System and method for enhancing a server's ability to...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing

Reexamination Certificate


Details

C709S203000, C709S217000, C709S219000

Reexamination Certificate

active

06823387

ABSTRACT:

TECHNICAL FIELD
This invention relates generally to systems and methods for improving a server's ability to withstand hacker attacks when connected to a computer network such as the Internet, and more particularly to systems and methods for improving a server's ability to withstand a SYN flood denial of service attack.
BACKGROUND OF THE INVENTION
Despite early skepticism, businesses have now fully embraced the Internet as a vehicle critical to the success of their continued operations. The explosion of e-commerce and the emergence of business to business (B2B) technologies and industry utilization, as well as the proliferation of personal computers (PCs), have galvanized the business mindset and the consuming public to the use of the Internet as an everyday tool for commerce. The explosion of such use has pushed the limits of Internet technology faster and further than heretofore thought possible. Unfortunately, such explosion has also brought forth an unsavory element known as hackers that threatens to bring down, or at least hobble, this new e-commerce business paradigm that is otherwise beginning to flourish.
One technique that these hackers have employed against Web servers is known as a SYN flood denial of service attack. This type of attack is based on the realization by the hackers that many corporate Web sites are getting millions of hits per day, and that many servers are not able to respond crisply under these heavy loads. Even with only the volume of legitimate connect requests from actual potential customers, many servers often slow down network connections, deny service for potential customers, and even cause network failures due to the sheer volume of business which potential customers are attempting to conduct on the Web server. Such performance slowdowns and denial of service problems tend to increase customer dissatisfaction, reduce sales, and diminish the possibility for repeat customers. These problems translate directly into lost sales and lost business opportunities. Unfortunately, this disruptive and non-productive environment appears to be exactly what many hackers are seeking, and they have devised the SYN flood denial of service attack to foster its existence.
On Feb. 7, 8, and 9, 2000, this very type of denial of service attack was used to block access to legitimate users of many popular Websites, including Yahoo, Buy.com, eBay, CNN.com, Amazon.com, ZDNet, E*Trade, and Datek. This type of attack was also blamed for the Feb. 18, 2000, shutdown of the Federal Bureau of Investigation's (FBI) Website for several hours. Warnings of such attacks had been issued by the National Institute of Standards and Technology, Carnegie Mellon's Computer Emergency Response Team Center, and the FBI. However, despite the warnings and all the preparations and precautions taken by Internet Service Providers (ISPs) against such attacks, including rate filters, these Websites were still taken down for several hours. The failure of these Websites to protect against such a simple attack has called into question the vulnerability of Internet companies.
Spurred by the February 7-9 attacks, the President of the United States called an emergency Web security summit on February 15 with experts, government officials (including the Attorney General, the National Security Adviser, the Commerce Secretary, and others), and high-tech business leaders to address the concerns felt by the federal government and private industry about such attacks. This problem is so serious that the Attorney General of the United States of America has charged federal law enforcement officials to combine their resources to combat this type of online terrorism, enlisting the FBI and the National Infrastructure Protection Center (NIPC) in the fight. Further, the President has sent a budget request of $2 Billion to Congress for government efforts to combat computer sabotage by cyberterrorists.
To understand these SYN flooding denial of service attacks, one must first understand the way the Internet, and the servers connected to the Internet, operate. Lying at the core of the explosion of the popularity and usage of the Internet is the Web server and browser communication protocol known as hypertext transfer protocol (HTTP). HTTP is the network protocol used to deliver virtually all files and other data, known collectively as resources, on the worldwide Web. These resources include HTML files, image files, query results, etc. This network protocol typically takes place through TCP/IP sockets. As with other network protocols, HTTP utilizes a client-server model. In this model, an HTTP client (such as a consumer) opens a connection and sends a request message to an HTTP server (e.g. a corporate Web server). Once the HTTP server has received the request from the client, it returns a response message, typically containing the resource that was requested by the client. For most typical browsing transactions on the Internet, the server then closes the connection after delivering the response. As such, HTTP is a stateless protocol, i.e. not maintaining any connection information between transactions.
The actual mechanism of an HTTP transaction, such as a Web browsing connection, is shown in FIG. 7, which illustrates the basic request/response message flow between a client and a server. As may be seen from this simplified figure, a client 500 establishes a TCP connection to a server 502 by transmitting a connect request 504 (TCP SYN) to the server 502. This SYN 504 is received at the TCP/IP layer 506 within the server 502. This TCP/IP layer 506 then creates a TCP control block (TCB) to service the connection, and notifies 508 the connect request to the socket layer 510. The socket layer 510 then indicates 512 to the TCP/IP layer 506 the acceptance of this connect request. At this point, the TCP/IP layer 506 caches route information about the connection and client, and transmits an acknowledgment (TCP SYN+Ack) 514 to the client 500, who then completes the connect request by acknowledging (TCP Ack) 516 the server's acknowledgment of its initial request. This three-way handshake establishes the TCP connection over which the client 500 then transmits the HTTP “Get file” request to the server.
In a SYN flood attack, the hacker takes advantage of the server's allocation of resources and desire to establish a connection to service a client, recognizing that a server will attempt several times to establish a connection with a client before giving up the connection attempt and freeing the resources allocated to the connection. The abuse of the TCP/IP connect attempt arises at the point where the server system 502 has sent an acknowledgment (SYN-ACK 514) back to the client 500, but has not yet received the ACK 516 message. This is known as a half-open connection. The server 502 typically has built in its system memory a data structure describing all pending connections. Since this data structure is of finite size, it can be made to overflow by intentionally creating too many half-open connections.
Creating half-open connections is easily accomplished by the hacker with IP spoofing. The attacking system sends SYN messages 504 to the victim server system 502 that appear to be legitimate, but in fact reference a client system that is unable to respond to the SYN-ACK messages 514. This means that the final ACK message 516 will never be sent to the victim server system 502. The half-open connections data structure on the victim server system 502 will eventually fill, at which point the system 502 will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system 502 will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.
The time-out may be quite long
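As an added example, not part of the patent text, the following Python model of the finite half-open connection table described above shows how a SYN allocates an entry (the TCB), how the final ACK or the timeout frees it, and why SYNs that are never acknowledged, arriving faster than entries expire (rate times timeout exceeding the table's capacity), leave no room for a legitimate client. The capacity, timeout, and addresses are constructed values, not figures from the patent.

```python
from collections import OrderedDict

class HalfOpenTable:
    """Constructed model of the finite pending-connection table: a SYN allocates
    an entry (the TCB), freed by the client's final ACK or by the timeout."""
    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.pending = OrderedDict()  # (ip, port) -> time the SYN was received
        self.established = self.dropped = 0

    def _expire(self, now):
        # Entries are in arrival order, so expired ones sit at the front.
        while self.pending and now - next(iter(self.pending.values())) >= self.timeout:
            self.pending.popitem(last=False)

    def syn(self, key, now):
        """Return True if a TCB was allocated (SYN-ACK sent), False if dropped."""
        self._expire(now)
        if key in self.pending:
            return True  # retransmitted SYN reuses its entry
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False
        self.pending[key] = now
        return True

    def ack(self, key, now):
        """Return True if this ACK completed a pending handshake."""
        self._expire(now)
        if self.pending.pop(key, None) is None:
            return False
        self.established += 1
        return True

def sustainable_unanswered_rate(capacity, timeout):
    """Unanswered SYNs per second the table absorbs without ever filling: each
    entry lives `timeout` seconds, so steady-state occupancy is rate * timeout."""
    return capacity / timeout

def legit_client_admitted(unanswered_rate, capacity=8, timeout=75.0, duration=20.0):
    """Feed SYNs whose ACK never arrives at a fixed rate for `duration` seconds,
    then check whether a legitimate client's SYN still gets a TCB."""
    table = HalfOpenTable(capacity, timeout)
    n = 0
    while n / unanswered_rate < duration:
        table.syn(("unanswered", n), n / unanswered_rate)  # constructed keys
        n += 1
    legit = ("198.51.100.7", 51000)  # constructed documentation address
    if not table.syn(legit, duration):
        return False
    return table.ack(legit, duration + 0.05)
```

With the default capacity of 8 and a 75-second timeout, one unanswered SYN per second fills the table long before any entry expires, while a 5-second timeout keeps the occupancy at five entries and the legitimate client is still served.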
