Publication Details

Defense Against SYN Flood DoS Attacks Using Network-based Mitigation Techniques

GOLDSCHMIDT, P.; KUČERA, J. Defense Against SYN Flood DoS Attacks Using Network-based Mitigation Techniques. In Proceedings of the IM 2021 - 2021 IFIP/IEEE International Symposium on Integrated Network Management. Bordeaux: International Federation for Information Processing, 2021. p. 772-777. ISBN: 978-3-903176-32-4.
Type
conference paper
Language
English
Authors
Keywords

TCP SYN Flood, DDoS mitigation, TCP SYN Authentication, RST Cookies, SYN Drop, TCP Handshaker

Abstract

TCP SYN Flood is one of the most widespread DoS attack types performed on computer networks nowadays. As a possible countermeasure, we implemented and deployed modified versions of three network-based mitigation techniques for TCP SYN authentication. All of them utilize the TCP three-way handshake mechanism to establish a security association with a client before forwarding its SYN data. These algorithms are especially effective against regular attacks with spoofed IP addresses. However, our modifications allow deflecting even more sophisticated SYN floods able to bypass most of the conventional approaches. This comes at the cost of the delayed first connection attempt, but all subsequent SYN segments experience no significant additional latency (<0.2ms). This paper provides a detailed description and analysis of the approaches, as well as implementation details with enhanced security tweaks. The discussed implementations are built on top of the hardware-accelerated FPGA-based DDoS protection solution developed by CESNET and are about to be deployed in its backbone network and Internet exchange point at NIX.CZ.

Published
2021
Pages
772–777
Proceedings
Proceedings of the IM 2021 - 2021 IFIP/IEEE International Symposium on Integrated Network Management
Conference
IFIP/IEEE International Symposium on Integrated Management, Bordeaux, France, FR
ISBN
978-3-903176-32-4
Publisher
International Federation for Information Processing
Place
Bordeaux
UT WoS
000696801700114
EID Scopus
BibTeX
@inproceedings{BUT168490,
  author="Patrik {Goldschmidt} and Jan {Kučera}",
  title="Defense Against SYN Flood DoS Attacks Using Network-based Mitigation Techniques",
  booktitle="Proceedings of the IM 2021 - 2021 IFIP/IEEE International Symposium on Integrated Network Management",
  year="2021",
  pages="772--777",
  publisher="International Federation for Information Processing",
  address="Bordeaux",
  isbn="978-3-903176-32-4",
  url="https://www.fit.vut.cz/research/publication/12359/"
}
Files
Back to top