USRE49053EExpiredUtility

System and method for an adaptive TCP SYN cookie with time validation

60
Assignee: A10 NETWORKS INCPriority: Feb 21, 2006Filed: Dec 28, 2018Granted: Apr 26, 2022
Est. expiryFeb 21, 2026(expired)· nominal 20-yr term from priority
H04L 47/43H04L 63/1458H04L 47/10
60
PatentIndex Score
0
Cited by
33
References
31
Claims

Abstract

Provided is a method and system for TCP SYN cookie validation. The method includes receiving a session SYN packet by a TCP session setup module of a host server, generating a transition cookie including a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A system for TCP SYN cookie validation at a host server comprising:
 a session SYN packet receiver for receiving a session SYN packet;   a transition cookie generator operating to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time, wherein the transition cookie generator generates the transition cookie secret key based on data obtained from the received session SYN packet, the data obtained from the SYN packet including at least one of a source IP address of an IP header, a destination port, a source port, and a sequence number of a TCP header in the received session SYN packet, wherein the transition cookie generator concatenates the obtained data from the session SYN packet to generate a first data item of the generator and the transition cookie generator uses a first hash function to generate the transition cookie secret key from the first data item of the generator;   a session SYN/ACK packet sender for sending the transition cookie in response to the received session SYN packet;   a session ACK packet receiver for receiving a session ACK packet, the session ACK packet including a candidate transition cookie; and   a transition cookie validator, for determining whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received, wherein the transition cookie validator generates a candidate transition cookie secret key based on data obtained from the received session ACK packet, the data obtained from the ACK packet including at least one of a source IP address of the IP header, a destination port, and a source port, wherein the transition cookie validator concatenates the obtained data from the session ACK packet to generate a first data item of the validator and the transition cookie validator uses the first or another hash function to generate the candidate transition cookie secret key from the first data item of the validator,   wherein at least one of:   the transition cookie generator uses a secret key offset to select one or more bits of data from the first data item of the generator in order to generate a second data item of the generator, and   the transition cookie validator uses a candidate secret key offset to select one or more bits of data from the first data item of the validator in order to generate a second data item of the validator.   
     
     
       2. The system according to  claim 1 , in which the transition cookie validator determines that the received session ACK packet is valid if the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received. 
     
     
       3. The system according to  claim 1 , in which the predetermined time interval is in the range of one to six seconds. 
     
     
       4. The system according to  claim 1 , in which the predetermined time interval is three seconds. 
     
     
       5. The system according to  claim 1 , in which the generating of the transition cookie includes the use of random data. 
     
     
       6. The system according to  claim 1 , in which the generating of the transition cookie includes the use of data obtained from the session SYN packet. 
     
     
       7. A system for TCP SYN cookie validation at a host server comprising:
 a session SYN packet receiver for receiving a session SYN packet;   a transition cookie generator operating to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time, wherein the transition cookie generator generates the transition cookie by (i) generating an encrypted data element of the generator by applying a cryptographic method on the transition cookie secret key and a transition cookie data element, (ii) performing an unsigned binary addition on the encrypted data element of the generator and a sequence number of a TCP header in the received session SYN packet, and (iii) storing the result in the transition cookie;   a session SYN/ACK packet sender for sending the transition cookie in response to the received session SYN packet;   a session ACK packet receiver for receiving a session ACK packet, the session ACK packet including a candidate transition cookie; and   a transition cookie validator, for determining whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.   
     
     
       8. The system according to  claim 7 , wherein the transition cookie data element comprises data based on at least one of: a selective ACK, an MSS index, and a 32-bit current time of day indicated by a clock. 
     
     
       9. A system for TCP SYN cookie validation at a host server comprising:
 a session SYN packet receiver for receiving a session SYN packet;   a transition cookie generator operating to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time;   a session SYN/ACK packet sender for sending the transition cookie in response to the received session SYN packet;   a session ACK packet receiver for receiving a session ACK packet, the session ACK packet including a candidate transition cookie; and   a transition cookie validator, for determining whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received, wherein the transition cookie validator generates:   a candidate sequence number such that a sequence number of a TCP header in the received session ACK packet equals the sum of the candidate sequence number and a value of 1,   a candidate encrypted data element such that the result of performing an unsigned binary addition of the candidate encrypted data element and a candidate sequence number equals the candidate transition cookie, and   a candidate transition cookie data element by applying a cryptographic method on a candidate transition cookie secret key and the candidate encrypted data element.   
     
     
       10. The system according to  claim 9 , wherein the transition cookie validator validates the candidate transition cookie data element by adjusting the candidate transition cookie data element to generate, and determining if the adjusted candidate transition cookie data element is within a predetermined time margin of a modified current time. 
     
     
       11. A system for TCP SYN cookie validation at a host server, the system comprising:
 a session SYN packet receiver hardware configured to receive a session SYN packet;   a transition cookie generator hardware configured to generate a transition cookie using a transition cookie secret key, the transition cookie comprising a time value representing the actual time, wherein the transition cookie generator hardware generates the transition cookie secret key based on data obtained from the received session SYN packet, wherein the transition cookie generator hardware generates the transition cookie secret key by:
 (i) generating an encrypted data element of the transition cookie generator hardware by applying a cryptographic method on the transition cookie secret key and a transition cookie data element; 
 (ii) performing an unsigned binary addition on the encrypted data element of the transition cookie generator hardware and a sequence number of a TCP header in the session SYN packet to obtain a result; and 
 (iii) storing the result in the transition cookie; 
   a session SYN/ACK packet sender hardware configured to send the transition cookie in response to the received session SYN packet;   a session ACK packet receiver hardware configured to receive a session ACK packet including a candidate transition cookie; and   a transition cookie validator hardware configured to determine whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received, wherein the transition cookie validator hardware generates a candidate transition cookie secret key based on data obtained from the received session ACK packet.   
     
