System and method for an adaptive TCP SYN cookie with time validation

System and method for an adaptive TCP SYN cookie with time validation
RE47296

Provided is a method and system for tcp syn cookie validation. The method includes receiving a session syn packet by a tcp session setup module of a host server, generating a transition cookie including a time value representing the actual time, sending a session syn/ack packet, including the transition cookie, in response to the received session syn packet, receiving a session ack packet, and determining whether a candidate transition cookie in the received session ack packet comprises a time value representing a time within a predetermined time interval from the time the session ack packet is received.

PTO Wrapper PDF
Dossier Espace Google

Patent RE47296
Priority Feb 21 2006
Filed Jan 09 2014
Issued Mar 12 2019
Expiry Feb 21 2026 TERM.DISCL.
Inventors Chen, Lee
Assg.orig A10 Networ…
Assg.curr A10 Networ…
Entity Large
Referenced by 1
References 546
Maint.: all paid

CROSS-REFERENCE TO RELATED APPLICATIONS">
BACKGROUND OF THE IN…
SUMMARY OF THE INVEN…
BRIEF DESCRIPTION OF…
DETAILED DESCRIPTION

0. 19. A system for tcp syn cookie validation at a host server, the system comprising:

at least one processor and a memory storing:

a session syn packet receiver, wherein the session syn packet receiver is executed by the at least one processor to receive a session syn packet;

a transition cookie generator, wherein the transition cookie generator is executed by the at least one processor to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time;

a session syn/ack packet sender, wherein the session syn/ack packet sender is executed by the at least one processor to send the transition cookie in response to the received session syn packet;

a session ack packet receiver, wherein when the session ack packet receiver is executed by the at least one processor to receive a session ack packet, the session ack packet including a candidate transition cookie; and

a transition cookie validator, wherein the transition cookie validator is executed by the at least one processor to determine whether the candidate transition cookie in the received session ack packet comprises a time value representing a time within a predetermined time interval from the time the session ack packet is received; and wherein:

the transition cookie generator is executed by the at least one processor to generate the transition cookie by (i) generating an encrypted data element of the generator by applying a cryptographic method on the transition cookie secret key and a transition cookie data element, (ii) performing an unsigned binary addition on the encrypted data element of the generator and a sequence number of a tcp header in the received session syn packet, and (iii) storing the result in the transition cookie.

0. 26. A system for tcp syn cookie validation at a host server, the system comprising:

at least one processor and a memory storing:

a session syn packet receiver, wherein the session syn packet receiver is executed by the at least one processor to receive a session syn packet;

a session syn/ack packet sender, wherein the session syn/ack packet sender is executed by the at least one processor to send the transition cookie in response to the received session syn packet;

a session ack packet receiver, wherein the session ack packet receiver is executed by the at least one processor to receive a session ack packet, the session ack packet including a candidate transition cookie; and

a candidate sequence number such that a sequence number of a tcp header in the received session ack packet equals the sum of the candidate sequence number and a value of 1,

a candidate encrypted data element such that the result of performing an unsigned binary addition of the candidate encrypted data element and a candidate sequence number equals the candidate transition cookie, and

a candidate transition cookie data element by (i) applying a cryptographic method on a candidate transition cookie secret key and the candidate encrypted data element.

0. 11. A system for tcp syn cookie validation at a host server, the system comprising:

at least one processor and a memory storing:

a session syn packet receiver, wherein when the session syn packet receiver is executed by the at least one processor, the session syn packet receiver causing the at least one processor to receive a session syn packet;

a transition cookie generator, the transition cookie generator being executed by the at least one processor to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time;

a session syn/ack packet sender, the session syn/ack packet sender being executed by the at least one processor to send the transition cookie in response to the received session syn packet;

a session ack packet receiver, the session ack packet receiver being executed by the at least one processor to receive a session ack packet, the session ack packet including a candidate transition cookie; and

a transition cookie validator, the transition cookie validator being executed by the at least one processor to determine whether the candidate transition cookie in the received session ack packet comprises a time value representing a time within a predetermined time interval from the time the session ack packet is received; and

wherein:

the transition cookie generator is executed by the at least one processor to generate the transition cookie secret key based on data obtained from the received session syn packet;

the transition cookie validator is executed by the at least one processor to generate a candidate transition cookie secret key based on data obtained from the received session ack packet;

the transition cookie generator is executed by the at least one processor to concatenate the obtained data from the session syn packet to generate a first data item of the generator;

the transition cookie validator is executed by the at least one processor to concatenate the obtained data from the session ack packet to generate a first data item of the validator;

the transition cookie generator is executed by the at least one processor to use a secret key offset to select one or more bits of data from the first data item of the generator in order to generate a second data item of the generator, and

the transition cookie validator is executed by the at least one processor to use a candidate secret key offset to select one or more bits of data from the first data item of the validator in order to generate a second data item of the validator.

0. 1. A system for tcp syn cookie validation at a host server comprising:

a session syn packet receiver for receiving a session syn packet;

a transition cookie generator operating to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time, wherein the transition cookie generator generates the transition cookie secret key based on data obtained from the received session syn packet, the data obtained from the syn packet including at least one of a source IP address of an IP header, a destination port, a source port, and a sequence number of a tcp header in the received session syn packet, wherein the transition cookie generator concatenates the obtained data from the session syn packet to generate a first data item of the generator and the transition cookie generator uses a first hash function to generate the transition cookie secret key from the first data item of the generator;

a session syn/ack packet sender for sending the transition cookie in response to the received session syn packet;

a session ack packet receiver for receiving a session ack packet, the session ack packet including a candidate transition cookie; and

a transition cookie validator, for determining whether the candidate transition cookie in the received session ack packet comprises a time value representing a time within a predetermined time interval from the time the session ack packet is received, wherein the transition cookie validator generates a candidate transition cookie secret key based on data obtained from the received session ack packet, the data obtained from the ack packet including at least one of a source IP address of the IP header, a destination port, and a source port, wherein the transition cookie validator concatenates the obtained data from the session ack packet to generate a first data item of the validator and the transition cookie validator uses the first or another hash function to generate the candidate transition cookie secret key from the first data item of the validator,

wherein at least one of:

the transition cookie generator uses a secret key offset to select one or more bits of data from the first data item of the generator in order to generate a second data item of the generator, and

the transition cookie validator uses a candidate secret key offset to select one or more bits of data from the first data item of the validator in order to generate a second data item of the validator.

0. 2. The system according to claim 1, in which the transition cookie validator determines that the received session ack packet is valid if the candidate transition cookie in the received session ack packet comprises a time value representing a time within a predetermined time interval from the time the session ack packet is received.

0. 3. The system according to claim 1, in which the predetermined time interval is in the range of one to six seconds.

0. 4. The system according to claim 1, in which the predetermined time interval is three seconds.

0. 5. The system according to claim 1, in which the generating of the transition cookie includes the use of random data.

0. 6. The system according to claim 1, in which the generating of the transition cookie includes the use of data obtained from the session syn packet.

0. 7. A system for tcp syn cookie validation at a host server comprising:

a session syn packet receiver for receiving a session syn packet;

a transition cookie generator operating to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time, wherein the transition cookie generator generates the transition cookie by (i) generating an encrypted data element of the generator by applying a cryptographic method on the transition cookie secret key and a transition cookie data element, (ii) performing an unsigned binary addition on the encrypted data element of the generator and a sequence number of a tcp header in the received session syn packet, and (iii) storing the result in the transition cookie;

a session syn/ack packet sender for sending the transition cookie in response to the received session syn packet;

a session ack packet receiver for receiving a session ack packet, the session ack packet including a candidate transition cookie; and

0. 8. The system according to claim 7, wherein the transition cookie data element comprises data based on at least one of: a selective ack, an MSS index, and a 32-bit current time of day indicated by a clock.

0. 9. A system for tcp syn cookie validation at a host server comprising:

a session syn packet receiver for receiving a session syn packet;

a transition cookie generator operating to generate a transition cookie with the use of a transition cookie secret key, the transition cookie comprising a time value representing the actual time;

a session syn/ack packet sender for sending the transition cookie in response to the received session syn packet;

a session ack packet receiver for receiving a session ack packet, the session ack packet including a candidate transition cookie; and

a candidate sequence number such that a sequence number of a tcp header in the received session ack packet equals the sum of the candidate sequence number and a value of 1,

a candidate transition cookie data element by applying a cryptographic method on a candidate transition cookie secret key and the candidate encrypted data element.

0. 10. The system according to claim 9, wherein the transition cookie validator validates the candidate transition cookie data element by adjusting the candidate transition cookie data element to generate, and determining if the adjusted candidate transition cookie data element is within a predetermined time margin of a modified current time.

