• DocumentCode
    476044
  • Title

    Defending against tcp syn flooding with a new kind of syn-agent

  • Author

    Liu, Pi-e ; Shen, Zhong-hua

  • Author_Institution
    Sch. of Comput. Sci. & Technol., Harbin Univ. of Sci. & Technol., Harbin
  • Volume
    2
  • fYear
    2008
  • fDate
    12-15 July 2008
  • Firstpage
    1218
  • Lastpage
    1221
  • Abstract
    TCP-based flooding is a common form of denial-of-service (DoS) attack that abuses network resources and may pose a serious threat to the network. The SYN flood attack is a DoS method that forces hosts to retain connections in the half-open state and exhausts their memory resources. The attack is hard for routers to filter when the source IP address is always spoofed. There are some common ways to defend against this attack, but all of them either require a high-performance firewall or trade time for space. In this paper, we propose a method to build a new kind of syn-agent that uses the reserved flag bits of the TCP header to notify the server of a completed three-way TCP handshake. First, the syn-agent, instead of the real server, answers the client with an ACK after receiving a SYN packet from the client. If it is a SYN attack, there should be no further ACKs after this, and after a given short period the half-open TCP sock should be deleted from the agent. If it is a real connection request, then once the third handshake packet arrives, the agent sets the reserved bit in the TCP header to '1' and routes the packet to the real server. When the server receives a packet with the reserved bits set to '1', it directly allocates memory for the connection and begins to communicate.
  • Keywords
    IP networks; software agents; telecommunication network routing; telecommunication security; transport protocols; IP address; SYN-agent; TCP syn flooding attack; denial-of-service attacks; high-performance firewall; Computer crime; Computer science; Cybernetics; Electronic mail; Floods; Internet; Machine learning; TCPIP; Transport protocols; Web server; DoS; SYN flooding; syn-agent;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Machine Learning and Cybernetics, 2008 International Conference on
  • Conference_Location
    Kunming
  • Print_ISBN
    978-1-4244-2095-7
  • Electronic_ISBN
    978-1-4244-2096-4
  • Type

    conf

  • DOI
    10.1109/ICMLC.2008.4620589
  • Filename
    4620589