This thesis makes use of the option field reserved in the TCP header. Because the malicious clients that carry out a SYN flood generally never try to complete the TCP three-way handshake, an authenticated, legitimate client that connects to a server under a SYN-flood distributed denial-of-service attack can be told apart: after the three-way handshake completes, the server returns a specific packet whose TCP header option field carries the IP address of a new server together with a secret string. When the legitimate client then connects to the new server, the new server checks whether the SYN packet carries that secret string, and only if the check passes does it admit the SYN and allow the connection to be established.

Distributed denial of service (DDoS) attacks have become more and more frequent. In 2013, a massive DDoS attack was launched against Spamhaus, a non-profit anti-spam organization: up to 75 Gbps of DNS reflection traffic was directed at Spamhaus' servers, causing the service to shut down.
Although DDoS attacks have been around ever since the Internet became popular, no good solution has been offered yet.

In this paper, we present a solution based on TCP redirection using TCP header options. When a legitimate client attempts to connect to a server undergoing a SYN-flood DDoS attack, it initiates a TCP three-way handshake as usual. Once the handshake has completed, the server replies with a RST packet in whose TCP header options a new server address and a secret are embedded. The client can then connect to the new server using the supplied secret; the new server accepts only SYN packets that carry the correct secret.
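The exchange above can be made concrete with a small Python model of the three steps: the attacked server builds the RST options, the client parses them and repeats the secret in its SYN, and the new server checks that SYN. This is an added example, not code from the paper, and everything about the wire format is an assumption: the paper does not specify the option kind, the option layout, or how the secret is generated and shared. Here the option uses an experimental kind (253, per RFC 6994) with a hypothetical ExID, and the secret is an HMAC over the client's source address under a key assumed to be shared by the two servers, so the new server can check a SYN without keeping per-client state.

```python
import hashlib
import hmac
import ipaddress
import struct

# All constants and names here are assumptions for illustration, not from the paper.
# Option layout: kind (1) | length (1) | ExID (2) | IPv4 address (4) | secret (16) = 24 bytes,
# which fits the 40-byte TCP options budget alongside a 4-byte MSS option.
REDIRECT_KIND = 253        # RFC 6994 experimental option kind (assumed choice)
REDIRECT_EXID = 0xABCD     # hypothetical experiment identifier
SECRET_LEN = 16
REDIRECT_OPT_LEN = 2 + 2 + 4 + SECRET_LEN


def derive_secret(key: bytes, client_ip: str) -> bytes:
    """Assumed scheme: secret = HMAC(key, client address), truncated. `key` is shared by the
    attacked server and the new server, so the new server verifies statelessly instead of
    keeping a per-client table that a flood of SYNs could exhaust."""
    addr = ipaddress.IPv4Address(client_ip).packed
    return hmac.new(key, addr, hashlib.sha256).digest()[:SECRET_LEN]


def build_redirect_option(server_ip: str, secret: bytes) -> bytes:
    if len(secret) != SECRET_LEN:
        raise ValueError("secret must be %d bytes" % SECRET_LEN)
    body = struct.pack("!H", REDIRECT_EXID) + ipaddress.IPv4Address(server_ip).packed + secret
    return bytes([REDIRECT_KIND, 2 + len(body)]) + body


def pad_options(options: bytes) -> bytes:
    """TCP options occupy whole 32-bit words; pad with EOL (kind 0) as a real stack does."""
    return options + b"\x00" * (-len(options) % 4)


def parse_tcp_options(options: bytes):
    """Walk the options field: kind 0 ends the list, kind 1 is a one-byte NOP,
    everything else is kind / length / data. Malformed lengths raise."""
    parsed = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length %d" % length)
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def extract_redirect(options: bytes):
    """Return (server_ip, secret) if a well-formed redirect option is present, else None."""
    for kind, data in parse_tcp_options(options):
        if kind != REDIRECT_KIND or len(data) != REDIRECT_OPT_LEN - 2:
            continue
        (exid,) = struct.unpack("!H", data[:2])
        if exid == REDIRECT_EXID:
            return str(ipaddress.IPv4Address(data[2:6])), data[6:]
    return None


def attacked_server_rst_options(key: bytes, client_ip: str, new_server_ip: str) -> bytes:
    """Step 1: after the legitimate client completes the handshake, the attacked server
    answers with a RST whose options carry the new server's address and the secret."""
    return pad_options(build_redirect_option(new_server_ip, derive_secret(key, client_ip)))


def client_syn_options(rst_options: bytes) -> bytes:
    """Step 2: the client reads the redirect from the RST and sends a SYN to the new
    server that repeats the secret in the same option, next to a normal MSS option (kind 2)."""
    redirect = extract_redirect(rst_options)
    if redirect is None:
        raise ValueError("RST carried no redirect option")
    new_server_ip, secret = redirect
    mss = bytes([2, 4]) + struct.pack("!H", 1460)
    return pad_options(mss + build_redirect_option(new_server_ip, secret))


def new_server_accepts_syn(key: bytes, client_ip: str, syn_options: bytes) -> bool:
    """Step 3: the new server admits a SYN only if it carries the secret expected for this
    source address; a bare flood SYN, a spoofed source or a tampered secret is dropped."""
    try:
        redirect = extract_redirect(syn_options)
    except ValueError:
        return False
    if redirect is None:
        return False
    _, presented = redirect
    return hmac.compare_digest(presented, derive_secret(key, client_ip))


if __name__ == "__main__":
    key = b"key-shared-by-old-and-new-server"    # constructed demo key
    rst = attacked_server_rst_options(key, "198.51.100.7", "203.0.113.10")
    syn = client_syn_options(rst)
    print("legitimate SYN accepted:", new_server_accepts_syn(key, "198.51.100.7", syn))
    print("spoofed source rejected:", new_server_accepts_syn(key, "198.51.100.8", syn))
    print("bare flood SYN rejected:", new_server_accepts_syn(key, "198.51.100.7", bytes([2, 4, 5, 180])))
```

The check in step 3 compares the presented secret with `hmac.compare_digest` so that a flood of guessed secrets cannot use timing to recover it byte by byte, and the parser rejects any option whose length runs past the end of the field before the secret is ever looked at.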