Network security is an important factor in today's networking environment. One current method of attacking a computer network is a distributed denial of service (DDoS) attack. In a DDoS attack, malicious agents attempt to overload the server computers of an entity by bombarding them with traffic. One type of DDoS attack is a connection request attack, in which one or more malicious systems attempt to overload server computers by "flooding" them with bogus connection requests. For example, one such attack is a transmission control protocol (TCP) synchronize (SYN) flood attack. In a SYN flood attack, server computers are overloaded with SYN segments requesting the establishment of bogus TCP connections; each resulting half-open connection ties up server state until it times out.
The most commonly used method to mitigate SYN flood attacks is SYN cookies. In this method, a mitigation system located between client computers and server computers responds to a SYN segment by sending a synchronize-acknowledgment (SYN-ACK) segment on behalf of the server computer it is protecting, without allocating any per-connection state. The initial sequence number that the mitigation system proposes in that SYN-ACK is a cookie: a value computed from the connection parameters (addresses, ports, a coarse timestamp and the maximum segment size offered by the client) and a secret, so that it is representative of the connection state. If the client computer responds with an acknowledgment (ACK) segment, the mitigation system validates the connection by recomputing the cookie from the ACK number minus one, comparing it with the value carried in the segment, and regenerating the initial state encoded in the cookie. The mitigation system then opens a TCP connection to the server computer it is protecting. Because the initial sequence number the mitigation system proposed to the client computer differs from the one the server computer proposes to the mitigation system, the mitigation system must translate sequence and acknowledgment numbers between the two connections for the life of the connection. This imposes the restriction that the mitigation system must see traffic in both directions, i.e., traffic from the client computer to the server computer and traffic from the server computer to the client computer. In cases where traffic from the server computer takes a different route to reach the client computer (asymmetric routing), this method does not work.
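The SYN-cookie validation and the sequence-number translation described above, written out as an added example that is not part of the original document and not the system it describes. The cookie layout (a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed tag), the MSS table, the secret and the counter window are assumptions chosen for illustration; the translation step assumes the mitigation system reuses the client's own initial sequence number when it opens the server-side connection, so that only the server-chosen numbers need rewriting.

```python
import hashlib
import hmac
import struct

# Constructed secret for this example; a real mitigation system would rotate it.
SECRET = b"example-secret-rotate-me"
# MSS values that fit the 3-bit field of the cookie (assumed table).
MSS_TABLE = (536, 1024, 1220, 1440, 1460)
# Accept cookies minted in the current or the previous counter tick.
COUNTER_WINDOW = 1
MASK32 = 0xFFFFFFFF


def _mac24(saddr: bytes, daddr: bytes, sport: int, dport: int, count: int) -> int:
    """Keyed 24-bit tag over the 4-tuple and the 5-bit time counter."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _mss_index(mss: int) -> int:
    """Largest table entry not exceeding the MSS the client offered."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, mss, count) -> int:
    """Initial sequence number for the SYN-ACK sent on the server's behalf.

    Assumed layout: 5-bit counter | 3-bit MSS index | 24-bit MAC.  Nothing is
    stored per connection; everything needed later is inside the number.
    """
    t5 = count & 0x1F
    return (t5 << 27) | (_mss_index(mss) << 24) | _mac24(saddr, daddr, sport, dport, t5)


def check_cookie(saddr, daddr, sport, dport, ack, now):
    """Validate the client's ACK.  Returns the recovered MSS, or None when the
    ACK number does not carry a fresh, correctly keyed cookie for this 4-tuple."""
    cookie = (ack - 1) & MASK32                      # client acknowledges ISN + 1
    t5 = cookie >> 27
    if ((now - t5) & 0x1F) > COUNTER_WINDOW:         # stale (or future) cookie
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, t5):
        return None                                  # forged, or minted for another 4-tuple
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[idx]


class SeqTranslator:
    """Rewrites numbers between the client-side connection (server ISN = the
    cookie) and the server-side connection (server ISN = what the real server
    chose).  The offset must be applied to every segment, in both directions,
    for the life of the connection."""

    def __init__(self, cookie_isn: int, server_isn: int):
        self.delta = (server_isn - cookie_isn) & MASK32

    def ack_to_server(self, client_ack: int) -> int:
        """Client -> server: ACK numbers refer to the cookie ISN; shift to the server's."""
        return (client_ack + self.delta) & MASK32

    def seq_to_client(self, server_seq: int) -> int:
        """Server -> client: the direction that requires seeing the return traffic."""
        return (server_seq - self.delta) & MASK32


if __name__ == "__main__":
    # Constructed addresses from documentation ranges.
    client, server = bytes([203, 0, 113, 7]), bytes([198, 51, 100, 20])
    isn = make_cookie(client, server, 40000, 80, 1460, count=7)
    print("recovered MSS:", check_cookie(client, server, 40000, 80, isn + 1, now=7))
    print("expired cookie:", check_cookie(client, server, 40000, 80, isn + 1, now=9))
    tr = SeqTranslator(isn, server_isn=1000)
    print("client ACK -> server:", tr.ack_to_server((isn + 1) & MASK32))
    print("server SEQ -> client:", tr.seq_to_client(1001))
```

Note that `seq_to_client` is the step the restriction in the text comes from: if the server's segments bypass the mitigation system, nobody subtracts the offset and the client receives sequence numbers it never agreed to.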
Accordingly, there is a need for methods and systems that mitigate such network attacks without requiring visibility of the network traffic in both directions.