README.md added

Tizian Maxime Weigt 2025-06-19 09:53:31 +00:00
commit 3306d4caa9

README.md Normal file

@ -0,0 +1,12 @@
| **Mitigation Method** | **Operation Principle** | **Resource Usage on Server** | **Effectiveness on Attack Volume** | **Spoofing Protection** | **Latency Impact** | **Recommended Use Case** | **Pros** | **Cons** |
| ----------------------------------------------- | --------------------------------------------------------------------------- | -------------------------------------- | ---------------------------------- | ----------------------- | ---------------------------------- | -------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------- |
| **ACK Cookie** | Sends two ACK packets: one valid, one invalid; verifies client response | Low (only ACK responses handled) | Medium to High | Good | Low | When reverse bandwidth is sufficient | Accurate spoof detection; simple mechanism | Requires reverse bandwidth; slightly more complex |
| **SYN Cookie** | Encodes connection info in SYN/ACK sequence number (cookie) | Very Low (stateless until ACK arrives) | High | Good | Low to medium | High-volume attacks without reverse bandwidth | Stateless; scalable under high load | Limited TCP options; some legitimate options lost |
| **SYN Retransmission Verification** | Drops initial SYN, waits for retransmitted SYNs to confirm legitimacy | Low to Medium | Low to Medium | Moderate | Medium (waits for retransmissions) | Low volume attacks or environments with retransmission | Simple; leverages TCP behavior | Not suitable for high volume; delay in connection setup |
| **TCP SYN Cache** | Stores hashed SYN info, allocates full connection only after ACK | Low to Medium | Medium to High | Good | Low | General purpose, moderate attack volume | Reduces memory use; allows full handshake later | Cache overflow risk; may drop connections under heavy load |
| **TCP SYN Proxy** | Completes handshake on behalf of server, forwards only verified connections | Low on server (proxy handles load) | High | Excellent | Medium (proxy delay) | High-volume attacks, critical servers | Strong spoof protection; protects server resources | Adds latency; complexity in setup; may break TCP options |
| **TCP Window Scaling Verification** | Validates window scaling option to filter invalid SYNs | Minimal | Low to Medium | Moderate | Negligible | Environments where spoofed packets misuse window scaling | Lightweight verification | Limited filtering power; may block some legit clients |
| **Three-Way Handshake Completion Verification** | Allocates resources only after full handshake | Low | Medium to High | Good | Low | Standard defense for most TCP servers | Prevents early resource exhaustion | May delay connection establishment slightly |
| **TCP Timestamp Validation** | Checks TCP timestamp option in SYN packets | Minimal | Low to Medium | Moderate | Negligible | Supplementary verification | Simple heuristic check | Attackers may mimic timestamps; limited alone |
| **Selective SYN ACK Retransmission** | Sends SYN/ACK only to clients meeting heuristics | Low | Medium | Moderate | Low to Medium | Environments with good profiling of client behavior | Reduces unnecessary SYN/ACKs; reduces load | Risk of false positives; complex heuristics required |
| **IP Traceback and Validation** | Verifies source IP authenticity using network-level checks | Low | Medium to High | Excellent | Negligible | When combined with edge network devices | Strong spoof detection; early packet filtering | Requires infrastructure support; not standalone defense |
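
Review bot: the file opens directly with the table header on line 1, so the README has no title or introduction naming the attack these methods mitigate, the source of the comparison, or what the qualitative ratings (Low, Medium, High, Good, Excellent) are measured against; add a heading and a short scope paragraph above the table, plus a line defining the rating scale. Two rows also need a consistency pass. In the ACK Cookie row, Pros says "simple mechanism" while Cons says "slightly more complex", so one of them should go or be qualified. In the Selective SYN ACK Retransmission row, the principle "Sends SYN/ACK only to clients meeting heuristics" describes selective sending rather than retransmission, so either the name or the description should be adjusted. The Three-Way Handshake Completion Verification row ("Allocates resources only after full handshake") overlaps with what the SYN Cookie and SYN Cache rows already describe; say how it differs or merge it.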