WO2002035755A2 - System and method for handling denial of service server attacks - Google Patents

System and method for handling denial of service server attacks

Info

Publication number
WO2002035755A2
Authority
WO
WIPO (PCT)
Prior art keywords
connection
queue
server
client
connection request
Prior art date
Application number
PCT/US2001/046080
Other languages
English (en)
Other versions
WO2002035755A3 (fr)
Inventor
W. Spencer Worley, Iii
John A. Vastano
Eoin B. Macdonell
Original Assignee
Akamba Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Akamba Corporation
Priority to AU2002225869A
Publication of WO2002035755A2
Publication of WO2002035755A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies

Definitions

  • the present invention relates generally to network servers, and more particularly to a system and method for dealing with attacks on such servers. Even more particularly, the present invention relates to a system and method for dealing with denial of service attacks on network servers.
  • Network servers e.g., Internet web servers
  • clients e.g., personal computers
  • a connection is established between the client computer and the server, and then the client and the server can exchange data (e.g., html web pages) via the connection.
  • client initiates the connection with the server.
  • DOS denial of service
  • TWHS three-way-hand-shake
  • FIG. 1 is a transmission diagram 100 showing how the TWHS routine is used to establish a connection between a client and a server.
  • the most common communication protocol used on the Internet, TCP/IP uses this type of TWHS routine to establish a connection between a client 102 and a server 104.
  • client 102 initiates the connection process by sending a connection request 106 to server 104.
  • server 104 sends a connection request 108 including an acknowledgment of the connection request 106 sent by client 102.
  • client 102 sends an acknowledgment 110 of the connection request 108 sent by server 104.
  • server 104 receives acknowledgment 110, the connection is complete.
  • a connection request is referred to as a "Syn" (synchronize sequence numbers flag).
  • An acknowledgment is referred to as an "Ack."
  • DOS attack sometimes referred to as a Syn attack
  • FIG. 2 is a block diagram of typical server communication software, and will help illustrate how DOS attacks (e.g., Syn attacks) prevent servers from accepting connections from authorized clients.
  • Typical server software includes server applications 202, communications protocol stack 204, and connection queue 206.
  • Server applications 202 communicates with clients (not shown in FIG. 2) via connections established by communications protocol stack 204.
  • Connection queue 206 provides storage for pending connection requests ("PCRs"), and is conceptually divided into a completed connection queue of completed connection requests 208 and an incomplete connection queue of incomplete connection requests 210.
  • PCRs pending connection requests
  • connection queue 206 need not be physically separated into a complete connection queue and an incomplete connection queue, but the total number of PCRs (whether complete or incomplete) cannot exceed some predetermined number (e.g., 1000).
  • Communications protocol stack 204 handles the TWHS routine of FIG. 1 as follows.
  • communications protocol stack 204 places the received connection request in connection queue 206 as an incomplete PCR 210, and sends a connection request and acknowledgment to the client.
  • the incomplete PCR then remains in connection queue 206 until an acknowledgment is received from the client.
  • communication protocol stack 204 converts the incomplete PCR 210 into a complete PCR 208.
  • Completed PCRs typically remain in connection queue 206 only a very short time until they are accepted by server applications 202 and removed from the connection queue 206. If connection queue 206 is full, communication protocol stack 204 must ignore subsequent client connection requests.
  • connection queue 206 is filled with incomplete PCRs 210, and can no longer accept connection requests from authorized clients.
  • Known communication protocol stacks have a time-out feature, whereby incomplete PCRs are automatically deleted if not acknowledged within a predetermined time interval (e.g., 75 seconds), but the time-out feature is inadequate to prevent the connection queue from being filled by a Syn attack. For example, a connection queue with a 1000 PCR capacity and a 75 second time-out can be filled by sending 13.33 syns per second.
  • the time-out period cannot be shortened too dramatically, because enough time must be allowed for authorized clients to complete the TWHS procedure. Additionally, dealing with the flood of connection requests is a burden on the server processing unit, and takes valuable processing cycles away from other server applications. What is needed, therefore, is a communications module that facilitates authorized client connections in the face of a DOS attack. What is also needed is a communications module that can recognize a DOS attack and invoke security measures to deal with the attack. What is also needed is a system and method that takes the burden of dealing with a DOS attack off of the server's processing unit.
  • the present invention overcomes the problems associated with the prior art by providing a communication module with connection queue clearing capabilities.
  • the invention facilitates deleting pending connection requests from the connection queue during a denial-of-service attack, thereby providing a window of opportunity for authorized clients to establish a connection with the server.
  • One method of the present invention includes receiving a client connection request, determining whether a connection queue is full, clearing at least a portion of the connection queue if it is full, and placing the received client connection request in the connection queue.
  • one or more incomplete connection request(s) are removed from the connection queue.
  • one or more of the oldest connection request(s) are removed from the connection queue.
  • a security routine is invoked when it is determined that the connection queue is full.
  • the security routine is operative to clear redundant requests from the connection queue.
  • the security routine is operative to maintain security lists (e.g., authorized clients, known attackers, etc.), and to allow or remove redundant client connections based on those lists.
  • the present invention may be embodied in varied networking components, including but not limited to, primary servers, proxy servers, adapter cards, etc.
  • a queue-clearing communication module and a proxy server are embedded in an adapter card for an Internet web server.
  • FIG. 1 is a transmission diagram of a TWHS routine for establishing a connection between a client and a server;
  • FIG. 2 is a block diagram showing typical server communication software
  • FIG. 3 is a block diagram of a server including an adapter card with a queue-clearing communications protocol stack according to the present invention
  • FIG. 4 is a block diagram showing one particular embodiment of the queue clearing protocol stack of FIG. 3 in greater detail.
  • FIG. 5 is a flow chart summarizing one particular method of facilitating client connections with a server according to the present invention.
  • FIG. 3 is a block diagram showing a system 300 coupled to an internetwork 302 via a physical network media 304.
  • system 300 is an Internet web server
  • internetwork 302 is the Internet, but those skilled in the art will recognize that the present invention may be implemented in any type of network server.
  • System 300 includes a file server (e.g., an HTTP web server) 306 and an adapter card 308.
  • File server 306 provides data to and receives data from clients 309 on internetwork 302, via adapter card 308.
  • Adapter card 308 establishes and maintains network connections between clients 309 and adapter card 308, and establishes bus connections between server 306 and adapter card 308.
  • adapter card 308 receives communications from clients 309 on behalf of server 306, forwards the communications to server 306, receives responses from server 306 on behalf of clients 309, and forwards the responses to clients 309.
  • Server 306 includes non-volatile memory 310, working memory 312, server mass data storage 314, a processing unit 316, and one or more user input output (I/O) devices 318, all intercommunicating via a server bus 320 (e.g., PCI bus).
  • Non-volatile memory 310 e.g., read-only memory and/or one or more hard-disk drives
  • Working memory 312 e.g., random access memory
  • server 306 includes executable code (e.g., an operating system) which is loaded into working memory 312 during start-up.
  • working memory 312 includes server applications 321 and a communication protocol stack 322.
  • Server applications 321 include network software applications (e.g., FTP, HTTP, etc.) which allow server 306 to function as a network server.
  • Communications protocol stack 322 is a standard protocol stack (e.g., TCP/IP) which facilitates communication with other machines over an internetwork. Standard protocol stacks are well known in the art. See, for example, W. Richard Stevens, TCP/IP Illustrated, Vol. 1 (Addison-Wesley, 1994), which is incorporated herein by reference.
  • Server mass data storage 314 provides data storage (e.g., one or more hard disk drives) for data (e.g., HTML pages, graphics files, etc.), which the server provides to clients 309 attached to internetwork 302.
  • Processing unit 316 executes the instructions in working memory 312 to cause server 306 to carry out its primary function (e.g., providing data to and receiving data from clients).
  • I/O devices 318 typically include a keyboard, a monitor, and/or such other devices which facilitate user/administrator interaction with server 306.
  • a network server such as an Internet web server.
  • Adapter card 308 includes non-volatile memory 323, working memory 324, a processing unit 326, a bus protocol bridge 328, and a network controller 329, all intercommunicating via an adapter bus 330.
  • Non-volatile memory 323 provides storage for data and code (e.g., boot code) which is retained even when adapter 308 is powered down.
  • Processing unit 326 imparts functionality to adapter card 308 by executing the code present in working memory 324.
  • Bus protocol bridge 328 provides an interface between adapter bus 330 and server bus 320
  • network controller 329 provides an interface between adapter bus 330 and network media 304.
  • Working memory 324 provides operational memory for adapter 308, and includes a proxy application 332, a connection queue 333, and a queue-clearing communication module 334.
  • Proxy 332 and communication module 334 are loaded from non-volatile memory 323 into working memory 324 at start-up, and connection queue 333 is generated by communication module 334 during operation.
  • proxy 332 and protocol stack 334 can be loaded from one or more alternative sources, including but not limited to non-volatile memory 310 or server mass data storage 314 of server 306.
  • protocol stack 322 is a standard (e.g., TCP/IP) protocol stack
  • communication module 334 is a standard protocol stack that has been modified according to the present invention to have queue clearing capabilities.
  • Using a modified version of a standard communication protocol stack in adapter 308 facilitates the use of the standard communication software (e.g., protocol stack 322) already present in the vast majority of network servers.
  • the standard communication software e.g., protocol stack 322
  • the present invention may be practiced with custom communication software (e.g., direct communication between server applications 321 and either communications module 334 or proxy 332) in both server 306 and adapter 308.
  • this element may be omitted by providing proxy 332 with direct access to the resources (e.g., server mass data storage 314) of server 306.
  • resources e.g., server mass data storage 314.
  • queue-clearing communication module 334 and connection queue 333 can be employed directly in working memory 312 of server 306, without a proxy application or protocol stack in adapter card 308.
  • proxy 332, connection queue 333 and queue clearing communication module 334 can be embodied in a proxy server separate from server 306 that communicates with server 306 via a network connection. This list of examples is provided to illustrate the great flexibility of the present invention, and is in no way intended to be or considered to be a complete list of possible embodiments of the present invention.
  • Bus connection 336 is a typical bus expansion slot, for example a PCI slot, an ISA slot, a USB port, or a serial port.
  • Bus connection 336 facilitates high speed, large packet size, relatively error free (as compared to network connections) communication between proxy 332 and server applications 321, greatly reducing the connection management burden on processing unit 316 of server 306.
  • processing unit 326 of adapter card 308 handles the burden of dealing with DOS attacks, freeing processing unit 316 to carry out the primary functions of server 306.
  • proxy 332 (running on processing unit 326) communicates with clients 309 over slow, error prone network connections, and then communicates with server applications 321 on behalf of clients 309 over high speed bus connection 336.
  • queue-clearing communication module 334 runs on processing unit 326 and establishes connections with clients 309 even when under a DOS attack, as will be described below with reference to FIG. 4.
  • FIG. 4 is a block diagram of working memory 324 showing connection queue 333 and queue-clearing communication module 334 in greater detail.
  • FIG. 4 will recognize that while the various software modules of communication module 334 are shown as interconnected functional blocks, the software modules are actually blocks of executable code stored in working memory 324 that can communicate with one another when executed by processing unit 326 (FIG. 3).
  • connection queue 333 includes both incomplete connection requests 426 and complete connection requests 428, but need not necessarily be a particular physical portion of working memory 324. More likely, connection queue 333 is a list generated by communication module 334 with a predetermined maximum number of pending connection requests (PCRs). The list includes both complete PCRs and incomplete PCRs, and can be conceptually divided into a completed connection queue and an incomplete connection queue, but the total number of PCRs cannot exceed the predetermined capacity of connection queue 333.
  • PCRs pending connection requests
  • queue-clearing communication module 334 is a modified TCP/IP stack including a sockets layer 410, a modified TCP layer 412, an IP layer 414, and a device layer including a network driver 416 and a server bus driver 418.
  • the functionality of each of the individual layers of protocol stack 334, except for modified TCP layer 412, is well known in the art, and will not, therefore, be discussed in detail herein.
  • Modified TCP layer 412 includes a transmission control (TC) module 420, a clear queue module 422, and a security module 424.
  • TC module 420 is functionally similar to a conventional TCP layer except that TC module 420 has the ability to call one or both of clear queue module 422 and security module 424 when a client connection request is received and connection queue 333 is full.
  • Clear queue module 422, when called by TC module 420, clears at least a portion of connection queue 333 by removing at least one PCR from connection queue 333, and sending a reset signal to the client 309 (FIG. 3) associated with the deleted PCR.
  • clear queue module 422 deletes the oldest, incomplete PCR from connection queue 333.
  • alternate queue-clearing schemes may be employed, including but not limited to deleting multiple PCRs from connection queue 333 or deleting PCRs based on some criteria (e.g., source IP address, etc.) other than time in connection queue 333.
  • Security module 424 is a general purpose security module that is called by TC module 420 when TC module 420 determines that connection queue 333 is full. Alternatively, security module 424 periodically scans connection queue 333 and is self-executing responsive to connection queue 333 being full. In either case, once activated security module 424 filters incoming client connection requests based on some criteria (e.g., source IP). For example, all incoming connection requests from a particular source (i.e., an attacker) are ignored.
  • some criteria e.g., source IP
  • Queue-clearing communications module 412 establishes connections between proxy 332 and clients 309 as follows.
  • TC module 420 receives a connection request from a client 309
  • TC module 420 places the connection request in connection queue 333 as an incomplete PCR 426 and transmits a Syn/Ack to the associated client 309.
  • the incomplete PCR 426 is converted to a complete PCR 428, which is then accepted by proxy 332 and removed from the connection queue 333.
  • connection queue 333 is full (already has the maximum number of entries) when a client connection request is received, then TC module 420 calls clear queue module 422 to clear at least a portion of connection queue 333 to make room for the incoming client connection request. Then, TC module 420 places the incoming client connection request in connection queue 333.
  • a denial of service occurs when the time-out period multiplied by the connection request arrival rate is greater than the capacity of the connection queue. For a connection queue capacity of 1,000 PCRs and a time-out period of 75 seconds, an attacker would only need to generate 13.33 connection requests per second to cause a denial of service.
  • queue clearing communication module 334 continues to accept incoming connection requests, clears at least one PCR from the connection queue, and then places the incoming connection request in the connection queue.
  • the result is that all incoming connection requests are cycled through the connection queue, giving authorized clients a window of opportunity (i.e., the time their PCR is in connection queue 422) to complete the TWHS and complete the PCR.
  • the round-trip-time (RTT) for a connection is the sum of the time required for the server's connection request to reach the client and the client's acknowledgment to reach the server.
  • connection request arrival rate would need to be sufficiently high to reduce the time an incomplete PCR 426 spends in connection queue 333 below the RTT of a connection.
  • the time that an incomplete PCR remains in the connection queue is equal to the capacity of connection queue 333 divided by the connection request arrival rate.
  • an attacker would need to generate 4,000 connection requests per second to cause a denial of service. This rate is 300 times greater than the rate (13.33 connection requests per second) required for a denial of service on the conventional protocol stack of the previous example. In other words, this example embodiment of the present invention provides 300 times the protection afforded by the prior art systems.
  • FIG. 5 is a flow chart summarizing one particular method 500 of facilitating connections between a client and a server according to the present invention, and will be described with reference to the example embodiment shown in FIGs. 3-4.
  • the method of the present invention is not, however, intended to be in any way limited to the particular embodiment shown in FIGs. 3-4. In fact, it is anticipated that the method of the present invention will be useful in a wide variety of systems, including but not limited to stand-alone servers, proxy servers, adapter cards, etc.
  • TC module 420 receives a connection request (Syn) from a client 309, and in a second step 504 determines whether connection queue 333 is full (e.g., maximum number of PCRs). If connection queue 333 is not full, then in a third step 506, TC module 420 places the connection request in connection queue 333 as an incomplete PCR 426 and sends a request/acknowledgment (Syn/Ack) to client 309. Next, in a fourth step 508, TC module 420 determines whether client 309 has acknowledged the incomplete PCR 426.
  • connection queue 333 e.g., maximum number of PCRs
  • TC module 420 determines whether the incomplete PCR 426 has timed out (i.e., been in connection queue 333 longer than a predetermined time limit). If the incomplete PCR has timed out, then in a sixth step 512 TC module 420 sends a reset signal to client 309, and in a seventh step 514 deletes incomplete PCR 426 from connection queue 333.
  • TC module 420 determines that connection queue 333 is full, then method 500 proceeds to an eighth step 516 wherein TC module 420 deletes the oldest, incomplete PCR from connection queue 333.
  • TC module 420 calls security module 424 to implement a security routine (e.g., source IP address filtering of subsequent incoming connection requests). Then method 500 returns to third step 506.
  • a security routine e.g., source IP address filtering of subsequent incoming connection requests.
  • If, in fourth step 508, TC module 420 determines that acknowledgment of the incomplete PCR has been received from client 309, then method 500 proceeds to a tenth step
  • TC module 420 converts incomplete PCR 426 into a complete PCR 428.
  • TC module 420 determines whether the completed PCR 428 has been accepted by proxy 332. If not, eleventh step 522 is periodically repeated, until complete PCR 428 is accepted by proxy 332. Then method 500 proceeds to seventh step 514.
  • the queue-clearing communication module described herein need not be implemented in a TCP/IP protocol stack, but may be implemented in any communication software that establishes and/or manages connections between clients and a server.
  • the present invention may be embodied in different networking components, including but not limited to a primary server, a proxy server, an adapter card, etc.
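The queue-clearing behaviour of steps 502-522 and the two denial-of-service thresholds worked out above (13.33 Syn/s for a conventional 1000-entry queue with a 75 s time-out, 4,000 Syn/s once the oldest incomplete request is evicted instead) can be reproduced with the following simulation. It is an added example, not code from the patent or from Akamba; it assumes an RTT of 0.25 s (the value that yields the patent's 4,000 Syn/s figure), a single attacker whose Syns are never acknowledged, and a proxy that accepts completed requests immediately.

```python
"""Simulation of the queue-clearing connection queue of WO2002035755A2
(added illustration, not the patent's own code).  Constructed model: the
queue is a bounded, arrival-ordered list of pending connection requests
(PCRs).  A Syn adds an incomplete PCR; the client's Ack completes it and
the proxy accepts it at once, so only incomplete PCRs ever sit in the
queue.  A conventional stack ignores Syns while the queue is full; the
queue-clearing stack deletes the oldest PCR and resets its client instead.
"""
from collections import OrderedDict


class ConnectionQueue:
    def __init__(self, capacity=1000, timeout=75.0, clear_when_full=False):
        self.capacity, self.timeout = capacity, timeout
        self.clear_when_full = clear_when_full
        self.pcrs = OrderedDict()   # id -> (client, arrival time), oldest first
        self.resets = []            # (client, reason) for every reset sent
        self.ignored = 0            # Syns dropped because the queue was full
        self._next_id = 0

    def _expire(self, now):
        """Steps 510-514: delete PCRs not acknowledged within the timeout."""
        while self.pcrs:
            pid, (client, arrived) = next(iter(self.pcrs.items()))
            if now - arrived <= self.timeout:
                break               # arrival order: the rest are younger
            self.pcrs.popitem(last=False)
            self.resets.append((client, "timeout"))

    def syn(self, client, now):
        """Steps 502-506, plus 516 when the queue is full: handle a Syn.
        Returns True if a Syn/Ack was sent, False if the Syn was ignored."""
        self._expire(now)
        if len(self.pcrs) >= self.capacity:
            if not self.clear_when_full:    # conventional stack
                self.ignored += 1
                return False
            _, (victim, _) = self.pcrs.popitem(last=False)  # oldest PCR
            self.resets.append((victim, "cleared"))
        self.pcrs[self._next_id] = (client, now)
        self._next_id += 1
        return True

    def ack(self, client, now):
        """Steps 520-522: the client's Ack completes its PCR, which the proxy
        accepts and removes.  Returns False if the PCR is already gone."""
        self._expire(now)
        for pid, (owner, _) in self.pcrs.items():
            if owner == client:
                break
        else:
            return False
        del self.pcrs[pid]
        return True


def conventional_dos_rate(capacity, timeout):
    """Syn rate that keeps a conventional queue full: capacity / timeout
    (1000 / 75 s = 13.33 Syn/s in the patent's example)."""
    return capacity / timeout


def queue_clearing_dos_rate(capacity, rtt):
    """Syn rate at which queue clearing evicts a PCR before the client's Ack
    arrives: capacity / RTT.  An RTT of 0.25 s (assumed here) reproduces
    the patent's 4,000 Syn/s figure for a 1000-PCR queue."""
    return capacity / rtt


def legit_client_connects(attack_rate, clear_when_full, capacity=1000,
                          timeout=75.0, rtt=0.25, legit_syn_at=20.0):
    """Attacker sends Syns at attack_rate/s from t=0 and never Acks; one
    legitimate client sends a Syn at legit_syn_at and Acks one RTT later.
    Returns True if the legitimate client's connection completes."""
    q = ConnectionQueue(capacity, timeout, clear_when_full)
    ack_at = legit_syn_at + rtt
    # constructed events (time, priority, kind): an attacker Syn sharing a
    # timestamp with the legitimate client's packet is processed first
    events = [(i / attack_rate, 0, "attack")
              for i in range(int(attack_rate * ack_at) + 1)]
    events += [(legit_syn_at, 1, "syn"), (ack_at, 1, "ack")]
    events.sort()
    completed = False
    for t, _, kind in events:
        if kind == "attack":
            q.syn("attacker", t)
        elif kind == "syn":
            q.syn("legit", t)
        else:
            completed = q.ack("legit", t)
    return completed
```

With these numbers the conventional queue already shuts out the legitimate client at 100 Syn/s, while the queue-clearing stack still completes its handshake at 3,999 Syn/s and only fails at 4,000 Syn/s, the capacity / RTT threshold.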

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for facilitating client connections (309) with a server (306). The method comprises receiving a client connection request (502), determining whether a connection queue is full (504), clearing at least a portion of the connection queue if it is full (516), and then placing the received client connection request in the queue (506). A security routine may optionally be invoked (518) when it is determined that the connection queue (333) is full. In a particular embodiment, the methods of the present invention are implemented by means of a queue-clearing communication module (422) for a proxy server (332) embedded in an adapter card (308) for a web server.
PCT/US2001/046080 2000-10-23 2001-10-23 System and method for handling denial of service server attacks WO2002035755A2 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2002225869A AU2002225869A1 (en) 2000-10-23 2001-10-23 System and method for handling denial of service server attacks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US69573400A 2000-10-23 2000-10-23
US09/695,734 2000-10-23

Publications (2)

Publication Number Publication Date
WO2002035755A2 (fr) 2002-05-02
WO2002035755A3 (fr) 2002-07-18

Family

ID=24794261

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/046080 WO2002035755A2 (fr) 2000-10-23 2001-10-23 System and method for handling denial of service server attacks

Country Status (3)

Country Link
AU (1) AU2002225869A1 (fr)
TW (1) TW588242B (fr)
WO (1) WO2002035755A2 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100499843C (zh) * 2007-01-25 2009-06-10 苏州广达友讯技术有限公司 A method for processing PTT audio streams in a WAP network
US7882556B2 (en) 2002-11-19 2011-02-01 Electronics And Telecommunications Research Institute Method and apparatus for protecting legitimate traffic from DoS and DDoS attacks

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6301668B1 (en) * 1998-12-29 2001-10-09 Cisco Technology, Inc. Method and system for adaptive network security using network vulnerability assessment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
GARBER: 'Denial of service attacks rip internet' IEEE COMPUTER April 2000, pages 12 - 17, XP00948670 *
GENG ET AL.: 'Defeating distributed denial of service attacks' IEEE IT PRO August 2000, pages 36 - 41, XP002909247 *
LIEDTKE ET AL.: 'Preventing denial-of-service attacks on a µ-kernel for WebOSes' IEEE 1997, pages 73 - 79, XP010226848 *

Also Published As

Publication number Publication date
AU2002225869A1 (en) 2002-05-06
TW588242B (en) 2004-05-21
WO2002035755A3 (fr) 2002-07-18

Similar Documents

Publication Publication Date Title
US6851062B2 (en) System and method for managing denial of service attacks
US6816910B1 (en) Method and apparatus for limiting network connection resources
US6823387B1 (en) System and method for enhancing a server's ability to withstand a “SYN flood” denial of service attack
KR101312905B1 (ko) Method for mitigating network amplification attacks
US20060018485A1 (en) Secure communication protocol
US20020112061A1 (en) Web-site admissions control with denial-of-service trap for incomplete HTTP requests
JPH11353258A (ja) Firewall security method and apparatus
WO2001001259A1 (fr) Autonomous and secure access to remote servers
WO2013032775A1 (fr) Protection method and system for mitigating slow HTTP attacks by means of rate and time monitoring
GB2394382A (en) Monitoring the propagation of viruses through an Information Technology network
US8429742B2 (en) Detection of a denial of service attack on an internet server
US7774847B2 (en) Tracking computer infections
US7979526B2 (en) Connection management system and method for a transport offload engine
US9143524B2 (en) Propagation of malicious code through an information technology network
US20030110377A1 (en) Method of and apparatus for data transmission
US20050182929A1 (en) Efficient hash table protection for data transport protocols
US6904529B1 (en) Method and system for protecting a security parameter negotiation server against denial-of-service attacks
US20060053487A1 (en) Front-end protocol for server protection
US7009938B2 (en) Reduction of server overload
WO2002035755A2 (fr) System and method for handling denial of service server attacks
US20060107322A1 (en) Outgoing connection attempt limiting to slow down spreading of viruses
JP2001265678A (ja) Method for preventing flood attacks using a connectionless protocol
US20070083914A1 (en) Propagation of malicious code through an information technology network
US20060282508A1 (en) System and method of responding to a flood attack on a data processing system
JP2002149602A (ja) Network connection device for defending against unauthorized access

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase in:

Ref country code: JP