As computer networks and the Internet become more critical for many businesses, guaranteeing the appropriate operation at a reasonable service level becomes a top priority. Allowing business services over the Internet makes the organization's network much more vulnerable to attacks, which may reduce performances or even bring the entire network down. For this reason, network security, and in particular protecting the network against malicious attacks, has also become increasingly significant for many businesses.
One of the most common and dangerous types of attacks is known as the Denial of Service (DoS) attack. DoS attacks are designed to bring down a computer or network by overloading it with a large amount of network traffic using TCP, UDP, or ICMP data packets. On their own, these packets look harmless, making them easily allowed through a company's routers and firewalls. As indicated by its name, DoS attack denies the appropriate service from legitimate customers by overloading both the network and the attacked server.
One specific form of the DoS attack is the Coordinated SYN DoS attack (CSDoS). In this attack, several malicious hosts, working on a coordinated basis and therefore operating essentially simultaneously, send only SYN packets (which are the first packet in the TCP connection establishment protocol) towards an intended victim server, using forged sender IP addresses. In this way, the attacker creates both a very large amount of entries in the victim server's TCP connection table, as well as a very high load on the links that connect that server to the Internet. The use of forged sender IP addresses makes the server send its SYN/ACK packets (which are the TCP reply packets to SYN packets) to non existing addresses, and thus the entries in the connection tables stay until they are timed out. In addition, there is no easy way to find out the addresses of the comprised malicious hosts, thus preventing an effort to filter out packets from these hosts.
RFC 2827 talks about these attacks and suggests ways to block packets with forged sender IP addresses. The manufacturers of layers 4-7 switches1 promote the use of these devices to filter out unwanted traffic and for load balancing that can be used to alleviate the load from a Network Intrusion Detection (NID) systems. However, these techniques have not been successful because the efficacy of ingress filtering (as described in RFC 2827) and like techniques depends heavily on voluntarily cooperation from every individual network in the Internet. Furthermore, such approaches are costly to operate, and are subject to the negative effects of misconfigured access lists. 1There is often some confusion regarding terminology among experts in the field, relating to layer 4 and layer 7 switches. In this specification, “layer 4-7 switches” refers to this type of devices, in general. Where there are differences between layer 4 and layer 7 switches, these differences are pointed out.