0. 12. The system according to claim 11, wherein:

when the transition cookie secret key is generated based on data obtained from the received session syn packet, the obtained data includes at least one of: a source IP address of an IP header, a destination port, a source port, and a sequence number of a tcp header in the received session syn packet, and

when the candidate transition cookie secret key is generated based on data obtained from the received session ack packet, the obtained data includes at least one of:

a source IP address of the IP header, a destination port, and a source port.

0. 13. The system according to claim 11, wherein at least one of:

the transition cookie generator is executed by the at least one processor to use a first hash function to generate the transition cookie secret key from the first data item of the generator, and

when the transition cookie validator is executed by the at least one processor to use the first or another hash function to generate the candidate transition cookie secret key from the first data item of the validator.

0. 14. The system according to claim 11, in which the transition cookie validator is executed by the at least one processor to determine that the received session ack packet is valid if the candidate transition cookie in the received session ack packet comprises a time value representing a time within a predetermined time interval from the time the session ack packet is received.

0. 15. The system according to claim 11, in which the predetermined time interval is in the range of one to six seconds.

0. 16. The system according to claim 11, in which the predetermined time interval is three seconds.

0. 17. The system according to claim 11, in which the generating of the transition cookie includes the use of random data.

0. 18. The system according to claim 11, in which the generating of the transition cookie includes the use of data obtained from the session syn packet.

0. 20. The system according to claim 19, wherein the transition cookie data element comprises data based on at least one of: a selective ack, an MSS index, and a 32-bit current time of day indicated by a clock.

0. 21. The system according to claim 19, in which the transition cookie validator is executed by the at least one processor to determine that the received session ack packet is valid if the candidate transition cookie in the received session ack packet comprises a time value representing a time within a predetermined time interval from the time the session ack packet is received.

0. 22. The system according to claim 19, in which the predetermined time interval is in the range of one to six seconds.

0. 23. The system according to claim 19, in which the predetermined time interval is three seconds.

0. 24. The system according to claim 19, in which the generating of the transition cookie includes the use of random data.

0. 25. The system according to claim 19, in which the generating of the transition cookie includes the use of data obtained from the session syn packet.

0. 27. The system according to claim 26, wherein the transition cookie validator is executed by the at least one processor to validate the candidate transition cookie data element by adjusting the candidate transition cookie data element to generate, and determining if the adjusted candidate transition cookie data element is within a predetermined time margin of a modified current time.

0. 28. The system according to claim 26, in which when the transition cookie validator is executed by the at least one processor to determine that the received session ack packet is valid if the candidate transition cookie in the received session ack packet comprises a time value representing a time within a predetermined time interval from the time the session ack packet is received.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation reissue application of U.S. Pat. No. 7,675,854 and claims benefit under 35 U.S.C. 120 as a continuation of application Ser. No. 13/413,191 filed on Mar. 6, 2012, which is an application for reissue of U.S. Pat. No. 7,675,854, originally issued on Mar. 9, 2010.

BACKGROUND OF THE INVENTION

When a TCP (Transmission Control Protocol) connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN ACK (synchronize acknowledge). The destination host normally then waits to receiver an ACK (acknowledge) of the SYN ACK before the connection is established. This is referred to as the TCP “three-way handshake.”

While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK is sent.

A TCP SYN flood attack is a well known denial of service attack that exploits the TCP three-way handshake design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. The victim destination host sends a SYN ACK back to the random source address and adds an entry to the connection queue, or otherwise allocates server resources. Since the SYN ACK is destined for an incorrect or non-existent host, the last part of the “three-way handshake” is never completed and the entry remains in the connection queue until a timer expires, typically, for example, for about one minute. By generating phony TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services (such as e-mail, file transfer, or WWW) to legitimate users. In most instances, there is no easy way to trace the originator of the attack because the IP address of the source is forged. The external manifestations of the problem may include inability to get e-mail, inability to accept connections to WWW or FTP services, or a large number of TCP connections on your host in the state SYN_RCVD.

A malicious client sending high volume of TCP SYN packets without sending the subsequent ACK packets can deplete server resources and severely impact the server's ability to serve its legitimate clients.

Newer operating systems or platforms implement various solutions to minimize the impact of TCP SYN flood attacks. The solutions include better resource management, and the use of a “SYN cookie”.

In an exemplary solution, instead of allocating server resource at the time of receiving a TCP SYN packet, the server sends back a SYN/ACK packet with a specially constructed sequence number known as a SYN cookie. When the server then receives an ACK packet in response to the SYN/ACK packet, the server recovers a SYN cookie from the ACK packet, and validates the recovered SYN cookie before further allocating server resources.

The effectiveness of a solution using a SYN cookie depends on the method with which the SYN cookie is constructed. However, existing solutions using a SYN cookie typically employ a hash function to construct the SYN cookie, which can lead to a high percentage of false validations of the SYN cookie, resulting in less than satisfactory protection again TCP SYN flood attack.

Therefore, there is a need for a better system and method for constructing and validating SYN cookies.

SUMMARY OF THE INVENTION

An aspect of the present invention provides a system for TCP SYN cookie validation. The system includes a host server including a processor and memory. The processor is configured for receiving a session SYN packet, generating a transition cookie, the transition cookie comprising a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.

One aspect of the invention includes the system above in which the processor is further configured for regarding the received session ACK packet as valid if the candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.

In another aspect of the invention, the predetermined time interval is in the range of one to six seconds.

In one aspect of the invention, the predetermined time interval is three seconds.

In another aspect of the invention, the step of generating the transition cookie includes the use of data obtained from the session SYN packet.

In one aspect of the invention, the data obtained from the session SYN packet comprises the source IP address of an IP header associated with the session SYN packet.

In another aspect of the invention, the data obtained from the session SYN packet comprises the sequence number of a TCP header associated with the session SYN packet.

In another aspect of the invention, the data obtained from the session SYN packet comprises a source port associated with the session SYN packet.

In another aspect of the invention, the data obtained from the session SYN packet comprises a destination port associated with the session SYN packet.

Another aspect of the present invention provides a method for TCP SYN cookie validation. The method includes receiving a session SYN packet by a TCP session setup module, generating a transition cookie by the TCP session setup module, the transition cookie comprising a time value representing the actual time, sending a session SYN/ACK packet, including the transition cookie, in response to the received session SYN packet, receiving a session ACK packet, and determining whether a candidate transition cookie in the received session ACK packet comprises a time value representing a time within a predetermined time interval from the time the session ACK packet is received.

In an aspect of the invention, the method further includes indicating the received session ACK packet comprises a valid candidate transition cookie if the time value of the candidate transition cookie is within a predetermined time interval of the time the session ACK packet is received.

In another aspect of the invention, the step of generating the transition cookie includes the use of data obtained from the session SYN packet.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram illustrating a host server including a TCP session setup module and a client server, in accordance with an embodiment of the present invention;

FIG. 2 is a schematic diagram of a TCP/IP handshake in accordance with an embodiment of the present invention;

FIG. 3a illustrates a method including steps for generating a transition cookie data element by a transition cookie generator 245, in accordance with an embodiment of the present invention;

FIG. 3b illustrates a method including steps for generating a transition cookie secret key by a transition cookie generator 245 based on data obtained from the received session SYN packet, in accordance with an embodiment of the present invention;

FIG. 3c illustrates a method including steps for generating a transition cookie based on a transition cookie data element, a transition cookie secret key, and data obtained from a received session SYN packet in accordance with an embodiment of the present invention;

FIG. 4a illustrates steps for generating a candidate encrypted data element by a transition cookie validator 275 based on data obtained from a received session ACK packet, in accordance with an embodiment of the present invention;

FIG. 4b illustrates a method including steps for generating a candidate transition cookie secret key by a transition cookie validator 275 based on data obtained from a received session ACK packet and a candidate sequence number, in accordance with an embodiment of the present invention;

FIG. 4c illustrates a method including steps for generating a candidate transition cookie data element by a transition cookie validator 275 based on a candidate encrypted data element and a candidate transition cookie secret key, in accordance with an embodiment of the present invention;

FIG. 4d illustrates a method including the steps for validating a candidate transition cookie data element, in accordance with an embodiment of the present invention; and

FIG. 5 illustrates a method including steps for generating information based on a validated candidate transition cookie data element, in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

In the following description, for purposes of explanation, specific numbers, materials and configurations are set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to one having ordinary skill in the art, that the invention may be practiced without these specific details. In some instances, well-known features may be omitted or simplified so as not to obscure the present invention. Furthermore, reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase “in an embodiment” in various places in the specification are not necessarily all referring to the same embodiment.

Transmission Control Protocol (“TCP”) is one of the main protocols in TCP/IP networks. Whereas the Internet Protocol (“IP”) deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

The terms “host server” and “client server” referred to in the descriptions of various embodiments of the invention herein described are intended to generally describe a typical system arrangement in which the embodiments operate. The “host server” generally refers to any computer system interconnected to a TCP/IP network, including but not limited to the Internet, the computer system comprising at a minimum a processor, computer memory, and computer software. The computer system is configured to allow the host server to participate in TCP protocol communications over its connected TCP/IP network. Although the “host server” may be a single personal computer having its own IP address and in communication with the TCP/IP network, it may also be a multi-processor server or server bank. The “client server” is similar to the “host server”, although it is understood that the “client server” may, in fact, be a single personal computer attached to the TCP/IP network. The only difference between the client and the host server for the purposes of the present invention is that the host server receives the SYN from the client server, sends a SYN ACK to the client server, and waits for the ACK from the client server.

