The present invention relates in general to networked computing environment protection, and, in particular, to a system and method for transacting a validated application session in a networked computing environment.
Computer networks form a central component of corporate information technology infrastructures. There are two types of networks. A local area network or xe2x80x9cintranetworkxe2x80x9d is a network operating within a single identifiable location, such as on one floor of a building. Individual computers and shared resources are interconnected over a single media segment. A wide area network or xe2x80x9cinternetworkxe2x80x9d is a network consisting of interconnected intranetworks and geographically distributed computational resources which, when taken as a whole, comprise a unified set of loosely associated computers. The Internet, for example, is a public internetwork interconnecting clients worldwide.
Structurally, most internetworks and intranetworks are based on a layered network model employing a stack of standardized protocol layers. The Transmission Control Protocol/Internet Protocol (TCP/IP) suite, such as described in W. R. Stevens, xe2x80x9cTCP/IP Illustrated,xe2x80x9d Vol. 1, Ch. 1 et seq., Addison-Wesley (1994), the disclosure of which is incorporated herein by reference, is a widely adopted network model. Computers and network resources using the TCP/IP suite implement hierarchical protocol stacks that include link, network, transport and, for client and servers, application protocol layers.
The application protocol layers enable host end devices to provide client services, such as communications, file transfer, electronic mail, content retrieval, and resource sharing. Application protocol layers are either connection-oriented or connectionless. A connection is a negotiated link interconnecting a host and client used to transaction a communication session during which packets are exchanged between the host and client application protocol layers.
Connections are created by the transport protocol layers. For instance, the Transmission Control Protocol (TCP) provides a connection-oriented, reliable, byte stream service that can be used by application layer protocols to transact sessions. Communication sessions require the stepwise initiation and termination of a dedicated connection. TCP sessions must be initiated through a negotiated three-way handshaking sequence and preferably terminated with a four-segment sequence that gracefully closes the connection.
TCP-based networks are particularly susceptible to a type of attack known as a denial of service (xe2x80x9cDoSxe2x80x9d) attack. Ordinarily, a TCP server will reserve state, such as memory buffers, upon receiving a service request from a client in the expectation of having to process transient data packets during a communications session. However, a state consumption attack attempts to force a victim server to allocate state for unproductive uses during the three-way handshaking sequence. In a DoS attack, an attacker will cause a high volume of bogus service requests to be sent to a victim server which will continue to allocate state until all available state is expended. Thus, no state will be left for valid requesters and service will be denied. In addition, DoS attacks are difficult to detect because the bogus service requests are indistinguishable from normal network traffic.
One form of DoS attack employs xe2x80x9cspoofedxe2x80x9d packet source addresses. A spoofed packet is a data packet sent by a third party containing a source address other than the source address of that third party. The fraudulent source address could be the address of another system or might be a random source address that is valid yet not presently in use. Unfortunately, TCP does not provide means for ensuring that packet source addresses are not fraudulent. Attackers take advantage of this security hole by sending service request packets with fraudulent source addresses to disguise their identity. Consequently, tracing the source of spoofed DoS attacks is often meaningless and the attackers are virtually untraceable.
In the prior art, host-based and intermediary-based protections have been employed to counter spoofed DoS attacks. One type of host-based protection uses improved connection-state management. Connection-state storage is either allocated on demand or allocated in a reduced amount for incomplete connections, for instance, by delaying storage of elements not relevant until the connection is established. This approach creates new vulnerabilities, as an attack could compromise facilities other than connection management and does not eliminate the vulnerability.
Another type of host-based protection shortens connection-termination timeouts. In general, or during a detected DoS attack, a server can reclaim state for incomplete connections sooner than the protocol specification allows. This approach increases a capacity to handle incomplete connections, but reduces robustness in the case of legitimate messages delayed in the network.
A third type of host-based protection implements stateless connection negotiation whereby the server avoids maintaining state until client legitimacy has been established. State information is securely encoded in messages sent to the client in a form that is recoverable from client messages. This approach prevents state consumption attacks by attackers that fail to respond to messages from the server. However, the encoding is sometimes expensive for the host to compute and this approach requires the host operating system to be modified.
Intermediary-based protections are employed by devices located between protected servers and potential attackers. These devices include firewalls, proxies, routers, switches and load balancers. In one approach, the intermediary estimates the amount of host state dedicated to incomplete connections and forcefully terminates suspect connections by injecting connection-reset commands. The intermediary enforces shorter timeouts, preferably upon detecting an attack. This approach offers modest server protection without changes to the server operating system, but leaves the intermediary vulnerable to state-consumption attacks. The approach also fails to address choosing which connections to terminate without affecting legitimate traffic.
Another intermediary-based protection performs stateful connection-binding interception in which the intermediary performs connection negotiation on behalf of the server. Once the client has completed the connection negotiation, the intermediary initiates a second connection to the server on behalf of the client and patches the two connections together by translating messages sent between client and server. This approach shields the server from spurious connection attempts, but leaves the intermediary vulnerable to state consumption attacks.
Finally, both hosts and intermediaries can filter packets by comparing the source addresses of incoming packets to lists of individual addresses for xe2x80x9cbadxe2x80x9d hosts. However, these addresses must be periodically updated and reloaded. Loading this information once a DoS attack is underway is too late to be of practical use. More importantly, though, most, if not all, of the packets used to produce a DoS attack will appear valid, as there is no a priori method to sort spoofed packets from non-spoofed packets.
Therefore, there is a need for a solution to protecting negotiated application protocol layer sessions against DoS attacks, such as in a TCP-based computing environment. There is a further need for a dynamic approach to packet validity checking which can detect spoofed, fictitious, and inactive addresses without requiring state allocation or compromising connection robustness.
The present invention provides a system and method for validating a session request and transacting a communication session for a validated connection. An intermediary receives a session request from a requesting client. A SYN cookie is generated and a session is opened only if the SYN cookie is properly acknowledged by the requesting client. A connection is initiated with a responding server and the session is transacted by translating sequence numbers by an offset reflecting the client versus the server sequence numbers. The session is terminated upon the request of either the client or server.
An embodiment of the present invention is a system and method for transacting a validated application session in a networked computing environment. A hierarchical protocol stack having a plurality of interfaced protocol layers is defined. A connection-based session protocol layer is included. A session is opened with a requesting client responsive to a request packet containing a source address of uncertain trustworthiness. A client connection with the requesting client is negotiated. A stateless validation of the source address contained in the request packet is performed using encoded information obtained from the request packet headers. A server connection is negotiated with a responding server upon successful validation of the requesting client. The session is facilitated by translating packets independently exchanged over the client connection and the server connection. The session is closed through a controlled termination of each of the client connection and the server connection.
Still other embodiments of the present invention will become readily apparent to those skilled in the art from the following detailed description, wherein is described embodiments of the invention by way of illustrating the best mode contemplated for carrying out the invention. As will be realized, the invention is capable of other and different embodiments and its several details are capable of modifications in various obvious respects, all without departing from the spirit and the scope of the present invention. Accordingly, the drawings and detailed description are to be regarded as illustrative in nature and not as restrictive.