Counteract SYN flooding using second chance packet filtering

摘要

One barrier that hinders wired and wireless LAN, is the security problems caused by ubiquitous attackers. From the 4-layer protocol stack architecture in the Internet, the TCP layer seems to be vulnerable to flooding attacks, like the notorious Distributed Denial of Service (DDoS), due to 3-way handshaking mechanism defined in the connection-oriented TCP layer. In wireless LAN, the assaulting patterns from TCP-based DDoS have the similar destructive patterns as that in the wired Internet. In this article, we propose a feasible approach to alleviate the impact caused by TCP SYN Flooding. With the effective dual-queue application, the proposed Second Chance Packet Filtering (SCPF) scheme can efficiently decrease the probability of accepting bad frames, under the condition of not bothering the legal frames as possible, and therefore counteract the TCP SYN Flooding to an acceptable level. Although the proposed method cannot solve the TCP SYN Flooding problem completely, it still provides an efficient, cost-effective approach to mitigate the DDoS attacks for the legitimate users.