Modern data transmission systems are subject to increasingly sophisticated attacks, such as for instance attacks of the buffer oversizing type. This kind of attack consists in exhausting the resources of network systems.
Indeed, a possible attack against a TCP network device is to open a large number of fake TCP connections and send segments with inconsistent sequence numbers. For instance, an attacker can send a set of very small segments with non-consecutive sequence numbers throughout the TCP window, and never send the packet located at the Bottom of Window (BoW), or more subtly, send BoW segments at a very low rate. In that context, the TCP network device allocates a set of re-assembly buffers so that it can observe the whole TCP window, but never releases them. By doing that, the attacker forces the TCP network device to allocate a large volume of memory per controlled TCP connection.
Many efforts have been made to prevent or at least limit damages from that kind of attacks, which have let to various types of answers.
Nevertheless, none of the known techniques of protection proves entirely satisfactory in all types of situations. The resource allocation must result from a trade-off between the need to provide the equipment with some level of resilience to attacks at which they may be targeted and the necessity not to degrade too much their operation when they are not under attack.