This invention relates to techniques to thwart network-related denial of service attacks.
In denial of service attacks, an attacker sends a large volume of malicious traffic to a victim. In one approach an attacker, via a computer system connected to the Internet infiltrates one or a plurality of computers at various data centers. Often the attacker will access the Internet through an Internet Service Provider (ISP). The attacker by use of a malicious software program places the plurality of computers at the data centers under its control. When the attacker issues a command to the computers at the data centers, the machines send data out of the data centers at arbitrary times. These computers can simultaneously send large volumes of data over various times to the victim preventing the victim from responding to legitimate traffic.
One type of attack is a transport control protocol (TCP) SYN flood attack. With the transport control protocol (TCP) a connection between two hosts on the network is initiated via a three-way handshake. During a TCP SYN flood attack, an attacker will send many SYN packets to victim.
One approach is described in “Analysis of a denial of service attack on TCP” by Schuba et al. Proceedings of the 1997 IEEE Symposium on Security and Privacy (IEEE Computer Society Press, May 1997). This paper analyzes a network-based denial of service attack for IP (Internet Protocol) based networks. The paper provides an approach for protection against SYN flooding attacks for all connected to the same local area network. The approach recognizes that the attacking site generally will not respond by sending ACK packets to the victim in response to the victim sending corresponding SYN ACK packets.