| Mitigation Method | Operation Principle | Resource Usage on Server | Effectiveness Against High Attack Volume | Spoofing Protection | Latency Impact | Recommended Use Case | Pros | Cons |
|---|---|---|---|---|---|---|---|---|
| ACK Cookie | Answers the SYN with two SYN/ACK probes, one with a valid and one with a deliberately wrong acknowledgement number, and checks that the client ACKs the valid one and RSTs the invalid one; a blind spoofer never receives either probe and so cannot answer | Low (no connection state until the client's replies arrive) | Medium to High | Good | Low | When the return path (server to client) has enough bandwidth for the extra probes | Accurate spoof detection; simple mechanism | Doubles outbound SYN/ACK traffic; needs return-path bandwidth; slightly more complex than a plain cookie |
| SYN Cookie | Encodes the client's ISN, a coarse time counter and an MSS index into the SYN/ACK sequence number with a keyed hash; the final ACK is recomputed and checked, so no per-SYN state is kept | Very Low (stateless until the ACK arrives) | High | Good | Low to Medium | High-volume attacks where return-path bandwidth is scarce | Stateless; scales under heavy load | Limited TCP options: only the MSS survives encoding, window scale and SACK are lost unless carried another way; the SYN/ACK cannot be retransmitted because the server holds no state |
| SYN Retransmission Verification | Drops the first SYN from a source and accepts only a retransmitted SYN, which a real TCP stack sends after its retransmission timeout and a spoofed source never does | Low to Medium | Low to Medium | Moderate | Medium (every new client waits out its initial SYN retransmission timeout, about 1 s per RFC 6298) | Low-volume attacks or environments that can tolerate the setup delay | Simple; relies on standard TCP behaviour | Not suitable for high volume; adds a full retransmission timeout to every connection setup |
| TCP SYN Cache | Keeps a compact hashed entry per half-open connection instead of a full connection block; the full socket is allocated only when the handshake ACK arrives | Low to Medium | Medium to High | Good | Low | General purpose, moderate attack volume | Cuts per-SYN memory; the full handshake, options included, still completes normally | Cache can fill under sustained floods; evicted entries mean some legitimate connections are dropped |
| TCP SYN Proxy | A device in front of the server completes the three-way handshake itself and opens a connection to the server only for clients that finish it, translating sequence numbers between the two sides | Low on server (the proxy absorbs the flood) | High | Excellent | Medium (extra proxy hop) | High-volume attacks, critical servers | Strong spoof protection; server resources never see unverified SYNs | Adds latency; more complex to deploy; sequence-number translation can strip or break TCP options such as SACK |
| TCP Window Scaling Verification | Checks the window-scale option in SYNs for consistency and drops malformed or implausible values | Minimal | Low to Medium | Moderate | Negligible | Environments where flood tools send malformed window-scale options | Lightweight check | Limited filtering power; may block legitimate clients whose stacks set the option unusually |
| Three-Way Handshake Completion Verification | Allocates server resources only after the client's ACK completes the handshake | Low | Medium to High | Good | Low | Standard defence for most TCP servers | Prevents resource exhaustion before the client has proven reachability | May delay connection establishment slightly |
| TCP Timestamp Validation | Checks the TCP timestamp option carried in SYN packets for plausibility | Minimal | Low to Medium | Moderate | Negligible | Supplementary check alongside other methods | Simple heuristic | Attackers can mimic plausible timestamps; weak on its own |
| Selective SYN/ACK Retransmission | Sends or retransmits a SYN/ACK only to clients that pass behavioural heuristics | Low | Medium | Moderate | Low to Medium | Environments with good profiling of client behaviour | Avoids unnecessary SYN/ACKs; reduces load | Risk of false positives; heuristics are complex to tune |
| IP Traceback and Validation | Verifies at the network layer that the source address is plausible for the ingress interface (e.g. uRPF, BCP 38 ingress filtering at edge routers) | Low | Medium to High | Excellent | Negligible | When combined with edge network devices | Strong spoof detection; packets are dropped before reaching the server | Requires infrastructure support; not a standalone defence |
Description
Known TCP Connection Validation Methods for DDoS Mitigation and SYN/ACK Flood Filtering
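The SYN cookie row is the one method above whose whole mechanism fits in a few lines, and the example below, added here and not taken from the page or any particular implementation, shows it end to end: a Linux-style cookie layout (top 8 bits a 64-second time counter, low 24 bits a keyed hash plus a 2-bit MSS index, all added to the client's ISN and a second keyed hash), the stateless validation of the final ACK, and the caveats the table lists (only the MSS survives, stale and forged ACKs are rejected). The secret key, addresses, ports, ISN and clock values are constructed for the demonstration; the MSS table and tick length are assumptions chosen for the example.

```python
"""Stateless TCP SYN cookie encode/decode, Linux-style layout (added example)."""
import hashlib
import hmac
import socket
import struct

# Only these MSS values can be encoded (2 bits of the cookie). Window scale,
# SACK-permitted and other SYN options are not recoverable from a bare cookie,
# which is the "limited TCP options" cost in the table. Table values assumed.
MSS_TABLE = (536, 1300, 1440, 1460)
TICK_SECONDS = 64          # one cookie "minute"; the counter lives in the top 8 bits
MAX_AGE_TICKS = 2          # ACKs carrying a counter older than this are rejected
MASK32 = 0xFFFFFFFF
MASK24 = 0xFFFFFF


def _hash(key: bytes, saddr: str, daddr: str, sport: int, dport: int, count: int) -> int:
    """Keyed 32-bit hash over the 4-tuple and a counter (HMAC-SHA256, truncated)."""
    msg = socket.inet_aton(saddr) + socket.inet_aton(daddr) + struct.pack("!HHI", sport, dport, count)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def _tick(now: int) -> int:
    """Coarse time counter, 8 bits wide."""
    return (now // TICK_SECONDS) & 0xFF


def make_cookie(key, saddr, daddr, sport, dport, client_isn, client_mss, now):
    """Return the SYN/ACK sequence number for a SYN, keeping no state at all.

    cookie = h1 + client_isn + (tick << 24) + ((h2(tick) + mss_index) & MASK24)  (mod 2**32)
    """
    mss_index = 0                                   # fall back to the smallest MSS
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:                       # largest table entry the client accepts
            mss_index = i
    tick = _tick(now)
    h1 = _hash(key, saddr, daddr, sport, dport, 0)
    h2 = _hash(key, saddr, daddr, sport, dport, tick)
    return (h1 + client_isn + (tick << 24) + ((h2 + mss_index) & MASK24)) & MASK32


def check_cookie(key, saddr, daddr, sport, dport, ack_seq, ack_ack, now):
    """Validate the client's final ACK. Returns the MSS to use, or None if invalid.

    ack_seq / ack_ack are the SEQ and ACK fields of the ACK segment:
    SEQ = client_isn + 1, ACK = cookie + 1 (the client acknowledges our ISN).
    """
    client_isn = (ack_seq - 1) & MASK32
    cookie = (ack_ack - 1) & MASK32
    h1 = _hash(key, saddr, daddr, sport, dport, 0)
    rest = (cookie - h1 - client_isn) & MASK32      # (tick << 24) | ((h2 + mss_index) & MASK24)
    tick = rest >> 24
    age = (_tick(now) - tick) & 0xFF
    if age >= MAX_AGE_TICKS:
        return None                                 # stale or replayed cookie
    h2 = _hash(key, saddr, daddr, sport, dport, tick)
    mss_index = (rest - h2) & MASK24
    if mss_index >= len(MSS_TABLE):
        return None                                 # forged or corrupted cookie
    return MSS_TABLE[mss_index]


if __name__ == "__main__":
    key = b"rotate-me-periodically"                 # constructed demo secret
    tuple4 = (key, "198.51.100.7", "203.0.113.10", 51515, 443)   # constructed addresses/ports
    client_isn, now = 0x12345678, 1_000_000
    cookie = make_cookie(*tuple4, client_isn, 1460, now)
    print("SYN/ACK seq (cookie):", hex(cookie))
    print("valid ACK   ->", check_cookie(*tuple4, client_isn + 1, cookie + 1, now + 5))
    print("forged ACK  ->", check_cookie(*tuple4, client_isn + 1, cookie + 2, now + 5))
    print("stale ACK   ->", check_cookie(*tuple4, client_isn + 1, cookie + 1, now + 3 * TICK_SECONDS))
```

The server allocates nothing between `make_cookie` and `check_cookie`; everything it needs to recover (time window and MSS) comes back in the ACK, which is why the method is "stateless until the ACK arrives" and why the table lists the loss of other SYN options as its main cost. The key should be rotated periodically, and because a 24-bit hash is all that protects the cookie, the short `MAX_AGE_TICKS` window matters: it bounds how long a captured cookie can be replayed.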