FIG. 1 is a schematic diagram illustrating an embodiment of the present invention. A host server 102 may include a TCP session module 104. The TCP session setup module 104 can engage in a TCP handshake 108, such as described above, with a client server 106. In an embodiment, the TCP session setup module 104 is a software component of the host server 102. In one embodiment, the TCP session setup module 104 is implemented in an Application Specific Integrated Circuit (“ASIC”) or a Field Programmable Gate Array (“FPGA”). It is the TCP session setup module that handles the “3-way handshake” 108 between the host server 102 and the client server 106. The TCP session setup module may itself also incorporate modules for sending and receiving TCP session packets. These modules may include but are not limited to a session SYN packet receiver, a session SYN/ACK packet sender, and a session ACK packet receiver, which are all known to those of ordinary skill in the computer arts.

The TCP sessions setup module 104 may itself be embedded in one or more other host server modules (not shown). The TCP session setup module may alternatively comprise a hardware or firmware component. For example, the software which handles the TCP handshake 108 on behalf of the host server 102 may be programmed onto a externally programmable read-only memory (“EPROM”) (not shown), and the EPROM may then be integrated into the host server. In another example, the ASIC or FPGA is integrated into the host server.

FIG. 2 illustrates a TCP session setup module 104 processing TCP/IP segments (not shown), such as session SYN packet 210, session SYN/ACK packet 220, and session ACK packet 230.

A TCP/IP segment includes a TCP header and an IP header as described in IETF RFC 793 “Transmission Control Protocol” section 3.1 “Header Format”, incorporated herein by reference. A TCP header optionally includes a sack-permitted option as described in IETF RFC 2018 “TCP Selective Acknowledgement Options” section 2 “Sack-Permitted Option”, incorporated herein by reference. A session SYN packet 210 is a TCP/IP segment with the SYN control bit in the TCP Header set to “1”. A session SYN/ACK packet 220 is a TCP/IP segment with the SYN control bit and the ACK control bit in the TCP header set to “1”. A Session ACK Packet 230 is a TCP/IP segment with the ACK control bit in the TCP header set to “1”.

Referring to FIG. 2, in an embodiment, the TCP session setup module 104 receives a session SYN packet 210, obtains data from a session SYN packet 210, such as but not limited to the source IP address of the IP header, or the sequence number of the TCP header, and uses the data to generate a transition cookie 250. The transition cookie 250 is preferably a 32-bit data element. In response to the session SYN packet 210, the TCP session setup module 104 creates and sends out a session SYN/ACK packet 220 in accordance with IETF RFC 793 “Transmission Control Protocol” section 3.4 “Establishing a connection”, incorporated herein by reference. The TCP session setup module 104 preferably includes the transition cookie 250 as the sequence number of the TCP header in the session SYN/ACK packet 220.

After the TCP session setup module 104 has sent out the session SYN/ACK packet 220, it waits for receipt of a responding session ACK packet 230. In an embodiment, when a session SYN/ACK packet 230 is received, the TCP session setup module 104 generates a 32-bit candidate transition cookie 270 such that the sum of candidate transition cookie 270 and a value of “1” equal the acknowledgement number of the TCP header in the session ACK packet 230. For example, if the acknowledgement number is “41B4362A” in hexadecimal format the candidate transition cookie 270 is “41B43629” in hexadecimal format; the sum of “41B43629” and a value of “1” equals “41B4362A”. In another example, if the acknowledgement number is “00A30000” in hexadecimal format the candidate transition cookie 270 is “00A2FFFF” in hexadecimal format; the sum of “00A2FFFF” and a value of “1” equals “00A30000”. In another example, if the acknowledgement number is “00000000” in hexadecimal format the Candidate Transition Cookie 270 is “FFFFFFFF” in hexadecimal format; the sum of “FFFFFFFF” and a value of “1” equals “00000000”, with the most significant bit carried beyond the 32-bit boundary. The TCP session setup module 104 may thus validate the candidate transition cookie 270 in this manner. If the TCP session setup module 104 determines that the candidate transition cookie 270 is thus valid, the session ACK packet 230 is also valid. In this case, the TCP session setup module 104 obtains data from the validated session ACK packet 230 and sends the data and information generated during the validation of candidate transition cookie 270 to a computing module (not shown) for further processing.

In order to generate and validate transition cookies 250, 270, the TCP session setup module 104 may include a transition cookie generator 245 and a transition cookie validator 275, respectively. Alternatively, the generation and validation may be performed directly by the TCP session setup module 104. In the descriptions herein, references to the TCP and transition cookie validator 275 are understood to include any of the alternative embodiments of these components.

A transition cookie generator 245 includes the functionality of generating a transition cookie based on the data obtained from a session SYN 210 packet received by the TCP session setup module 104.

A transition cookie validator 275 includes the functionality of validating a candidate transition cookie 270 generated based on data obtained from a session ACK packet 230 received by the TCP session setup module 104.

In exemplary operation, a transition cookie generator 245 is software or firmware that generates a transition cookie 250 based on data obtained from a session SYN packet 210 received by the TCP session setup module 104. An exemplary method for generating a transition cookie 250 by a transition cookie generator 245 includes multiple steps as illustrated in FIGS. 3a-3c.

FIG. 3a illustrates exemplary steps for generating a transition cookie data element 330 by a transition cookie generator 245. A transition cookie generator 245 includes a clock 305 indicating the current time of day in microseconds in a 32-bit format.

The transition cookie data element 330 is preferably a 32-bit data element, generated by the transition cookie generator 245 based on the selective ACK 321, the MSS index 324 and the 32-bit current time of day indicated by clock 305. Selective ACK 321 is a 1-bit data element which is set to a value of “1” by transition cookie generator 245 if a TCP header in a received session SYN packet 210 includes an optional sack-permitted option, or to “0” if a TCP header in a received session SYN packet 210 does not include an optional sack-permitted option.

Maximum Segment Size (“MSS”) 322 is the maximum number of bytes that TCP will allow in an TCP/IP packet, such as session SYN packet 210, session SYN/ACK packet 220, and session ACK packet 230, and is normally represented by an integer value in a TCP packet header. If a TCP header in a received session SYN packet 210 includes a maximum segment size option, the transition cookie generator 245 sets the MSS 322 to equal the maximum segment size option data of the maximum segment size option. Otherwise, if the TCP header in a received session SYN packet 210 does not include a maximum segment size option, the transition cookie generator 245 sets the MSS 322 to a default value, for example, such as integer “536”. The MSS index 324 is a 4-bit data element set by the transition cookie generator 245 based on the MSS 322. The transition cookie generator 245 preferably includes an MSS table 307, which maps an MSS 322 to an MSS index 324. The transition cookie generator 245 maps a MSS 322 with the MSS table 307 to set the value of MSS index 324. For example, MSS 322 has an integer value of “1460”. After the mapping, MSS index 324 has a value of “4” as represented in hexadecimal format. In an alternative embodiment, means other than an MSS table 307 may be employed to determine the MSS index 324 value, such as the use of a mapping algorithm.

In generating a transition cookie data element 330, the transition cookie generator 245 sets a transition cookie data element 330 to equal the 32-bit current time of day indicated by clock 305. For example, the 32-bit current time of day may be “A68079E8” as represented in hexadecimal format, so the transition cookie data element 330 has a value of “A68079E8”.

Next, the transition cookie generator 245 replaces the least significant 4 bits (bit 0-3) of transition cookie data element 330 with the MSS index 324, and replaces bit 4 of a transition cookie data element 330 with selective ACK 321. For example, if a transition cookie data element 330 has been set to a value of “A68079E8”, selective ACK 321 has a value of “1”, and MSS index 324 has a value of “4” as represented in hexadecimal format, after the replacements, transition cookie data element 330 has a value of “A68079F4” in hexadecimal format.

FIG. 3b illustrates exemplary steps for generating a transition cookie secret key 360, such as by a transition cookie generator 245 based on data obtained from a received session SYN packet 210. The data used in generating the transition cookie secret key 360 may include at least the source IP address 312 of an IP header, a destination port 314, a source port 316 and a sequence number 318 of a TCP header in a received session SYN packet 210. In generating a transition cookie secret key 360, a transition cookie generator 245 forms a 96-bit data element, a first data item 340, by concatenating a source IP address 312, a sequence number 318, a source port 316, and a destination port 314. For example, if the source IP address 312 is 192.168.1.134, the hexadecimal representation being “C0A80186”, the sequence number 318 is “9A275B84”, the source port 316 is 4761, the hexadecimal representation being “1299”, and the destination port 314 is 240, the hexadecimal representation being “00F0”, then, after the concatenation, the first data item 340 has a hexadecimal value of “C0A801869A275B84129900F0”.

