commit 3306d4caa9df25325450584cf586db3da51a1794 Author: Tizian Maxime Weigt Date: Thu Jun 19 09:53:31 2025 +0000 Added README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..896ce79 --- /dev/null +++ b/README.md 
@@ -0,0 +1,12 @@ +| **Mitigation Method** | **Operation Principle** | **Resource Usage on Server** | **Effectiveness on Attack Volume** | **Spoofing Protection** | **Latency Impact** | **Recommended Use Case** | **Pros** | **Cons** | +| ----------------------------------------------- | --------------------------------------------------------------------------- | -------------------------------------- | ---------------------------------- | ----------------------- | ---------------------------------- | -------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------- | +| **ACK Cookie** | Sends two ACK packets: one valid, one invalid; verifies client response | Low (only ACK responses handled) | Medium to High | Good | Low | When reverse bandwidth is sufficient | Accurate spoof detection; simple mechanism | Requires reverse bandwidth; slightly more complex | +| **SYN Cookie** | Encodes connection info in SYN/ACK sequence number (cookie) | Very Low (stateless until ACK arrives) | High | Good | Low to medium | High-volume attacks without reverse bandwidth | Stateless; scalable under high load | Limited TCP options; some legitimate options lost | +| **SYN Retransmission Verification** | Drops initial SYN, waits for retransmitted SYNs to confirm legitimacy | Low to Medium | Low to Medium | Moderate | Medium (waits for retransmissions) | Low volume attacks or environments with retransmission | Simple; leverages TCP behavior | Not suitable for high volume; delay in connection setup | +| **TCP SYN Cache** | Stores hashed SYN info, allocates full connection only after ACK | Low to Medium | Medium to High | Good | Low | General purpose, moderate attack volume | Reduces memory use; allows full handshake later | Cache overflow risk; may drop connections under heavy load | +| **TCP SYN Proxy** | Completes handshake on behalf of server, forwards only verified connections | Low 
on server (proxy handles load) | High | Excellent | Medium (proxy delay) | High-volume attacks, critical servers | Strong spoof protection; protects server resources | Adds latency; complexity in setup; may break TCP options | +| **TCP Window Scaling Verification** | Validates window scaling option to filter invalid SYNs | Minimal | Low to Medium | Moderate | Negligible | Environments where spoofed packets misuse window scaling | Lightweight verification | Limited filtering power; may block some legit clients | +| **Three-Way Handshake Completion Verification** | Allocates resources only after full handshake | Low | Medium to High | Good | Low | Standard defense for most TCP servers | Prevents early resource exhaustion | May delay connection establishment slightly | +| **TCP Timestamp Validation** | Checks TCP timestamp option in SYN packets | Minimal | Low to Medium | Moderate | Negligible | Supplementary verification | Simple heuristic check | Attackers may mimic timestamps; limited alone | +| **Selective SYN ACK Retransmission** | Sends SYN/ACK only to clients meeting heuristics | Low | Medium | Moderate | Low to Medium | Environments with good profiling of client behavior | Reduces unnecessary SYN/ACKs; reduces load | Risk of false positives; complex heuristics required | +| **IP Traceback and Validation** | Verifies source IP authenticity using network-level checks | Low | Medium to High | Excellent | Negligible | When combined with edge network devices | Strong spoof detection; early packet filtering | Requires infrastructure support; not standalone defense | \ No newline at end of file
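Review bot: The new README.md is a bare comparison table with no title, no sentence stating what threat it compares mitigations for, and no source for the ratings in the `Resource Usage on Server`, `Effectiveness on Attack Volume` and `Spoofing Protection` columns; a reader landing on the repository cannot tell whether "Good" or "Medium to High" are measured results or the author's judgement. Suggest adding a heading and one line of context above the table, e.g. `# TCP SYN flood mitigation methods` followed by `Comparison of server- and network-side techniques for surviving TCP SYN floods; ratings are qualitative.`, and a footnote or extra column citing where each rating comes from. Two rows also overlap in principle: `**TCP SYN Cache**` ("allocates full connection only after ACK") and `**Three-Way Handshake Completion Verification**` ("Allocates resources only after full handshake") describe the same allocation policy, so either merge them or state in the cells what distinguishes them. Finally, the file ends with `\ No newline at end of file`; add the trailing newline so later diffs stay clean.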