Abstract: A method and non-transitory computer-readable medium are disclosed for extending a hold timer that binds an application-layer session when a transport-layer out-of-order message queue includes an out-of-order message for the application-layer session. An application receives an application-layer message from transport protocol logic that is configured to deliver in-order application-layer messages to the application. The received application-layer message is a next in-order application-layer message for an application-layer session that is bound by a hold timer. After an amount time has passed, the application detects an expiration of the hold timer. In response, rather than immediately tearing down the application-layer session, the application inspects an out-of-order queue of the transport protocol logic. The hold timer is extended when the out-of-order queue includes an out-of-order application-layer message for the application-layer session.

Abstract: A method and non-transitory computer-readable medium are disclosed for extending a hold timer that binds an application-layer session when a transport-layer out-of-order message queue includes an out-of-order message for the application-layer session. An application receives an application-layer message from transport protocol logic that is configured to deliver in-order application-layer messages to the application. The received application-layer message is a next in-order application-layer message for an application-layer session that is bound by a hold timer. After an amount time has passed, the application detects an expiration of the hold timer. In response, rather than immediately tearing down the application-layer session, the application inspects an out-of-order queue of the transport protocol logic. The hold timer is extended when the out-of-order queue includes an out-of-order application-layer message for the application-layer session.

Abstract: Approaches for preventing TCP RST attacks intended to cause denial of service in packet-switched networks are disclosed. In one approach, upon receiving a TCP RST packet, an endpoint node determines whether the TCP segment contains valid authentication information. The TCP RST segment is accepted and the TCP connection is closed only when the authentication information is valid. Authentication information may comprise a reset type values, and either initial sequence numbers of both endpoints, or a copy of a TCP header and options values previously sent by the endpoint node that is performing the authentication. Thus, attacks are thwarted because an attacker cannot know or reasonably guess the required authentication information.

Abstract: Approaches are disclosed for switching transport protocol connection keys. A method of automatically changing a message authentication key at each of two endpoints of a connection in a telecommunications network comprises testing a sequence value received in each of a plurality of data segments on the connection; and selecting a next message authentication key, from among a plurality of stored message authentication keys, for use in authenticating subsequently received data segments, when the sequence value matches a specified characteristic.

Abstract: Approaches are disclosed for switching transport protocol connection keys. A method of automatically changing a message authentication key at each of two endpoints of a connection in a telecommunications network comprises testing a sequence value received in each of a plurality of data segments on the connection; and selecting a next message authentication key, from among a plurality of stored message authentication keys, for use in authenticating subsequently received data segments, when the sequence value matches a specified characteristic.

Abstract: Approaches for preventing TCP RST attacks intended to cause denial of service in packet-switched networks are disclosed. In one approach, upon receiving a TCP RST packet, an endpoint node determines whether the TCP segment contains valid authentication information. The TCP RST segment is accepted and the TCP connection is closed only when the authentication information is valid. Authentication information may comprise a reset type values, and either initial sequence numbers of both endpoints, or a copy of a TCP header and options values previously sent by the endpoint node that is performing the authentication. Thus, attacks are thwarted because an attacker cannot know or reasonably guess the required authentication information.