Distributed denial-of-service (DDoS) attacks have been popular for a simple reason: they work. The results of a DDoS attack can be crippling. An attacker can use a DDoS attack to shut down a business, for example, or to prevent a political adversary from sharing opinions. Before the rise of DDoS attacks in 1999, attackers usually launched denial-of-service attacks from a handful of networked machines. When tools like Trinoo and Tribe Flood Network 2000 were widely released, launching a flood from thousands of machines became quite easy. Today, most DDoS attacks are launched from botnets made up of tens of thousands of machines or more. Some current reports claim that a few botnets boast more than a million infected machines.
During the past few years, service providers have been implementing more proactive defenses, using automated sensors and blocking technology to look for unusual traffic patterns that are often associated with a DDoS attack.
Detection mechanisms implemented in tools such as Arbor Networks Inc.’s Peakflow, Cisco Systems Inc.’s Guard DDoS mitigation appliances and Mazu Networks Inc.’s Enforcer look for the tell-tale signs of a SYN flood: a surge of TCP SYN segments toward a target whose three-way handshakes are never completed, leaving the server holding half-open connections.
Before discussing SYN flood detection mechanisms, it will be useful to review the process of establishing a Transmission Control Protocol (TCP) connection.
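To make the detection idea concrete, here is an added example (not code from the original post, nor from Arbor, Cisco or Mazu) that reproduces the core tell-tale sign those products watch for: per destination and per time window, it counts TCP SYNs and how many of them are followed by the client's handshake-completing ACK, and raises an alert when the completion ratio collapses. The traffic, the `Packet` record, the window size and the thresholds (`min_syns`, `max_complete_ratio`) are all constructed or assumed for illustration; a real sensor would read these fields from packet captures or flow records.

```python
"""Added example: a minimal SYN-flood detector over constructed packet
records. It illustrates the tell-tale sign of a SYN flood, namely many
TCP SYNs that are never completed by the client's final ACK, and is not
code from the original post or from any vendor product it names.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds (assumed field)
    src: str       # client/source IP
    dst: str       # server/destination IP
    dport: int     # destination port
    flags: str     # TCP flags as a string: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


def detect_syn_flood(packets, window=1.0, min_syns=20, max_complete_ratio=0.2):
    """Return one alert tuple (window_start, dst, dport, syns, completed) for
    each destination whose handshake completion ratio within a window falls
    below max_complete_ratio. The window length and both thresholds are
    illustrative assumptions, not values from any product.
    """
    # (src, dst, dport) -> index of the window in which the SYN was seen
    pending = {}
    # (window_index, dst, dport) -> [syn_count, completed_count]
    stats = defaultdict(lambda: [0, 0])

    for p in sorted(packets, key=lambda p: p.ts):
        win = int(p.ts // window)
        key = (p.src, p.dst, p.dport)
        if p.flags == "S":
            # First handshake step: remember the SYN and count it.
            pending[key] = win
            stats[(win, p.dst, p.dport)][0] += 1
        elif p.flags == "A" and key in pending:
            # Third handshake step from the same client: credit the SYN's
            # window with a completed handshake (the server's SYN-ACK is
            # not needed to decide this and is ignored).
            syn_win = pending.pop(key)
            stats[(syn_win, p.dst, p.dport)][1] += 1

    alerts = []
    for (win, dst, dport), (syns, completed) in sorted(stats.items()):
        if syns >= min_syns and completed / syns < max_complete_ratio:
            alerts.append((win * window, dst, dport, syns, completed))
    return alerts


def constructed_traffic():
    """Constructed sample: one second of normal traffic followed by one
    second in which two real clients connect while fifty spoofed sources
    send SYNs that are never acknowledged. All addresses are documentation
    ranges (RFC 5737) and the traffic is invented for this example."""
    pkts = []
    server = "203.0.113.10"
    # Window 0: ten legitimate clients, each completing the handshake.
    for i in range(10):
        src = f"198.51.100.{i + 1}"
        pkts.append(Packet(0.05 * i, src, server, 80, "S"))
        pkts.append(Packet(0.05 * i + 0.02, src, server, 80, "A"))
    # Window 1: two legitimate clients ...
    for i in range(2):
        src = f"198.51.100.{20 + i}"
        pkts.append(Packet(1.1 + 0.05 * i, src, server, 80, "S"))
        pkts.append(Packet(1.1 + 0.05 * i + 0.02, src, server, 80, "A"))
    # ... plus fifty spoofed SYNs with no follow-up ACK (the flood).
    for i in range(50):
        pkts.append(Packet(1.0 + 0.01 * i, f"192.0.2.{i + 1}", server, 80, "S"))
    return pkts


if __name__ == "__main__":
    for start, dst, dport, syns, completed in detect_syn_flood(constructed_traffic()):
        print(f"t={start:.1f}s {dst}:{dport} syns={syns} completed={completed} "
              f"ratio={completed / syns:.2f} -> possible SYN flood")
```

The ratio test matters more than the raw SYN count: a legitimate traffic spike also raises the SYN rate, but its handshakes complete, whereas spoofed SYNs cannot be acknowledged because the SYN-ACK goes to an address that never sent the SYN. Crediting the ACK to the window in which its SYN arrived keeps a handshake that straddles a window boundary from being counted as half-open.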