Abstract:Distributed Denial-of-Service (DDoS) attack remains a serious problem on the Internet today, as it takes advantage of the lack of authenticity in the IP protocol, destination oriented routing, and stateless nature of the Internet. Among various DDoS attacks, the TCP SYN flooding [1] is the most commonly-used one. It exploits TCP’s three-way handshake mechanism and TCP’s limitation in maintaining half-open connections. When a server receives a SYN packet, it returns a SYN/ACK packet and allocates resources (typically backlog queue in the system memory) to track the TCP state. Then the server would wait until either the half-open connection completes or the TCP connection times out. In the SYN flooding attack, the server will receive a large number of SYN packets but never receive the final ACK packets to complete the three-way handshake. Then the victim server’s backlog queue can be easily exhausted, causing all the new incoming SYN requests to be dropped. Furthermore, many other system resources, such as CPU and network bandwidth used to retransmit the SYN/ACK packets, are occupied. The most viable techniques [2] up-to-date to defend SYN floods include SYN cache [3] and SYN cookies [4]. SYN cache is to allocate minimal state when the initial request is received, and only allocate all the resources when the connection is completed. If the backlog queue is full, the oldest entry is removed. SYN cookies allocate no state for half-open connections. Instead, they encode most of the states and encrypt them into the sequence number transmitted in the SYN/ACK packet. The ACK packet that completes the handshake can be used to reconstruct the state to be put into the backlog queue. One problem with SYN cookies is not able to encode all the TCP options, and the other is that TCP protocol with SYN cookies would never retransmit the unacknowledged SYN/ACK packet. In addition, both of them do not handle application data piggybacked on the SYN segment, i.e., incompatible with Transactional TCP (T/TCP)

A Novel Router-based Scheme to Mitigate SYN Flooding DDoS Attacks

A novel mechanism to defend against low-rate denial-of-service attacks

Detecting SYN Flooding Agents under Any Type of IP Spoofing

Router based detection for low-rate agents of DDoS attack

Detection and Response of Low-Rate TCP-targeted Denial of Service Attacks

Optimal control of DDoS defense with multi-resource max-min fairness

A Robust Scheme To Detect Syn Flooding Attacks

Multi-variant Network Address Hopping to Defend Stealthy Crossfire Attack

An Adaptive Defending Mechanism Against Distributed Denial-of-Service (DDoS) Attacks

Detection and Mitigation of SYN Flooding Attacks through SYN/ACK Packets and Black/White Lists

A novel rate limit algorithm against meek DDoS attacks

A novel architecture for detecting and defending against flooding-based DDoS attacks

SYN Flood Attack Detection and Mitigation using Machine Learning Traffic Classification and Programmable Data Plane Filtering

An Active Defense Mechanism for TCP SYN flooding attacks

Analysis and realization of anti-DDoS attack algorithm based on the SYN Cookie mechanism

Effective DDoS Mitigation Via ML-Driven In-network Traffic Shaping

A More Accurate Scheme to Detect SYN Flood Attacks

HTTP DDoS Flooding Attack Mitigation in Software-Defined Networking

More Accurate and Fast SYN Flood Detection

Deep Reinforcement Learning based Smart Mitigation of DDoS Flooding in Software-Defined Networks

Review of syn-flooding attack detection mechanism