United States Patent
Swander

(10) Patent No.: US 6,904,529 B1
(45) Date of Patent: Jun. 7, 2005

(54) METHOD AND SYSTEM FOR PROTECTING A SECURITY PARAMETER NEGOTIATION SERVER AGAINST DENIAL-OF-SERVICE ATTACKS

(75) Inventor: Brian D. Swander, Kirkland, WA (US)
(73) Assignee: Microsoft Corporation, Redmond, WA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.
(21) Appl. No.: 09/561,046
(22) Filed: Apr. 28, 2000
(51) Int. Cl.7: G06F 11/30
(52) U.S. Cl.: 713/201; 713/151; 713/200
(58) Field of Search: 713/200, 201; 713/151

(56) References Cited

U.S. PATENT DOCUMENTS
5,923,849 A * 7/1999 Venkatraman 709/224
5,958,053 A * 9/1999 Denker 713/201
6,330,562 B1 * 12/2001 Boden et al. 707/10

OTHER PUBLICATIONS
"Analysis of a Denial of Service Attack on TCP", Proceedings of the 1997 IEEE Symposium on Security and Privacy, 1997, pp. 208-223.*
"TCP/IP Security Threats and Attack Methods", Computer Communications 22(10): 885-97, Jun. 25, 1999.
"Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks", Proceedings of the 1999 Network and Distributed System Security Symposium, pp. 151-65.

* cited by examiner

Primary Examiner: Justin T. Darrow
(74) Attorney, Agent, or Firm: Leydig, Voit & Mayer, Ltd.

(57) ABSTRACT

A method and system protects a security parameter negotiation server that stores states for connection requests pending negotiations from malicious denial-of-service attacks that attempt to flood the server with false requests. The degradation of performance of the server is dynamically detected, such as by monitoring the running intervals of a reaper that removes unneeded states. When performance degradation of the system is detected, relevant performance variables such as negotiation delay, extra retransmission delay and packet drop percentage are dynamically adjusted to reduce the workload on the negotiation server. Limiting the number of states with incomplete negotiation status for each client and the total number of such states further enhances the effectiveness of the protection against denial-of-service attacks.

16 Claims, 3 Drawing Sheets
[Front-page drawing: the FIG. 3 flow diagram (reaper thread and server thread), reproduced in full on Sheet 3 of 3.]

Splunk Inc.—Exhibit 1027 Page 1

U.S. Patent   Jun. 7, 2005   Sheet 1 of 3   US 6,904,529 B1

[Figure 1: block diagram of the exemplary personal computer 20: processing unit 21, system memory 22 (ROM 24 with BIOS 26; RAM 25 holding operating system 35, application programs 36, other program modules 37 and program data 38), system bus 23, hard disk drive, magnetic disk drive and optical disk drive interfaces 32, 33, 34, hard disk 60, magnetic disk 29, optical disk drive, serial port interface, keyboard 40, mouse 42, video adapter 48 and monitor 47, network interface 53, and remote computer 49 with memory storage device 50 holding application programs.]

U.S. Patent   Jun. 7, 2005   Sheet 2 of 3   US 6,904,529 B1

[FIG. 2: schematic of the host computer with its IPSec driver, attached to the internal network and to the external network 82; a connection request 90 arrives from computer 86 on the external network.]

U.S. Patent   Jun. 7, 2005   Sheet 3 of 3   US 6,904,529 B1

[FIG. 3: flow diagram with two threads; the reference numerals are those used in the description.

Reaper thread:
140 Determine reaper run interval
142 Interval > 60 s?  Yes: 144 Adjust perf. variables to reduce system workload.  No: 148 Adjust perf. variables to return to original values
158 New request drop rate = 0?  No: 160 decrease new request drop rate
End

Server thread:
150 Neg.-pending SAs >= 6?  Yes: 152 Deny further request from client
154 Total pending SAs >= threshold?  Yes: 156 Deny further new requests
End]

METHOD AND SYSTEM FOR PROTECTING A SECURITY PARAMETER NEGOTIATION SERVER AGAINST DENIAL-OF-SERVICE ATTACKS

TECHNICAL FIELD OF THE INVENTION

This invention relates generally to network communications, and more particularly to security threats to communication servers in a network environment.

BACKGROUND OF THE INVENTION

The Internet has entered the new millennium as the most important computer network of the world. Every day, millions of people use the Internet to communicate with each other and to gather or share information. Moreover, electronic commerce ("E-commerce") using the World-Wide Web (WWW) of the Internet as its backbone is rapidly replacing and changing the conventional brick-and-mortar stores.

The security of communications through the Internet, however, has always been a major concern. This problem is related to the underlying network communication protocol of the Internet, the Internet Protocol ("IP"), which is responsible for delivering packets across the Internet to their destinations. The Internet Protocol was not designed to provide security features at its level of network communication operation. Moreover, the flexibility of IP allows for some creative uses of the protocol that defeat traffic auditing, access control, and many other security measures. IP-based network data is therefore wide open to tampering and eavesdropping. As a result, substantial risks are involved in sending sensitive information across the Internet.

To address the lack of security measures of the Internet Protocol, a set of extensions called the Internet Protocol Security ("IPSec") Suite has been developed to add security services at the IP level. The IPSec Suite includes protocols for an authentication header (AH), an encapsulating security payload (ESP), and a key management and exchange protocol (IKE). A significant advantage of the IPSec Suite is that it provides a universal way to secure all IP-based network communications for all applications and users in a transparent way. Moreover, as the IPSec Suite is designed to work with existing and future IP standards, regular IP networks can still be used to carry communication data between the sender and recipient. The IPSec Suite is also scalable and can therefore be used in networks ranging from local-area networks (LANs) to global networks such as the Internet.

Even though the IPSec standard provides a comprehensive and robust way to secure network communications against tampering and eavesdropping, the components implementing the IPSec Suite themselves may be subjected to various security threats in the network environment. For instance, the IPSec layer includes a component called an "Internet Key Exchange" ("IKE") server, which is responsible for negotiating with another IKE the security parameters, collectively called a "Security Association" ("SA"), of the security operations for securing a given network communication stream. For each secured communication stream, a separate SA has to be negotiated and maintained. Because of the system resources required for handling each communication request, it is possible for an attacker to construct and send a large number of false communication requests, forcing the IKE server to consume large amounts of system resources. Such an attack potentially can burden the server to the extent that it is no longer able to serve legitimate users.

SUMMARY OF THE INVENTION

In view of the foregoing, the present invention provides a method and system for protecting a network security server for negotiating network security parameters, such as an Internet Key Exchange ("IKE") server of the IPSec suite, from denial-of-service attacks that flood the server with false connection requests. The vulnerability of the security server to such attacks comes from the need for the server to maintain state data for on-going negotiations in response to requests from unknown clients. In accordance with the invention, the resilience of the negotiation server to such attacks is significantly enhanced by dynamically detecting the degradation of the performance of the system, and dynamically adjusting relevant performance variables, such as negotiation delay, retransmission delay, and packet drop percentage, to reduce the states maintained by the negotiation server when performance degradation is detected. A useful indicator of the system health may be the interval between consecutive runs of a reaper for removing states that are no longer useful. To further enhance the effectiveness of the protection against denial-of-service attacks, the maximum number of states pending negotiation responses for outstanding new negotiation requests from a client may be limited, and the total number of stored states pending negotiation responses may also be limited.

Additional features and advantages of the invention will be made apparent from the following detailed description of illustrative embodiments, which proceeds with reference to the accompanying figures.

BRIEF DESCRIPTION OF THE DRAWINGS

While the appended claims set forth the features of the present invention with particularity, the invention, together with its objects and advantages, may be best understood from the following detailed description taken in conjunction with the accompanying drawings of which:

FIG. 1 is a block diagram generally illustrating an exemplary computer system on which the present invention may reside;

FIG. 2 is a schematic diagram showing a networked computer having a negotiation server for negotiation of security parameters for securing network communications; and

FIG. 3 is a flow diagram showing a process embodying a method of the invention for protecting the negotiation server against denial-of-service attacks.

DETAILED DESCRIPTION OF THE INVENTION

Turning to the drawings, wherein like reference numerals refer to like elements, the invention is illustrated as being implemented in a suitable computing environment. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multi-processor systems, microprocessor based or programmable
consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

With reference to FIG. 1, an exemplary system for implementing the invention includes a general purpose computing device in the form of a conventional personal computer 20, including a processing unit 21, a system memory 22, and a system bus 23 that couples various system components including the system memory to the processing unit 21. The system bus 23 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes read only memory (ROM) 24 and random access memory (RAM) 25. A basic input/output system (BIOS) 26, containing the basic routines that help to transfer information between elements within the personal computer 20, such as during start-up, is stored in ROM 24. The personal computer 20 further includes a hard disk drive 27 for reading from and writing to a hard disk 60, a magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or writing to a removable optical disk 31 such as a CD ROM or other optical media.

The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical disk drive interface 34, respectively. The drives and their associated computer-readable media provide nonvolatile storage of computer readable instructions, data structures, program modules and other data for the personal computer 20. Although the exemplary environment described herein employs a hard disk 60, a removable magnetic disk 29, and a removable optical disk 31, it will be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories, read only memories, and the like may also be used in the exemplary operating environment.

A number of program modules may be stored on the hard disk 60, magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an operating system 35, one or more application programs 36, other program modules 37, and program data 38. A user may enter commands and information into the personal computer 20 through input devices such as a keyboard 40 and a pointing device 42. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor, personal computers typically include other peripheral output devices, not shown, such as speakers and printers.

The personal computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 49. The remote computer 49 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the personal computer 20, although only a memory storage device 50 has been illustrated in FIG. 1. The logical connections depicted in FIG. 1 include a local area network (LAN) 51 and a wide area network (WAN) 52. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.

When used in a LAN networking environment, the personal computer 20 is connected to the local network 51 through a network interface or adapter 53. When used in a WAN networking environment, the personal computer 20 typically includes a modem 54 or other means for establishing communications over the WAN 52. The modem 54, which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, program modules depicted relative to the personal computer 20, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.

In the description that follows, the invention will be described with reference to acts and symbolic representations of operations that are performed by one or more computers, unless indicated otherwise. As such, it will be understood that such acts and operations, which are at times referred to as being computer-executed, include the manipulation by the processing unit of the computer of electrical signals representing data in a structured form. This manipulation transforms the data or maintains it at locations in the memory system of the computer, which reconfigures or otherwise alters the operation of the computer in a manner well understood by those skilled in the art. The data structures where data is maintained are physical locations of the memory that have particular properties defined by the format of the data. However, while the invention is being described in the foregoing context, it is not meant to be limiting, as those of skill in the art will appreciate that various of the acts and operations described hereinafter may also be implemented in hardware.

Referring now to FIG. 2, the present invention is directed to a way to protect a security parameter negotiation server, such as an IKE server of the IPSec suite, from malicious denial-of-service attacks that attempt to flood the server with false connection requests. For illustration purposes, the invention will be described below in connection with a preferred embodiment that implements the IPSec Suite protocols for secured delivery of network communications. It will be appreciated, however, that the system and method of the invention for providing protection against denial-of-service attacks can also be effectively used with other network security protocols that require negotiations of security parameters for securing network communications.

In the embodiment shown in FIG. 2, a computer 70 implements the IPSec Suite protocols for secured delivery of IP-based packets. The components supporting the IPSec protocols include a policy agent 72, an IPSec driver 74, and an Internet Key Exchange ("IKE") server 76. The security policies assigned to the host computer 70 by the administrator of the system determine the levels of security for various types of communications. The security policies are picked up by the policy agent 72 and passed to the IKE server 76 and the IPSec driver 74. The IKE server 76 uses the negotiation policies associated with the assigned security policies to conduct negotiations with a peer (i.e., the IKE component of another computer on the network) to establish security parameters for communications with the host of the
peer. The negotiated security parameters include, for example, the parameters for the authentication and encryption methods and the keys, and are collectively referred to in the IPSec Suite protocols as a Security Association ("SA"). The results of the negotiation by the IKE server 76 are passed to the IPSec driver 74, which performs security operations, such as data encryption, on packets of a communication stream using the negotiated SA for that stream.

In this illustrated embodiment, the host computer 70 on which the IPSec components reside is part of an internal network 80 such as a local-area network ("LAN"). The host computer 70 is also connected to an external network 82, such as the Internet, and communicates with other computers on the external network by sending and receiving packets based on the Internet Protocol. The host computer 70 in this arrangement functions as a firewall or gateway for computers on the internal network 80 to communicate with computers on the external network 82. For example, a computer 84 on the internal network may communicate with a computer 86 on the external network 82 by transmitting IP-based communication packets 92 through the host computer 70, whose IPSec components will handle the task of securing the communication stream. When the host computer is used in this capacity of a gateway for the internal network, the IPSec components, such as the IKE server 76, especially have to be resilient to attacks mounted by malicious attackers on the external network while providing services to legitimate users.

In accordance with an aspect of the invention, the IKE server 76 may be vulnerable to denial-of-service attacks that flood it with false connection requests if no special protection measure is taken. The vulnerability of the IKE server to such flooding attacks comes from the need for the IKE server to store states not only for successful negotiations but also for on-going negotiations. As shown in FIG. 2, when an initial communication request 90 comes from a computer 86 on the external network 82, the IKE server 76 initiates a negotiation process with the peer IKE 88 of the requesting computer 86 to establish the security parameters for the communication. Under the IKE protocol of the IPSec suite, this negotiation involves two phases. In the first phase, the two IKE peers 76 and 88 establish a secure channel for conducting the IKE negotiation (called the IKE SA). In the second phase, the two IKE peers negotiate general purpose SAs over the secure channel established in the first phase. The first phase is typically accomplished in a "main mode" that involves three two-way exchanges between the SA initiator and the recipient. The second phase is accomplished in a "quick mode" that is less complicated than the main mode since the negotiation is already inside a secure channel. As these phases and modes of the IKE negotiation process are defined in the IKE protocol and well known to those skilled in the art, it is not necessary to describe them in greater detail here.

It is important, however, for purposes of the invention to

whether the server is the initiator or responder of the negotiation, the current state of the negotiation (e.g., an OAK_MM_SETUP state as will be described below). As the negotiation proceeds, more information is filled into the SA state, such as the key generation data, the negotiation attributes, the authentication material, etc. At the end of the main mode phase of the negotiation, the SA is fully filled out.

It is important to note that at the time the SA state is created in response to a negotiation request, the IKE does not know whether the request is really from the peer computer identified in the request. After creating the state for the new negotiation request, the IKE server processes the request to see whether it is valid, and then responds if the request is valid. The rest of the negotiation then follows, with four more round trip packet exchanges. Part of this exchange authenticates the peer, and at that time the IKE can determine if it should allow access to that peer. This peer authentication does not occur until the third round trip, however. In short, the IKE server has to create a state immediately in response to a request from any unknown source, and the peer authentication takes place later. Thus, a malicious user of the peer computer can send in a large number of requests to force the IKE server to create a large number of states. This consumes system resources, making the system run slower. As the system runs slower, it cannot reclaim resources quickly, causing the system to run even slower and finally coming to a grinding halt.

In accordance with the invention, the resilience of the IKE server to the denial-of-service attack is significantly improved by dynamically detecting when the performance of the system begins to degrade, and adjusting performance variables to actively remove unneeded states and reduce the workload of the IKE server. The effectiveness of the protection against denial-of-service attacks is further enhanced, and the ability of the server to serve legitimate requests is improved, by limiting the number of states for pending negotiations for each client and the total number of such states. These protective measures are described in greater detail in the following description.

In accordance with a feature of the embodiment, the activation periodicity of a reaper component 122 of the system is used as a primary barometer for the system health. The function of the reaper 122 is to remove unwanted states from the state table 120 of the IKE server 76. The reaper is scheduled to run at fixed intervals, although the actual intervals between consecutive runs of the reaper would depend on the system workload. For instance, in a multi-threading system, the reaper thread may be scheduled to run every 45 seconds. On a lightly loaded system, the reaper thread will be activated at or close to the scheduled time. When the system is under a heavy workload, however, the operating system may fall behind its schedule and activate the reaper later than the scheduled time. As a result, the interval between two consecutive runs of the reaper becomes longer than 45 seconds. As the workload of the sy
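The mechanism described in the Summary, in FIG. 3 and in the detailed description above, modelled as an added example in Python. This is not code from the patent or from any IKE implementation. The 45 s reaper schedule, the 60 s trigger and the per-client cap of 6 negotiation-pending SAs are taken from the page; the total threshold of 200, the 120 s lifetime of an unanswered state, the stressed values of the performance variables, the step-wise ramp-down of the drop rate, and the class and function names are assumptions of this model. The flood traffic is constructed.

```python
from dataclasses import dataclass

# From the text and FIG. 3: reaper scheduled every 45 s, an interval above 60 s
# signals degradation, at most 6 negotiation-pending SAs per client.  The rest
# of these values are assumptions made for this model.
REAPER_SCHEDULE_S = 45
DEGRADED_INTERVAL_S = 60
PER_CLIENT_PENDING_MAX = 6
TOTAL_PENDING_MAX = 200            # assumed value for the "threshold" box of FIG. 3
PENDING_TIMEOUT_S = 120            # assumed lifetime of an unanswered half-open state
NORMAL = {"drop_pct": 0, "negotiation_delay_s": 0, "retransmit_delay_s": 1}
STRESSED = {"drop_pct": 60, "negotiation_delay_s": 5, "retransmit_delay_s": 5}
DROP_PCT_STEP = 20                 # assumed: drop rate stepped down once per reaper run

@dataclass
class SAState:
    peer: str
    created: float
    authenticated: bool = False    # False while in the patent's OAK_MM_SETUP state

class IKEResponder:
    """Stores a state for every first message, before the peer can be authenticated."""

    def __init__(self):
        self.now = 0.0
        self.table = {}            # state id -> SAState
        self.perf = dict(NORMAL)
        self.last_reap = 0.0
        self.next_id = 0
        self.seen = 0              # requests that reached the drop check

    def pending(self, peer=None):
        return sum(1 for s in self.table.values()
                   if not s.authenticated and (peer is None or s.peer == peer))

    def _dropped(self):
        # Deterministic "drop pct percent": exactly pct out of every 100 requests.
        self.seen += 1
        pct = self.perf["drop_pct"]
        return (self.seen * pct) // 100 != ((self.seen - 1) * pct) // 100

    def on_first_message(self, peer):
        """Server-thread path of FIG. 3; returns a state id, or None when denied."""
        if self.pending(peer) >= PER_CLIENT_PENDING_MAX:
            return None            # 150 -> 152: deny further requests from this client
        if self.pending() >= TOTAL_PENDING_MAX:
            return None            # 154 -> 156: deny further new requests
        if self._dropped():
            return None            # adaptive packet drop percentage
        self.next_id += 1
        self.table[self.next_id] = SAState(peer, self.now)
        return self.next_id

    def on_third_round_trip(self, sid):
        """Main mode authenticates the peer only on the third round trip."""
        st = self.table.get(sid)
        if st is not None:
            st.authenticated = True
        return st is not None

    def reap(self):
        """Reaper thread of FIG. 3: drop stale half-open states, then read the barometer."""
        interval, self.last_reap = self.now - self.last_reap, self.now
        stale = [i for i, s in self.table.items()
                 if not s.authenticated and self.now - s.created > PENDING_TIMEOUT_S]
        for i in stale:
            del self.table[i]
        if interval > DEGRADED_INTERVAL_S:          # 142 -> 144: reduce workload
            self.perf = dict(STRESSED)
        else:                                       # 142 -> 148: back to original values
            self.perf["negotiation_delay_s"] = NORMAL["negotiation_delay_s"]
            self.perf["retransmit_delay_s"] = NORMAL["retransmit_delay_s"]
            if self.perf["drop_pct"] != 0:          # 158 -> 160: step the drop rate down
                self.perf["drop_pct"] = max(0, self.perf["drop_pct"] - DROP_PCT_STEP)
        return len(stale), interval

def run_scenario():
    """Constructed input: an abusive client, a spoofed flood, then a late reaper."""
    r, out = IKEResponder(), {}
    out["one_client"] = sum(r.on_first_message("203.0.113.7") is not None for _ in range(50))
    out["flood"] = sum(r.on_first_message(f"198.51.100.{i}") is not None
                       for i in range(100) for _ in range(10))
    out["pending_total"] = r.pending()
    r.now = REAPER_SCHEDULE_S + 30                  # reaper 30 s behind schedule
    out["late_reap"] = r.reap()
    out["drop_pct_when_stressed"] = r.perf["drop_pct"]
    out["denied_by_total_cap"] = r.on_first_message("192.0.2.9") is None
    r.now = 200                                     # half-open states now time out
    out["timed_out"] = r.reap()[0]
    out["fresh_peers_accepted"] = sum(r.on_first_message(f"192.0.2.{i}") is not None
                                      for i in range(100))
    steps = []
    for _ in range(3):                              # reaper back on schedule
        r.now += REAPER_SCHEDULE_S
        r.reap()
        steps.append(r.perf["drop_pct"])
    out["drop_pct_recovery"] = steps
    return out
```

Calling `run_scenario()` returns a dictionary of observations: the abusive client obtains 6 states and no more, the spoofed flood is stopped at the total threshold, a reaper arriving 30 s late switches the performance variables to their stressed values, and three on-schedule reaper runs step the drop rate from 60 back to 0. The per-client check is only as strong as the peer identity it keys on; against a flood with spoofed source addresses, as constructed here, it is the total threshold, the state timeout enforced by the reaper and the drop percentage that hold the line.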