Next, since the transition cookie secret key 360 is a 128-bit data element, the transition cookie generator 245 may use a hash function to generate the transition cookie secret key 360 from the first data item 340. Further, the transition cookie generator 245 may use a secret key offset 301, which may be a 6-bit integer value, to select a 6-bit non-negative integer from first data item 340 starting at the bit indicated by secret key offset 301. For example, if the secret key offset 301 has a value of “12” and the first data item 340 has a hexadecimal value of “C0A801869A275B84129900F0”, the transition cookie generator 245 selects a 6-bit non-negative integer from the first data item 340 starting at bit 12 (bit 12-17). The selected non-negative integer is of this example is thus “16”. The transition cookie generator 245 then uses the selected non-negative integer to select 64 bits of data from the first data item 340, starting at the bit indicated by the selected non-negative integer, to generate the second data item 350, which has 64 bits.

For example, if the selected non-negative integer is “8” and the first data item 340 has a hexadecimal value of “C0A801869A275B84129900F0”, the transition cookie generator 245 selects 64 bits (bit 8-71) of the first data item 340 to generate a second data item 350, having a hexadecimal value of “869A275B84129900”. In another example, if the selected non-negative integer is “52”, and the transition cookie generator 245 selects 64 bits (bit 52-95 and bit 0-19) of the first data item 340 in a wrap-around fashion, bits 52-95 have a hexadecimal value of “C0A801869A2”, and bit 0-19 have a hexadecimal value of “900F0”, so the generated second data item 350 has a hexadecimal value of “900F0C0A801869A2”. The transition cookie generator 245 then generates a transition cookie secret key 360 by storing the second data item 350 in the least significant 64 bits (bit 0-63) of the transition cookie secret key 360 and setting the most significant 64 bits (bit 64-127) to “0”. For example, if the second data item 350 has a hexadecimal value of “869A275B84129900”, the transition cookie secret key 360 has a hexadecimal value of “0000000000000000869A275B84129900”.

FIG. 3c illustrates exemplary steps for generating a transition cookie 250 based on a transition cookie data element 330, a transition cookie secret key 360, and data obtained from a received session SYN packet 210, including a sequence number 318 of a TCP header in a received session SYN packet 210. To generate a transition cookie 250, a transition cookie generator 245 applies a cryptographic method 308 on the transition cookie secret key 360 and the transition cookie data element 330, such as an RC5 algorithm described in IETF RFC 2040 “The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms” section 1 “Overview”, and sections 2-8 with detailed explanations, incorporated herein by reference. The RC5 algorithm takes a 32-bit plaintext input and a 128-bit encryption key to generate a 32-bit ciphertext output. The transition cookie generator 245 uses the transition cookie data element 330 as the plaintext input to the RC5 algorithm, and the transition cookie secret key 360 as the encryption key input to the RC5 algorithm. The transition cookie generator 245 stores the resulting 32-bit ciphertext output of the RC5 algorithm in the encrypted data element 370.

Next, the transition cookie generator 245 performs an unsigned binary addition on an encrypted data element 370 and the sequence number 318, and stores the result in the transition cookie 250. For example, if the encrypted data element 370 has a value of “0025BC83” in hexadecimal format, and the sequence number 318 has a value of “0743BD55” in hexadecimal format, the result of the addition is hexadecimal “076979D8”. After the addition, the transition cookie 250 has a value of “076979D8” in hexadecimal. In another example, if the encrypted data element 370 has a value of “BE43D096” in hexadecimal format, and the sequence number 318 has a value of “9A275B84” in hexadecimal format, the result of the addition, and the value of transition cookie 250 is hexadecimal “1586B2C1A”, with the most significant bit carried beyond the 32-bit boundary.

In another embodiment, a transition cookie generator 245 may use different steps to generate a transition cookie secret key 360. For example, a secret key offset 301 may be an integer of a different bit length, such as a 4-bit integer value, a 3-bit integer value, or a 5-bit integer value. Also, a transition cookie generator 245 may use a secret key offset 301 to select a non-negative integer value of a different bit length from a first data item 340. For example, a transition cookie generator 245 may select a 4-bit non-negative integer value, a 7-bit non-negative integer value, or a 5-bit non-negative value from a first data item 340.

In other embodiments, a transition cookie generator 245 may store a second data item 350 in the least significant 64 bits (bit 0-63) of a transition cookie secret key 360 or store second data item 350 in the most significant 64 bits (bit 64-127) of a transition cookie secret key 360.

A transition cookie generator 245 may also perform an exclusive-or operation on the most significant 48 bits (bit 0-47) of a first data item 340 and the least significant 48 bits (bit 48-95) of a first data element 340 to form a 48-bit temporary data element (not shown). Similarly, in another embodiment, a transition cookie generator 245 may perform an exclusive-or operation on the 48 even bits (bit 0, 2, 4, . . . 90, 92, 94) and the 48 odd bits (bit 1, 3, 5, . . . 93, 95, 97) to form a 48 bit temporary data element. In yet another embodiment, a transition cookie generator 245 may store a 48-bit temporary data element in the least significant 48 bits (bit 0-47) and the most significant 48 bits (bit 80-127) of a transition cookie secret key 360, and set bit 48-79 to “0”, or store a 48-bit temporary data element in the least significant 48 bits (bit 0-47) of a transition cookie secret key 360, and set the most significant 80 bits (bit 48-127) of a transition cookie secret key 360 to “0”.

In other embodiments of the invention, a transition cookie generator 245 may use an encryption algorithm to generate a transition cookie secret key 360 from the first data item 340.

In another embodiment, a transition cookie generator 245 includes a secret key and an encryption algorithm, and uses a first data element 340 as a plaintext input, and a secret key as an encryption key input to the encryption algorithm to generate a 128-bit ciphertext output. Next, a transition cookie generator 245 generates a transition cookie secret key 360 as a 128-bit ciphertext output. Alternatively, the ciphertext output may be a 96-bit data element, and a transition cookie generator 245 stores a 96-bit ciphertext output in the least significant 96 bits (bit 0-95) of a transition cookie secret key 360, and sets the most significant 32 bits (bit 96-127) to “0”. In another alternative, a transition cookie generator 245 stores the least significant 32 bits (bit 0-31) of a 96-bit ciphertext output in the most significant 32 bits (bit 96-127) of a transition cookie secret key 360.

As seen in FIG. 2, a transition cookie validator 275 validates a candidate transition cookie 270 generated from a session ACK packet 230 received by the TCP session setup module 104. An exemplary method for validating a candidate transition cookie 270 by a transition cookie validator 275 may include multiple steps as illustrated in FIGS. 4a-4d.

FIG. 4a illustrates exemplary steps for generating a candidate encrypted data element 470 by a transition cookie validator 275 based on data obtained from a received session ACK packet 230. The candidate encrypted data element 470 may be a 32-bit data element generated based on the sequence number 418 of the TCP header in the received session ACK packet 230, and the candidate transition cookie 270 generated from the received session ACK packet 230 as illustrated in FIG. 2.

The candidate sequence number 428 may be a 32-bit data element generated by a transition cookie validator 275 such that the sum of candidate sequence number 428 and a value of “1” equals the sequence number 418.

The candidate encrypted data element 470 is generated by the transition cookie validator 275 such that the result of performing an unsigned binary addition of the candidate encrypted data element 470 and the candidate sequence number 428 equals the candidate transition cookie 270.

FIG. 4b illustrates exemplary steps for generating a candidate transition cookie secret key 460 by the transition cookie validator 275 based on data obtained from the received session ACK packet 230 and a candidate sequence number 428. The data used for generating the candidate transition cookie secret key 460 may include at least a source IP address 412 of the IP header in a received session ACK packet 230, a destination port 414 and a source port 416 of the TCP header in a received session ACK packet 230. In the process, a 96-bit first data item 440 is formed by a transition cookie validator 275 by concatenating a source IP address 412, a candidate sequence number 428, a source port 416, and a destination port 414. For example, if the source IP address 412 is 192.168.1.134, having a hexadecimal representation of “C0A80186”, the candidate sequence number 428 is hexadecimal “9A275B84”, the source port 416 is 4761, having a hexadecimal representation of “1299”, and the destination port 414 is 240, having a hexadecimal representation of “00F0”, after the concatenation, the first data item 440 has a hexadecimal value of “C0A801869A275B84129900F0”.

