Network protection for denial of service attacks

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

Classification: C713S152000, C709S206000, C709S223000, C709S224000, C707S793000

Status: active

Patent number: 06725378

ABSTRACT:

BACKGROUND OF THE INVENTION
The present invention relates to computer network security, and more particularly, but not exclusively, relates to protection from denial of service attacks caused by initiating, but not completing, a number of spurious connections through the Internet.
Concomitant with the development of computer networks, schemes to degrade or defeat operation of such networks have been devised. In response, a host of techniques have been proposed to improve network security. U.S. Pat. No. 5,884,025 to Baehr et al.; U.S. Pat. No. 5,842,040 to Hughes et al.; U.S. Pat. No. 5,826,014 to Coley et al.; U.S. Pat. No. 5,822,434 to Caronni et al.; U.S. Pat. No. 5,604,803 to Aziz; U.S. Pat. No. 5,511,122 to Atkinson; and U.S. Pat. No. 5,481,611 to Owens et al. are cited as sources of additional background information regarding various attempts to improve network security.
One particular type of attack monopolizes available network resources in such a manner that legitimate users are denied service. This type of “denial of service attack” has been recognized in various contexts. One especially troublesome denial of service attack for Internet Protocol (IP) based networks is called “SYN flooding.” SYN flooding arises when an attacker sends many Transmission Control Protocol (TCP) connection requests, each initiated with a “SYNchronize” (also called SYN) packet, to a victim's machine. Each request causes the targeted host to instantiate data structures out of a limited pool of resources; however, because the source address for each of these SYN packets is illegitimate or “spoofed,” completion of a proper connection is impossible. Consequently, the limited resources of the targeted host are quickly used up in response to the spurious SYN packets so that no more incoming TCP connections can be established—thus denying further legitimate access. The SYN flooding attack exploits weaknesses in TCP/IP (Transmission Control Protocol/Internet Protocol) that cannot be corrected without significant protocol modifications. Moreover, this type of denial of service attack can be launched with little effort, and is difficult to trace back to its originator.
As a result, there is a need for protective techniques that reduce, if not eliminate, the impact of denial of service attacks, such as SYN flooding.
SUMMARY OF THE INVENTION
One form of the present invention includes a unique computer network monitoring technique. A further form of the present invention includes a unique defense for denial of service attacks.
In another form of the present invention, network messages passing to one or more hosts from an untrusted network are actively monitored. Suspect messages are identified. The behavior of each suspect message is tracked in terms of a number of conditionally coupled states to determine whether any of the suspect messages present a security threat requiring action.
In yet another form, network messages may be classified into one or more other categories besides the suspect category. By way of nonlimiting example, TCP packets may be categorized as having an unacceptable source address, suspect source address, or acceptable source address.
In an additional form, host resources allocated in response to connection initiation requests from an untrusted network are released by monitoring such requests, determining which requests are unacceptable or suspect, and selectively sending a command that changes the status of such requests from the perspective of the hosts. In one nonlimiting example, host resources dedicated to incomplete TCP connections that are quickly saturated by suspect SYN packets may be released by sending ACKnowledge packets (also called ACK packets) corresponding to the SYN packets. In another nonlimiting example, host resources may be relieved by closing spurious connections through transmission of a ReSeT packet (also called a RST packet).
In still another form, a technique of the present invention includes detecting a number of SYN packets sent from an untrusted network to a destination host to regulate spurious connection attempts. The corresponding source address of each SYN packet is classified in one of a plurality of different categories, the categories including a suspect source address category and an unacceptable source address category. TCP packet behavior is monitored for each address classified in the suspect source address category with a state machine process including at least three different conditionally coupled states, and a RST packet is sent to the destination host for any address classified in the unacceptable source address category.
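The backlog exhaustion described in the background and the monitor described in the summary (source address classification into acceptable, suspect and unacceptable; a tracker with conditionally coupled states for suspect addresses; ACK packets injected to release half-open connections and RST packets injected to close spurious ones) can be simulated end to end. The following is an added Python example written for this page, not code from the patent or its inventors. The packet format, the state names new/good/bad, the two-second timeout, the host backlog model and the packet trace are all assumptions made for the example.

```python
# Added example: packet format, state names, timeout and backlog model are assumptions, not the patent's.
from collections import namedtuple

# Constructed packet: t = arrival time in seconds; flags is "S" (SYN), "A" (ACK) or "R" (RST).
Packet = namedtuple("Packet", "t src sport flags")
SYN_TIMEOUT = 2.0  # assumed: seconds a suspect source gets to answer before it is judged bad


class Host:
    """Minimal TCP server: a fixed pool of half-open (SYN_RECEIVED) slots, the resource a SYN flood exhausts."""
    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = set()    # (src, sport) waiting for the third-handshake ACK
        self.established = set()  # (src, sport) whose handshake completed
        self.refused = 0          # SYNs dropped because every slot was taken

    def receive(self, pkt):
        key = (pkt.src, pkt.sport)
        if pkt.flags == "R":                        # RST tears the connection down, freeing its state
            self.half_open.discard(key)
            self.established.discard(key)
        elif pkt.flags == "S":                      # connection request
            if key in self.half_open or key in self.established:
                return                              # retransmission: nothing new to allocate
            if len(self.half_open) >= self.backlog:
                self.refused += 1                   # what a legitimate user experiences as denial of service
                return
            self.half_open.add(key)
        elif pkt.flags == "A" and key in self.half_open:
            self.half_open.remove(key)              # handshake completes; the slot is released
            self.established.add(key)


class Monitor:
    """Classifies each SYN's source address as acceptable, suspect or unacceptable, tracks suspect
    addresses through the coupled states new -> good / new -> bad, and injects ACK or RST toward the host."""
    def __init__(self, host, acceptable=(), unacceptable=(), timeout=SYN_TIMEOUT):
        self.host = host
        self.acceptable, self.unacceptable = set(acceptable), set(unacceptable)
        self.timeout = timeout
        self.state = {}                     # suspect src -> (state, time that state was entered)
        self.ports, self.injected = {}, []  # source ports seen per suspect src; packets forged toward the host

    def classify(self, src):
        st = self.state.get(src, (None,))[0]
        if src in self.unacceptable or st == "bad":
            return "unacceptable"
        if src in self.acceptable or st == "good":
            return "acceptable"
        return "suspect"

    def _inject(self, t, flags, src, sport):
        # Assumed: the monitor can forge a packet carrying the source's address. A real one would also
        # need the host's initial sequence number, taken from the SYN/ACK it observed.
        pkt = Packet(t, src, sport, flags)
        self.injected.append(pkt)
        self.host.receive(pkt)

    def observe(self, pkt):
        """Process one packet from the untrusted network; call in arrival order."""
        self.expire(pkt.t)
        self.host.receive(pkt)                      # the host sees the original packet regardless
        cat = self.classify(pkt.src)
        if pkt.flags == "S":
            if cat == "unacceptable":
                self._inject(pkt.t, "R", pkt.src, pkt.sport)  # close it immediately
            elif cat == "suspect":
                self.state.setdefault(pkt.src, ("new", pkt.t))
                self.ports.setdefault(pkt.src, set()).add(pkt.sport)
                # Complete the handshake on the source's behalf so the host's half-open slot is
                # released now; expire() resets the connection if the source never answers.
                self._inject(pkt.t, "A", pkt.src, pkt.sport)
        elif pkt.flags == "A" and self.state.get(pkt.src, (None,))[0] == "new":
            self.state[pkt.src] = ("good", pkt.t)   # the address completed a handshake by itself

    def expire(self, now):
        """Suspect addresses that never answered become bad and have their connections reset."""
        for src, (st, since) in list(self.state.items()):
            if st == "new" and now - since > self.timeout:
                self.state[src] = ("bad", now)
                for sport in sorted(self.ports.pop(src, ())):
                    self._inject(now, "R", src, sport)


def run_trace(trace, backlog, protect, end_time):
    """Replay a trace against a host with or without the monitor and summarize the outcome."""
    host = Host(backlog)
    mon = Monitor(host) if protect else None
    for pkt in trace:
        (mon.observe if mon else host.receive)(pkt)
    if mon:
        mon.expire(end_time)
    return {"refused": host.refused, "half_open": len(host.half_open),
            "established": sorted(host.established),
            "states": {s: st for s, (st, _) in mon.state.items()} if mon else {},
            "rst_sent": sum(p.flags == "R" for p in mon.injected) if mon else 0}


# Constructed trace: ten SYNs from spoofed sources that never answer, one legitimate client that
# completes its handshake, then the attacker reusing an address the monitor has already judged bad.
TRACE = [Packet(0.1 * i, f"10.0.0.{i + 1}", 1000 + i, "S") for i in range(10)]
TRACE += [Packet(1.0, "192.0.2.7", 40000, "S"), Packet(1.1, "192.0.2.7", 40000, "A"),
          Packet(6.0, "10.0.0.1", 2000, "S")]
RESULTS = {"unprotected": run_trace(TRACE, 5, False, 10.0), "protected": run_trace(TRACE, 5, True, 10.0)}
```

With a backlog of five slots and no monitor, the first five spoofed SYNs fill the host's half-open pool and every later request, the legitimate client's included, is refused. With the monitor in place the host refuses nothing: each suspect SYN is acknowledged on the source's behalf so the slot is freed at once, the client answers and its address moves to good, the ten silent sources time out into bad and their connections are reset, and the attacker's reuse of a bad address draws an immediate RST. Two things the simulation leaves out are worth noting for a deployment: the forged ACK is only accepted by a real host if it carries the sequence number from the host's own SYN/ACK, which the monitor must observe, and the acceptable and unacceptable lists must come from site knowledge, for instance treating source addresses that could not legitimately arrive from the untrusted side as unacceptable.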
Accordingly, it is one object of the present invention to provide a unique computer network monitoring technique.
It is another object of the present invention to provide a unique defense for denial of service attacks.


REFERENCES:
patent: 5481611 (1996-01-01), Owens et al.
patent: 5511122 (1996-04-01), Atkinson
patent: 5604803 (1997-02-01), Aziz
patent: 5606668 (1997-02-01), Shwed
patent: 5699513 (1997-12-01), Feigen et al.
patent: 5724425 (1998-03-01), Chang et al.
patent: 5751812 (1998-05-01), Anderson
patent: 5822434 (1998-10-01), Caronni et al.
patent: 5826014 (1998-10-01), Coley et al.
patent: 5828846 (1998-10-01), Kirby et al.
patent: 5842040 (1998-11-01), Hughes et al.
patent: 5845068 (1998-12-01), Winiger
patent: 5850449 (1998-12-01), McManis
patent: 5884025 (1999-03-01), Baehr et al.
patent: 5991881 (1999-11-01), Conklin et al.
patent: 5999932 (1999-12-01), Paul
patent: 6061798 (2000-05-01), Coley et al.
patent: 6070242 (2000-05-01), Wong et al.
patent: 6304975 (2001-10-01), Shipley
patent: 6453345 (2002-09-01), Trcka et al.
RFC 793, Transmission Control Protocol, Information Sciences Institute, University of Southern California, USA, 1981.
Firewalls fend off invasions from the Net, Steven W. Lodin and Christoph L. Schuba; IEEE Spectrum, Feb. 1998, pp. 26-34.
Defining Strategies to Protect Against TCP SYN Denial of Service Attacks, Security Advisory, Cisco Systems, Inc., 1996.
Advisory CA-96.21; TCP SYN Flooding and IP Spoofing Attacks, CERT Advisory, Sep. 19, 1996.
SUN Microsystems Security Bulletin #00136; Oct. 9, 1996.
Check Point Firewall-1 White Paper, Check Point Software Technologies, Ltd., Version 3.0 -Jun. 1997.
