cause the server to close the half-open connection.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the device is a gateway device that is disposed inline between the server and a network that the client sends SYN packet requests on, and if the ACK packet does arrive from the client to the server,establish an open connection by the server.
  - 3. The method of claim 2 wherein if the ACK packet does arrive from the client to the server, the gateway forwards the ACK to the server to maintain the connection, with forwarding the ACK packet by the gateway further comprises:
    - forwarding subsequent packets for the open connection to the server.
  - 4. The method of claim 2 wherein if the gateway is inline with the network, maintaining further comprises:
    - tracking the number of non-ACK'"'"'ed connections requested from the server; and
      
      determining when the number of non-ACK'"'"'ed connections reaches a threshold; and
      
      pausing the gateway from forwarding any new SYN messages until the gateway sends resets to the server to reset at least some of the non-ACK'"'"'ed connections.
  - 5. The method of claim 1 wherein forwarding the ACK packet comprises:
    - forwarding subsequent packets for the connection.
  - 6. The method of claim 1 wherein the variable time out period is inversely proportional to number of connections for which expected ACK packets from the client have not been received.
  - 7. The method of claim 1 wherein the device is a gateway device that is disposed near the server.
  - 8. The method of claim 1 wherein forwarding a received SYN ACK packet further comprises immediately sending an ACK packet to the server.

9. A method executed on a gateway for defending a server against SYN flood attacks, the method comprises:
- during a connection setup initiated by sending a SYN packet from a client to a server;
  
  tracking ratios of SYNs to SYN ACKs;
  
  comparing the ratios to threshold values; and
  
  sending an alarm to a control center when the ratio exceeds a threshold value to indicate to the control center that the server is under a SYN flood attack.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9 wherein the gateway is disposed to sample network traffic flow between the server and a network.
  - 11. The method of claim 9, wherein the threshold is a first threshold, the method further comprising:
    - tracking ratios of SYN ACK packets to ACK packets;
      
      comparing the ratio to a second threshold value; and
      
      sending an alarm to a control center when the ratio of SYN ACK packets to ACK packets exceeds the second threshold to indicate to the control center that the server is under a SYN flood attack.

12. A gateway device disposed between a data center and a network for thwarting denial of service attacks on the data center, the gateway device comprises:
- a computing device comprising;
  
  a monitoring process that monitors network connection setups initiated by sending SYN packets from a client to the data center, the monitoring process including aSYN ACK forward process to forward received SYN ACK packets from a server to the client;
  
  a process to determine a variable time out period;
  
  a process to maintain a half open connection open for the variable timeout period;
  
  a reset process to send a reset packet to the server to cause the server to close the half-open connection when an ACK packet does not arrive from the client to the server during the timeout period; and
  
  a packet forwarding process to forward the ACK packet when the ACK packet is received from the client by the server, and to establish an open connection.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The gateway of claim 12 wherein the variable time out period is inversely proportional to number of connections for which a first ACK packet from client has not been received.
  - 14. The gateway of claim 12 wherein the gateway is disposed inline between the server and a network that the client sends SYN packet requests on.
  - 15. The gateway of claim 14 wherein the packet forward process to forward the ACK packet forwards subsequent packets for the connection and thereafter stops monitoring the connection.
  - 16. The gateway of claim 14 wherein if the gateway is inline with the network, the gateway tracks the number of non-ACK'"'"'ed connections requested from the server and when the number of non-ACK'"'"'ed connections reaches a threshold, inhibits the gateway from forwarding any new SYN messages until the gateway sends resets to the server to reset at least some of the non-ACK'"'"'ed connections.
  - 17. The gateway of claim 12 wherein the forward process further comprises a process to immediately send an ACK packet to the server.

18. A gateway device disposed between a data center and a network for thwarting denial of service attacks on the data center, the gateway device comprising:
- a computing device comprising a monitoring process that monitors network connection setups initiated by sending SYN packets from a client to the data center, the monitoring process comprising a process to;
  
  determine ratios of SYN packets to SYN ACK packets;
  
  compare the determined ratio to a threshold value; and
  
  send an alarm to a control center when at least one of the ratio exceeds a threshold value to indicate to the control center that the server is under a SYN flood attack.
- View Dependent Claims (19, 20)
- - 19. The device of claim 18 wherein the gateway is disposed inline to sample network traffic flow between the server and a network.
  - 20. The gateway device of claim 18 wherein the threshold is a first threshold, and the monitoring process further comprising a process to:
    - determine ratios of SYN ACK packets to ACK packets;
      
      compare the determined ratio to a second threshold value; and
      
      send an alarm to a control center when the ratio of SYN ACK packets to ACK packets exceeds the second threshold value to indicate to the control center that the server is under a SYN flood attack.

21. A computer program product residing on a computer readable medium for defending a server against SYN flood attacks, the computer program product executed on a device, the computer program product comprising instructions to cause the device to:
- forward, in response to a SYN packet received from a client to by the server, a SYN ACK packet from the server to the client;
  
  maintain a half-open connection open for a variable timeout period; and
  
  close the half-open connection by sending a RST to the server if an ACK packet does not arrive from the client to the server;
  
  orforward a received ACK to the server if the ACK packet does arrive from the client to the server.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The computer program product of claim 21 wherein the device is a gateway device that is disposed inline between the server and a network that the client sends SYN packet requests on.
  - 23. The computer program product of claim 22 wherein instructions to forward the ACK packet by the gateway further comprise instructions to:
    - forward subsequent packets for the connection and stop monitoring the connection.
  - 24. The computer program product of claim 22 wherein instructions to forward the ACK packet by the gateway further comprise instructions to:
    - forward subsequent packets for the connection.
  - 25. The computer program product of claim 21 wherein the variable time out period is inversely proportional to number of connections for which expected ACK packets from the client have not been received.
  - 26. The computer program product of claim 21 wherein instructions to forward a received SYN ACK packet further comprises instructions to immediately send an ACK packet to the server.

27. A computer program product residing on a computer readable medium for defending a server against SYN flood attacks, the computer program product executed on a device, the computer program product comprising instructions to cause the device to:
- during a connection setup initiated by sending a SYN packet from a client to a server;
  
  determine ratios of SYNs to SYN ACKs;
  
  compare the determined ratios to threshold values; and
  
  send an alarm message to a control center when at least one of the ratios exceeds a threshold value to indicate to the control center that the server is under a SYN flood attack.
- View Dependent Claims (28)
- - 28. The computer program product of claim 27 wherein the threshold is a first threshold, and the computer program product further comprises instructions to:
    - determine ratios of SYN ACK packets to ACK packets;
      
      compare the determined ratio to a second threshold value; and
      
      send an alarm to a control center when the ratio of SYN ACK packets to ACK packets exceeds the second threshold value to indicate to the control center that the server is under a SYN flood attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Mazu Networks, Inc. (Riverbed Technology Incorporated)
Inventors
Chen, Benjie, Poletto, Massimiliano Antonio
Primary Examiner(s)
Barot; Bharat

Application Number

US09/946,787
Publication Number

US 20020103916A1
Time in Patent Office

2,498 Days
Field of Search

709202-203, 709225-229, 709237-239, 709223-224, 370/328, 370/338, 370400-401, 713/153, 713/188, 726 22- 25
US Class Current

709/229
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 43/00   Arrangements for monitoring...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Thwarting connection-based denial of service attacks

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Thwarting connection-based denial of service attacks

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links