Next, the 128-bit candidate transition cookie secret key 460 is generated from a first data item 440 by a transition cookie validator 275 using a hash function. In an embodiment, a transition cookie validator 275 uses a 6-bit secret key offset 401 to select a 6-bit non-negative integer from a first data item 440 starting at a bit indicated by secret key offset 401. For example, if the secret key offset 401 has a value of “12” and the first data item 440 is “C0A801869A275B84129900F0”, the transition cookie validator 275 selects a 6-bit non-negative integer from the first data item 440 starting at bit 12 (bits 12-17), selecting the non-negative integer “16”. The transition cookie validator 275 then generates a 64-bit second data item 350 by using the selected non-negative integer to select 64 bits of data from the first data item 440, starting at the bit indicated by the selected non-negative integer.

For example, if the selected non-negative integer is “8” and the first data item 440 has a hexadecimal value of “C0A801869A275B84129900F0”, the transition cookie validator 275 selects 64 bits (bit 8-71) of the first data item 440 to generate a second data item 450 having a hexadecimal value of “869A275B84129900”. In another example, if the first data item 440 has a hexadecimal value of “C0A801869A275B84129900F0”, and the selected non-negative integer is “52”, the transition cookie validator 275 selects 64 bits (bit 52-95 and bit 0-19) in a wrap-around fashion. Bits 52-95 have a hexadecimal value of “C0A801869A2”, and bits 0-19 have a hexadecimal value of “900F0”, so the generated second data item 450 has a hexadecimal value of “900F0C0A801869A2”.

Next, the transition cookie validator 275 generates a candidate transition cookie secret key 460 by storing the second data item 450 in the least significant 64 bits (bit 0-63) of the candidate transition cookie secret key 460 and setting the most significant 64 bits (bit 64-127) to “0”. For example, if the second data item 450 has a hexadecinmal value of “869A275B84129900”, the candidate transition cookie secret key 460 has a hexadecimal value of “0000000000000000869A275B84129900”.

FIG. 4C illustrates exemplary steps for generating a candidate transition cookie data element 430 by a transition cookie validator 275 based on a candidate encrypted data element 470 and a candidate transition cookie secret key 460.

In an embodiment, a transition cookie validator 275 applies a cryptographic method 408 on a candidate transition cookie secret key 460 and a candidate encrypted data element 470. An exemplary cryptographic method 408 is an RC5 algorithm described in IETF RFC 2040 “The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms” section 1 “Overview”, and sections 2-8 with detailed explanations, incorporated herein by reference. The RC5 algorithm takes a 32-bit ciphertext input and a 128-bit decryption key to generate a 32-bit plaintext output. A transition cookie validator 275 uses a candidate encrypted data element 470 as a ciphertext input to the RC5 algorithm, and a candidate transition cookie secret key 460 as a decryption key input to the RC5 algorithm, to generate a 32-bit candidate transition cookie data element 430 as the plaintext output of the RC5 decryption algorithm.

FIG. 4d illustrates exemplary steps by a transition cookie validator 275 of validating a candidate transition cookie data element 430. In an embodiment, a transition cookie validator 275 includes a clock 305. The clock 305 indicates the current time of day, preferably in microseconds in a 32-bit format. The modified current time 409 is a 32-bit data element set by a transition cookie validator 275 sets to the current time indicated by clock 305. A transition cookie validator 275 then sets the least significant 5 bits (bit 0-4) of the modified current time 409 to “0”. For example, if the modified current time 409 has a value of “89AE03F6” in hexadecimal format, after setting the least significant 5 bits to “0”, the modified current time 409 has a hexadecimal value of “89AE03E0”.

Next, a transition cookie validator 275 sets a 32-bit adjusted candidate transition cookie data element 431 to equal the candidate transition cookie data element 430, and then sets the least significant 5 bits (bit 0-4) of the adjusted candidate transition cookie data element 431 to “0”. For example, if the adjusted candidate transition cookie data element 431 has a hexadecimal value of “89DB468F”, after setting the least significant 5 bits to “0”, the adjusted candidate transition cookie data element 431 has a hexadecimal value of “89DB4680”.

The transition cookie validator 275 may then determine if the candidate transition cookie data element 430 is valid by determining if the adjusted candidate transition cookie data element 431 is within a time margin of 3 seconds of the modified current time 409. In an embodiment, in order to determine if the adjusted candidate transition cookie data element 431 is within a time margin of 3 seconds of the modified current time 409, the transition cookie stores the modified current time 409 in the least significant 32 bits (bit 0-31) of a first 33-bit time data element, sets the most significant bit (bit 32) to “0”, and adds 6 seconds to the first 33-bit time data element. Adding 6 seconds is to add 6,000,000 micro seconds as represented by “5B8D80” in hexadecimal format. For example, if before the addition, the first 33-bit time data element has a hexadecimal value of “0FFFFFAE2”, After the addition of “5B8D80”, the first 33-bit time data element has a hexadecimal value of “1005B8862”. The transition cookie validator 275 stores the adjusted candidate transition cookie data element 431 in the least significant 32 bits (bit 0-31) of a second 33-bit time data element, sets the most significant bit (bit 32) to “0”, and adds 3 seconds to the second 33-bit time data element. Adding 3 seconds is to add 3,000,000 micro seconds as represented by hexadecimal “2DC6C0”. The transition cookie validator 275 stores the modified current time 409 in the least significant 32 bits (bit 0-31) of a third 33-bit time data element, and sets the most significant bit (bit 32) to “0”. If the second 33-bit time data element is smaller than the first 33-bit time data element and the second 33-bit time data element is larger than the third 33-bit time data element, the transition cookie validator 275 determines that the adjusted candidate transition cookie data element 431 is within 3 seconds of the modified current time 409, and thus that the candidate transition cookie data element 430 is valid.

FIG. 5 illustrates exemplary steps of generating information based on a validated candidate transition cookie data element 430. In an embodiment, candidate MSS 522 is an integer. A transition cookie validator 275 includes a reversed MSS table 507, which includes information that maps a 4-bit data element to a candidate MSS 522. A transition cookie validator 275 extracts the least significant 4-bit (bit 0-3) data from candidate transition cookie data element 430, maps the extracted 4-bit data to a reversed MSS table 507, and stores the result in a candidate MSS 522. A transition cookie validator 275 may then generate a maximum segment size option as described in IETF RFC 793 “Transmission Control Protocol” section 3.1 “Header Format”, incorporated herein by reference, and sets a maximum segment size option data of the maximum segment size option to equal a candidate MSS 522. A transition cookie validator 275 may further examine bit 4 of a candidate transition cookie data element 430. If bit 4 of candidate transition cookie data element 430 has a value of “1”, a transition cookie validator 275 may generate a sack-permitted option as described in IETF RFC 2018 “TCP Selective Acknowledgement Options” section 2, incorporated herein by reference. A TCP session setup module 104 may then send a sack-permitted option, a maximum segment size option, and data obtained from a received session ACK packet 230 to a computing module (not shown) for further processing.

There are many different encryption algorithms that use encryption keys of different bit lengths, such as, for example, 56-bit, 64-bit, 96-bit, 128-bit. These may generate ciphertext outputs of different bit lengths, for example, 96-bit, 64-bit, 128-bit, or 32-bit. Persons of ordinary skill in the cipher arts will be able to apply different methods, for example a hash function, to generate the transition cookie secret key 360 from the ciphertext output.

A transition cookie validator 275 may also use different steps to generate a candidate transition cookie secret key 460. The steps used by a transition cookie validator 275 to generate a candidate transition cookie secret key 460 are similar to the steps used by a transition cookie generator 245 to generate a transition cookie secret key 360.

Alternative embodiments of the invention may employ a different algorithm for the cryptographic methods 308, 408. In one example, the different algorithm is an RC2 algorithm described in IETF RFC 2268 “A Description of the RC2(r) Encryption Algorithm” section 1 “Introduction” and section 2-4 with detailed explanation, incorporated herein by reference. In another example, the different algorithm is a Blowfish algorithm. In one other example, the different algorithm is a Data Encryption Standards (“DES”) algorithm based on Federal Information Processing Standards Publication “Data Encryption Standard (DES) FIPS PUB 46-3”, which is incorporated herein by reference in its entirety. Other algorithms are also usable.

Also, a transition cookie validator 275 may use different time margins of modified current time 409 to determine if the candidate transition cookie data element is valid. Different time margins include but are not limited to 1 second, 4 seconds, 6 seconds, 2 seconds, or 11 seconds.

In an embodiment, the method of generating a transition cookie includes MD5 signature option information in the TCP options field. When this method is used, the method of validating a candidate transition cookie 270 correspondingly includes the MD5 signature option information in the TCP options field.

In another embodiment, transition cookie generator 245 may include a plurality of transition cookie generation methods for generating transition cookie 250. For example, the secret key offset 301 may have a different value, such as an integer value of different bit length, such as 4-bit, or 8-bit. In other examples, the selected non-negative integer from first data item 340 may be of different bit length, such as 8-bit, or 10-bit, the cryptographic method 308 may be a different algorithm than RC5, or the generating of transition cookie data element 330 may include MD5 signature option information in the TCP options field of session SYN packet 210. A transition cookie generation method may include steps different from the steps in the exemplary method illustrated in FIGS. 3a-3c.

