    An approach based on IPtables to control TCP SYN flood distributed denial of service attack

    Master's Thesis (3.328Mb)
    Date
    2018-08
    Author
    Bbosa, Tonny
    Abstract
    TCP SYN flood attacks are among the commonest distributed denial-of-service (DDoS) attacks affecting online systems. The attack exploits the TCP three-way handshake to make the server or network inaccessible. An attacker continuously sends a stream of SYN requests to the target with a false return address. In turn, the victim responds to all requests using the false IP addresses provided by the attacker. Notably, the victim fails to reach the attacker and keeps an incomplete handshake open. Each of these connections is resource intensive, and cumulatively, maintaining all of them exhausts the victim's resources and maximum concurrent connections, hence a TCP SYN flood attack. Many approaches to detect and mitigate TCP SYN flood attacks are in place, but the attacks are still prevalent. This is due to the levels of efficiency and effectiveness these approaches present and to the need to consider new attack models that are more sophisticated. The research report presents an extended study of TCP SYN flood attacks, an approach based on iptables to detect and mitigate TCP SYN flood attacks on the fly, and experimental results showing the effectiveness of the tool. For this study, data was simulated to create an attack instance and analyzed using Wireshark (a packet analyzer tool) to study the effect of the attack. A designed approach based on firewall scripts was deployed and the traffic analyzed again to measure the effectiveness of the approach. Analysis of the results showed the effectiveness of the tool, and once the approach is adopted by system/network administrators the likelihood of TCP SYN flood attacks will be minimal.
    URI
    http://hdl.handle.net/10570/6936
    Collections
    • School of Computing and Informatics Technology (CIT) Collection

    DSpace 5.8 copyright © Makerere University 
    Contact Us | Send Feedback
    Theme by 
    Atmire NV
     

     
