DocumentCode :
2578923
Title :
A mitigation model for TCP SYN flooding with IP spoofing
Author :
Kavisankar, L. ; Chellappan, C.
Author_Institution :
Dept. of CSE, Anna Univ., Chennai, India
fYear :
2011
fDate :
3-5 June 2011
Firstpage :
251
Lastpage :
256
Abstract :
DDoS attack is considered to be a major threat among security problems in today's Internet. These kinds of attacks are potentially severe. They drastically bring down the business of a company. A DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. There are attacks exploiting some vulnerability or implementation bug in the software implementation of a service to bring the server down. Some attacks will use all the available resources at the target machine. This paper deals with attacks that consume all the bandwidth available to the victim machine. Among bandwidth attacks, the TCP SYN flood is the more prominent attack. The TCP/IP protocol suite is the most widely used protocol suite for data communication. The TCP SYN flood works by exhausting the TCP connection queue of the host and thus denying legitimate connection requests. There are various methods used to detect and prevent this attack, one of which is to block packets based on the SYN flag count from the same IP address. This kind of prevention method becomes unsuitable when the attackers use spoofed IP addresses. For the prevention of this kind of attack, TCP-specific probing is used in the proposed scheme, where the client is requested to change the window size / cause packet retransmission while sending the ACK in the three-way handshake. This is very useful for finding spoofed IP packets / TCP SYN floods and preventing them.
Keywords :
Internet; client-server systems; computer network security; cryptographic protocols; data communication; transport protocols; user interfaces; DDoS attack; Internet security problems; SYN flag; Spoofed IP address; TCP SYN flooding; TCP connection queue; TCP/IP protocol suite; bandwidth attack; communication resources; company business; computing resources; data communication; legitimate connection requests; mitigation model; packet retransmission; server; software service implementation; target machine; victim machine; vulnerability; windows; Computer crime; Fingerprint recognition; Floods; IP networks; Probes; Protocols; Servers; DDoS; IP Spoofing; TCP SYN flooding; TCP probing;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Recent Trends in Information Technology (ICRTIT), 2011 International Conference on
Conference_Location :
Chennai, Tamil Nadu
Print_ISBN :
978-1-4577-0588-5
Type :
conf
DOI :
10.1109/ICRTIT.2011.5972435
Filename :
5972435