In an embodiment, the transition cookie generator 245 may selects method to generate transition cookie 250 based on random data.

The random data may include time. In one embodiment, transition cookie generator 245 selects a method based on the time of day. Alternatively, the transition cookie generator 245 may select a method after a time period, such as 10 seconds, 30 seconds, 2 minutes or 3 hours.

In another embodiment, the random data may include a source IP address in session SYN packet 210, or a destination IP address in session SYN packet 210.

The random data may include the network interface at which a TCP session setup module 104 receives a session SYN packet 210, or a Virtual Local Area Network (VLAN) information associated with a session SYN packet 210.

In one embodiment, transition cookie validator 275 includes a plurality of transition cookie validation methods for validating candidate transition cookie 270. A transition cookie validation method may include steps different from the steps in the exemplary method illustrated in FIGS. 4a-4d. A transition cookie validator 275 may select a method to validate candidate transition cookie 270 based on random data.

In these embodiments it is understood to be preferred that the transition cookie validator 275 selects a complementary method to the method selected by transition cookie generator 245.

Although the invention herein has been described with reference to particular embodiments, it is to be understood that these embodiments are merely illustrative of the principles and applications of the present invention. It is therefore to be understood that numerous modifications may be made to the illustrative embodiments and that other arrangements may be devised without departing from the spirit and scope of the present invention as defined by the appended claims.

INVENTORS:

Chen, Lee, Szeto, Ronald Wai Lun, Hwang, Shih-Tsung

THIS PATENT IS REFERENCED BY THESE PATENTS:

Patent	Priority	Assignee	Title
RE49053,	Feb 21 2006	A10 Networks, Inc.	System and method for an adaptive TCP SYN cookie with time validation

THIS PATENT REFERENCES THESE PATENTS:

Patent	Priority	Assignee	Title
5218602,	Apr 04 1991	ALCATEL USA, INC	Interprocessor switching network
5774660,	Aug 05 1996	RESONATE INC	World-wide-web server with delayed resource-binding for resource-based load balancing on a distributed resource multi-node network
5862339,	Jul 09 1996	Microsoft Technology Licensing, LLC	Client connects to an internet access provider using algorithm downloaded from a central server based upon client's desired criteria after disconnected from the server
5875185,	Oct 10 1995	A10 Networks, Inc	Seamless handoff for a wireless lan/wired lan internetworking
5935207,	Jun 03 1996	Rovi Technologies Corporation	Method and apparatus for providing remote site administrators with user hits on mirrored web sites
5958053,	Jan 30 1997	AT&T Corp	Communications protocol with improved security
5995981,	Jun 16 1997	Telefonaktiebolaget L M Ericsson	Initialization of replicated data objects
6003069,	Dec 16 1997	Lexmark International, Inc.; Lexmark International, Inc	Client/server printer driver system
6047268,	Nov 04 1997	HANGER SOLUTIONS, LLC	Method and apparatus for billing for transactions conducted over the internet
6075783,	Mar 06 1997	Verizon Patent and Licensing Inc	Internet phone to PSTN cellular/PCS system
6131163,	Feb 17 1998	Cisco Technology, Inc	Network gateway mechanism having a protocol stack proxy
6219706,	Oct 16 1998	Cisco Technology, Inc.	Access control for networks
6259705,	Sep 22 1997	Fujitsu Limited	Network service server load balancing device, network service server load balancing method and computer-readable storage medium recorded with network service server load balancing program
6321338,
6374300,	Jul 15 1999	F5 Networks, Inc.; F5 Networks, Inc	Method and system for storing load balancing information with an HTTP cookie
6456617,	Aug 12 1997	KDDI Corporation	Routing control communication system between circuit switched network and internet
6459682,	Apr 07 1998	International Business Machines Corporation	Architecture for supporting service level agreements in an IP network
6483600,	Feb 26 1999	UTSTARCOM, INC	System and method for communicating real-time facsimiles over data networks
6535516,	Dec 10 1998	A10 Networks, Inc	Shared memory based network switch and the network constructed with the same
6578066,	Sep 17 1999	RADWARE LTD	Distributed load-balancing internet servers
6587866,	Jan 10 2000	Oracle America, Inc	Method for distributing packets to server nodes using network client affinity and packet distribution table
6600738,	Oct 02 1999	Ericsson, Inc.	Routing in an IP network based on codec availability and subscriber preference
6658114,	May 31 1999	A10 Networks, Inc	Key management method
6748414,	Nov 15 1999	International Business Machines Corporation	Method and apparatus for the load balancing of non-identical servers in a network environment
6772205,	Mar 12 1999	RPX CLEARINGHOUSE LLC	Executing applications on a target network device using a proxy network device
6772334,	Aug 31 2000	JPMORGAN CHASE BANK, N A ; MORGAN STANLEY SENIOR FUNDING, INC	System and method for preventing a spoofed denial of service attack in a networked computing environment
6779017,	Apr 29 1999	International Business Machines Corporation	Method and system for dispatching client sessions within a cluster of servers connected to the world wide web
6779033,	Dec 28 2000	McAfee, Inc	System and method for transacting a validated application session in a networked computing environment
6804224,	Feb 29 2000	Hewlett Packard Enterprise Development LP	System and method for providing telephone service having private branch exchange features in a voice-over-data network telephony system
6952728,	Dec 01 1999	RPX CLEARINGHOUSE LLC	Providing desired service policies to subscribers accessing internet
7010605,	Aug 29 2000	Microsoft Technology Licensing, LLC	Method and apparatus for encoding and storing session data
7013482,	Jul 07 2000	802 SYSTEMS INC	Methods for packet filtering including packet invalidation if packet validity determination not timely made
7058718,	Jan 15 2002	TREND MICRO INCORPORATED	Blended SYN cookies
7069438,	Aug 19 2002	SOWL ASSOCIATES, INC	Establishing authenticated network connections
7076555,	Jan 23 2002	JPMORGAN CHASE BANK, N A , AS SUCCESSOR AGENT	System and method for transparent takeover of TCP connections between servers
7143087,	Feb 03 2003		System and method for creating a distributed network architecture
7167927,	Feb 26 2002	ALACRITECH, INC	TCP/IP offload device with fast-path TCP ACK generating and transmitting mechanism
7181524,	Jun 13 2003	ARCTERA US LLC	Method and apparatus for balancing a load among a plurality of servers in a computer system
7218722,	Dec 18 2000	NETGEAR, Inc; NETGEAR HOLDINGS LIMITED, A LIMITED LIABILITY COMPANY	System and method for providing call management services in a virtual private network using voice or video over internet protocol
7228359,	Feb 12 2002	Cisco Technology, Inc.	Methods and apparatus for providing domain name service based on a client identifier
7234161,	Dec 31 2002	Nvidia Corporation	Method and apparatus for deflecting flooding attacks
7236457,	Oct 04 2002	Intel Corporation	Load balancing in a network
7254133,	Jul 15 2002	TAHOE RESEARCH, LTD	Prevention of denial of service attacks
7269850,	Dec 31 2002	Intel Corporation	Systems and methods for detecting and tracing denial of service attacks
7277963,	Jun 26 2002	SANDVINE CORPORATION; PNI CANADA ACQUIRECO CORP	TCP proxy providing application layer modifications
7301899,	Jan 31 2001	Mavenir LTD	Prevention of bandwidth congestion in a denial of service or other internet-based attack
7308499,	Apr 30 2003	AVAYA LLC	Dynamic load balancing for enterprise IP traffic
7310686,	Oct 27 2002	BUSHNELL HAWTHORNE LLC	Apparatus and method for transparent selection of an Internet server based on geographic location of a user
7328267,	Jan 18 2002	Cisco Technology, Inc.	TCP proxy connection management in a gigabit environment
7334232,	Nov 05 1998	Oracle International Corporation	Clustered enterprise Java™ in a secure distributed processing system
7337241,	Sep 27 2002	ALACRITECH, INC	Fast-path apparatus for receiving data corresponding to a TCP connection
7343399,	Jun 25 2001	RPX CLEARINGHOUSE LLC	Apparatus and method for managing internet resource requests
7349970,	Mar 29 2001	GOOGLE LLC	Workload management of stateful program entities
7370353,	Nov 05 2001	Cisco Technology, Inc	System and method for managing dynamic network sessions
7373500,	Apr 15 2003	Oracle America, Inc	Secure network processing
7391725,	May 18 2004	Microsoft Technology Licensing, LLC	System and method for defeating SYN attacks
7398317,	Sep 07 2000	RIVERBED TECHNOLOGY LLC	Thwarting connection-based denial of service attacks
7423977,	Aug 23 2004	AVAGO TECHNOLOGIES INTERNATIONAL SALES PTE LIMITED	Smoothing algorithm for round trip time (RTT) measurements
7430755,	Sep 03 2002	FS Networks, Inc.	Method and system for providing persistence in a secure network access
7463648,	Aug 23 1999	Oracle America, Inc	Approach for allocating resources to an apparatus based on optional resource requirements
7467202,	Sep 10 2003	FIDELIS SECURITY LLC; RUNWAY GROWTH FINANCE CORP	High-performance network content analysis platform
7472190,	Oct 17 2003	KYNDRYL, INC	Method, system and program product for preserving a user state in an application
7492766,	Feb 22 2006	Juniper Networks, Inc.	Dynamic building of VLAN interfaces based on subscriber information strings
7506360,	Oct 01 2002	SYSXNET LIMITED	Tracking communication for determining device states
7509369,	Jul 11 2001	CloudBlue LLC	Balancing shared servers in virtual environments
7512980,	Nov 30 2001	Cisco Technology, Inc	Packet sampling flow-based detection of network intrusions
7533409,	Mar 22 2001	Oracle Systems Corporation	Methods and systems for firewalling virtual private networks
7552323,	Nov 18 2002	LIQUIDWARE LABS, INC	System, apparatuses, methods, and computer-readable media using identification data in packet communications
7584262,	Feb 11 2002	Extreme Networks	Method of and system for allocating resources to resource requests based on application of persistence policies
7584301,	May 06 2004	AVAGO TECHNOLOGIES INTERNATIONAL SALES PTE LIMITED	Host-level policies for global server load balancing
7590736,	Jun 30 2003	Microsoft Technology Licensing, LLC	Flexible network load balancing
7610622,	Feb 06 2006	Cisco Technology, Inc.	Supporting options in a communication session using a TCP cookie
7613193,	Feb 04 2005	Nokia Corporation	Apparatus, method and computer program product to reduce TCP flooding attacks while conserving wireless network bandwidth
7613822,	Jun 30 2003	Microsoft Technology Licensing, LLC	Network load balancing with session information
7673072,	Oct 14 1997	ALACRITECH, INC	Fast-path apparatus for transmitting data corresponding to a TCP connection
7675854,	Feb 21 2006	A10 Networks, Inc.	System and method for an adaptive TCP SYN cookie with time validation
7703102,	Aug 23 1999	Oracle America, Inc	Approach for allocating resources to an apparatus based on preemptable resource requirements
7707295,	May 03 2002	AVAGO TECHNOLOGIES INTERNATIONAL SALES PTE LIMITED	Connection rate limiting
7711790,	Aug 24 2000	AVAGO TECHNOLOGIES INTERNATIONAL SALES PTE LIMITED	Securing an accessible computer system
7733866,	Apr 15 2004	Qualcomm Incorporated	Packet concatenation in wireless networks
7747748,	Nov 17 1998	MUSICQUBED INNOVATIONS, LLC	Method for connection acceptance control and rapid determination of optimal multi-media content delivery over networks
7765328,	Jul 06 2001	Juniper Networks, Inc.	Content service aggregation system
7792113,	Oct 21 2002	Cisco Technology, Inc.	Method and system for policy-based forwarding
7808994,	Feb 22 2006	Juniper Networks, Inc	Forwarding traffic to VLAN interfaces built based on subscriber information strings
7826487,	May 09 2005	F5 Network, Inc; F5 Networks, Inc	Coalescing acknowledgement responses to improve network communications
7881215,	Mar 18 2004	AVAYA LLC	Stateful and stateless data processing
7948952,	Jun 28 2004	WSOU Investments, LLC	Controlling services in a packet data network
7965727,	Sep 14 2006	Fujitsu Limited	Broadcast distributing system and broadcast distributing method
7970934,	Jul 31 2006	GOOGLE LLC	Detecting events of interest
7979694,	Mar 03 2003	Cisco Technology, Inc	Using TCP to authenticate IP source addresses
7983258,	Nov 09 2005	Juniper Networks, Inc.	Dynamic virtual local area network (VLAN) interface configuration
7990847,	Apr 15 2005	Cisco Technology, Inc.	Method and system for managing servers in a server cluster
7991859,	Dec 28 2009	Amazon Technologies, Inc.	Using virtual networking devices to connect managed computer networks
7992201,	Jul 26 2007	A10 Networks, Inc	Dynamic network tunnel endpoint selection
8019870,	Aug 23 1999	Oracle America, Inc	Approach for allocating resources to an apparatus based on alternative resource requirements
8032634,	Aug 23 1999	Oracle America, Inc	Approach for allocating resources to an apparatus based on resource requirements
8081640,	Oct 24 2007	Alaxala Networks Corporation	Network system, network management server, and access filter reconfiguration method
8090866,	Jan 18 2002	Cisco Technology, Inc.	TCP proxy connection management in a gigabit environment
8099492,	Jul 25 2002	Intellectual Ventures Holding 40 LLC	Method and system for background replication of data objects
8116312,	Feb 08 2006	Xilinx, Inc	Method and apparatus for multicast packet reception
8122116,	Oct 31 2008	Hitachi, Ltd.	Storage management method and management server
8151019,	Apr 22 2008	Lockheed Martin Corporation	Adaptive network traffic shaper
8179809,	Aug 23 1999	Oracle America, Inc	Approach for allocating resources to an apparatus based on suspendable resource requirements
8185651,	Jan 10 2002	Network General Technology	Multi-segment network application monitoring and correlation architecture
8191106,	Jun 07 2007	WSOU Investments, LLC	System and method of network access security policy management for multimodal device
8224971,	Dec 28 2009	Amazon Technologies, Inc.	Using virtual networking devices and routing information to initiate external actions
8261339,	Jul 26 2007	A10 Networks, Inc	Dynamic network tunnel endpoint selection
8266235,	Jan 11 2011	A10 Networks, Inc.	Virtual application delivery chassis system
8296434,	May 28 2009	Amazon Technologies, Inc.	Providing dynamically scaling computing load balancing
8312507,	Oct 17 2006	A10 Networks, Inc.; A10 Networks, Inc	System and method to apply network traffic policy to an application session
8379515,	Feb 01 2007	F5 Networks, Inc.	TCP throughput control by imposing temporal delay
8499093,	May 14 2010	Extreme Networks, Inc	Methods, systems, and computer readable media for stateless load balancing of network traffic flows
8539075,	Apr 21 2006	International Business Machines Corporation	On-demand global server load balancing system and method of use
8554929,	May 03 2002	AVAGO TECHNOLOGIES INTERNATIONAL SALES PTE LIMITED	Connection rate limiting for server load balancing and transparent cache switching
8559437,	Apr 15 2004	Qualcomm Incorporated	Packet concatenation in wireless networks
8560693,	Feb 11 2002	Extreme Networks, Inc.	Method of and system for allocating resources to resource requests based on application of persistence policies
8584199,	Oct 17 2006	A10 Networks, Inc.	System and method to apply a packet routing policy to an application session
8595791,	Oct 17 2006	A10 Networks, Inc.	System and method to apply network traffic policy to an application session
8675488,	Sep 07 2010	Juniper Networks, Inc.	Subscriber-based network traffic management
8681610,	Feb 01 2007	F5 Networks, Inc.	TCP throughput control by imposing temporal delay
8750164,	Jul 06 2010	VMware LLC	Hierarchical managed switch architecture
8782221,	Jul 05 2012	A10 Networks, Inc.	Method to allocate buffer for TCP proxy session based on dynamic network conditions
8813180,	Oct 17 2006	A10 Networks, Inc	Applying network traffic policy to an application session
8826372,	Oct 17 2006	A10 Networks, Inc	Applying a packet routing policy to an application session
8879427,	Jul 07 2000	802 SYSTEMS INC	Methods for updating the configuration of a programmable packet filtering device including a determination as to whether a packet is to be junked
8885463,	Oct 17 2011	Juniper Networks, Inc.	Path computation element communication protocol (PCEP) extensions for stateful label switched path management
8897154,	Oct 24 2011	A10 Networks, Inc.	Combining stateless and stateful server load balancing
8965957,	Dec 15 2010	SAP SE	Service delivery framework
8977749,	Jul 05 2012	A10 Networks, Inc.	Allocating buffer for TCP proxy session based on dynamic network conditions
8990262,	Jun 17 2004	International Business Machines Corporation	managing data center using web services
9094364,	Dec 23 2011	A10 Networks, Inc	Methods to manage services over a service gateway
9106561,	Dec 15 2012	A10 Networks, Inc.	Configuration of a virtual service network
9137301,	Jun 30 2009	Amazon Technologies, Inc.	Client based opportunistic routing
9154577,	Jun 06 2011	A10 Networks, Inc.	Sychronization of configuration file of virtual application distribution chassis
9154584,	Jul 05 2012	A10 Networks, Inc.	Allocating buffer for TCP proxy session based on dynamic network conditions
9215275,	Sep 30 2010	A10 Networks, Inc.	System and method to balance servers based on server load status
9219751,	Oct 17 2006	A10 Networks, Inc	System and method to apply forwarding policy to an application session
9253152,	Oct 17 2006	A10 Networks, Inc.	Applying a packet routing policy to an application session
9270705,	Oct 17 2006	A10 Networks, Inc.	Applying security policy to an application session
9270774,	Oct 24 2011	A10 Networks, Inc.	Combining stateless and stateful server load balancing
9338225,	Dec 06 2012	A10 Networks, Inc.	Forwarding policies on a virtual service network
9350744,	Oct 17 2006	A10 Networks, Inc.	Applying forwarding policy to an application session
9356910,	Oct 17 2006	A10 Networks, Inc.	Applying a packet routing policy to an application session
9386088,	Nov 29 2011	A10 Networks, Inc.	Accelerating service processing using fast path TCP
9531846,	Jan 23 2013	A10 Networks, Inc.	Reducing buffer usage for TCP proxy session based on delayed acknowledgement
20010042200,
20010049741,
20020026515,
20020032777,
20020032799,
20020078164,
20020091844,
20020103916,
20020133491,
20020138618,
20020141386,
20020143991,
20020178259,
20020188678,
20020191575,
20020194335,
20020194350,
20030009591,
20030014544,
20030023711,
20030023873,
20030035409,
20030035420,
20030061506,
20030091028,
20030131245,
20030135625,
20030195962,
20040010545,
20040062246,
20040073703,
20040078419,
20040078480,
20040103315,
20040111516,
20040128312,
20040139057,
20040139108,
20040141005,
20040143599,
20040187032,
20040199616,
20040199646,
20040202182,
20040210623,
20040210663,
20040213158,
20040250059,
20040268358,
20050005207,
20050009520,
20050021848,
20050027862,
20050036501,
20050036511,
20050039033,
20050044270,
20050074013,
20050080890,
20050102400,
20050125276,
20050163073,
20050198335,
20050213586,
20050240989,
20050249225,
20050259586,
20050281190,
20060023721,
20060036610,
20060036733,
20060041745,
20060064478,
20060069774,
20060069804,
20060077926,
20060092950,
20060098645,
20060112170,
20060164978,
20060168319,
20060187901,
20060190997,
20060209789,
20060230129,
20060233100,
20060251057,
20060277303,
20060280121,
20070019543,
20070022479,
20070076653,
20070086382,
20070094396,
20070118881,
20070124502,
20070156919,
20070165622,
20070180119,
20070185998,
20070195792,
20070230337,
20070242738,
20070243879,
20070245090,
20070248009,
20070259673,
20070283429,
20070286077,
20070288247,
20070294209,
20080016161,
20080031263,
20080076432,
20080101396,
20080109452,
20080109870,
20080120129,
20080134332,
20080162679,
20080225722,
20080228781,
20080250099,
20080253390,
20080263209,
20080271130,
20080282254,
20080291911,
20080298303,
20090024722,
20090031415,
20090049198,
20090070470,
20090077651,
20090092124,
20090106830,
20090138606,
20090138945,
20090141634,
20090164614,
20090172093,
20090213858,
20090222583,
20090227228,
20090228547,
20090262741,
20090271472,
20090285196,
20090313379,
20100008229,
20100023621,
20100036952,
20100042869,
20100054139,
20100061319,
20100064008,
20100082787,
20100083076,
20100094985,
20100095018,
20100098417,
20100106833,
20100106854,
20100128606,
20100162378,
20100205310,
20100210265,
20100217793,
20100217819,
20100223630,
20100228819,
20100235507,
20100235522,
20100235880,
20100238828,
20100265824,
20100268814,
20100293296,
20100312740,
20100318631,
20100322252,
20100330971,
20100333101,
20110007652,
20110019550,
20110023071,
20110029599,
20110032941,
20110040826,
20110047294,
20110060831,
20110083174,
20110093522,
20110099403,
20110099623,
20110110294,
20110145324,
20110149879,
20110153834,
20110178985,
20110185073,
20110191773,
20110196971,
20110276695,
20110276982,
20110289496,
20110292939,
20110302256,
20110307541,
20120008495,
20120023231,
20120026897,
20120030341,
20120066371,
20120084419,
20120084460,
20120106355,
20120117382,
20120117571,
20120144014,
20120144015,
20120151353,
20120170548,
20120173759,
20120179770,
20120191839,
20120215910,
20120239792,
20120240185,
20120290727,
20120297046,
20120311116,
20130046876,
20130058335,
20130074177,
20130083725,
20130100958,
20130124713,
20130135996,
20130136139,
20130148500,
20130166762,
20130173795,
20130176854,
20130191486,
20130198385,
20130250765,
20130258846,
20130282791,
20140012972,
20140089500,
20140164617,
20140169168,
20140207845,
20140258465,
20140258536,
20140269728,
20140286313,
20140298091,
20140330982,
20140334485,
20140359052,
20150026794,
20150039671,
20150156223,
20150215436,
20150237173,
20150244566,
20150281087,
20150281104,
20150296058,
20150312092,
20150312268,
20150333988,
20150350048,
20150350379,
20160014052,
20160014126,
20160036778,
20160042014,
20160043901,
20160044095,
20160050233,
20160088074,
20160105395,
20160105446,
20160119382,
20160156708,
20160173579,
20170048107,
20170048356,
CN101004740,
CN101094225,
CN101163336,
CN101169785,
CN101189598,
CN101193089,
CN101247349,
CN101261644,
CN101442425,
CN101495993,
CN101682532,
CN101878663,
CN102123156,
CN102143075,
CN102546590,
CN102571742,
CN102577252,
CN102918801,
CN103533018,
CN103944954,
CN104040990,
CN104067569,
CN104106241,
CN104137491,
CN104796396,
CN1372662,
CN1449618,
CN1473300,
CN1529460,
CN1575582,
CN1714545,
CN1725702,
CN1910869,
EP2296313,
EP1209876,
EP1770915,
EP1885096,
EP2577910,
EP2622795,
EP2647174,
EP2760170,
EP2772026,
EP2901308,
HK1182560,
HK1183569,
HK1183996,
HK1189438,
HK1198565,
HK1198848,
HK1199153,
HK1199779,
HK1200617,
IN392015,
INHE2014,
JP11338836,
JP1999096128,
JP2000276432,
JP2000307634,
JP2001051859,
JP2001298449,
JP2002091936,
JP2003141068,
JP2003186776,
JP2005141441,
JP2006332825,
JP2008040718,
JP2009500731,
JP2013528330,
JP2014143686,
JP2014504484,
JP2015507380,
JP5855663,
JP5906263,
JP5913609,
JP9097233,
KR100830413,
KR101576585,
KR1020120117461,
RE44701,	Feb 21 2006	A10 Networks, Inc.	System and method for an adaptive TCP SYN cookie with time validation
TW269763,
TW425821,
TW444478,
WO2001013228,
WO2001014990,
WO2001045349,
WO2003103237,
WO2004084085,
WO2006098033,
WO2008053954,
WO2008078593,
WO2011049770,
WO2011079381,
WO2011149796,
WO2012050747,
WO2012075237,
WO2012083264,
WO2012097015,
WO2013070391,
WO2013081952,
WO2013096019,
WO2013112492,
WO2014031046,
WO2014052099,
WO2014088741,
WO2014093829,
WO2014138483,
WO2014144837,
WO2014179753,
WO2015153020,
WO2015164026,