     
       12. The system of claim 11, wherein the data obtained from the session SYN packet includes at least one of a source IP address, a destination port, a source port, and a sequence number of a TCP header. 
     
     
       13. The system of claim 11, wherein the transition cookie secret key is generated by:
 concatenating the data obtained from the session SYN packet;   forming a first secret key transition data item based on the concatenation; and   generating the transition cookie secret key from the first secret key transition data item.   
     
     
       14. The system of claim 13, wherein generating the transition cookie secret key from the first secret key transition data item comprises using a hash function. 
     
     
       15. The system of claim 13, wherein the transition cookie secret key is further generated by:
 selecting one or more bits of data from the first secret key transition data item using a secret key offset;   forming a second secret key transition data item based on the selected one or more bits; and   generating the transition cookie secret key from the first secret key transition data item and the second secret key transition data item.   
     
     
       16. The system of claim 11, wherein the data obtained from the session ACK packet includes at least one of a source IP address, a destination port, and a source port. 
     
     
       17. The system of claim 11, wherein the candidate transition cookie secret key is generated by:
 concatenating data obtained from the session ACK packet;   forming a secret key candidate data item based on the concatenation; and   generating the candidate transition cookie secret key from the secret key candidate data item of the validation.   
     
     
       18. The system of claim 17, wherein the candidate transition cookie secret key is further generated by using a hash function to generate the candidate transition cookie secret key from the first secret key candidate data item. 
     
     
       19. The system of claim 11, further comprising determining that the received session ACK packet is valid if the candidate transition cookie in the session ACK packet comprises the time value representing a time within a predetermined time interval from the time the session ACK packet is received. 
     
     
       20. The system of claim 19, wherein the predetermined time interval is between one and eleven seconds. 
     
     
       21. The system of claim 11, wherein the candidate transition cookie secret key is generated based on data obtained from the session ACK packet and a candidate sequence number. 
     
     
       22. A host for validating a TCP SYN cookie, comprising:
 a memory device storing instructions; and   a processor that, when executing the instructions, configures the host to:
 receive a session SYN packet; 
 generate a transition cookie using a transition cookie secret key, the transition cookie comprising a time value representing the actual time, the transition cookie secret key being generated based on data obtained from the session SYN packet, the transition cookie secret key being generated by:
 (i) generating an encrypted data element by applying a cryptographic method on the transition cookie secret key and a transition cookie data element; 
 (ii) performing an unsigned binary addition on the encrypted data element and a sequence number of a TCP header in the session SYN packet to obtain a result; and 
 (iii) storing the result in the transition cookie; 
 
 send the transition cookie in response to the received session SYN packet; 
 receive a session ACK packet including a candidate transition cookie; and 
 determine whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received, wherein the processor generates a candidate transition cookie secret key based on data obtained from the received session ACK packet. 
   
     
     
       23. The host of claim 22, wherein the data obtained from the session SYN packet includes at least one of a source IP address, a destination port, a source port, and a sequence number of a TCP header. 
     
     
       24. The host of claim 22, wherein the transition cookie secret key is generated by:
 concatenating the data obtained from the session SYN packet;   forming a first secret key transition data item based on the concatenation; and   generating the transition cookie secret key from the first secret key transition data item.   
     
     
       25. The host of claim 24, wherein the transition cookie secret key is further generated by:
 selecting one or more bits of data from the first secret key transition data item using a secret key offset;   forming a second secret key transition data item based on the selected one or more bits; and   generating the transition cookie secret key from the first secret key transition data item and the second secret key transition data item.   
     
     
       26. The host of claim 22, wherein the data obtained from the session ACK packet includes at least one of a source IP address, a destination port, and a source port. 
     
     
       27. The host of claim 22, wherein the candidate transition cookie secret key is generated by:
 concatenating data obtained from the session ACK packet;   forming a secret key candidate data item based on the concatenation; and   generating the candidate transition cookie secret key from the secret key candidate data item of the validation.   
     
     
       28. The host of claim 22, wherein the processor further configures the host to determine that the session ACK packet is valid if the candidate transition cookie in the session ACK packet comprises the time value representing a time within a predetermined time interval from the time the session ACK packet is received. 
     
     
       29. The host of claim 28, wherein the predetermined time interval is between one and eleven seconds. 
     
     
       30. The host of claim 22, wherein the candidate transition cookie secret key is generated based on data obtained from the session ACK packet and a candidate sequence number. 
     
     
       31. A non-transitory computer-readable medium storing instructions that, when executed, cause a computing device to perform a method for validating a TCP SYN cookie, the method comprising:
 receiving a session SYN packet;   generating a transition cookie using a transition cookie secret key, the transition cookie comprising a time value representing the actual time, the transition cookie secret key being generated based on data obtained from the session SYN packet, the transition cookie secret key being generated by:
 (i) generating an encrypted data element by applying a cryptographic method on the transition cookie secret key and a transition cookie data element; 
 (ii) performing an unsigned binary addition on the encrypted data element and a sequence number of a TCP header in the session SYN packet to obtain a result; and 
 (iii) storing the result in the transition cookie; 
   sending the transition cookie in response to the received session SYN packet;   receiving a session ACK packet including a candidate transition cookie; and   determining whether the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received, wherein a candidate transition cookie secret key is generated based on data obtained from the received session ACK packet.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.