1. Field of the Invention
The present invention relates in general to the field of network communications, and more particularly to a system and method for securing network communications from blind attacks with checksum comparisons.
2. Description of the Related Art
The Transport Control Protocol (TCP) is a stream delivery service that allows segments of data to be sent between computing nodes over a network with the Internet Protocol (IP). TCP re-assembles segments at a receiving node by requesting re-transmission of lost packets from the sending node and re-arranging out-of-order data. TCP provides accurate delivery of a segment, although some delays may occur during performance of the re-transmission and ordered re-assembly functions. Other types of protocols are available for use instead of TCP. Real-Time Transport Protocol (RTP) is typically used for time-sensitive data delivery, such as voice and video packet streaming. User Datagram Protocol (UDP) is typically used for request-response interactions.
A host computing node (server) and client computing node establish a TCP connection with a three-way handshake. The client initiates the connection with a SYN sent to the server, setting the segment's sequence number to a random value and including a checksum, hereinafter referred to as {c1}. The server responds with a SYN-ACK that includes an acknowledgement which increments the sequence number, a random number for the server's sequence and a checksum, hereinafter referred to as {c2}. The client completes the handshake with an ACK that increments the sequence and acknowledgment numbers and includes a third checksum, hereinafter referred to as {c3}. The checksums of each portion of the handshake (i.e., SYN, SYN-ACK and ACK) are used to verify the validity of the data at the node that receives the associated portion of the handshake. After a TCP connection is established, data is transferred and then the connection is closed.
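As an added illustration that is not part of this description, the following Python script builds the three handshake segments just described from constructed addresses and initial sequence numbers, computes the TCP checksum each one carries (the {c1}, {c2} and {c3} above, covering the IPv4 pseudo-header as TCP requires), and shows the receiver-side check that rejects a segment whose sequence number was changed in transit. All addresses, ports and sequence numbers are constructed sample values.

```python
import socket
import struct

SYN, SYN_ACK, ACK = 0x02, 0x12, 0x10  # TCP flag bytes


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, then complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd trailing byte with zero
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header (src, dst, zero, protocol 6, TCP length) covered by the checksum."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, 6, tcp_len)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535):
    """Return (20-byte TCP header with no options or payload, its checksum)."""
    fields = [sport, dport, seq, ack, 5 << 4, flags, window, 0, 0]  # checksum field zeroed
    draft = struct.pack("!HHIIBBHHH", *fields)
    fields[7] = rfc1071_checksum(pseudo_header(src_ip, dst_ip, len(draft)) + draft)
    return struct.pack("!HHIIBBHHH", *fields), fields[7]


def segment_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: with a correct checksum in place the complemented sum is 0."""
    return rfc1071_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def handshake(client_ip="10.0.0.2", server_ip="10.0.0.1", cport=49152, sport=443,
              client_isn=0x1A2B3C4D, server_isn=0x5E6F7081):
    """Constructed three-way handshake: the three segments and their checksums c1..c3."""
    syn, c1 = build_segment(client_ip, server_ip, cport, sport, client_isn, 0, SYN)
    syn_ack, c2 = build_segment(server_ip, client_ip, sport, cport, server_isn, client_isn + 1, SYN_ACK)
    ack, c3 = build_segment(client_ip, server_ip, cport, sport, client_isn + 1, server_isn + 1, ACK)
    return {"syn": syn, "syn_ack": syn_ack, "ack": ack, "c1": c1, "c2": c2, "c3": c3}


if __name__ == "__main__":
    hs = handshake()
    print("c1=%#06x c2=%#06x c3=%#06x" % (hs["c1"], hs["c2"], hs["c3"]))
    altered = bytearray(hs["syn"])
    altered[4] ^= 0x01  # one bit of the sequence number changed in transit
    print("SYN ok:", segment_checksum_ok("10.0.0.2", "10.0.0.1", hs["syn"]),
          "altered SYN ok:", segment_checksum_ok("10.0.0.2", "10.0.0.1", bytes(altered)))
```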
During data transfers of an established TCP connection, hackers using malicious code sometimes attempt “blind” attacks with packet-spoofing techniques that cause data corruption and/or connection resets. Blind attacks rely on an attacker's ability to guess or know the “five-tuple” of a TCP instance, i.e., the protocol, source address, source port, destination address and destination port. Of the five-tuple, the host IP address, well-known port and client IP address are generally accurately guessed; however, the ephemeral port of the client and the initial sequence, acknowledgement and timestamp fields of the TCP client are typically more difficult to guess and in addition are generally randomized. Randomization of a source port number may be performed with an algorithm; however, source port randomization tends to fragment the available ephemeral port range and increase the risk of connection-id collisions that lead to connection failures. Generally, port randomization tends to impact connection performance and makes debugging and sniffing for network investigation more difficult. Simplified port randomization techniques, such as incremented port-ids, tend to fail in a hostile environment. Randomization of initial sequence, acknowledgement sequence and timestamp information tends to increase connection overhead, resulting in greater complexity and reduced performance.