• DocumentCode
    1994561
  • Title
    A Poisoning-Resilient TCP Stack
  • Author
    Mondal, Amit ; Kuzmanovic, Aleksandar

  • fYear
    2007
  • fDate
    16-19 Oct. 2007
  • Firstpage
    174
  • Lastpage
    183
  • Abstract
    We treat the problem of large-scale TCP poisoning: an attacker who is able to monitor TCP packet headers in the network can deny service to all flows traversing the monitoring point simply by injecting a single spoofed data or control packet into each of the flows. One of the entities responsible for this severe vulnerability is certainly the TCP protocol itself: it behaves as a "dummy" state machine that can all too easily be desynchronized by an attacker. In this paper, we explore ways of upgrading TCP endpoints into viable DoS-resilient protocol entities, capable of mitigating large-scale poisoning attacks. We show, by means of analytical modeling, simulations, and Internet experiments, how small upgrades implemented by the endpoints can dramatically improve resilience to attacks. The key mechanisms unique to our approach are (i) deferred protocol reaction, used to accurately detect poisoning attacks; (ii) forward nonces, applied to distinguish among different traffic sources during the attack; and (iii) self-clocking-based correlation, utilized for successfully detecting legitimate packet streams. Our solution relies solely on the protocol design; it is incrementally deployable and TCP friendly.
  • Keywords
    Internet; telecommunication traffic; transport protocols; DoS-resilient protocol; Internet; TCP packet headers; deferred protocol reaction; dummy state machine; forward nonces; large-scale poisoning attacks; legitimate packet streams; poisoning-resilient TCP stack; self-clocking-based correlation; traffic sources; Analytical models; Authentication; Computer crime; Internet; Large-scale systems; Monitoring; Network servers; Protocols; Toxicology; Web server
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network Protocols, 2007. ICNP 2007. IEEE International Conference on
  • Conference_Location
    Beijing
  • Print_ISBN
    978-1-4244-1588-5
  • Electronic_ISBN
    978-1-4244-1588-5
  • Type
    conf
  • DOI
    10.1109/ICNP.2007.4375848
  • Filename
    4375848