This application claims benefit of priority of patent application Ser. No. 12/197,807, filed on Aug. 25, 2008, which is herein incorporated by reference.
The present invention relates generally to a computer implemented method, data processing system, and computer program product for connecting computers within a packet network. More specifically, the present invention relates to throttling the connections allowed to one or more addresses of a data processing system in a manner that preserves system resources and increases the diversity of hosts allowed to connect to a local host.
Modern data processing systems rely on packet switched networks to transmit data in various forms. One computer may exchange packets with a second computer using the Transmission Control Protocol and Internet Protocol (TCP/IP) set of protocols. These protocols permit a computer to respond to a TCP socket connection request by either accepting and allowing the connection or, alternatively, blocking it. A TCP socket connection request is a packet received from the requesting host with the synchronize (SYN) flag set to one. The SYN flag is a bit in the TCP header that identifies the packet as a request to open a connection. Because a computer has finite resources, and each accepted request occupies a portion of those resources, a computer may not be able to handle every connection request made to it. Resources include, for example, memory, processor time, disk space, and kernel socket state.
In response to a request, a computer may fork or otherwise execute additional processes to handle accepted connection requests. Once a computer has accepted enough connection requests, so many resources may be occupied that the computer becomes unusable because the resulting processes compete with one another for resources. Conditions that may arise in this situation include disk thrashing and deadlock, among others.
Prior art systems were developed that cause a computer to limit accepted connections such that no single requester or host is permitted to occupy more than 50% of the maximum port connections of the computer. A second host, in such prior art systems, is permitted to occupy 25% of the maximum port connections. Successive requesters are accordingly allowed connections under ever-diminishing thresholds or caps for each host. FIG. 1A illustrates the progression for a hypothetical 10 requesters in a system having a limit of 1000 maximum port connections for the monitored port or ports. The diversity of such a system is limited to 10 hosts before the maximum established connections are reached.
The prior art systems allow a connection when the following inequality is true: MAXIMUM_PORT_CONNECTIONS − CURRENT_PORT_CONNECTIONS ≥ CURRENT_HOST_CONNECTIONS
When an incoming TCP socket connection request arrives on a port, the computer tracks the number of connections used by each Internet Protocol (IP) address on that TCP port. The source IP address in a TCP socket connection request identifies the requesting host, while the targeted TCP port is the monitored port. Current port connections is a number, for example, CURRENT_PORT_CONNECTIONS, that is the dynamically maintained count of connections currently established at the local host on the monitored port, summed over all requesting hosts. A host is an abstract concept of a sender of packets on a network. This abstraction permits a single computer to operate as the sender of packets that correspond to one or more hosts. A host may be a computer identification corresponding to an IP address associated with the source address field of a packet. Thus, a computer having an IP address of 192.168.0.1 can be a host. The same computer can also send packets having an alternate IP address, for example, 192.168.0.2. Nevertheless, the more typical configuration is that a single computer corresponds to a single host.
Maximum port connections is the maximum number of connections that a computer may support for a monitored port or grouping of monitored ports. A monitored port or group of monitored ports are ports to which a limit applies on the number of TCP connections that can be concurrently allowed. MAXIMUM_PORT_CONNECTIONS is a convenient name in the formula above for maximum port connections. A TCP connection request that is allowed at a computer becomes an open, established connection and is counted against this limit until it closes. A system administrator can set the maximum port connections.
The current host connections, or CURRENT_HOST_CONNECTIONS as used in the formula above, is the number of connections currently established from a particular requesting host. Accordingly, in the examples given above, the host 192.168.0.1 can have 500 connections, while the host 192.168.0.2 can have 250 connections. Thus, where MAXIMUM_PORT_CONNECTIONS is 1000, the prior art limits the sum of the current port connections of 192.168.0.1, 192.168.0.2, and any additional hosts to 1000, after which the computer or local host blocks additional connections.
As can be seen in this example, the prior art computer progressively limits the allowed number of connections for each successive host, until host #10 may be allowed only a single connection. If a denial of service attack were mounted against the computer, at most 10 attacking hosts would be needed to occupy all of the maximum port connections in this example. The declining proportions shown here are the most rapid reduction in the proportion of connections allowed to successive attackers or hosts that the prior art permits. It may be advantageous to diminish the proportion of connections allowed to each additional attacker or host more rapidly than the prior art does, so that more distinct hosts can be served before the maximum is reached.
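The prior-art admission rule and the FIG. 1A progression can be reproduced in a few lines. The following is an added example written for this page, not code from the application or any product it describes. It assumes that both counts in the inequality include the connection being requested (the text does not say whether the check runs before or after the new connection is counted; this reading is the one that yields the 50%, 25%, ... caps), and the host names and addresses are constructed for the simulation.

```python
from collections import Counter


class PriorArtThrottle:
    """Per-port SYN admission control using the prior-art inequality
    quoted in the text:

        MAXIMUM_PORT_CONNECTIONS - CURRENT_PORT_CONNECTIONS >= CURRENT_HOST_CONNECTIONS

    Assumption (not stated in the text): both counts include the connection
    being requested, which reproduces the 500 / 250 / 125 / ... progression.
    """

    def __init__(self, maximum_port_connections: int) -> None:
        self.maximum_port_connections = maximum_port_connections
        # Established connections on the monitored port, all hosts combined.
        self.current_port_connections = 0
        # Established connections keyed by requesting host (source IP).
        self.current_host_connections = Counter()

    def on_syn(self, src_ip: str) -> bool:
        """Decide whether a SYN from src_ip is accepted.

        Returns True and records the connection if the inequality holds
        with the new connection counted; returns False (drop/RST) otherwise.
        """
        port_after = self.current_port_connections + 1
        host_after = self.current_host_connections[src_ip] + 1
        if self.maximum_port_connections - port_after >= host_after:
            self.current_port_connections = port_after
            self.current_host_connections[src_ip] = host_after
            return True
        return False

    def on_close(self, src_ip: str) -> None:
        """Release one established connection held by src_ip."""
        if self.current_host_connections[src_ip] > 0:
            self.current_host_connections[src_ip] -= 1
            self.current_port_connections -= 1
            if self.current_host_connections[src_ip] == 0:
                del self.current_host_connections[src_ip]


def per_host_caps(maximum_port_connections: int, hosts: list[str]) -> list[int]:
    """Replay FIG. 1A: each host in turn opens connections until it is blocked.

    Returns how many connections each host obtained (0 once the port is full).
    """
    throttle = PriorArtThrottle(maximum_port_connections)
    caps = []
    for ip in hosts:
        accepted = 0
        while throttle.on_syn(ip):
            accepted += 1
        caps.append(accepted)
    return caps


def hosts_to_saturate(maximum_port_connections: int) -> int:
    """Number of distinct source addresses an attacker needs before every
    further host is refused outright: the 'diversity' of the monitored port."""
    throttle = PriorArtThrottle(maximum_port_connections)
    distinct = 0
    while True:
        ip = f"10.0.0.{distinct + 1}"  # constructed attacker address
        if not throttle.on_syn(ip):
            return distinct
        distinct += 1
        while throttle.on_syn(ip):   # this host takes everything it is allowed
            pass


if __name__ == "__main__":
    hosts = [f"192.0.2.{i}" for i in range(1, 12)]  # constructed requesters
    for ip, cap in zip(hosts, per_host_caps(1000, hosts)):
        print(f"{ip:12s} allowed {cap:4d} connections")
    print("hosts needed to saturate a 1000-connection port:",
          hosts_to_saturate(1000))
```

Running the script prints the caps 500, 250, 125, 62, 31, 16, 8, 4, 2, 1 for the first ten hosts and 0 for the eleventh, with only 999 of the 1000 slots ever used; `hosts_to_saturate(1000)` returns 10, which is the diversity figure the text gives. The `on_close` path matters in practice: a slot freed by the first host is immediately available to a previously refused host, so the cap is on concurrency, not on lifetime connections.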