Advances in communications technology have enabled a greater variety of, and more convenient, communications over data networks. Traditional types of communications over data networks include web browsing, electronic mail, file transfers, and so forth. With the greater bandwidth available on data networks, real-time communications over data networks have also become increasingly popular, including electronic gaming, voice over packet data, streaming communications, and others.
A data network typically includes many components, including network terminals (referred to as clients), servers, routers, firewalls, and other network elements. The data network can include a public network (such as the Internet) and/or private networks (such as local area networks or wide area networks).
A network protocol that defines packet-based communications over data networks includes the Internet Protocol (IP). IP provides a network layer that communicates IP packets over a data network. Above the network layer is a transport layer to define interconnections between hosts. One example of a transport layer is a Transmission Control Protocol (TCP) layer. TCP is a connection-oriented, end-to-end protocol that provides for reliable inter-process communication between pairs of processes in host computers attached to communication networks.
To enable reliable network connections, TCP follows the following general principle of robustness: “Be conservative in what you do, be liberal in what you accept from others.” TCP segments (a “segment” is basically a message) contain sequence numbers that define the proper sequence of the segments. At the receiving network device, a TCP segment received over a TCP connection is accepted if the sequence number falls within a window of sequence numbers, and for data segments, if an acknowledge number falls within a window of acknowledge numbers.
The acceptable window of sequence numbers is a sliding window that changes as the sequence number increments. For a TCP connection, each of the two endpoints (network devices) maintains the next sequence number to be used and the next acknowledge number to be received, along with the source IP address, source TCP port, destination IP address, destination TCP port, and TCP connection state information. In response to sending data, the sending network device will receive acknowledgments (in subsequent TCP segments from the receiving device). The sending network device keeps track of a variable SND.UNA, which is the oldest unacknowledged sequence number. An unacknowledged TCP segment is stored in a retransmission queue (for retransmission in case an acknowledgment from the receiving network device is not received). A TCP segment is fully acknowledged if the sum of its sequence number and length is less than or equal to the acknowledgment value in the incoming segment.
The window size for an acceptable sequence number can be as great as 2^16 (65,536). According to TCP, the maximum range of a sequence number is a number selected between 0 and 2^32−1 (2,147,483,647). However, since a TCP segment with a sequence number that falls within a window of up to size 2^16 is accepted, that means that a hacker can send out 2^16 (65,536) segments, with each segment having a sequence number that is 2^16 larger than the previous segment, to hack into a network connection. One of the 2^16 segments will fall into the current sliding window of the TCP connection. If the TCP segment received from the hacker is either a reset segment (RST) or a synchronize (SYN) segment, then the TCP network connection would be reset. With modern high-speed communications technology, sending 2^16 (65,536) segments can be accomplished in a matter of seconds or minutes. Therefore, a hacker can easily hack into a TCP connection to cause the connection to be reset. If the sequence number window size (RCV.WND) is less than 2^16, then the likelihood of successfully attacking a TCP connection with an RST or SYN segment is 2^32/RCV.WND.
Another type of hacking is blind data injection. According to TCP, both the sequence number (SEG.SEQ) of a transmitted TCP data segment and the acknowledge number (SEG.ACK) of the data segment should be within respective valid windows of sequence and acknowledge numbers for the TCP segment to be taken as valid. As noted, the window (RCV.WND) of acceptable sequence numbers can be as large as 2^16. However, the acknowledge number (SEG.ACK) of a received TCP segment is acceptable if (SND.UNA − (2^32−1)) ≤ SEG.ACK ≤ SND.NXT, where SND.NXT is the next sequence number to be sent by the network device. The net effect is that a hacker only has to guess two acknowledge numbers for every guessed sequence number, so that the probability of successfully injecting a TCP data segment into a TCP connection is one in 2 × (2^32/RCV.WND).
Although proposals have been made for techniques to prevent the types of attacks discussed above, mechanisms conventionally have not been provided for detecting such attacks.
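The following is an added illustration, not code from the original text: it implements the sequence-number window check described above (evaluated modulo 2^32 so it behaves correctly when the window straddles the wrap point), computes the guess counts the text derives from RCV.WND for blind reset and blind data injection, and adds a small per-connection counter of out-of-window RST/SYN segments, which is the kind of detection signal the last paragraph says conventional implementations lack. The connection parameters, the threshold, and the segment sweep fed to the counter are all constructed for the example.

```python
# Added example, not part of the original text. Connection parameters and
# segments below are constructed; nothing here touches a real socket.
from collections import Counter
from dataclasses import dataclass, field

MOD = 2 ** 32          # TCP sequence numbers wrap modulo 2^32
MAX_RCV_WND = 2 ** 16  # largest receive window without window scaling


@dataclass
class TcpConn:
    rcv_nxt: int  # next sequence number expected from the peer
    rcv_wnd: int  # RCV.WND, size of the acceptable sequence-number window
    # out-of-window RST/SYN segments seen on this connection, per flag
    oow_ctrl: Counter = field(default_factory=Counter)


def seq_in_window(conn, seg_seq):
    """Accept SEG.SEQ if RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32."""
    return (seg_seq - conn.rcv_nxt) % MOD < conn.rcv_wnd


def guesses_to_reset(rcv_wnd):
    """Segments spaced RCV.WND apart needed to cover the 2^32 sequence space;
    one of them necessarily lands in the current window."""
    return -(-MOD // rcv_wnd)  # ceiling division


def guesses_to_inject(rcv_wnd):
    """Blind data injection as stated in the text: two acknowledge-number
    guesses for every sequence-number guess."""
    return 2 * guesses_to_reset(rcv_wnd)


def observe_segment(conn, seg_seq, flags):
    """Apply the window check and record RST/SYN segments that fall outside it.
    Returns True when the segment's sequence number is acceptable."""
    accepted = seq_in_window(conn, seg_seq)
    if not accepted:
        for f in flags & {"RST", "SYN"}:
            conn.oow_ctrl[f] += 1
    return accepted


def reset_attempt_suspected(conn, threshold=8):
    """A legitimate peer rarely sends many out-of-window RST/SYN segments on one
    connection; a burst of them is the signature of sequence-number guessing.
    The threshold is an assumed tuning value, not one given in the text."""
    return sum(conn.oow_ctrl.values()) >= threshold


def demo():
    # Window deliberately straddles the 2^32 wrap point to exercise the modular check.
    conn = TcpConn(rcv_nxt=MOD - 100, rcv_wnd=MAX_RCV_WND)
    # Constructed input: 16 RST segments stepping through the space by RCV.WND,
    # the pattern the text describes, used here only to drive the counter.
    sweep = [(i * MAX_RCV_WND) % MOD for i in range(16)]
    hits = [observe_segment(conn, s, {"RST"}) for s in sweep]
    return hits, conn.oow_ctrl["RST"], reset_attempt_suspected(conn)


if __name__ == "__main__":
    print(guesses_to_reset(MAX_RCV_WND), guesses_to_inject(MAX_RCV_WND))  # 65536 131072
    hits, oow, flagged = demo()
    print(hits.count(True), oow, flagged)  # 1 15 True
```

Only the first segment of the constructed sweep (sequence number 0, which lies 100 past RCV.NXT across the wrap) is accepted; the other fifteen are out of window, and because they carry RST the counter crosses the assumed threshold, so a monitor built this way would flag the connection before the sweep completes.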