
METHOD FOR PROTECTION AGAINST SYN FLOOD ATTACK WITH IP SPOOFING BASED ON IP HEADER INFORMATION

IP.com Disclosure Number: IPCOM000016113D
Original Publication Date: 2002-Oct-12
Included in the Prior Art Database: 2003-Jun-21

Publishing Venue

IBM

Abstract

Disclosed is a system for protecting Internet hosts against SYN flood attacks that use IP spoofing. The essence of a SYN flood attack is sending many SYN packets to the victim machine, forcing it to potentially exhaust its memory with the data structures allocated for half-open connections. A malicious technique known as IP spoofing is often used by attackers in conjunction with a SYN flood attack, which makes it difficult to trace the SYN packets back to their source and renders virtually useless the simple filtering anti-SYN flood algorithms that assume the attack originates from a limited number of hosts. The proposed solution is based on the assumption that, for every host in a wide-area IP network (e.g. the Internet), there is a noticeable correlation between the source IP subnet of a packet and the value of the TTL field in the IP header of that packet; i.e. at any given point of a WAN it is possible to collect historical data and then use regression and correlation analysis to produce an equation describing the estimated value of TTL as a function of the IP source address and some other parameters:

TTL_est = F(SUBNET(source_IP), P1, P2, …)    (1)
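As an added illustration, not part of the disclosure, the following Python sketches the defensive check implied by equation (1): it builds a per-subnet TTL baseline from constructed historical SYN observations (a per-subnet mean with observed spread stands in for the regression fit, and the extra parameters P1, P2 are omitted) and then classifies an incoming SYN as consistent or inconsistent with the TTL expected for its source subnet.

```python
"""Per-subnet TTL baseline check for incoming SYN packets (added example)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed training data: (source IP, observed TTL) pairs taken from SYN
# packets seen at one vantage point during normal operation. Values are invented.
HISTORY = [
    ("198.51.100.7", 52), ("198.51.100.19", 52), ("198.51.100.200", 51),
    ("203.0.113.4", 117), ("203.0.113.77", 118), ("203.0.113.9", 117),
    ("192.0.2.10", 243), ("192.0.2.11", 243), ("192.0.2.250", 242),
]


def subnet_key(ip: str, prefix: int = 24) -> str:
    """SUBNET(source_IP): collapse a source address to its /prefix network."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def build_baseline(history, prefix: int = 24) -> dict:
    """Approximate F(SUBNET) as the mean TTL per subnet, together with the
    largest deviation seen, so the check tolerates routine path-length jitter."""
    ttls = defaultdict(list)
    for ip, ttl in history:
        ttls[subnet_key(ip, prefix)].append(ttl)
    baseline = {}
    for net, values in ttls.items():
        mean = sum(values) / len(values)
        spread = max(abs(v - mean) for v in values)
        baseline[net] = (mean, spread)
    return baseline


def classify_syn(baseline: dict, src_ip: str, ttl: int,
                 prefix: int = 24, slack: int = 2) -> str:
    """Return 'ok' if the TTL matches the learned estimate for the source
    subnet, 'suspect' if it deviates (a spoofed source is the likely cause),
    and 'unknown' if no historical data exists for that subnet."""
    net = subnet_key(src_ip, prefix)
    if net not in baseline:
        return "unknown"
    mean, spread = baseline[net]
    return "ok" if abs(ttl - mean) <= spread + slack else "suspect"


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # A SYN claiming a 198.51.100.0/24 source but arriving with TTL 128
    # contradicts the learned path length for that subnet.
    print(classify_syn(base, "198.51.100.77", 52), classify_syn(base, "198.51.100.77", 128))
```

A 'suspect' verdict is a signal to deprioritise or rate-limit the half-open entry, not proof of spoofing, since routing changes can shift a subnet's TTL until the baseline is refreshed.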