Distributed denial of service (DDoS) attacks have become more and more frequent. In 2013, a massive DDoS attack was launched against Spamhaus, a non-profit anti-spam mail organization. Up to 75 Gbps of DNS reflection traffic was directed at Spamhaus' servers, causing the service to shut down.
Although DDoS attacks have been around for as long as the Internet has been popular, no good solution has been offered yet.
In this paper, we present a solution based on TCP redirection using TCP header options. When a legitimate client attempts to connect to a server undergoing a SYN-flood DDoS attack, it initiates a TCP three-way handshake as usual; once the connection has been established, the server replies with a RST packet whose TCP header options carry a new server address and a secret. The client can then use the supplied secret to connect to the new server, which accepts only SYN packets carrying the correct secret.
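The redirect exchange sketched above, as an added illustration that is not code from the paper: the attacked server encodes the new address and a per-client secret in a TCP option on its RST, and the new server admits only SYNs whose option carries a valid secret. The option kind (253, an experimental kind), the 16-byte layout and the HMAC-based secret are assumptions made for this example; the paper does not specify them.

```python
import hmac
import hashlib
import socket
import struct
# Assumed layout: kind(1) len(1) IPv4(4) port(2) secret(8) = 16 bytes; kind 253 is an experimental kind.
REDIRECT_KIND = 253
REDIRECT_LEN = 16
SECRET_LEN = 8

def issue_secret(key: bytes, client_ip: str, new_ip: str) -> bytes:
    """Secret bound to client and target server via HMAC (assumed construction)."""
    msg = socket.inet_aton(client_ip) + socket.inet_aton(new_ip)
    return hmac.new(key, msg, hashlib.sha256).digest()[:SECRET_LEN]

def build_redirect_option(new_ip: str, new_port: int, secret: bytes) -> bytes:
    return struct.pack("!BB4sH8s", REDIRECT_KIND, REDIRECT_LEN,
                       socket.inet_aton(new_ip), new_port, secret)

def parse_options(options: bytes):
    """Walk a TCP option list (RFC 793 framing: EOL, NOP, kind/len/data)."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # EOL
            return
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return                         # malformed length: stop, don't loop
        length = options[i + 1]
        yield kind, options[i + 2:i + length]
        i += length

def parse_redirect_option(options: bytes):
    for kind, data in parse_options(options):
        if kind == REDIRECT_KIND and len(data) == REDIRECT_LEN - 2:
            ip, port, secret = struct.unpack("!4sH8s", data)
            return socket.inet_ntoa(ip), port, secret
    return None

def front_server_rst_options(key, client_ip, new_ip, new_port) -> bytes:
    """Options the attacked server places on its RST after the handshake."""
    return build_redirect_option(new_ip, new_port, issue_secret(key, client_ip, new_ip))

def new_server_accepts_syn(key, my_ip, client_ip, syn_options: bytes) -> bool:
    """Redirected server: accept only SYNs carrying a valid secret for this client."""
    parsed = parse_redirect_option(syn_options)
    if parsed is None:
        return False
    return hmac.compare_digest(parsed[2], issue_secret(key, client_ip, my_ip))
```

A SYN from a different source address, or one without the option, is dropped by the redirected server, which is what keeps flood traffic from reaching it.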