ASSIGNMENT RECORDS Assignment records on the USPTO

////

Executed on	Assignor	Assignee	Conveyance	Frame	Reel	Doc
Feb 17 2006	CHEN, LEE	A10 Networks, Inc	ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS	038101	0358	pdf
Feb 17 2006	SZETO, RONALD WAI LUN	A10 Networks, Inc	ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS	038101	0358	pdf
Feb 17 2006	HWANG, SHIH-TSUNG	A10 Networks, Inc	ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS	038101	0358	pdf
Jan 09 2014		A10 Networks, Inc.	(assignment on the face of the patent)

MAINTENANCE FEES AND DATES: Maintenance records on the USPTO

Date	Maintenance Fee Events
Aug 25 2021	M1553: Payment of Maintenance Fee, 12th Year, Large Entity.

Date	Maintenance Schedule
Mar 12 2022	4 years fee payment window open
Sep 12 2022	6 months grace period start (w surcharge)
Mar 12 2023	patent expiry (for year 4)
Mar 12 2025	2 years to revive unintentionally abandoned end. (for year 4)
Mar 12 2026	8 years fee payment window open
Sep 12 2026	6 months grace period start (w surcharge)
Mar 12 2027	patent expiry (for year 8)
Mar 12 2029	2 years to revive unintentionally abandoned end. (for year 8)
Mar 12 2030	12 years fee payment window open
Sep 12 2030	6 months grace period start (w surcharge)
Mar 12 2031	patent expiry (for year 12)
Mar 12 2033	2 years to revive unintentionally abandoned end. (for year 12)