A Novel Router-based Scheme to Mitigate SYN Flooding DDoS Attacks

Distributed Denial-of-Service (DDoS) attack remains a serious problem on the Internet today, as it takes advantage of the lack of authenticity in the IP protocol, destination oriented routing, and stateless nature of the Internet. Among various DDoS attacks, the TCP SYN flooding [1] is the most commonly-used one. It exploits TCP’s three-way handshake mechanism and TCP’s limitation in maintaining half-open connections. When a server receives a SYN packet, it returns a SYN/ACK packet and allocates resources (typically backlog queue in the system memory) to track the TCP state. Then the server would wait until either the half-open connection completes or the TCP connection times out. In the SYN flooding attack, the server will receive a large number of SYN packets but never receive the final ACK packets to complete the three-way handshake. Then the victim server’s backlog queue can be easily exhausted, causing all the new incoming SYN requests to be dropped. Furthermore, many other system resources, such as CPU and network bandwidth used to retransmit the SYN/ACK packets, are occupied. The most viable techniques [2] up-to-date to defend SYN floods include SYN cache [3] and SYN cookies [4]. SYN cache is to allocate minimal state when the initial request is received, and only allocate all the resources when the connection is completed. If the backlog queue is full, the oldest entry is removed. SYN cookies allocate no state for half-open connections. Instead, they encode most of the states and encrypt them into the sequence number transmitted in the SYN/ACK packet. The ACK packet that completes the handshake can be used to reconstruct the state to be put into the backlog queue. One problem with SYN cookies is not able to encode all the TCP options, and the other is that TCP protocol with SYN cookies would never retransmit the unacknowledged SYN/ACK packet. In addition, both of them do not handle application data piggybacked on the SYN segment, i.e., incompatible with Transactional TCP (T/TCP)