Method for inspection and filtering of TCP streams in gateway router

Abstract

A method of monitoring traffic by a router acting as a gateway between a first and second network is described. The router can receive data packets sent from the first device over the TCP connection and can send a TCP ACK packet to the first device in response to each data packet. The data packets can be stored without sending them to the second device. The stored data packets can be examined in order to determine whether to block or allow the TCP connection. In the event that it is determined to allow the TCP connection, the router can send each of the stored data packets to the second device. In the event that it is determined to block the TCP connection, the router can send a TCP RST message to each of the first and second devices in order to close the TCP connection.

Claims

1. A method of monitoring traffic, the method being carried out by a router acting as a gateway between a first and second network, the method comprising: after establishment of a transmission control protocol (TCP) connection between a first device on the first network and a second device on the second network, the router comprising a first processor and a second processor: on the first processor: receiving a plurality of data packets sent from the first device over the TCP connection; sending a TCP acknowledgement (ACK) packet to the first device in response to each data packet of the plurality of data packets; storing said data packets without sending them to the second device; examining at least part of the plurality of the stored data packets in order to determine whether to block or allow the TCP connection; in the event that it is determined to allow the TCP connection: sending each of the stored data packets to the second device; in the event that it is determined to block the TCP connection: sending a TCP reset (RST) message to each of the first and second devices in order to close the TCP connection; and in the event that it is determined to allow the TCP connection, handling subsequent data packets of the TCP connection by forwarding data packets between a first port and a second port via the second processor, wherein the subsequent data packets of the TCP connection omit the first processor based at least in part on the determination to allow the TCP connection.

2. The method according to claim 1, wherein the steps of claim 1 are performed on the first processor, and comprising, in the event that it is determined to allow the TCP connection, handling the subsequent data packets of the TCP connection via the second processor.

3. The method according to claim 1, and comprising, in the event that it is determined to block the TCP connection, sending a substitute response to the first device via the TCP connection prior to sending the TCP RST message, the substitute response containing one or more data packets using the same application layer protocol as the stored data packets.

4. The method according to claim 1, and comprising, in the event that it is determined to block the TCP connection, discarding the stored data packets.

5. The method according to claim 1, and comprising, following sending of the TCP RST message, preventing forwarding of any further data packets between the first and second device.

6. A router comprising: a first port configured to connect to a first network; a second port configured to connect to a second network; a first hardware processor and a second hardware processor; a hardware memory unit for storing data; the first hardware processor configured to: after establishment of a transmission control protocol (TCP) connection between a first device on the first network and a second device on the second network: receive a plurality of data packets sent from the first device over the TCP connection; send a TCP acknowledgement (ACK) packet to the first device in response to each data packet of the plurality of data packets; store said data packets in the hardware memory unit without sending them to the second device; examine the stored data packets in order to determine whether to block or allow the TCP connection; in the event that it is determined to allow the TCP connection: send each of the stored data packets to the second device; in the event that it is determined to block the TCP connection: send a TCP reset (RST) message to each of the first and second devices in order to close the TCP connection; and in the event that it is determined to allow the TCP connection, handle subsequent data packets of the TCP connection by forwarding the data packets between the first and the second port via the second hardware processor, wherein the subsequent data packets of the TCP connection omit the first hardware processor based at least in part on the determination to allow the TCP connection.

7. The router according to claim 6, wherein the second hardware processor configured to forward the data packets between the first and second port, wherein the router is configured to handle data packets using the second hardware processor for the TCP connection following the determination at the first hardware processor to allow that TCP connection.

8. The router according to claim 6, wherein the second hardware processor is configured to have a faster processing speed than the first hardware processor.

9. The router according to claim 6, wherein the first hardware processor is a central processing unit (CPU) and the second hardware processor is an application specification integrated circuit (ASIC).

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1 is a schematic illustration of a router;

(2) FIGS. 2A and 2B show flows in a network during a TCP connection;

(3) FIG. 3 is a schematic illustration of an example of a router.

