In a Denial-of-Service (DoS) attack, an attacker bombards a victim network or server with a large volume of message traffic. Handling this traffic consumes the victim's available bandwidth, CPU capacity, or other critical system resources, and eventually brings the victim to a situation in which it is unable to serve its legitimate clients. Distributed DoS (DDoS) attacks can be even more damaging, as they involve creating artificial network traffic from multiple sources simultaneously. In a “conventional” massive-bandwidth attack, the source of the attack may be traced with the help of statistical analysis of the source Internet Protocol (IP) addresses of incoming packets. The victim can subsequently filter out any traffic originating from the suspect IP addresses, and can use the evidence to take legal action against the attacker. Many attacks, however, now use “spoofed” IP packets—packets containing a bogus IP source address—making it more difficult for the victim network to defend itself against attack.
The Transmission Control Protocol/Internet Protocol (TCP/IP) suite is the most widely-used transport protocol in digital packet networks today. TCP is a connection-oriented, end-to-end, full-duplex protocol, which provides for reliable inter-process communication between pairs of processes in host computers. The information exchanged between TCP peers is packed into datagrams known as segments, each comprising a TCP header followed by payload data. The segments are transported over the network in IP packets. TCP is described by Postel in RFC 793 of the U.S. Defense Advanced Research Projects Agency (DARPA), entitled “Transmission Control Protocol: DARPA Internet Program Protocol Specification” (1981), which is incorporated herein by reference. The description given hereinbelow of certain features of TCP is based on information in RFC 793, and readers should refer to the RFC for further details.
Each octet transmitted in a TCP segment is assigned a sequence number, which is used by the receiving computer to recover from damage, loss and duplication of packets and to reorder segments that are delivered out of order. Upon receiving a segment, the receiver is expected to give a positive acknowledgment (ACK), by returning a packet to the sender in which the “ACK” control bit is set in the TCP header. If the sender does not receive the ACK within a timeout interval, it retransmits the data. Since TCP is a full-duplex protocol, the header of each segment contains fields for both the sequence number and an acknowledgment number. The sequence number field holds the sequence number of the first data octet in the segment (or an initial sequence number, ISN, in the case of a SYN packet, as described below). The acknowledgment number field contains the value of the next sequence number the sender of the segment is expecting to receive over the TCP connection. The acknowledgment number is thus determined by the highest sequence number in the last segment that was received. To govern the amount of data sent by the sender, the receiver returns a “window” with every ACK, indicating a range of acceptable sequence numbers beyond the last segment successfully received.
To establish a TCP connection, the two participating computers use the well-known “three-way handshake” to synchronize on each other's initial sequence numbers. The handshake is based on an exchange of connection-establishing segments carrying a control bit called “SYN” in their segment headers, along with the initial sequence numbers. Each side must also receive the other side's initial sequence number and send a confirming acknowledgment. To initiate the connection, computer A sends a SYN packet to computer B, indicating its initial sequence number (ISN). Computer B responds with a SYN-ACK packet, giving its own ISN and acknowledging the ISN sent by computer A (by setting the ACK bit and placing the value ISN+1 in the acknowledgment number field). Computer A finally responds with an ACK packet, acknowledging the ISN sent by computer B, and the connection is thus established.
The TCP segment header also contains a “RST” control bit, which is used when it is necessary to reset a TCP connection that is not properly synchronized. As a general rule, a RST packet (in which the RST bit is set) is sent whenever a segment arrives which apparently is not intended for the current connection as long as the connection is not in an “established” state. Thus, for example, if one of the computers in the course of establishing a TCP connection receives an ACK packet that contains an unexpected acknowledgment number, the receiving computer will return a RST packet to the sending computer.
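The handshake and the RST behaviour described above, as an added example that is not part of the original text: a small Python model of two endpoints exchanging SYN, SYN-ACK and ACK, with the ISN+1 check on the acknowledgment number that produces a RST when the final ACK does not match. `Segment`, `Endpoint` and `handshake` are constructed names; the window field and payload data are omitted.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the handshake described above: only the control bits,
# sequence number and acknowledgment number of the TCP header are represented.

@dataclass
class Segment:
    seq: int                     # sequence number field (ISN in a SYN)
    ack: Optional[int] = None    # acknowledgment number field
    syn: bool = False
    ack_bit: bool = False
    rst: bool = False

class Endpoint:
    """One side of a connection; state names follow RFC 793."""
    def __init__(self, isn: int) -> None:
        self.isn, self.state, self.peer_isn = isn, "LISTEN", None

    def connect(self) -> Segment:
        self.state = "SYN-SENT"                 # computer A sends SYN with its ISN
        return Segment(seq=self.isn, syn=True)

    def receive(self, s: Segment) -> Optional[Segment]:
        if self.state == "LISTEN" and s.syn and not s.ack_bit:
            self.peer_isn, self.state = s.seq, "SYN-RECEIVED"
            # computer B: SYN-ACK carrying its own ISN and acknowledging ISN_A + 1
            return Segment(seq=self.isn, ack=s.seq + 1, syn=True, ack_bit=True)
        if self.state == "SYN-SENT" and s.syn and s.ack_bit:
            if s.ack != self.isn + 1:           # not acknowledging our ISN
                return Segment(seq=s.ack, rst=True)
            self.peer_isn, self.state = s.seq, "ESTABLISHED"
            return Segment(seq=self.isn + 1, ack=s.seq + 1, ack_bit=True)
        if self.state == "SYN-RECEIVED" and s.ack_bit and not s.syn:
            if s.ack != self.isn + 1:
                # unexpected acknowledgment number before ESTABLISHED: reset
                return Segment(seq=s.ack, rst=True)
            self.state = "ESTABLISHED"
        return None

def handshake(isn_a: int, isn_b: int, forged_ack: Optional[int] = None):
    """Run A <-> B; optionally overwrite A's final acknowledgment number."""
    a, b = Endpoint(isn_a), Endpoint(isn_b)
    syn_ack = b.receive(a.connect())
    final_ack = a.receive(syn_ack)
    if forged_ack is not None:
        final_ack.ack = forged_ack
    reply = b.receive(final_ack)
    return a.state, b.state, reply
```

With matching acknowledgment numbers both sides reach ESTABLISHED; with a forged final ACK, computer B stays in SYN-RECEIVED and answers with a RST whose sequence number is taken from the offending acknowledgment field.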