In some conventional networking systems, a network host may become overwhelmed when handling the processing of setting up and/or tearing down network connections. This may be particularly true as the number of connections handled by the host increases. This may also be the case when a loaded server is busy with application processing and has limited free cycles available for servicing new connection set up requests. For example, when a server is flooded with a large number of service requests, such as during a denial of service (DoS) attack, the ability of the server to handle requests on behalf of existing connections and/or to handle new requests on behalf of newly added traffic is diminished, and some portion of legitimate requests for new connection set up and/or requests for servicing existing connections may be prevented from being processed. In this regard, the server may need to implement acceptance measures to identify legitimate connection set up and/or servicing requests in order to allocate connection resources to those connection requests that meet the acceptance requirements.
In networking systems that handle transport control protocol/Internet protocol (TCP/IP) connections, for example, the host may utilize a hardware device, such as a network interface card (NIC), to increase the available resources that may be utilized to perform the networking operations, to improve the server performance on the network and the application's response time, and to improve the utilization of the CPU, memory and other server resources. This approach may allow the host to manage a larger number of connections with remote clients by dynamically distributing the networking resources available in the host and the NIC and/or to free up more cycles for application processing. However, while NIC resources may be utilized for moving data on the networking connections, a communication stack may be used to manage the connection setup. For example, the communication stack may maintain a connection state comprising information regarding the connection setup. In this regard, the communication stack may manage the setup of several connection layers associated with a network connection, such as those utilized by the International Standard Organization's Open System Interconnect (ISO/OSI) model. For example, the communication stack may manage layer 2 or data link layer information, layer 3 or network layer information, and/or layer 4 or transport layer information.
A connection setup may be initiated when a remote peer or client on a TCP/IP network, which may be referred to as the active side, for example, sends a connection request, such as a TCP synchronization (SYN) segment, to the server, which may be referred to as the passive side, for example. The server's NIC on the passive side may receive the TCP SYN segment and may transfer the TCP SYN segment to the communication stack to process the request. When the request is accepted, the communication stack may generate a SYN with a TCP acknowledge (SYN ACK) segment that may be transferred to the NIC, which may forward it to the remote peer, that is, to the active side. The exemplary handshake for connection set up herein described may be completed when the remote peer or client sends a TCP ACK segment back to the passive side. After receiving the TCP ACK segment from the client, the communication stack may complete the network connection setup process. The connection state associated with that client's network connection, which may comprise the transport, network and data link layer state or parts of it, for example, may reside with the communication stack and may be managed and/or maintained by the communication stack.
After receiving the first SYN segment from a remote peer, the passive side may generally allocate some resources in order to store the parameters of the connection to be established. The allocated resources may be required to allow the passive side to execute the TCP connection setup state machine when the passive side later accepts the TCP ACK completing the connection request. A DoS may be created by consuming a large portion of the available resources for storing pending connection set up requests on the host without ever completing the connection handshake.
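The passive-side handshake and the half-open resource exhaustion described in the two preceding paragraphs, modelled as added example code that is not part of the application: a bounded pending table that a flood of never-completed SYNs fills so that a legitimate client's SYN is dropped, beside a stateless SYN-cookie variant that stores nothing until the final ACK arrives. The class and function names, the HMAC-derived cookie (which omits the MSS and timestamp fields of real SYN cookies), and the addresses are constructed for the example.

```python
import hashlib, hmac, secrets

class PassiveSide:
    """Simplified passive-side TCP setup state machine (constructed model, not a
    real stack). Each half-open handshake holds a slot in a bounded pending table."""

    def __init__(self, max_pending, syn_cookies=False):
        self.max_pending = max_pending
        self.syn_cookies = syn_cookies  # stateless mode: store nothing until the ACK
        self.pending = {}  # (peer, port) -> (client_isn, server_isn), half-open
        self.established = set()
        self.dropped_syn = 0
        self.key = secrets.token_bytes(16)  # secret for cookie derivation
    def _cookie(self, peer, port, client_isn):
        # Server ISN derived from the peer identity (omits MSS/time encoding of real SYN cookies)
        msg = f"{peer}:{port}:{client_isn}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, peer, port, client_isn):
        """Handle a SYN; return the server ISN sent in the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(peer, port, client_isn)  # no state allocated
        if len(self.pending) >= self.max_pending:
            self.dropped_syn += 1  # pending table exhausted: legitimate SYNs are lost too
            return None
        server_isn = secrets.randbelow(2 ** 32)
        self.pending[(peer, port)] = (client_isn, server_isn)
        return server_isn
    def on_ack(self, peer, port, client_isn, ack):
        """Handle the final ACK; it must acknowledge server ISN + 1."""
        if self.syn_cookies:
            expected = (self._cookie(peer, port, client_isn) + 1) % 2 ** 32
        else:
            state = self.pending.pop((peer, port), None)
            if state is None:
                return False
            expected = (state[1] + 1) % 2 ** 32
        if ack != expected:
            return False
        self.established.add((peer, port))
        return True

def simulate(syn_cookies, flood_syns=1000, max_pending=64):
    """Constructed scenario: never-completed SYNs from spoofed sources, then one real client."""
    srv = PassiveSide(max_pending, syn_cookies)
    for i in range(flood_syns):
        srv.on_syn(f"198.51.100.{i % 250}", 10000 + i, i)
    isn = srv.on_syn("192.0.2.10", 40000, 7)
    ok = isn is not None and srv.on_ack("192.0.2.10", 40000, 7, (isn + 1) % 2 ** 32)
    return ok, len(srv.pending), srv.dropped_syn
```

With the bounded table the legitimate client is refused once 64 half-open entries are held, while the cookie variant completes it with no pending state at all.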
A similar procedure may be followed to complete a network connection setup when the host issues a connection request to a remote peer and the remote peer responds by accepting the request. In this instance, the communication stack also maintains and/or manages the connection state associated with the client's network connection. While the destination may be known and denial of service concerns may not be as relevant, the acceptance of the connection and/or the execution of the protocol stack connection set up state machine may consume resources of the initiator.
Further limitations and disadvantages of conventional and traditional approaches will become apparent to one of skill in the art, through comparison of such systems with some aspects of the present invention as set forth in the remainder of the present application with reference to the drawings.