Intentional SYN Drop for mitigation against SYN flooding attacks
draft-park-tcpm-intentional-syn-drop-option-00

Document Type Active Internet-Draft (individual)
Last updated 2018-12-04
Network Working Group                                             S. Ahn
Internet-Draft                                                   M. Park
Intended status: Informational                       Soongsil University
Expires: June 8, 2019                                   December 5, 2018

    Intentional SYN Drop for mitigation against SYN flooding attacks
             draft-park-tcpm-intentional-syn-drop-option-00

Abstract

   This document proposes an option to mitigate SYN flooding attacks,
   called Intentional SYN Drop (ISD).  This option can mitigate the SYN
   flooding attack by intentionally dropping the first SYN.  It also
   includes a connection management mechanism to detect intelligent
   attackers who mimic normal clients.  Therefore, it can effectively
   mitigate the SYN flooding DDoS attack.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 8, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Ahn & Park                Expires June 8, 2019                  [Page 1]
Internet-Draft            Intentional_SYN_Drop             December 2018

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  The concept of Intentional SYN Drop . . . . . . . . . . . . .   2
   4.  Intelligent attack  . . . . . . . . . . . . . . . . . . . . .   3
   5.  Proposed Intentional SYN Drop Mechanism . . . . . . . . . . .   4
     5.1.  Dropped SYN List  . . . . . . . . . . . . . . . . . . . .   4
     5.2.  SYN-RCVD Timer  . . . . . . . . . . . . . . . . . . . . .   4
   6.  Informative References  . . . . . . . . . . . . . . . . . . .   5
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   This document proposes an option to mitigate SYN flooding attacks by
   dropping the first SYN packet of a new TCP session in order to
   distinguish attack traffic from normal traffic.  A normal client
   reacts to the lost SYN in the usual way, i.e., it re-transmits the
   SYN after its retransmission timeout, whereas an attacker is not
   likely to re-transmit the SYN packet.  The server therefore allocates
   no resource for the attacker's connection attempt, and so avoids the
   resource exhaustion caused by a large number of half-open
   connections.  For the case in which attackers mimic normal clients,
   a connection management mechanism is also proposed.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  The concept of Intentional SYN Drop

   The main idea is based on a straightforward observation: a normal
   client re-transmits a TCP segment when its retransmission timer
   expires, whereas a SYN flooding attacker does not re-transmit
   anything.  If the server drops the first SYN, a dropped attack SYN
   therefore causes nothing to happen in the server, while a dropped
   SYN from a normal client is re-transmitted and can be served then.


   client     Server     Attacker1 Attacker2  Attacker3   Server
     |            |            |          |          |        |
     |SYN         |            |SYN       |          |        |
     |----------->|drop        |----------------------------->|drop
     |---+        |            |          |          |        |
     |   |        |            |          | SYN      |        |
     |timeout     |            |          |------------------>|drop
     |   |        |            |          |          |        |
     |<--+        |            |          |          | SYN    |
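The exchange in the figure, as an added example that is not part of the draft: a small Python model of an ISD server that drops every first SYN, admits only a SYN that is re-transmitted with the same source and ISN, and, for attackers that mimic a normal client's re-transmission but never finish the handshake, reclaims half-open state with a SYN-RCVD timer. The dropped-SYN list and the SYN-RCVD timer follow the titles of sections 5.1 and 5.2, whose text is not shown on this page; their bounds, windows and eviction policy are my assumptions, and the traffic mix (normal clients, a spoofed flood, mimicking attackers) is constructed.

```python
"""Toy event-driven model of Intentional SYN Drop (ISD).

Added example, not code from the draft.  The dropped-SYN list and the
SYN-RCVD timer are my reading of section titles 5.1/5.2; sizes, windows
and eviction are assumptions.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    t: float      # simulated arrival time in seconds
    src: str      # client address (real or spoofed)
    sport: int    # client port
    seq: int      # client ISN; a genuine retransmission repeats it
    flags: str    # "SYN" or "ACK"


class IsdServer:
    def __init__(self, drop_window=3.0, syn_rcvd_timeout=2.0,
                 max_dropped=1024, backlog=128):
        self.drop_window = drop_window            # must exceed client initial RTO (1 s, RFC 6298)
        self.syn_rcvd_timeout = syn_rcvd_timeout  # SYN-RCVD timer for half-open entries
        self.max_dropped = max_dropped            # bound on the cheap dropped-SYN list
        self.backlog = backlog                    # bound on the expensive half-open state
        self.dropped = OrderedDict()              # (src, sport, seq) -> time dropped
        self.half_open = {}                       # (src, sport) -> time SYN-ACK sent
        self.stats = {"dropped_first": 0, "accepted_retransmit": 0, "established": 0,
                      "expired_half_open": 0, "backlog_full": 0}

    def tick(self, now):
        """Run both timers: forget old dropped SYNs, reclaim stale half-open state."""
        while self.dropped and now - next(iter(self.dropped.values())) > self.drop_window:
            self.dropped.popitem(last=False)
        for key in [k for k, t0 in self.half_open.items() if now - t0 > self.syn_rcvd_timeout]:
            del self.half_open[key]
            self.stats["expired_half_open"] += 1

    def receive(self, seg):
        """Return the server's reaction ("DROP", "SYN-ACK" or "ESTABLISHED") to one segment."""
        self.tick(seg.t)
        conn = (seg.src, seg.sport)
        if seg.flags == "SYN":
            key = (seg.src, seg.sport, seg.seq)
            if key in self.dropped:
                # Retransmitted SYN: only now allocate half-open (TCB) state.
                del self.dropped[key]
                if len(self.half_open) >= self.backlog:
                    self.stats["backlog_full"] += 1
                    return "DROP"
                self.half_open[conn] = seg.t
                self.stats["accepted_retransmit"] += 1
                return "SYN-ACK"
            # First SYN: remember a small tuple and drop it; no TCB is allocated.
            if len(self.dropped) >= self.max_dropped:
                self.dropped.popitem(last=False)   # evict the oldest entry (assumption)
            self.dropped[key] = seg.t
            self.stats["dropped_first"] += 1
            return "DROP"
        if seg.flags == "ACK" and conn in self.half_open:
            del self.half_open[conn]
            self.stats["established"] += 1
            return "ESTABLISHED"
        return "DROP"


# --- constructed traffic, not captured data ----------------------------------
def normal_client(src, sport, t0, rto=1.0, seq=1000):
    """RFC 6298-style client: SYN, retransmit after RTO, then ACK the SYN-ACK."""
    return [Segment(t0, src, sport, seq, "SYN"),
            Segment(t0 + rto, src, sport, seq, "SYN"),
            Segment(t0 + rto + 0.05, src, sport, seq, "ACK")]


def spoofed_flood(n, t0):
    """Classic flood: every SYN from a spoofed source, sent exactly once."""
    return [Segment(t0 + i * 0.001, f"10.0.{i >> 8}.{i & 255}", 40000 + i, 7000 + i, "SYN")
            for i in range(n)]


def mimicking_attacker(n, t0, rto=1.0):
    """'Intelligent' attacker: retransmits the SYN so ISD admits it, but never ACKs."""
    segs = []
    for i in range(n):
        src, sport, seq = f"192.0.2.{i % 250}", 50000 + i, 9000 + i
        segs.append(Segment(t0 + i * 0.001, src, sport, seq, "SYN"))
        segs.append(Segment(t0 + rto + i * 0.001, src, sport, seq, "SYN"))
    return segs


def simulate(n_clients=3, n_flood=500, n_mimic=50):
    """Mix the three traffic kinds within ~1.5 s of simulated time and return
    (server stats, half-open entries left after the timers have fired)."""
    server, traffic = IsdServer(), []
    for i in range(n_clients):
        traffic += normal_client(f"198.51.100.{i + 1}", 30000 + i, t0=0.2 * i)
    traffic += spoofed_flood(n_flood, t0=0.5)
    traffic += mimicking_attacker(n_mimic, t0=0.0)
    for seg in sorted(traffic, key=lambda s: s.t):
        server.receive(seg)
    server.tick(max(s.t for s in traffic) + 10.0)   # let the SYN-RCVD timer expire the mimics
    return server.stats, len(server.half_open)
```

Running `simulate()` with the defaults shows the draft's argument in numbers: all 553 first SYNs are dropped without a TCB, the 500 spoofed SYNs are never heard from again, the 3 normal clients and the 50 mimics are admitted on their retransmission, and only the 3 normal clients reach ESTABLISHED while the SYN-RCVD timer reclaims the 50 mimic half-open entries. Two operational points the model makes visible: the drop window has to be longer than a client's initial retransmission timeout (1 s per RFC 6298) or a legitimate retransmission is treated as a fresh SYN and dropped again, and every new connection pays one RTO of extra handshake latency; and the dropped-SYN list is itself state an attacker can fill, so it must be bounded and far cheaper per entry than a TCB, as it is here. SYN cookies (RFC 4987) avoid even that per-SYN state, at the cost of losing TCP options; ISD keeps the options but keeps the list.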