

Page 1: SYN Flooding Paper (1)

Conference Session A146167

Disclaimer—This paper partially fulfills a writing requirement for first year (freshman) engineering students at the University of Pittsburgh Swanson School of Engineering. This paper is a student, not a professional, paper. This paper is based on publicly available information and may not provide complete analyses of all relevant data. If this paper is used for any purpose other than these authors’ partial fulfillment of a writing requirement for first year (freshman) engineering students at the University of Pittsburgh Swanson School of Engineering, the user does so at his or her own risk.

PREVENTING SYN FLOOD DOS ATTACKS

Brian Maher, [email protected], Bursic 2:00, Thomas Bui, [email protected], Lora 6:00

Abstract— Just about every piece of technology that can communicate with other electronics uses servers. Servers are the highways that enable the sharing of information between two computers, or other types of technologies. This communication makes these servers public, putting them at risk of attack by hackers. Computer systems or servers that provide services based on the well-known Transmission Control Protocol (TCP) are susceptible to SYN flooding attacks from external hosts on the network. External hosts continuously send massive numbers of requests to the server in an attempt to exhaust its resources, leaving the server unable to answer legitimate client requests for connection. This paper discusses how SYN flooding works, several approaches for dealing with server exhaustion problems, and the advantages and disadvantages of each approach. This paper will examine the effects of a DoS attack on a server. We will describe the process of performing an attack as well as the various currently available methods to prevent and defend against them. We will expand upon these methods in addition to presenting our recommended type of defense.

Key Words— ACK, client, DoS attack, server, spoof packet, SYN flooding, three-way handshake

TECHNOLOGY IN MODERN DAY SOCIETY

America is an incredibly consumer-driven society. This is one of the many factors that fuel the insatiable need for new and innovative technologies. Through these developments and innovations in devices like cellphones, computers, cars, and watches, the increase in devices that communicate with a server increases the ease of use for the consumer; however, it also makes the consumer increasingly vulnerable to hackers. Any device that connects to a server is vulnerable to being hacked, as seen by the 20% increase in cyber-attacks from 2013 to 2014 [1]. The number of attacks is only going to increase as more technologies that depend on communication with servers are developed and purchased. In addition, there is a vast number of hacking methods, which only increases the ways in which a device can be hacked. With the methods and options for hacking only increasing, a viable method for preventing hackers’ attempts is necessary.

HACKING

There are many components to hacking. First, hacking can be defined as seeking and exploiting weaknesses in a computer system. This is a broad topic, leaving the spectrum of what a hack is very wide. There are also many methods of hacking. The easiest is the fake wireless access point. This is when a user believes they have connected to free Wi-Fi in a public place such as a Starbucks, but in reality they have connected to the hacker’s server, enabling the hacker to steal information from the victim’s computer. Another method of hacking is file name tricks. This is when a hacker posts a link somewhere on the web such as “Current Sports Scores”, and while you believe you will be redirected to the scores, a malicious file is downloaded to your computer, giving the hacker access to your data. For the purpose of this paper, we will be focusing on DoS attacks. This is also a hack because it exploits the public servers of a computer. From just these few examples it can be seen that almost anyone can perform a hack. For some of the simplest forms of hacking, all it takes is obtaining a copy of a malicious file that is already on the web and posting it where people will click on it. However, the most complicated hacks can only be performed by people with the most versatile knowledge of computers.

SUSTAINABILITY OF DOS ATTACKS

Sustainability, to a company, can be defined as the chance to succeed in its given market and fulfill the needs of its customers. For example, if Amazon, the online shopping mogul, were to be under a SYN flood attack, it would lead to a slower network. Customers would be unable to purchase their products; therefore Amazon would lose millions of dollars, and its customer satisfaction rating would drop.

DENIAL OF SERVICE ATTACKS

University of Pittsburgh, Swanson School of Engineering (2016/02/12)


Definition of DoS Attack

Denial of Service (DoS) attacks are becoming more prominent in the world as we continue to usher in a new age of technology. Any piece of technology that relies on communication with a server can be at risk of an attack. With new gadgets coming out every year such as smart watches, tablets, and even smart cars, all of which connect to servers, the risk of a DoS attack affecting people is only rising. DoS attacks can be used for a wide variety of things, such as freezing devices or taking down a company website. Anyone can be a victim, causing them to lose time, customers, or money. A DoS attack is where “an attacker attempts to prevent legitimate users from accessing information or services” [2]. This means that a company’s server, the way consumers access its information, such as a website, is practically disabled. The attacker causes this by sending many fake signals to the company’s server. The server is then so busy with the fake signals that it is incapable of responding to the signals of legitimate users. Some of the most common motives for a DoS attack are to interfere with a person’s or a company’s website, or the extortion of money. With these being just a few of the reasons that hackers attack private citizens, companies and government organizations, it can be seen that everyone is capable of becoming a target. The implications of these attacks make them an effective and easy form of disabling a server. Additionally, DoS attacks are very tough to trace, and almost impossible to anticipate. This, combined with the fact that attacks can be performed on every type of server from governments to local stores, makes everyone vulnerable as the target of an attack. DoS attacks encompass a wide variety of computer-related hacking attacks. This is because of the various ways that you can deny a service to servers.

A few of the most common types of DoS attacks are Economic Denial of Service (EDoS), Telephony Denial of Service (TDoS), Advanced Persistent Denial of Service (APDoS), and Distributed Denial of Service (DDoS), as seen in Figure 1. All of these are effective methods for creating some kind of denial of service to legitimate users. For the purpose of this paper DDoS is the most important due to its prevalence in society.


FIGURE 1: DoS Flowchart

Definition of DDoS Attack

Distributed denial of service (DDoS) attacks are a special type of DoS attack. They are just like DoS attacks and are used to prevent users from accessing information or services. However, rather than using just one computer, a DDoS attack uses a multitude of systems to attack a single target. This makes the DDoS attack much more effective, due to its increased speed from using multiple computers to perform the hack. The faster the hack can be performed, the smaller the window for prevention. “Among all the network attacks, the DDoS attack is easier to carry out, more harmful, hard to be traced, and difficult to prevent, so its threat is more serious” [3]. All of these reasons contribute to making DDoS attacks one of the most dangerous threats to innocent device users in the computer hacking world.

FIGURE 2: DDoS Attack

Within DDoS attacks there are many different effective methods for performing a successful attack. Of the wide variety of attacks, the most prevalent are ICMP Flood, GET Flood, DNS Attack, UDP Flood, and SYN Flood, as seen in Figure 2. SYN Floods are the most important on this list because they account for a majority of all DDoS attacks and have versatile uses. This puts anyone connected to a computer at risk of a SYN Flood attack, which is a major problem in a society that is increasingly connected to technology year by year.


FIGURE 3: DDoS Flowchart

Risks of DDoS Attacks

The possibilities of what someone can do with a DDoS attack are seemingly endless. They can be used for everything from a trivial attack on a local company that the attacker does not like, to a political statement on a government server. This was seen in a spike of traffic to florists’ websites just before Valentine’s Day. In a study of florist companies’ websites, more than 9 in 10 of the sites saw an increase in bot traffic, which comes from automated bots that visit websites to boost traffic. These bots are incapable of using a website such as a florist’s to purchase items; they merely boost traffic on the website. About 23% of websites that saw these spikes in traffic had problems with their websites due to the server being incapable of handling the amount of traffic [4]. This is detrimental to the companies because when their server traffic is filled up with bots, or fake users, there is no room for a legitimate consumer to shop on their website. So although it may seem good that there is more traffic to their webpage, it is all fake users that have no intention of using the website to shop. This is indicative of a DDoS attack and, more specifically, a SYN Flood attack. These attacks were not random; the attackers must have put thought into this, taking into account the time of year and what sites would be receiving the most traffic. Using this they are able to cause the most harm by hurting what is supposed to be one of the most profitable time periods for a company. If no one can access the website to shop for flowers, then no one is going to purchase from these shops when they should be experiencing a temporary increase in sales. This would cause a drop in profits for these businesses by driving sales away to competitors. Often the main goal of these types of attacks is the extortion of money.

The hackers usually contact the target requesting their preferred form of payment in return for the conclusion of the attack, often in the form of Bitcoins. Bitcoins are a bit harder to trace than a simple bank account to bank account transfer of money; this is because of the private keys and walls that can prevent people from getting access to a Bitcoin owner’s balance and information. These types of attacks, in the grand scheme of things, are very minor in comparison to the damage that could be caused in an attack on a large corporation or government. A small amount of preparation, namely the employment of a DDoS defense method, could have saved these florists money and improved their customer experience. The fact that 23% of these florist companies had a problem means that many hackers are familiar with DoS attacks and their effectiveness. As its prominence continues to grow it will affect an increasing number of people and companies [4]. This is enough cause for computer engineers to invest in prevention and defense techniques. However, this is just the least of the damage that a DDoS attack can do. On the other end of the spectrum, in April of 2014 a hacktivist group launched a DDoS attack against Boston Children’s Hospital in an attempt to make a statement about the controversial custody case of a child who was being held as a ward of the state [5]. These attacks, if they were successful, could have led to the damaging of the hospital’s servers and computers, hindering its ability to provide the best medical care to its patients. This makes it clearly evident that DDoS attacks can become very serious when the attackers take on high-profile victims such as a hospital. The variability in the severity of DDoS attacks is all the more reason to take these hackers and attacks very seriously. They can not only use their power to extort small local businesses, but they can also use it to affect the wellbeing of thousands of civilians.

SYN FLOODING CAN AFFECT EVERYONE

It is important to understand that, as of right now, SYN flooding attacks are impossible to stop. Furthermore, over the years, DoS attacks have gotten much more frequent and dangerous. According to a survey by Neustar, “60 percent of companies were impacted by a DDoS attack in 2013 and 87 percent were hit more than once” [10]. Since 2012, multiple financial institutions in the United States have been targeted by the “cyber fighters of Izz Ad-Din Al Qassam” [10]. Approximately 65 gigabytes per second of traffic were generated, disrupting many banks such as J.P. Morgan Chase, Bank of America, and Wells Fargo, and even the New York Stock Exchange. These attacks crashed servers and halted business matters for days, with outages reported by customers. SYN flood attacks affect not only the customers but also the companies. For example, even if the company websites were not taken down, they would still have to pay for bandwidth, extra maintenance, and operation costs. In certain cases, some systems may completely “exhaust memory, crash, or be rendered otherwise inoperative” [11]. Because SYN flood attacks have a negative impact on big companies and small users alike, we need a better understanding of how SYN flooding works and how to protect systems from SYN flood attacks, and we need to develop a comprehensive protection strategy.

SYN FLOODING


Definition of SYN Flooding

A SYN flood, a specific form of denial-of-service (DoS) attack, exploits part of the Transmission Control Protocol (TCP) three-way handshake. It attempts to consume resources on the server and network, thus rendering the server unresponsive to legitimate client requests. The normal TCP three-way handshake exchange includes three stages. The first stage begins with the client sending a SYN, or synchronize, message to the server requesting a connection. Second, the server acknowledges the received SYN by sending back a synchronize-acknowledgment, or SYN-ACK, message to the client. Lastly, the client responds with an acknowledgement, or ACK, packet, which allows a connection to be created between the host and the server. In a SYN flood attack, the attacker repeatedly sends SYN messages to the server, often using fake or spoofed IP addresses. Each time, the server sends a SYN-ACK back to the originating client IP address, expecting to receive an ACK back from the client. The client intentionally never sends the ACK, thus leaving the server with an increasingly large number of half-open connections. Eventually, the server runs out of connection slots to serve legitimate clients and may crash. This leaves minimal space for the legitimate users of the victim server. The longer the half-open connections last, the longer the server will be rendered useless and the less access legitimate users will have to the victim server. This gives the attacker an incredible amount of variability when choosing how to accomplish their goal.

FIGURE 4 [7]: TCP Example

The process of accessing a server is rather simple. When the user (shown in purple in Figure 3) finds the server they wish to communicate with, they will send a SYN request to the server. The server, in turn, will respond with a SYN-ACK message, where ACK is the acknowledgement of the user. Finally, the user can send the ACK packet back to the server. This results in the user being connected to the server with no problems.

FIGURE 5 [7]: SYN Flood Attack Example

When a SYN flood attack happens, it inhibits the sending of an ACK message back to the original user (shown in purple in Figure 4). This is caused by the client (shown in green in Figure 4) sending a relentless number of SYN messages to the server. This fills the cache of the server, therefore not allowing it to make any new connections. This results in the legitimate user being blocked from using the server.

SUCCESSFUL SYN FLOOD ATTACKS

In order to have a successful SYN flood attack, the hacker needs to have three important parameters. Firstly, there must be a great barrage size, meaning that the “barrage must be made large enough to reach the backlog” [8]. For example, if hacking a server, there would need to be a high volume of traffic in order for the attack to be successful. Secondly, there must be a certain barrage frequency. To remain effective, a SYN flooding attack needs to send new barrages of bogus connection requests as soon as the TCBs from the previous barrage begin to be reclaimed [8]. For example, say a timer is set to a 30 second limit from the first SYN-ACK sent. In order for this connection to stay open, the frequency of the packets must be within the time interval; otherwise the connection will be dropped. However, if the frequency of the barrage is too great, the attack will draw attention and the connection could possibly be dropped. Furthermore, if the frequency is too low, it “will allow windows of time where legitimate connections can be established” [8]. Lastly, the hacker must choose an IP address. As mentioned earlier, hackers generally use spoofed IP addresses that are “unresponsive to the SYN-ACK segments that the victim will generate” [8]. Spoofed IP addresses, which are extremely crucial to SYN flooding, allow the hacker to hide their true location. Having many lists of unresponsive and unrelated addresses will lead to a much stronger, successful attack.

IP Address Spoofing

All DoS attacks involve Internet Protocol, or IP, address spoofing. IP spoofing is where IP packets are created with a fake IP address in order to conceal the true identity and IP of the sender or hacker. First, the hacker must choose a host such as a computer. After trust is achieved between hacker and host, the host’s TCP sequence numbers are sampled. Lastly, the host “is impersonated, the sequence numbers guessed, and connection attempt is made to a service that only requires address-based authentication” [9]. If done correctly, the hacker is able to create a backdoor allowing the hacker to bypass normal authentication in a server. A sequence number is a number that is attached to any packet that is sent, and it contains a code for how much information is in the packet. With this, a hacker is able to impersonate another computer’s IP address and send packets from that IP address as their own. Because a hacker impersonates an IP address, the server will not be able to find the origin of the hacker, which can lead to identity theft and many other crimes.

TCP Exploitation

As mentioned earlier, SYN flooding exploits the TCP three-way handshake. The server first fills up a table known as the Transmission Control Block, or TCB, which contains all important information about any connection. The hacker must first send out a SYN packet to the server “telling the server that it wants a connection” [9]. Afterwards, the server sends back a SYN-ACK packet, which creates an entry in the TCB. During this time, the connection is in a time-wait status. This means that the local endpoint of the server has closed the connection. Lastly, the hacker is supposed to send back an ACK, or acknowledgment, packet.

However, the hacker will never send this last packet out. Because of this, the server will keep sending SYN-ACK packets out waiting for a response. Even if a server closes a session after thirty seconds or so, a hacker can still send thousands of gigabytes of data to the server during this time interval. Due to the massive amounts of data, the TCB is quickly overloaded, the stack does not accept any new connections, and existing ones are dropped.

SYN Floods Simplified

The concept of SYN floods can be a complicated and confusing one. To simplify this concept, imagine a computer server as a cell phone. If someone were to perform a DDoS attack on this phone, they would first send messages to multiple other people telling them they would like to perform the attack and that they should begin rapidly sending messages to the target phone. This freezes the phone to the point that anyone who attempts to use it cannot. This is due to the rapid reception of messages on the target phone causing it to slow down and continuously buzz. This renders the phone seemingly useless for the duration of the attack, just as a server is useless during a SYN flood attack.

Amazon’s SYN Flood Attack

A successful SYN flood attack on Amazon would be incredibly detrimental to its business. Amazon is one of the most recognized companies in the online shopping business, and has an incredible amount of daily traffic that its servers must handle. If a SYN flood attack were launched on Amazon, its servers would become overwhelmed and unable to handle all the traffic. This would lead to legitimate customers being blocked from accessing the products, as well as the website being down. Due to this, Amazon would immediately lose millions in sales, and in the long run lose customers to competing businesses. The longer the duration of the attack, the more it could cost Amazon, as well as tarnish its reputation. For a company with sales in the hundreds of billions of dollars yearly, a SYN flood attack may not be enough to completely put it out of business, as long as it is not too severe. However, for a smaller company that may rely solely on its reputation to help boost its sales, this could put it out of business. This makes a company that is attacked with a SYN flood almost completely unsustainable.

HOW TO PROTECT SYSTEMS FROM SYN FLOOD ATTACKS

There are several methods a system administrator can implement to protect their server from SYN flooding attacks. These include: Particle Swarm Optimization, network filtering, increasing the backlog, decreasing the receiver time-out, SYN cache, SYN cookies, firewalls and proxies. A system administrator can use all or a combination of these protection methods against SYN flooding, depending on factors such as the availability of resources, complexity and cost.

PSO Approach

The PSO, or Particle Swarm Optimization, approach is an algorithm that deals with the length of time that a half-open connection remains attached to the server and the number of half-open connections currently active. The algorithm uses the length of time and the number of open connections as its parameters for predicting whether SYN messages are legitimate or an attack. To start this process a connection request must be sent from the user to the server. When the user does this they receive a space in the queue in the buffer of the server, if one is available. If there are too many connection requests active, the user is blocked from access to the server. Think of the server as a restaurant. At the restaurant there is a limited number of seats, only allowing it to serve a certain number of customers. The “attacker” would be calling in reservations they do not intend to show up for, blocking legitimate customers from dining at the restaurant. As the attacker keeps sending more and more requests, the buffer begins to fill up and blocks more and more legitimate users from using the server. As the hacker continues to call in reservations, eventually the restaurant will have no open seats left for real customers to sit and eat. These connections, where the attacker does not respond to the server’s SYN-ACK message, are known as half-open connections. This algorithm is programmed to only hold half-open connections for a set amount of time, H seconds, potentially allowing the space to be filled by legitimate users. In the restaurant’s case, this would be allowing customers to be seated if no one shows up for 10 minutes after the reservation time. Also, it limits the number of active half-open connections to M at one time. For example, only a certain number of reservations are allowed to be made for one given time.

Through the adjustment of these two parameters, H and M, the algorithm is able to select the values that allow for a normal amount of connection traffic while also constantly calculating the probability of an attack for each request. “The victim server doesn't have any information to determine the type of arriving requests. It accepts all arriving requests and then applies PSO-SYN algorithm explain. The rule behind PSO-SYN algorithm is that, after h seconds in PSO-SYN half open connection is closed this is considered as an attack” [12]. The victim server has no information to determine if an incoming request is an attack or a legitimate request; it instead calculates the probability that a request is an attack from the information on the other currently active requests. This makes the PSO approach very accurate and reliable when it comes to defense against SYN flood attacks.

Increasing Backlog

Listening servers typically have a limited number of pending connections, also known as the backlog. When the backlog is reached, the server ignores incoming connection requests from legitimate clients. That is exactly what the attacker wants to happen. Increasing the backlog limit may allow the server to offer more connections, but it would eventually reach the limit under heavy attack. Though increasing the backlog can be useful, it should be implemented with other strategies in order to make full use of it.

Reducing SYN-Received timers

Another way to reduce the possibility of the backlog getting full is to reduce the timeout between the time the server receives the SYN and the time the client sends back the ACK. When the server does not receive the ACK back from the client within this timeout, the server deletes the SYN-received entry from the backlog. For example, the system variable SYN-timeout is typically set to sixty seconds by default, but a user can reduce that value to twenty seconds by changing the variable SYN-timeout. A “shorter timer will keep bogus connection attempts from persisting for as long in the backlog and thus free up space for legitimate connections sooner” [8]. However, this method is not very effective because under a heavy attack, the backlog will still run out of memory.

Implementing SYN Cookies

When the server receives a SYN from the client, it typically creates an entry in the Transmission Control Block, or TCB. However, in the SYN cookie technique, the server does not create a record in the TCB when it receives a SYN from the client. Instead, the server compresses all of the important data that would be in the TCB entry into a 32-bit cookie. The 32-bit cookie is embedded into the 32-bit sequence number of the TCP header [13] and sent back to the client as part of the SYN-ACK packet. When the client receives the SYN-ACK packet, it sends an ACK containing the embedded information in the sequence number back to the server. The server then extracts the information from the sequence number field and regenerates the supposed TCB information. If the sequence number is incorrect, the server drops the connection request from the client for good. If the information is correct, the server creates an entry in the TCB and establishes a connection with the client.


FIGURE 5 [13]: TCP Header

The SYN cookie technique can be effective even when a server is under heavy attack because it does not create any TCB records when a SYN packet is received. Therefore, the TCB will not be overloaded. However, the disadvantage of the cookie technique is that it may not be able to compress all of the data into the 32-bit sequence number field. Because of this, some high-performance TCP options will be unavailable or disabled. Furthermore, “the SYN-ACK cannot be retransmitted thus altering the TCP synchronization procedure” [14]. However, the retransmission issue will not cause a big problem because the client can always restart the three-way handshake.
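As an added example (not code from the paper or its sources), the following Python models the SYN cookie exchange described above: the server mints a 32-bit cookie as its initial sequence number instead of creating a TCB entry, and later validates the client's ACK with no stored state. The 5/3/24-bit layout, the MSS table, the secret, the tick-based lifetime and the addresses are constructed assumptions for this illustration.

```python
import hashlib
import hmac
import struct

# Constructed secret for this example; a real TCP stack draws it from a CSPRNG at boot.
SECRET = b"example-syn-cookie-secret"

# Assumed classic SYN-cookie layout: the 32-bit initial sequence number is
#   [5 bits: time counter t mod 32] [3 bits: MSS table index] [24 bits: keyed hash]
MSS_TABLE = (536, 1220, 1460, 4312, 8960)   # constructed table; an index must fit in 3 bits
COOKIE_LIFETIME_TICKS = 1                   # accept cookies minted this tick or the previous one


def _hash24(src_ip, src_port, dst_ip, dst_port, t):
    """Keyed hash over the connection 4-tuple and the time counter, truncated to 24 bits."""
    msg = struct.pack("!4sH4sHI", src_ip, src_port, dst_ip, dst_port, t)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, t):
    """ISN the server puts in its SYN-ACK instead of allocating a TCB entry.

    The client's MSS is rounded down to the nearest table entry: this is the
    lossy compression the paper describes, since only 3 bits survive in the cookie.
    """
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return ((t & 0x1F) << 27) | (idx << 24) | _hash24(src_ip, src_port, dst_ip, dst_port, t)


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """Validate the final ACK with no stored state; return the recovered MSS or None.

    The client acknowledges ISN+1, so the cookie is ack_num-1. Only the low 5 bits
    of t are in the cookie, so the full counter is recovered by trying the current
    tick and up to COOKIE_LIFETIME_TICKS earlier ones; an older ACK is rejected.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t_low = cookie >> 27
    idx = (cookie >> 24) & 0x7
    for age in range(COOKIE_LIFETIME_TICKS + 1):
        t = now - age
        if t < 0 or (t & 0x1F) != t_low:
            continue
        if (cookie & 0xFFFFFF) == _hash24(src_ip, src_port, dst_ip, dst_port, t):
            return MSS_TABLE[idx]
    return None


def demo():
    """Constructed handshake: 192.168.1.10:40000 -> 10.0.0.5:80 at time tick 1000."""
    client = (b"\xc0\xa8\x01\x0a", 40000)
    server = (b"\x0a\x00\x00\x05", 80)
    t = 1000
    isn = make_cookie(*client, *server, 1460, t)
    accepted = check_cookie(*client, *server, isn + 1, t)          # ACK arrives promptly
    late = check_cookie(*client, *server, isn + 1, t + 5)          # ACK arrives too late
    forged = check_cookie(*client, *server, isn + 1 + 0x100, t)    # hash bits tampered with
    return accepted, late, forged


if __name__ == "__main__":
    print(demo())  # (1460, None, None)
```

A spoofed SYN costs the server only one hash computation and no memory, which is why the table cannot be exhausted; the price is the rounded MSS and the inability to retransmit the SYN-ACK, as the paragraph above notes.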

Implementing SYN Cache

The goal of the SYN cache is to defer recording the SYN-received state in the full TCB until the connection is verified to come from a legitimate client. The SYN cache keeps the SYN-received entries in a separate hash table with a fixed maximum size; when that limit is reached, the oldest entry is dropped from the hash table to make room for the new one. When an ACK is received, the matching entry is deleted from the hash table and moved into the full TCB as an established connection. Therefore the backlog table does not fill up with half-open connections. When under attack, “SYN cache was able to establish legitimate connections with only about a 15-percent increase in latency” [14]. So not only does the SYN cache help mitigate SYN flood attacks, it also improves the speed of a server when not under attack.
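The bounded table described above, as an added example that is not part of the original paper: half-open entries live in an ordered hash table, the oldest entry is evicted when the table is full, and an entry is promoted to the full TCB only when an ACK carrying the expected number arrives. The capacity, the addresses and the flood scenario are constructed for the example.

```python
from collections import OrderedDict


class SynCache:
    """Constructed example, not the paper's code: a bounded table of half-open
    connections that stands in for the full TCB until the client's ACK arrives."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = OrderedDict()   # (client_ip, client_port) -> server ISN, oldest first
        self.established = {}            # full TCB entries, created only after a valid ACK
        self.evicted = 0                 # how many half-open entries were pushed out

    def on_syn(self, client_ip, client_port, server_isn):
        """Record a SYN-received entry; when full, drop the oldest one instead of failing."""
        key = (client_ip, client_port)
        if key in self.half_open:
            self.half_open.move_to_end(key)      # retransmitted SYN refreshes, no new slot
        elif len(self.half_open) >= self.capacity:
            self.half_open.popitem(last=False)   # oldest half-open entry makes room
            self.evicted += 1
        self.half_open[key] = server_isn
        return server_isn

    def on_ack(self, client_ip, client_port, ack_num):
        """Promote the entry to the full TCB only if the ACK matches the ISN we sent."""
        key = (client_ip, client_port)
        isn = self.half_open.get(key)
        if isn is None or ack_num != (isn + 1) & 0xFFFFFFFF:
            return False     # unknown, already evicted, or forged: nothing to promote
        self.established[key] = self.half_open.pop(key)
        return True


def simulate_flood(capacity=4, spoofed=10):
    """Constructed scenario: spoofed SYNs never complete, one real client does."""
    cache = SynCache(capacity)
    for i in range(spoofed):                       # spoofed sources never send an ACK
        cache.on_syn(f"10.0.0.{i}", 1000 + i, 100 + i)
    isn = cache.on_syn("198.51.100.7", 5555, 777)  # legitimate client
    accepted = cache.on_ack("198.51.100.7", 5555, isn + 1)
    return cache, accepted


if __name__ == "__main__":
    cache, accepted = simulate_flood()
    print("legitimate client established:", accepted)
    print("half-open entries:", len(cache.half_open), "evicted:", cache.evicted)
```

The scenario also shows the cache's residual weakness: a legitimate client whose ACK arrives only after its entry has been evicted must restart the handshake.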

Implementing Firewalls and Proxies

Firewalls are set up to allow or deny specific protocols, ports, or IP addresses. Proxies intercept and inspect incoming traffic and then either drop suspicious requests or pass the legitimate ones on to the server. The major advantage of implementing firewalls and proxies is that both are extremely effective and require no modification or configuration of the host operating system and software. However, a disadvantage is that they require expensive equipment and professionals to manage and maintain. This means that only big companies with a lot of money can afford to put up firewalls and proxies.

PROTECTION RECOMMENDATIONS

Considering all of the types of SYN flood defenses that we mentioned, we believe that the SYN cache and SYN cookie methods should be implemented to protect servers from SYN flood attacks. These methods are extremely effective and available in servers running relatively new operating systems. Companies that have enough resources should also implement firewalls and proxies.

INNOVATIVE COMPANIES

There are some companies that already realize the importance of defending against DDoS attacks. One of the companies at the forefront is Google. Google has launched a new project to help small sites on the internet avoid these attacks that are so detrimental to their servers. This plan is known as Project Shield and allows small sites to reroute the traffic going to their site through Google’s site, which is capable of handling much more traffic, so the chances of a successful DDoS attack are much smaller. At first, when Project Shield was launched, it “was used by about 100 sites focused on hot-button topics like human rights, election monitoring and independent political news. But now any "independent" news site (a site that isn't sponsored by the government or a political party) can use Project Shield to help avoid DDoS attacks. While big news sites are welcome to join, Google's continuing to focus its efforts on smaller sites that don't necessarily have the infrastructure needed to fight off such an attack.” [15]. The first hundred sites were hot-button topic sites because Google knew that these sites are the most likely to be subject to an attack, since many people with contrasting viewpoints would like these sites shut down. Now that Google has opened up this project to any independent site, it is a great step toward overcoming the dangers of DDoS attacks. Google is providing the small, less efficient companies with the best means to continuously provide the best to their users. The way in which Google protects these sites from the malicious traffic is kept secret so as not to give hackers an idea of how to bypass the system. We believe that the Google secret may be similar to the PSO approach, due to its simplicity and effectiveness and because it would be easier to implement.
Google will generate a lot of interest in their defense because they are a big-name company willing to lend a hand to smaller businesses that most likely cannot establish their own defense methods. This being said, Google would most likely want to keep the defense method simple but effective so they could distribute it to those who are interested without a large amount of work required for each individual business. This would not provide the most advanced and effective defense for these companies; however, it would aid them in establishing some form of defense. Arguably one of the best parts about this project is Google’s purpose for doing it. “As for what's in this for Google, it's not about revenue -- it's to continue furthering the company's mission to serve up information to people when they want it. Part of that comes from its search results, but Project Shield is meant to make sure that the information people are searching for is available and online when they want it” [15]. Google is pioneering the DDoS prevention space. They acknowledge the damage that these attacks can cause to sites and people that are unfit to combat them, and they choose to do something about it. Google is continuing to advance their service to their own users while also making sure that others who are not as powerful can afford the same rights for their own users. We need more companies like Google to step up and continue to fight DDoS attacks and ensure that these attacks cannot continue to disrupt those who can’t protect themselves.

ELIMINATING DDOS SYN FLOODS

SYN floods are a very clever way to abuse the wide range of servers we now reach from desktops, laptops and even phones. They turn a standard procedure, the three-way handshake, into an attack on practically everyone connected to a server. By doing this they can cause a wide variety of outcomes, from simply making a statement by disabling a server for a while to a prolonged attack leading to extortion. This makes these attacks incredibly dangerous, yet there are not many effective ways of preventing them or protecting a server from them. As more and more people begin to realize the disastrous potential of these attacks, hopefully more effort will go into finding a permanent solution. Altogether, with the methods currently available for defense against SYN floods, completely stopping them is not possible. The most complicated part of defending against these attacks is that it is almost impossible to tell that the server is under attack, because every SYN request looks legitimate until there are multiple half-open requests. This makes protecting servers very difficult; however, there are still some very effective ways to get good results. In time, as more people realize the dangers of SYN floods and that everyone is capable of being attacked, more methods may be developed to defend against one of the most common server hacks currently used. This would not protect a server from all forms of hacks; however, the effectiveness of one of the most common hacks would be greatly reduced. Companies like Google are taking the correct steps in getting this process going, and more are likely soon to follow. This will eventually, and hopefully, lead to an ultimate solution to the problem. For now, however, that seems a bit of a ways off.

REFERENCES

[1] Hewlett-Packard Development Company. (March 2014). “The Growing Cost of Cyber Crime.” (Online Presentation). http://www.slideshare.net/HPESoftwareSolutions/costs-of-cybercrimeponemon2013the-growing-cost-of-cyber-crime-highlights-from-the-4th-annual-ponemon-institute-survey-2013-costs-of-cyber-crime
[2] M. Bogdanoski. (2013). “Analysis of the SYN Flood DoS Attack.” Modern Education and Computer Science Press (Online Article). http://www.mecs-press.org/ijcnis/ijcnis-v5-n8/IJCNIS-V5-N8-1.pdf
[3] J. Cheng. (June 2009). “DDoS Attack Detection Algorithm Using IP Address Features.” Springer Link (Online Book). http://link.springer.com/chapter/10.1007/978-3-642-02270-8_22#page-1
[4] (Feb. 2016). “Valentine’s Day Inspires DDoS Attacks Against Online Florists.” DoS Attacks (Online Article). http://www.ddosattacks.net/valentines-day-inspires-ddos-attacks-against-online-florists/
[5] (Feb. 2016). “FBI arrests Massachusetts man for Anonymous 2014 cyber attack on Boston Children’s Hospital.” DoS Attacks (Online Article). http://www.ddosattacks.net/fbi-arrests-massachusetts-man-for-anonymous-2014-cyberattack-on-boston-childrens-hospital/
[6] S. Jamali. (Aug. 2014). “Defense Against SYN Flooding Attacks: A Particle Swarm Optimization Approach.” (Online Textbook). http://www.sciencedirect.com/science/article/pii/S0045790614001591
[7] D. Deepthi. (Oct. 2013). “TCP SYN Flood Attack Detection And Prevention.” (Online Article). http://ijcttjournal.org/Volume4/issue-10/IJCTT-V4I10P107.pdf
[8] W. Eddy. (2007). “TCP SYN Flooding Attacks and Common Mitigations.” The IETF Trust (Online Article). https://tools.ietf.org/html/rfc4987#section-2
[9] R. Bidou. (2008). “Denial of Service Attacks.” Radware (Online Article). http://www.iv2-technologies.com/DOSAttacks.pdf
[10] C. Wueest. (2014). “The continued rise of DDoS attacks.” Symantec (Online Article). http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
[11] (1996). “TCP SYN Flooding and IP Spoofing Attacks.” CERT (Online Article). https://www.cert.org/historical/advisories/CA-1996-21.cfm?
[12] S. Mercyshalinie. (Dec. 2014). “Defense Against DoS Attack: PSO Approach In Virtualization.” (Online Article). http://ieeexplore.ieee.org/xpls/icp.jsp?arnumber=7229709#.VpXAv3BDEFs.link
[13] P. Ferguson. (2000). “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.” The Internet Society (Online Article). https://www.ietf.org/rfc/rfc2827.txt
[14] O. Jacobsen. (2006). “The Internet Protocol Journal.” Cisco (Online Article). http://www.cisco.com/c/dam/en_us/about/ac123/ac147/archived_issues/ipj_9-4/ipj_9-4.pdf
[15] N. Ingram. (Feb. 2016). “Google’s Project Shield helps any news site beat DDoS attacks.” Engadget (Online Article). http://www.engadget.com/2016/02/24/google-project-shield-battling-ddos-attacks/

ADDITIONAL SOURCES

D. Boteanu. (Oct. 2013). “A Comprehensive Study of Queue Management as a DoS Counter-Measure.” (Online Article). http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=90290396&site=ehost-live

K. Geetha. (2014). “SYN Flooding Attack – Identification and Analysis.” International Conference on Information Communication & Embedded Systems (Online Article). http://ieeexplore.ieee.org/xpls/icp.jsp?arnumber=7033828#.VpW_iFvqtLU.link

S. Kerner. (Jul. 2015). “DDoS Attacks Overwhelm Targets With Ever Rising Data Floods.” (Online Article). http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=109363719&site=ehost-live

ACKNOWLEDGEMENTS

We would like to thank our co-chair and chair, James Clarke and Greg Wunderly, for their advice, guidance, and support. In addition, we would like to thank Beth Newborg for providing us with everything we needed to write a successful paper. Finally, we would like to thank Rachel Mcternan for her helpful comments throughout the process of writing this paper.


ENGINEERING 0012 • CONFERENCE PAPER EVALUATION • SPRING, 2016

Authors, Paper #:Writing Instructor:

Excellent Proficient Adequate Substandard Failing

Conference Paper demonstrates careful, ongoing attention to Writing Instructor’s comments throughout all steps of the Conf. Paper process; careful attention to in-class instruction; careful attention to the assignment and related materials

X

Conference Paper Abstract: paper topic is clearly stated early in the Abstract; Abstract provides an accurate, effective, professional preview/summary of Conf. Paper

X PLEASE work on this

Within the Conference Paper: the science and engineering of all key technologies are fully, clearly, and accurately detailed and explained; language of explanation and level of detail are appropriate to an audience of engineers (engineers who specialize in the paper’s field and engineers who do not) and other professionals

X explain MANY, MANY ideas/ terms more

Within the Conference Paper: applications of topic-related engineering, science, technologies are clearly depicted and fully explained (e.g.: authors explain how an innovative road resurfacing material can or will be used; authors explain the kinds of roads/environments/settings for which this material is appropriate; authors explain, in detail, why this material is best for this application). If needed for maximum clarity and authority, an example or examples (actual and/or hypothetical) of the application(s) are included in the paper and are concrete and fully described/detailed (e.g.: authors describe and evaluate an actual road that has been resurfaced with the innovative material, or, if the material is still in the research stages, authors clearly explain how the material will work on a particular kind of road under particular circumstances)

X need to Connect the technology to the APPLICATION

Within the Conference paper: all topic-related technologies (and related products, outcomes, and applications) are clearly and responsibly contextualized and evaluated; importance to society-at-large, to engineering, and, possibly, to particular individuals is clearly explained; evaluations of processes and outcomes are supported by appropriate quantitative detail (e.g.: specific cost comparisons; specific numbers of patients using a prosthetic; specific span of time a material or device will optimally perform; specific units of energy or elements, for example KWHs, BTUs, CO2); evaluations of processes and outcomes are supported by appropriate explanation (e.g.: if a prosthetic hand is evaluated as optimal or successful, authors fully depict and explain the attributes that make this prosthetic “optimal” or “successful”)

X who?

X missing completely

Every section of the paper is fully developed (including the Introduction and Conclusion); every section includes all clarifying descriptions and explanations, and, where relevant, clarifying examples and/or responsible evaluation

X YOU need to work on the beginning sections MORE. LAY out the ideas. Provide a detailed explanation of this entire process. You give about 15% of what is needed.

Connections/Correlations are clearly established and maintained within and among sections; information throughout the paper is specifically reconnected to the paper’s stated focus; processes/technologies are specifically connected to applications and examples; evaluations and outcomes are specifically connected to supporting details; etc.

X YOU need to spend LOTS of time here. I predict that if you FIX this, you can improve the effectiveness of your paper immensely.

11

Page 12: SYN Flooding Paper (1)

Brian MaherThomas Bui

Research/source information (quotations, paraphrases, summaries, data, pictures, diagrams, tables, charts, graphs) is effectively used throughout the Conf. Paper to maximize clarity and impact of descriptions, explanations, examples, and evaluations; authors clearly identify the origin/authority of research information; research information is effectively integrated and contextualized: authors clarify how/why source information is important within sections and to the paper topic as-a-whole; authors use citation/referencing effectively within the paper to designate where source material (quotations, paraphrases, and summaries) begins and ends

X some good, some need work

ALL References are included for all material quoted, paraphrased and summarized from sources (including pictures, data, diagrams, charts, tables, and equations)

ALL References are correctly numbered in-text; all in-text numbers correctly correspond to numbers in the References section; all bibliographic information is accurate and correctly formatted

X

X

Title, headings, subheadings preview and reinforce topic, content, and connections

X rephrase

ALL format specifications have been met

X be careful, guys. You don’t want to lose points in this category!!!

Correct and Proofread: grammar and punctuation are correct; sentence structure is correct and effective; paragraphs are effectively delineated; vocabulary/wc is correct/accurate/appropriate; paper has been proofread

X please proofread See some of my corrections/suggestions…I did not correct every error, so look for others, ok…

Grade: 65 (guys!!! You have made progress, BUT look how many points you lose for proofreading and formatting… PLEASE be careful. Don’t waste points on these categories…I have spent quite a bit of time reading and thinking about your paper. You HAVE done work and you HAVE made progress, but we are still not where we need to be yet. FIRST, revise your abstract. SEND it to me, so I can see it and help you, ok? NEXT, look at where I mention you must INTRODUCE your idea. This is very important that you slow down and BRIDGE the reader into your world/topic. Let me know if you need me to explain this more. You did not email me before, as I asked you to. PLEASE, look over my comments and email me right away. I want to know that you understand what I am showing you... ok?


100, 99/A+ 98-93/A 92-90/A- 89-87/B+ 86-81/B 80-78/B- 77-75/C+ 74-69/C 68-66/C- 65/D 64 and below/F
