Network adaptor configured for connection establishment offload

Description

CROSS REFERENCE TO RELATED APPLICATION

This application is a continuation of prior, pending U.S. application Ser. No. 11/735,861, filed on Apr. 16, 2007 and entitled “NETWORK ADAPTOR CONFIGURED FOR CONNECTION ESTABLISHMENT OFFLOAD,” which is incorporated herein by reference in its entirety for all purposes.

BACKGROUND

Denial of Service (DoS) attacks are attempts to deny service of a target computer to legitimate users attempting to access the target computer via a network. In one form, a DoS attack is such that the target computer is forced to expend resources on activities related to the attack. As a result, during the attack, the target computer does not have resources available to provide service to the legitimate users.

One type of DoS attack of this form is a SYN flood attack. During a SYN flood attack, illegitimate TCP/SYN packets (i.e., ones for which there is no intention to initiate a TCP connection) are sent to the target computer. The target computer, handling the illegitimate TCP/SYN packets as legitimate, needlessly consumes resources in responding to the illegitimate TCP/SYN packets with a TCP/SYN−ACK (acknowledgement) packet. Perhaps even worse, the target computer allocates and ties up resources while waiting for details of the “connection”—such details never come. Furthermore, using viruses or other malware, multiple computers on a network such as the internet may be compromised to cause all the computers to simultaneously attack the target computer. Such attacks are known as distributed attacks.

There have been attempts to respond to DoS attacks. For example, SYN cookies may be utilized such that resources of the target computer are not allocated until the sender of the TCP/SYN request, responds with an TCP/ACK to the TCP/SYN+ACK, or even not until the first data carrying packet is received from the peer. The SYN cookies approach requires a modification to the TCP protocol and handling by the target computer.

In some systems, firewalls are employed to distinguish between good traffic and attack traffic. The firewalls confirm that the TCP connections are valid and then proxy packets of the confirmed connection on to the intended destination endpoint. Such firewalls can be effective against DoS attacks. However, resources are utilized during the data transfer phase to handle the overhead of proxying packets of the confirmed connections on to the intended destination.

Even legitimate TCP/SYN packets (i.e., TCP/SYN packets from legitimate peers legitimately intending to initiate a TCP connection), if numerous enough, can bog down a host computer such that, for example, the host computer cannot perform other functions such as communicating on already established connections.

SUMMARY

In accordance with an aspect, coupling circuitry (such as an intelligent network adaptor) couples a network to a host. The host is executing an operating system, and the host is further configured for transfer of data between the host and at least one peer via the network using at least one stateful connection between the host and the at least one peer according to a connection-oriented protocol.

The coupling circuitry receives indications of attempts to establish stateful connections with a host according to the connection-oriented protocol. The coupling processes each of the received indications by attempting to establish a stateful connection to a peer indicated by that connection establishment attempt indication such that, for a genuine attempt by a peer to establish a stateful connection with the host, the coupling circuitry interoperates with the peer to perform establishment-phase protocol processing of the attempted stateful connection between the peer and the host according to the connection-oriented protocol.

For each of the established stateful connections, the coupling circuitry operates to cause a state of that established stateful connection to be provided from the coupling circuitry to the host, wherein the operating system of the host handles data transfer phase protocol processing of that established stateful connection.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 schematically illustrates an architecture of a system in which setup activities of a host with respect to stateful connections (such as using the TCP/IP protocol) are offloaded to offload circuitry such as to a network interface card.

FIG. 2 is a flowchart illustrating an example of processing in the network adaptor of the FIG. 1 architecture.

FIG. 3 schematically illustrates, in slightly greater detail than that illustrated in FIG. 1, the interface between the network adaptor and the OS of the host system.

DETAILED DESCRIPTION

The inventors have realized that offloading the connection setup requests to an intelligent adapter can be used to increase the connection rate of the hosts. Conventional software implementation of TCP/IP protocol stacks cannot handle incoming SYN packets at line rate. In one example, a host executing software can handle five million incoming SYN requests when connected to 10 Gbps Ethernet, but an intelligent adapter can handle up to 16 million requests, therefore greatly increasing the likelihood that a DoS attack will not be successful. In accordance with an inventive aspect, connection setup activities of a host with respect to stateful connections (such as using the TCP/IP protocol) are offloaded to offload circuitry such as to a network interface card. The offload circuitry handles connection setup activities such that resources of the host are not allocated until the connection is set up. The connection is transferred to the host by providing, from the offload circuitry to the host, data indicative of the connection state such that the host can handle the protocol processing of the data transfer phase of the established stateful connection.