DETAILED DESCRIPTION

(4) FIGS. 2A and 2B show network flows between a downstream device 201 in a LAN, a router 202, and an upstream device 203 in a WAN. It will be appreciated that while these figures show a connection initiated by the downstream device, the same procedures could also be applied to connections initiated by the upstream device.

(5) FIG. 2A shows the network flow for safe traffic, and FIG. 2B shows the flow for malicious or suspicious traffic. Steps 210 and 220 are identical in both cases. In step 210, a TCP connection is established between the downstream device 201 and the upstream device 203, via the router 202. Step 210 comprises substeps of: (211) the downstream device sending a SYN packet to the upstream device, which is forwarded by the router and received by the upstream device; (212) the upstream device sending a SYN/ACK packet in response, which is forwarded by the router and received by the downstream device; (213) the downstream device sending an ACK packet in response, which is forwarded by the router and received by the upstream device.

(6) In step 220, the router captures and buffers data sent from the downstream device. Step 221 comprises substeps of (221) the downstream device sends a data packet to the upstream device. This data packet is intercepted by the router, and stored in the router, and is not forwarded to the upstream device during step 220. (222) the router sends an ACK packet to the downstream device in response to the data packet. This ACK packet is configured to appear to come from the upstream device. Steps 221 and 222 are repeated until the router has sufficient information to make a determination as to whether the traffic is safe or malicious. This may be a fixed limit (e.g. a specified time period or number of packets), or may be the result of attempts to make a determination after each packet arrives, until a desired level of certainty is achieved.

(7) In step 230, the router makes a determination as to whether the connection is safe or malicious, based on the stored data packets. This determination may be positive (231)—i.e. the traffic is considered safe and the connection is allowed, or negative (232) i.e. the traffic is considered malicious and the connection is blocked. It will be appreciated that the present disclosure is focused on the processes surrounding this determination, and not on the determination itself, so any suitable packet inspection or other tool for determining whether traffic is malicious or unwanted may be used. Further examples will be given later, as illustration only.

(8) Focusing first on the case where the traffic is considered safe (i.e. FIG. 2A), in step 240 the router forwards the buffered data packets 4944 to the upstream device. Step 240 comprises substeps of: (241) the router sending each data packet to the upstream device. This involves presenting the packets as if they have come from the downstream device without buffering and storage. (242) the upstream device sending an ACK packet as acknowledgement of each data packet to the downstream device, which is intercepted by the router and not forwarded to the downstream device (which has already received acknowledgement of the packets). Steps 241 and 242 are repeated for each of the buffered packets. If sending of a buffered packet in step 241 fails, then the connection can be recovered as specified in TCP protocols, with the router continuing to present packets as if it were the downstream device, and intercepting TCP error messages from the upstream device which relate to the buffered packets. Any further packets received from the downstream device during this time may be added to the buffer queue, to be sent after the packets buffered in step 220.

(9) In step 250, the connection is flagged as safe in the router, and any further traffic on the connection is passed directly to the “fast path” (e.g. ASIC) for processing, rather than being handled by the CPU.

(10) Turning now to the case where the traffic is considered malicious (i.e. FIG. 2B), in step 260 the router may send substitute content to the downstream device. In the case where the TCP connection is transmitting HTTP traffic, this may be a substitute webpage notifying the user that the connection has been blocked, and the reasons why, and in the case where the TCP connection is transmitting traffic for a protocol with defined error messages, it may be a suitable error message in that protocol. In substeps 261 and 262, the data is transmitted by the router to the downstream device (appearing to originate from the upstream device) and acknowledged by the downstream device (with the router preventing any forwarding of such acknowledgement).

(11) In step 270, the router terminates the connection by sending an RST packet to each of the downstream device (271) and upstream device (272), appearing to come from the other of the upstream or downstream device. The router then drops any further packets sent from the downstream device to the upstream device (273), or vice versa (274).

