Denial-of-service attack blocking with selective passing and...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing

Reexamination Certificate


Details

C709S225000, C709S226000, C709S229000, C709S235000

active

06751668

ABSTRACT:

TECHNICAL FIELD
The present invention relates to denial of service attacks and, in particular, to a method of handling denial of service attacks without entirely blocking all new session connection requests.
BACKGROUND
Denial-of-Service (DoS) attacks are well known. In a typical DoS attack, the attacker employs Internet Protocol (IP) source address spoofing to directly or indirectly launch an immense volume of bogus traffic at a target system. For example, the attacker may use randomly changing or phony source addresses to flood a specific target with bogus session requests carried in TCP SYN, UDP or ICMP packets. This bogus traffic may originate from a single host, from a group of hosts in a specific network, or from any number of hosts on the Internet. The overwhelming number of bogus session requests potentially exhausts the resources of the target system and thus leads to denial of service.
In response to a DoS attack, a typical firewall starts dropping all new session requests as soon as the rate of incoming session requests exceeds a predetermined threshold. Until the blocking time for new session requests expires, or the rate of new session requests falls off, the firewall denies every new session request. This mechanism is, in general, useful for protecting systems under attack. However, because all new session requests are denied, legitimate requests are denied along with the bogus ones.
Another approach that has been used to fight DoS attacks is known as Random Early Drop (RED). To implement RED, each time a new session request is received, an unanswered (pending) session request is dropped. This approach is described, for example, in Linux Magazine, August 1999 (see http://www.linux-mag.com/1999-08/bestdefense02.html). Thus, using RED, at least some legitimate session requests theoretically get through to the target system. However, there is high overhead involved in receiving the onslaught of bogus session requests and dealing with each one individually (by dropping a pending session request in response to it).
SUMMARY
The present invention is a method and apparatus for responding to denial of service attacks. Rather than a firewall or other device either denying all new session requests or denying none of them (at the cost of dropping then-pending session requests), new session requests are selectively passed to the device.
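To make the three behaviours described above concrete, here is a constructed simulation (added here, not the patent's own code) that runs one window of session requests through a block-all firewall, through RED, and through a selective-passing policy. The capacity, threshold and the "admit one in every four requests in DoS mode" selection rule are assumptions for illustration; the patent text does not specify the selection rule.

```python
"""Constructed model of the three new-session admission behaviours above (not the
patent's code). Requests arrive in order, tagged "legit"/"bogus" only for scoring;
the device holds at most CAPACITY half-open sessions per measurement window."""
from collections import deque

CAPACITY = 16    # half-open session slots on the protected device (assumed)
THRESHOLD = 10   # request count per window that triggers DoS handling (assumed)
PASS_EVERY = 4   # assumed selective policy: in DoS mode admit 1 of every 4 requests

def block_all(requests, threshold=THRESHOLD, capacity=CAPACITY):
    """Typical firewall: once the threshold is exceeded, deny every new request."""
    pending = deque()
    for i, req in enumerate(requests, 1):
        if i <= threshold and len(pending) < capacity:
            pending.append(req)
    return list(pending), 0

def random_early_drop(requests, capacity=CAPACITY):
    """RED: every arrival is accepted; when the table is full the oldest
    unanswered request is dropped to make room, so each arrival costs work."""
    pending, evictions = deque(), 0
    for req in requests:
        if len(pending) >= capacity:
            pending.popleft()
            evictions += 1
        pending.append(req)
    return list(pending), evictions

def selective_pass(requests, threshold=THRESHOLD, capacity=CAPACITY, every=PASS_EVERY):
    """Selective passing: above the threshold admit every `every`-th new request
    instead of none; nothing already pending is evicted."""
    pending = deque()
    for i, req in enumerate(requests, 1):
        if i > threshold and (i - threshold) % every != 0:
            continue                       # DoS mode: this request is not selected
        if len(pending) < capacity:
            pending.append(req)
    return list(pending), 0

def score(result):
    """Who is left in the pending table, and how many evictions it cost."""
    pending, evictions = result
    return {"legit": pending.count("legit"), "bogus": pending.count("bogus"),
            "evictions": evictions}

# Constructed flood: 3 legitimate requests buried among 27 spoofed ones.
FLOOD = (["bogus"] * 9 + ["legit"]) * 3

if __name__ == "__main__":
    for name, fn in (("block_all", block_all), ("RED", random_early_drop),
                     ("selective", selective_pass)):
        print(f"{name:>10}: {score(fn(FLOOD))}")
```

In this run block-all lets through only the one legitimate request that arrived before the threshold, RED lets two through but performs an eviction for every arrival once the table is full, and selective passing lets two through with no eviction work at all.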
REFERENCES:
patent: 5371852 (1994-12-01), Attanasio et al.
patent: 5473599 (1995-12-01), Li et al.
patent: 5642515 (1997-06-01), Jones et al.
patent: 5892917 (1999-04-01), Myerson
patent: 6078943 (2000-06-01), Yu
patent: 6098122 (2000-08-01), Emmes et al.
patent: 6341304 (2002-01-01), Engbersen et al.
patent: 6425057 (2002-07-01), Cherkasova et al.
patent: 6430619 (2002-08-01), Sitaraman et al.
patent: 6526448 (2003-02-01), Blewett
patent: 6529955 (2003-03-01), Sitaraman et al.
patent: 6662230 (2003-12-01), Eichstaedt et al.
Cherkasova, Ludmila and Peter Phaal, “Session Based Admission Control: a Mechanism for Improving Performance of Commercial Web Sites,” IEEE Seventh International Workshop on Quality of Service, pp. 226-235 (1999).
U.S. patent application Ser. No. 09/465,123, Lin, filed Dec. 16, 1999.
Abadi, M., et al, “Secure Web Tunneling,” http://pa.bell-labs.com/~abadi/Papers/tunnel/206.html, pp. 1-13 (Dec. 16, 2000).
“Intel ISP Program Case Studies: UUNET Canada Leads the Industry in Move to Virtual Private Networks,” http://www.intel.com/isp/casestudies/uunet.htm, pp. 1-4 (2000).
“Tunnel Switching: 3Com Technology Boosts VPN Security and Flexibility,” http://www.3com.com/technology/tech_net/white_papers/503049.html, pp. 10 (1999).
“Virtual Multi-megabit Access Path: Affordable and Available Internet and IP Access at Speeds Greater than T1,” http://www.tiaranetworks.com/vmapwp.html, pp. 1-9 (1999).
“Web Workshop—Virtual Private Networking: An Overview,” http://msdn.Microsoft.com/workshop/server/feature/vpnovw.asp, pp. 1-16 (May 29, 1998).
Ferguson, Paul and D. Senie, “Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing,” http://andrew2.Andrew.cmu.edu/rfc/rfc2267.html, pp. 1-16 (Jan. 1998).
“The NetBoost Policy Engine: Comprehensive Platform Enables Today's Leading Policy Enforcement Applications to Operate at Full Wire Speed,” NetBoost Corporation, pp. 1-9 (1998).
“The NetBoost Policy Appliance: Device Enables Concurrent Operation of Multiple Policy Enforcement Applications to Operate at Full Wire Speed,” NetBoost Corporation (1998).
“NetBoost PE—1000: Network Application Engine,” NetBoost Corporation (1998).
“NetBoost SDK: Software Development Kit,” NetBoost Corporation (1998).
“A New Breed: The Net Boost Platform for Policy Enforcement Applications,” NetBoost Corporation, pp. 1-11 (1998).
Russell, Paul, “Keeping the TCP/IP Stream Flowing,” Linux Magazine, http://www.linux-mag.com/1999-08/bestdefense02.html, pp. 1-8 (Aug. 1999).