FIG. 1 schematically illustrates an architecture of a system in accordance with this aspect. Referring to FIG. 1, a peer 102 is configured to provide a legitimate TCP/SYN packet 104, via a network 106 (such as the internet) in an attempt to establish a connection with the host 106. Network adaptor circuitry 108 (e.g., such as a network interface controller card) associated with the host 106 receives the legitimate TCP/SYN packet 104 and attempts (indicated by reference numeral 110) to establish a TCP/IP connection with the peer 102. Thus, for example, the attempt 110 may comprise engaging in connection setup activities with the peer according to the TCP/IP protocol.

In the case where a TCP/SYN packet is legitimate (e.g., the TCP/SYN packet 104), the connection setup activities result, in the network adaptor 108, in data 112 characterizing the established connection. The connection is then “transferred” to a protocol stack of an operating system 118 being executed by the host 106. In one example, the data 112 characterizing the established connection is copied from memory of the network adaptor 108 to memory associated with the operating system 118 being executed by the host. In another example, the operating system 118 accesses the data 112 in a memory that is shared between the operating system 118 and the network adaptor 108 or is otherwise accessible to the operating system 118. The operating system 118 handles data transfer phase protocol processing of the established connection.

Even the case where the TCP/SYN packet is not legitimate (e.g., the illegitimate TCP/SYN packets 120), the network adaptor circuitry 108 associated with the host 106 attempts (again indicated by reference numeral 110) to establish a TCP/IP connection with the nominal peer, which is the peer indicated in the received illegitimate TCP/SYN packet. Thus, for example, the attempt 110 may in this case comprise attempting to engage in connection setup activities with the nominal peer according to the TCP/IP protocol. A connection will not be established based on a received illegitimate TCP/SYN packet and, thus, resources of the operating system 118 will not be implicated in dealing with illegitimate TCP/SYN packets.

Another type of attack may include illegitimate TCP/SYN+ACK packets being sent. In this case, where the network adaptor circuit 108 has no knowledge of a corresponding TCP/SYN packet that should have preceded a received illegitimate TCP/SYN+ACK packet, there will be no or minimal corresponding processing in the network adaptor 108 and, perhaps more significantly, resources of the OS 118 will not be implicated in processing (or otherwise resulting from) the illegitimate TCP/SYN+ACK packets.

FIG. 2 is a flowchart illustrating processing in a network adaptor in accordance with an inventive aspect. At step 202, a TCP/SYN packet is received. At step 204, the received TCP/SYN packet is processed in an attempt to establish a TCP connection based on the received TCP/SYN packet. At step 206, it is determined if a connection has been successfully established. For example, there may be a wait time between steps 204 and 206 or within the processing of step 204. Based on a determination that a connection has not been successfully established, the processing in FIG. 2 ends. Based on a determination that a connection has been successfully established, at step 208, the connection state information for the established connection is caused to be provided to a protocol processing stack (e.g., of a host operating system). In this way, the host need not be involved with the illegitimate connection attempts and, even for legitimate connection attempts, the connection rate can be increased by offloading the connection setup.

FIG. 3 schematically illustrates, in slightly greater detail than that illustrated in FIG. 1, the interface between the network adaptor 306 and the OS 312 of the host system 302. In particular, referring to FIG. 3, the network adaptor 308 includes memory in which data of the state of an established connection is stored. The network adaptor 306 communicates with a driver 314 of the operating system 312 via a message passing protocol 316. The operating system 312 may be, for example, a general purpose or special purpose operating system that includes a protocol processing stack. The protocol processing stack is configured to operate a connection to a peer based on data of the state of a connection stored in a memory 310 accessible to the protocol processing stack of the operating system.

Based on the messages exchanged via the message passing protocol 316 (generated at least in part based on a connection to a peer being established by the network adaptor 306), the data of the state of the established connection may be transferred 318 from the memory of the network adaptor 306 to the memory 310 of the protocol processing stack.

It is noted that a network adaptor configured to establish a stateful connection and then to pass the state of the stateful connection to a host for data transfer phase protocol processing may comprise hardware alone, primary a programmed processor, or may be some combination. In some examples, the network adaptor comprises a populated interface card configured to communicate with the host via interface circuitry such as via a PCI local bus.