(12) While the above has been presented as a single method, it will be appreciated that there are several improvements involved in the method (compared to typical user-mode packet filtering) which may be applied together or independently.

(13) Firstly, there is the buffering of packets (220) prior to making a decision on the safety of the traffic (230), and the forwarding of those packets if the traffic is deemed safe (240). This ensures that the only communication between the LAN and WAN on a malicious TCP channel is the initial setup of the TCP channel (i.e. the SYN/ACK exchange). This is of particular importance in situations such as blocking communication between malware and a command and control server, preventing exfiltration of sensitive data from the LAN, or preventing receipt of malicious data by a device within the LAN—i.e. situations where any data transfer is potentially harmful. Buffering the packets prior to the decision being made allows them to be discarded if the TCP connection is deemed malicious, or to be transmitted with only a small delay if it is deemed safe.

(14) Secondly, there is the use of substitute content if the TCP connection is deemed malicious. Depending on the application layer content of the TCP packets, this substitute content may be used to inform the user of the reasons for blocking the traffic (e.g. by providing a substitute website via HTTP), or to provide a more meaningful error to the program which initiated the connection (e.g. FTP 425 or FTP 426 reply codes—indicating a failure to make a connection). In some cases, substitute content which does not indicate an error may be used—e.g. where an attempt by malware to contact a command and control server is detected, a spoofed command may be returned to that malware if the command syntax is known. The use of substitute content does not rely on buffering—but to prevent clashes, if buffering is not used then any real return packets from the upstream device may be dropped.

(15) Thirdly, there is the flagging of safe connections so that future traffic on that connection can be passed directly to the “fast path” processing of the router. This means that the majority of traffic (after the initial review to determine whether it is safe) can travel in the “fast path” via the ASIC rather than being processed primarily in the CPU, and as such results in significantly increased throughput compared to current network monitoring solutions in the router (˜800 Mb/s on a gigabit router). This saving is achieved even if the packet monitoring is implemented in “user mode” on the CPU, rather than “kernel mode”—meaning that the software can deliver good throughput while still being easily portable to different models of router.

(16) FIG. 3 is a schematic illustration of a router implementing the above methods. The router 300 comprises a first processor 301 (e.g. the CPU) and a second processor 302 (e.g. the ASIC). The router further comprises first and second ports 303, 304, configured to connect to first and second networks.

(17) The first processor is configured to, after establishment of a TCP connection between a first device on the first network and a second device on the second network: receive a plurality of data packets sent from the first device over the TCP connection; acknowledge each received data packet by sending an ACK packet to the first device; store said data packets without sending them to the second device; examine the stored data packets in order to determine whether to block or allow the TCP connection; in the event that it is determined to allow the TCP connection: send each of the stored data packets to the second device; in the event that it is determined to block the TCP connection: send a TCP RST message to each of the first and second devices in order to close the TCP connection.

(18) The first processor may be further configured to, in the event that it is determined to allow the TCP connection, pass any further packets on the TCP connection to the second processor (i.e. the “fast path”).

Method for inspection and filtering of TCP streams in gateway router

Assignee

Inventors

Cpc classification

Classification Explorer

H04L63/166

ELECTRICITY

Classification Explorer

H04L47/2466

ELECTRICITY

Classification Explorer

H04L63/1441

ELECTRICITY

Classification Explorer

H04L63/0236

ELECTRICITY

Classification Explorer

H04L69/163

ELECTRICITY

Classification Explorer

H04L69/169

ELECTRICITY

Classification Explorer

H04L63/0227

ELECTRICITY

Classification Explorer

H04L45/42

ELECTRICITY

Classification Explorer

H04L63/20

ELECTRICITY

International classification

Classification Explorer

H04L9/40

ELECTRICITY

Classification Explorer

H04L45/42

ELECTRICITY

Classification Explorer

H04L47/2466

ELECTRICITY

Classification Explorer

H04L69/163

ELECTRICITY

Abstract

Claims

Description