TCP, defined for example in RFC 793, is a widely used Internet protocol that provides reliable, ordered delivery of data; web browsers, for example, commonly use TCP when connecting to origin servers on the Internet. A TCP segment (sometimes referred to as a TCP packet) consists of a header, whose fields include source port, destination port, sequence number, acknowledgement number, data offset, reserved, control bits, window, checksum, urgent pointer, options, and padding, followed by a field for the data. The TCP segment is commonly encapsulated in an IP packet whose header includes, among other fields, the source IP address, the destination IP address, and options.
TCP uses sequence numbers to identify the order of data so that data received out of order can be reassembled. A client establishes a TCP connection with a server through a series of messages commonly referred to as a handshake. The handshake begins with the client transmitting a TCP SYN message to the server, which initiates a TCP connection to the server. The server responds with a TCP SYN-ACK message, which acknowledges the TCP SYN message and carries an initial sequence number (ISN) chosen by the server. The client responds with a TCP ACK message that acknowledges the TCP SYN-ACK message and whose acknowledgement number is the server's ISN incremented by one. After these three messages, the TCP connection between the client and the server is established. TCP segments also carry a TCP checksum, which is a ones' complement sum over certain fields in the TCP header.
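To make the header layout, the handshake numbering and the ones' complement checksum concrete, here is an added Python example (not code from the original text) that builds a fixed 20-byte TCP header with its checksum, verifies a received segment's checksum, parses the header fields named above, and lists the sequence and acknowledgement numbers exchanged in the three-way handshake. The IP addresses and port numbers are constructed sample values; the function names are this example's own.

```python
import ipaddress
import struct

# Control-bit values from the TCP header (RFC 793)
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
PROTO_TCP = 6
HEADER_FORMAT = "!HHIIBBHHH"   # fixed 20-byte header without options


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"             # an odd trailing byte is padded with zero
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:              # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header followed by the TCP header and data."""
    pseudo = struct.pack(
        "!4s4sBBH",
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
        0, PROTO_TCP, len(segment),
    )
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=65535):
    """Build a segment; the checksum is computed with the checksum field zeroed, then filled in."""
    header = struct.pack(HEADER_FORMAT, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def verify_checksum(src_ip, dst_ip, segment: bytes) -> bool:
    """A correctly checksummed segment (checksum field included) sums to 0xFFFF, whose complement is 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def parse_header(segment: bytes) -> dict:
    """Unpack the fixed header fields listed in the text."""
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack(
        HEADER_FORMAT, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_res >> 4, "flags": flags, "window": window,
            "checksum": csum, "urgent": urg}


def handshake(client_isn: int, server_isn: int):
    """(name, sequence number, acknowledgement number, flags) for the three handshake messages."""
    return [
        ("SYN",     client_isn,     0,              FLAG_SYN),
        ("SYN-ACK", server_isn,     client_isn + 1, FLAG_SYN | FLAG_ACK),
        ("ACK",     client_isn + 1, server_isn + 1, FLAG_ACK),
    ]


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges) and ports
    syn = build_segment("198.51.100.7", "192.0.2.1", 51234, 443, 1000, 0, FLAG_SYN)
    print(parse_header(syn), verify_checksum("198.51.100.7", "192.0.2.1", syn))
    for name, seq, ack, flags in handshake(1000, 5000):
        print(f"{name:8s} seq={seq} ack={ack} flags={flags:#04x}")
```

Because the pseudo-header is part of the checksum, a segment whose checksum is valid for one pair of IP addresses fails verification for another, which is why a receiver must recompute the checksum with the addresses from the encapsulating IP packet rather than only over the TCP bytes.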
A fairly common denial of service (DoS) attack is a SYN flood from one or more clients (which may be members of a botnet) that causes a high rate of incomplete TCP connections. A half-open connection is a connection where the client has sent a SYN message, the server has responded with a SYN-ACK message, and the server is waiting for the client to respond with an ACK message. In a SYN flood attack, malicious clients typically send many SYN messages to a TCP server with no intention of ever answering the SYN-ACK message with an ACK message. The server may maintain state for all half-open connections (i.e., while waiting for the client to complete the handshake with a TCP ACK message), so the SYN flood may consume all of the memory available to TCP on the server (an overflowing state table), which may lead to the server failing or denying service to legitimate clients, and it may also create a high interrupt rate from the network interface card on the attacked server. Thus, these incomplete TCP connections consume resources on web servers in both CPU time and memory space.
One solution to the overflowing state table is to implement SYN cookies. A SYN cookie is an ISN specifically chosen by the server that lets the server avoid maintaining the state table while still allowing it to recreate the TCP session so the connection can be established and maintained. The SYN cookie may be based on a timestamp (such that the cookie is valid only for a certain period of time), a maximum segment size (MSS) value selected by the server, and a cryptographic hash computed over the server's IP address and port, the client's IP address and port, and the timestamp. For example, the SYN cookie may be a 32-bit value where the top 5 bits are equal to t mod 32, where t is a 32-bit time counter that increases every 64 seconds; the next 3 bits are an encoding of the MSS selected by the server; and the bottom 24 bits are the result of a cryptographic hash computed over the server's IP address and port, the client's IP address and port, and t. When the server receives an ACK from the client (whose acknowledgement number should be the SYN cookie value incremented by one), the server subtracts one, checks the value t against the current time to see whether the connection has expired, computes the cryptographic hash to determine whether it is a valid SYN cookie, and uses the MSS to reconstruct the SYN queue entry.
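The following Python example, added here and not taken from the original text, implements the 5/3/24-bit SYN cookie layout just described: generation on the SYN, and validation on the returning ACK that recovers t from its low 5 bits, rejects expired cookies, recomputes the keyed hash, and returns the encoded MSS for rebuilding the queue entry. The MSS table, the two-tick expiry window, the use of HMAC-SHA256 truncated to 24 bits, the secret, and all addresses are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumed 8-entry MSS table, indexed by the cookie's 3-bit MSS field
MSS_TABLE = (536, 1024, 1220, 1440, 1460, 4312, 8960, 16384)
TICK_SECONDS = 64       # t increases every 64 seconds, as in the text
MAX_AGE_TICKS = 2       # assumption: cookies older than two ticks are expired


def counter(now: float) -> int:
    """The 32-bit time counter t derived from a wall-clock time in seconds."""
    return (int(now) // TICK_SECONDS) & 0xFFFFFFFF


def encode_mss(client_mss: int) -> int:
    """Server selects the largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= client_mss:
            idx = i
    return idx


def cookie_mac(secret: bytes, server_ip, server_port, client_ip, client_port, t: int) -> bytes:
    """24-bit keyed hash over server ip/port, client ip/port and t (HMAC-SHA256 is an assumption)."""
    msg = struct.pack(
        "!4sH4sHI",
        ipaddress.IPv4Address(server_ip).packed, server_port,
        ipaddress.IPv4Address(client_ip).packed, client_port,
        t & 0xFFFFFFFF,
    )
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_syn_cookie(secret, server_ip, server_port, client_ip, client_port, client_mss, now):
    """ISN to place in the SYN-ACK: top 5 bits t mod 32, next 3 bits MSS index, low 24 bits hash."""
    t = counter(now)
    mac = int.from_bytes(cookie_mac(secret, server_ip, server_port, client_ip, client_port, t), "big")
    return ((t & 0x1F) << 27) | (encode_mss(client_mss) << 24) | mac


def check_syn_cookie(secret, server_ip, server_port, client_ip, client_port, ack_number, now):
    """Validate the ACK's acknowledgement number; return the MSS to rebuild the entry, or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF           # the cookie is the ISN, i.e. ack - 1
    t_low = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    received_mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    t_now = counter(now)
    # Only the low 5 bits of t were stored; the accepted window (3 ticks) is shorter
    # than 32 ticks, so at most one candidate t in the window matches them.
    for age in range(MAX_AGE_TICKS + 1):
        t = (t_now - age) & 0xFFFFFFFF
        if (t & 0x1F) != t_low:
            continue                                 # wrong tick for this cookie
        expected = cookie_mac(secret, server_ip, server_port, client_ip, client_port, t)
        if hmac.compare_digest(expected, received_mac):
            return MSS_TABLE[mss_idx]
        return None                                  # hash mismatch: forged or wrong 4-tuple
    return None                                      # no tick in the window matches: expired


if __name__ == "__main__":
    secret = b"constructed-example-secret"          # a real server would rotate this
    now = 1_700_000_000.0
    isn = make_syn_cookie(secret, "192.0.2.1", 443, "198.51.100.7", 51234, 1460, now)
    print(f"SYN-ACK ISN (cookie): {isn:#010x}")
    print("ACK 10 s later:", check_syn_cookie(secret, "192.0.2.1", 443, "198.51.100.7", 51234, isn + 1, now + 10))
    print("ACK 5 min later:", check_syn_cookie(secret, "192.0.2.1", 443, "198.51.100.7", 51234, isn + 1, now + 300))
```

The server stores nothing between the SYN and the ACK: everything it needs to accept the connection is either in the ACK itself or recomputable from the secret, which is what removes the state table from the attacker's reach. The trade-offs remain those of the scheme: 24 bits of hash, an MSS chosen from a small table, and no room to remember other SYN options.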
The use of TCP SYN cookies addresses the problem of the overflowing state table, but it does not address the problem of the high interrupt rate caused by incomplete TCP connections (e.g., caused by a SYN flood attack). The high interrupt rate increases the CPU load on the attacked machine, which may starve it of CPU time for other legitimate purposes. For example, the CPU on the attacked machine is forced to perform the calculations necessary for TCP connection establishment, such as TCP checksumming. In a large denial of service attack, this CPU starvation can be significant.
Some TCP servers (e.g., web servers, proxy servers, etc.) may be configured to accept TCP connections only from known and approved source IP addresses. For example, upon receiving a TCP SYN message from a TCP client, the TCP server may check whether the source IP address of the encapsulating IP packet is a known and approved source IP address. If the source IP address is not known or approved, the TCP server will not accept the TCP connection.
The entity controlling the TCP server may not control or manage the IP addresses of TCP clients. Thus, the entity controlling the TCP server may not necessarily know the IP addresses of TCP clients from which it should accept connections, or the IP addresses of TCP clients from which it should not accept connections. In addition, the IP addresses of TCP clients may change, and often do. In some instances, the entity controlling the TCP server may receive a list of IP addresses from which it should accept connections (a whitelist of IP addresses) and/or a list of IP addresses from which it should not accept connections (a blacklist of IP addresses). These IP addresses would be installed in the server, or in a firewall in front of the server, and used to accept or deny connections. The use of such a list is subject to a synchronization problem if the IP addresses of legitimate TCP clients change and the list is not updated accordingly. Also, the list may be subject to abuse if it is compromised, since malicious users could use that knowledge to spoof their source IP addresses so that they appear to be legitimate TCP clients.