| US 7,500,264 B1 | ||
| Use of packet hashes to prevent TCP retransmit overwrite attacks | ||
| Nicholas Leavy, Palo Alto, Calif. (US); Michael L. Hall, Jr., Austin, Tex. (US); Timothy Hahn, Sunnyvale, Calif. (US); and Mohit Jaggi, Sunnyvale, Calif. (US) | ||
| Assigned to Cisco Technology, Inc., San Jose, Calif. (US) | ||
| Filed on Apr. 08, 2004, as Appl. No. 10/820,327. | ||
| Int. Cl. G06F 7/04 (2006.01); G06F 7/58 (2006.01); G06F 15/16 (2006.01); G06F 17/30 (2006.01) | ||
| U.S. Cl. 726—13 [726/2; 726/22; 726/26] | 35 Claims |

| 1. In an intrusion detection system, a method of blocking attacks on a computer network, comprising:
receiving, in circuitry of the intrusion detection system, original packets and corresponding retransmit packets from a network, wherein:
each said original packet and corresponding retransmit packet belong to a flow; and
each said original packet and corresponding retransmit packet has a plurality of non-mutable field values;
hashing, in the circuitry of the intrusion detection system, said non-mutable field values of each said original packet to produce a validation signature of each said original packet;
storing, in the circuitry of the intrusion detection system, said validation signatures;
hashing, in the circuitry of the intrusion detection system, said non-mutable field values of each said corresponding retransmit packet to produce a test signature of each said corresponding retransmit packet;
comparing, in the circuitry of the intrusion detection system, said validation signature to said test signature; and
if said test signature and said validation signature are not identical, terminating said flow by operating a flow terminator circuit of the intrusion detection system.
|
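As an added illustration of the claimed method (example code written here, not taken from the patent or from Cisco), the following Python models an IDS that stores a validation signature over the non-mutable fields of each original TCP segment and terminates the flow when a retransmit hashes differently. It assumes a retransmit "corresponds" to the original when it shares the flow 4-tuple and sequence number, leaves out overlap and repacketization handling, and uses a constructed `Segment` model with constructed addresses and payloads.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment model (constructed for this example, not a real parser)."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    payload: bytes
    ttl: int = 64  # hop-mutable field: deliberately excluded from the signature


def flow_key(seg: Segment) -> tuple:
    """Identify the flow by its 4-tuple."""
    return (seg.src, seg.dst, seg.sport, seg.dport)


def signature(seg: Segment) -> bytes:
    """Hash only non-mutable fields: endpoints, ports, sequence number and payload.
    TTL, IP ID, checksums and window change in transit and must not be included,
    or a legitimate retransmit via another path would look like an attack."""
    h = hashlib.sha256()
    for part in (seg.src, seg.dst, str(seg.sport), str(seg.dport), str(seg.seq)):
        h.update(part.encode() + b"\x00")  # separator avoids ambiguous concatenation
    h.update(seg.payload)
    return h.digest()


class RetransmitGuard:
    """Keeps one validation signature per (flow, seq). A later segment carrying the
    same (flow, seq) is treated as the corresponding retransmit and must match."""

    def __init__(self) -> None:
        self.validation = {}   # (flow_key, seq) -> validation signature
        self.terminated = set()  # flows on which the flow terminator has fired

    def observe(self, seg: Segment) -> str:
        flow = flow_key(seg)
        if flow in self.terminated:
            return "dropped"            # flow already terminated: discard further traffic
        slot = (flow, seg.seq)
        test_sig = signature(seg)
        stored = self.validation.get(slot)
        if stored is None:
            self.validation[slot] = test_sig
            return "original"           # first sighting: store validation signature
        if stored == test_sig:
            return "retransmit-ok"      # genuine retransmit: identical non-mutable fields
        self.terminated.add(flow)       # overwrite attempt: terminate the whole flow
        return "terminated"
```

A genuine retransmit with a different TTL passes, while a retransmit of the same sequence number with different payload bytes terminates the flow and everything after it on that flow is dropped.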