
METHOD FOR PROTECTION AGAINST SYN FLOOD ATTACK WITH IP SPOOFING BASED ON IP HEADER INFORMATION

IP.com Disclosure Number: IPCOM000016113D
Original Publication Date: 2002-Oct-12
Included in the Prior Art Database: 2003-Jun-21
Document File: 2 page(s) / 79K

Publishing Venue

IBM

Abstract

Disclosed is a system for protecting Internet hosts against SYN flood attacks that use IP spoofing. A SYN flood sends a large number of TCP SYN packets to the victim, which allocates a data structure for every resulting half-open connection and can thereby exhaust its memory. Attackers commonly combine SYN flooding with IP spoofing, i.e. forging the source address of each SYN; this makes the packets hard to trace back to their origin and defeats simple filtering defences that assume the attack comes from a small number of hosts.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.


The proposed solution is based on the assumption that, for every host in a wide-area IP network (e.g. the Internet), there is a noticeable correlation between the source IP subnet of a packet and the value of the TTL field in its IP header: each router on the path decrements the TTL by one, so the TTL seen at a given observation point reflects the number of hops from the source, which in turn depends on where in the network the source sits. At any given point of a WAN it is therefore possible to collect historical data and use regression and correlation analysis to produce an equation describing the TTL as a function of the source IP address and some other parameters:

TTLest = F(SUBNET(source_IP), P1, P2, ...)    (1)

where

  TTLest            - estimated TTL value,
  source_IP         - the packet's source IP address,
  SUBNET(source_IP) - the subnet to which the source IP belongs,
  P1, P2, ...       - parameters of the method (such as time of day, and other parameters to be defined during the data collection stage using regression analysis methods).

Evidence for the assumption is that some secure connection protocols (such as VPNs) deliberately set the TTL field to a value of (base + random number) precisely to remove the clues that would let an observer infer the packet's origin; in other words, the TTL is already recognised as leaking information about where a packet came from.
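The following Python is an added example written for this page; it is not code from the IBM disclosure. It reduces the estimator F of equation (1) to a per-subnet expected hop count learned from trusted traffic (the median of observed hop counts per /24), and leaves out the extra parameters P1, P2, ... such as time of day. The initial-TTL set (32, 64, 128, 255), the prefix length, the tolerance of one hop and all addresses and TTL values are assumptions constructed for the demonstration, not measurements.

```python
# Added example, not part of the IBM disclosure: a TTL-profile SYN filter in
# the spirit of equation (1). The estimator F is simplified to a per-subnet
# expected hop count learned from trusted traffic; the extra parameters
# P1, P2, ... (time of day, etc.) are not modelled.
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Assumption: senders start from one of these common initial TTLs, so the
# initial TTL of a packet is the smallest of them that is >= the observed TTL.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count(observed_ttl):
    """Infer the number of routers traversed from the TTL seen on arrival.

    Each router decrements TTL by one, so hops = initial_ttl - observed_ttl.
    Profiling the hop count rather than the raw TTL makes the profile
    independent of the sender's operating system (64 vs 128 vs 255 defaults).
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise AssertionError("unreachable: observed_ttl <= 255")


def subnet_key(src_ip, prefix):
    """SUBNET(source_IP): collapse an address to its enclosing prefix."""
    return str(ip_network(f"{src_ip}/{prefix}", strict=False))


class TTLProfile:
    """Learns expected hop counts per source subnet and classifies SYNs."""

    def __init__(self, prefix=24, tolerance=1):
        self.prefix = prefix        # subnet granularity of the profile
        self.tolerance = tolerance  # allowed |observed - expected| in hops
        self._samples = defaultdict(list)
        self._expected = {}

    def learn(self, src_ip, ttl):
        """Data collection stage: record a trusted (source, TTL) observation,
        e.g. taken from connections that completed the three-way handshake."""
        self._samples[subnet_key(src_ip, self.prefix)].append(hop_count(ttl))

    def build(self):
        """Estimation stage: the expected hop count per subnet is the median
        of its samples (a robust stand-in for the disclosure's regression F)."""
        self._expected = {k: median(v) for k, v in self._samples.items()}

    def estimate(self, src_ip):
        """Expected hop count for this source, or None if its subnet is unprofiled."""
        return self._expected.get(subnet_key(src_ip, self.prefix))

    def classify(self, src_ip, ttl):
        """Packet filtering stage: ACCEPT, DROP (TTL inconsistent with the
        claimed subnet, i.e. likely spoofed) or UNKNOWN (no profile yet)."""
        expected = self.estimate(src_ip)
        if expected is None:
            return "UNKNOWN"
        if abs(hop_count(ttl) - expected) <= self.tolerance:
            return "ACCEPT"
        return "DROP"


# Constructed training data (not real measurements): hosts in 203.0.113.0/24
# sit 12 hops from the protected host, hosts in 198.51.100.0/24 sit 20 hops away.
TRUSTED_SAMPLES = [
    ("203.0.113.10", 52), ("203.0.113.11", 52), ("203.0.113.12", 51),   # initial TTL 64
    ("203.0.113.20", 116),                                               # initial TTL 128
    ("198.51.100.5", 108), ("198.51.100.6", 108), ("198.51.100.7", 235), # TTL 128 / 255
]


def build_demo_profile():
    """Run the data collection and estimation stages over the constructed samples."""
    profile = TTLProfile(prefix=24, tolerance=1)
    for src, ttl in TRUSTED_SAMPLES:
        profile.learn(src, ttl)
    profile.build()
    return profile


def demo():
    """Classify a handful of constructed incoming SYNs against the profile."""
    profile = build_demo_profile()
    incoming = [
        ("203.0.113.77", 52),    # genuine host in a profiled subnet (12 hops)
        ("203.0.113.78", 116),   # genuine host, different OS default TTL, still 12 hops
        ("203.0.113.9", 59),     # spoofed: the real sender is only 5 hops away
        ("198.51.100.200", 120), # spoofed: claims a 20-hop subnet but arrives after 8
        ("192.0.2.1", 60),       # subnet never seen during data collection
    ]
    return {src: profile.classify(src, ttl) for src, ttl in incoming}


if __name__ == "__main__":
    for src, verdict in demo().items():
        print(f"{src:16} {verdict}")
```

Two practical points follow from the code. UNKNOWN packets must be handled by policy (for example rate-limited or passed to SYN cookies) rather than dropped outright, otherwise the filter blocks every subnet that has not yet been profiled. And the filter only raises the bar: an attacker who knows the hop count from the spoofed subnet to the victim can choose an initial TTL so that the forged packet arrives with the expected value, which is the same observation the VPN note above makes about TTL being manipulable at the sender.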

According to the proposed solution, the protection system would have three modules:

  Network Topology Module
  Data Collection Module
  Packet Filtering Module

The Network Topology Module obtains the network topology information from routers (using...