Attacks on web sites in recent years has resulted in severe disruption in network services. These attacks can take any one of a number of forms including, but not limited to, SYN flooding.
In a SYN flooding attack an attacker overloads a victim's site to the point where it cannot cope with incoming traffic. Such an attack, typically, focuses on an inherent characteristic of TCP based services.
Essentially, TCP services rely on a three-way hand shaking protocol on connection set up. A client wishing to make connection with a host sends a synchronization signal (SYN) to the host and the host responds to the client with a SYN acknowledgement (ACK) reply. The client then returns an acknowledgement and the connection is established.
Upon completion of a connection the client forwards a finish (FIN) packet to the host indicating that there will be no further data or packets directed to the host and the connection is thereafter closed.
In a SYN flooding attack the attacker will typically use a false or invalid source address such that when the host returns the SYN/ACK message it does not reach a valid client. Under the TCP protocol the host stores half opened connections i.e. connections for which the third leg of the three way protocol has not been completed for a set period of time or until a system time out occurs. If, during this time interval multiple new half opened connections are established at the host site the memory allocated to retaining such connections becomes swamped and eventually is unable to receive any more SYN packets. At this stage the server or host will crash or will not respond to any new connections and the site goes out of service. Because the host is unable to receive further data the attacker has been successful in generating what is known as a denial of service attack.
Denial of service attacks have become an increasingly prevalent form of a security threat and the problem, so far, has been quite difficult to solve. Several countermeasures have been proposed and can be characterized as firewall and router filtering, operating system improvements, protocol improvements and intrusion detection.
A denial of service attack involves blocking somebody's ability to use some service on a network. Denial of Service (DoS) attacks are common across the Internet with many being launched daily at various targets. Many of the attacks involve specially constructed packets designed to either take advantage of flaws in software, or to tie up resources within devices (packet flooding attacks). In co-pending application bearing co-pending application Ser. No. 10/224507 a new method of detecting these packet floods using frequency analysis techniques is described. The contents of the aforementioned application are incorporated herein by reference.
Several attack mitigation solutions exist such as random drop algorithms and rate limiting. Random drop involves dropping packets from queues on a random basis when an attack has been detected. Schemes like this rely on the fact that real connections will spend very little time within queues compared to attack packets and therefore dropped packets from the queue are more likely to belong to an attack.
Rate limiting involves restricting the rate of a certain type of packet to a specified level given that an attack has been detected, by dropping packets which exceed this bandwidth.
Random drop algorithms can work quite well within network hosts, but within carrier equipment it becomes quite difficult to implement. Shadow state tables have to be created and these can become victim to the same attacks that are directed at a victim.
Rate limiting can be a very effective way to ensuring that a server does not become overloaded, but in the process good packets are dropped at the same time as attack packets, thus denying some legitimate users access to a service. A rate limiter is unable to distinguish good traffic from bad.