This paper presents a novel scheme to mitigate the effect of SYN flooding attacks. The scheme, called intentional dropping based filtering, is based on the observation of client persistence (i.e., a client's reaction to packet loss by subsequent retransmissions), which is very widespread because it is built into TCP's connection setup. The main idea is to intentionally drop the first SYN packet of each connection request. A subsequent SYN packet from the same request is passed only if it adheres to TCP's timeout mechanism. Our analysis shows that the proposed scheme significantly reduces the attacker's effective attack rate, with an acceptable increase in connection establishment latency.
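The filtering idea in this abstract, sketched as an added example (not the paper's own code): each flow's first SYN is dropped, and a retransmission passes only if it arrives near the expected retransmission timeout. The flow key, the 1 s timeout, the tolerance window, the entry lifetime and the sample traffic are assumptions, since the abstract gives no parameters.

```python
from dataclasses import dataclass, field

# Assumed parameters (not given in the abstract): expected retransmission
# timeout, the tolerance around it, and how long a pending entry lives.
RTO = 1.0          # seconds; RFC 6298 initial RTO, assumed here
TOLERANCE = 0.25   # accepted deviation from RTO, assumed
ENTRY_TTL = 5.0    # pending entries older than this are forgotten, assumed

@dataclass
class SynFilter:
    pending: dict = field(default_factory=dict)  # flow key -> time of first SYN

    def on_syn(self, now, src, sport, dst, dport, isn):
        """Return 'DROP' or 'PASS' for a SYN segment seen at time `now`."""
        key = (src, sport, dst, dport, isn)  # a retransmitted SYN repeats the ISN
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > ENTRY_TTL:
            self.pending[key] = now          # first SYN: remember and drop
            return "DROP"
        gap = now - first_seen
        if abs(gap - RTO) <= TOLERANCE:      # retransmission on schedule
            del self.pending[key]
            return "PASS"
        return "DROP"                        # too early or too late: keep dropping

    def expire(self, now):
        """Remove stale entries so the table cannot grow without bound."""
        stale = [k for k, t in self.pending.items() if now - t > ENTRY_TTL]
        for k in stale:
            del self.pending[k]
        return len(stale)

def replay(events):
    """Run constructed (time, src, sport, isn) SYN events through the filter."""
    f = SynFilter()
    return [f.on_syn(t, src, sport, "192.0.2.10", 80, isn)
            for t, src, sport, isn in events]

# Constructed sample traffic: one persistent client, spoofed one-shot SYNs,
# and a sender that repeats a SYN immediately instead of waiting for the RTO.
SAMPLE = [
    (0.00, "198.51.100.7", 40000, 1111),   # client, first SYN
    (0.01, "203.0.113.1", 1234, 2222),     # spoofed, never retransmitted
    (0.02, "203.0.113.2", 1235, 3333),     # spoofed, never retransmitted
    (0.03, "203.0.113.3", 1236, 4444),     # eager sender, first SYN
    (0.05, "203.0.113.3", 1236, 4444),     # eager sender, repeats too soon
    (1.00, "198.51.100.7", 40000, 1111),   # client retransmits after ~1 s
]
```

Only the persistent client's on-schedule retransmission is passed; the cost to that client is one retransmission timeout of added setup latency.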