Much of the traffic on the Internet uses the Transmission Control Protocol (TCP). TCP is considered to be layer four, or the transport layer, of a seven-layer protocol stack as defined by the ISO-OSI (International Standards Organization-Open Systems Interconnection) framework. Layer seven is referred to as the application layer of the protocol stack. TCP is specified in RFC 793, available at http://www.faqs.org/rfcs/rfc793.html. RFC 879, available at http://www.faqs.org/rfcs/rfc879.html, discusses the maximum segment size, an optional feature within TCP that allows a data receiver to specify the maximum size TCP segment that can be accepted on a connection.
The TCP protocol includes a handshake to establish a connection between a client and a server. The server receives an initial packet, called a synchronization (SYN) packet from the client. The server responds by sending the client a SYN-ACK packet. The client then responds by sending the server an acknowledgment (ACK) packet. In response to receiving the SYN-ACK packet, the server may devote resources to the potential connection. If the server doesn't receive an ACK packet from the client, the devoted resources may not be utilized, and might be unavailable to other connections. If one or more clients send numerous SYN packets to a server, the server's resources may be exhausted, and it is at least temporarily unavailable for additional connections from clients. The process of sending numerous SYN packets to a server without completing the connections is known as SYN flooding.
FIG. 3 illustrates a basic TCP handshake between a TCP client 303 and a TCP server 306. The TCP client initiates a handshake by sending a SYN packet 308 to the TCP server 306. The TCP server can be a server such as servers 112-116 of FIG. 1, a server array controller such as server array controller 110 of FIG. 1, or another network device. The SYN packet includes a client initial sequence number (CISN). The CISN is typically a random or pseudo-random number generated by the TCP client.
In response to receiving the SYN packet, the TCP server 306 sends a SYN-ACK packet 310 to the TCP client 303. The SYN-ACK packet includes a server initial sequence number (SISN) and the sequence number of the next packet expected from the client. This number is typically the CISN number plus one. The SISN number is typically a random or pseudo-random number. The TCP server also typically uses some memory to record the CISN and the SISN, and may reserve memory for the expected TCP connection.
In response to receiving the SYN-ACK packet 310 from the TCP server 306, the TCP client 303 sends to the TCP server an ACK packet 312. The ACK packet 312 includes the sequence number of the next packet expected from the TCP server. This number is typically the SISN number plus one.
When a SYN flood occurs, the TCP server 306 receives numerous SYN packets, and does not receive corresponding ACK packets. This results in a substantial amount of memory that is allocated by the TCP server, and may result in a decreased ability or an inability to establish additional TCP connections or to perform other functions of the TCP server.
SYN cookies (sometimes called TCP cookies) were developed as a defense against SYN flooding. In the SYN cookie technique, in response to receiving a SYN packet, a TCP server generates an SISN that is a function of the CISN received in the SYN packet, the TCP client's IP address, and a secret value, rather than recording the connection in memory. When the TCP server receives a corresponding ACK packet 312 from the TCP client 303, it is able to determine the validity of the ACK packet by recalculating that function from values carried in the ACK packet 312 and comparing the result with the incoming acknowledgment number. If the values match, the TCP server knows that a valid TCP handshake has been performed, and can allocate resources at that time, instead of allocating the resources in response to the SYN packet 308. A discussion of SYN cookies can be found in a paper by Dan Bernstein, available at http://cr.yp.to/syncookies.html.
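The cookie construction just described, as an added example (not code from the original text or from Bernstein's paper): the SISN is a keyed hash over the client's address and port, the server port, and the CISN from the SYN, prefixed by a coarse time counter so that old cookies expire; the secret, the tick counter, the port fields and the sample addresses are constructed assumptions that go slightly beyond the text's (CISN, client IP, secret) description.

```python
import hashlib
import hmac
import struct

# Constructed values for this example; a real server rotates its secret.
SECRET = b"constructed-server-secret"
MASK32 = 0xFFFFFFFF
MAX_AGE = 4  # accept cookies minted up to 4 ticks ago (assumed policy)

def _mac24(client_ip, client_port, server_port, cisn, tick, secret):
    """24-bit keyed hash over the client address/port, the server port,
    the CISN from the SYN, and the 8-bit tick the cookie was minted in."""
    addr = bytes(int(o) for o in client_ip.split("."))
    msg = struct.pack("!4sHHII", addr, client_port, server_port, cisn, tick)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def syn_cookie(client_ip, client_port, server_port, cisn, tick, secret=SECRET):
    """SISN = 8-bit tick counter || 24-bit keyed hash. The server stores
    no per-connection state; the ACK must carry back everything needed."""
    tick &= 0xFF
    return (tick << 24) | _mac24(client_ip, client_port, server_port, cisn, tick, secret)

def ack_is_valid(client_ip, client_port, server_port, ack_seq, ack_num,
                 now_tick, secret=SECRET):
    """Validate the client's ACK (seq = CISN+1, ack = SISN+1) by recomputing
    the cookie from the packet's own fields. True only for a genuine,
    recent handshake; no lookup table is consulted."""
    cisn = (ack_seq - 1) & MASK32
    sisn = (ack_num - 1) & MASK32
    tick = sisn >> 24
    if (now_tick - tick) & 0xFF > MAX_AGE:  # expired or replayed much later
        return False
    expected = _mac24(client_ip, client_port, server_port, cisn, tick, secret)
    return hmac.compare_digest(expected.to_bytes(3, "big"),
                               (sisn & 0xFFFFFF).to_bytes(3, "big"))

def demo():
    """Simulate the handshake: genuine ACK accepted, a wrong acknowledgment
    number rejected, and a stale ACK rejected. Addresses are constructed."""
    ip, cport, sport, cisn, t = "203.0.113.7", 51234, 80, 0x1234ABCD, 100
    sisn = syn_cookie(ip, cport, sport, cisn, t)          # sent in SYN-ACK
    ok = ack_is_valid(ip, cport, sport, (cisn + 1) & MASK32, (sisn + 1) & MASK32, t + 1)
    wrong = ack_is_valid(ip, cport, sport, (cisn + 1) & MASK32, (sisn + 2) & MASK32, t + 1)
    stale = ack_is_valid(ip, cport, sport, (cisn + 1) & MASK32, (sisn + 1) & MASK32, t + MAX_AGE + 1)
    return ok, wrong, stale

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because the 24-bit hash cannot encode the client's requested MSS (RFC 879), a real SYN cookie, as in Bernstein's scheme, reserves a few bits for an MSS index; this example omits that field.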
Therefore, it is with respect to these considerations and others that the present invention has been made.