T-RAP: (TCP Reply Acknowledgement Packet) a Resilient Filtering Model for DDoS Attack with Spoofed IP Address

Cited by: 0
Authors
Kavisankar, L. [1]
Chellappan, C. [1]
Affiliation
[1] Anna Univ, Dept Comp Sci & Engn, Madras 600025, Tamil Nadu, India
Source
Keywords
TCP SYN flooding; DDoS; IP Spoofing; T-RAP; Static DHCP;
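DOI
Not available
Chinese Library Classification (CLC) number
TP3 [Computing technology, computer technology];
Discipline classification code
0812;
Abstract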
A Distributed Denial-of-Service (DDoS) attack is difficult to defend against, mainly because a server cannot control the amount or the origin of requests. It is easily performed by exploiting the weakness of the network protocol. DDoS attacks are considered a major threat among the security problems of today's Internet. The TCP/IP protocol suite is the most widely used protocol suite for data communication. SYN flooding exploits the TCP three-way handshake by sending many connection requests with spoofed source IP addresses to a victim server. The IP protocol specifies no method for validating the authenticity of a packet's source, which implies that an attacker can forge the source address at will. These kinds of attacks are potentially severe. They drastically bring down a company's business. A DDoS attack can easily exhaust the computing and communication resources of its victim within a short period of time. This paper deals with attacks that consume all the bandwidth available to the victim machine. The TCP SYN flood works by exhausting the TCP connection queue of the host and thus denying legitimate connection requests. There are various methods used to detect and prevent this attack, one of which is to block packets based on the SYN flag count from the same IP address. This kind of prevention method becomes unsuitable when attackers use spoofed IP addresses. To prevent this kind of attack, the proposed scheme uses TCP-specific probing, in which the client is requested to change the window size or cause packet retransmission while sending the ACK in the three-way handshake. We also use DHCP to statically assign IP addresses based on MAC addresses in a private environment. This is very useful for finding spoofed IP packets and TCP SYN floods and preventing them.
Pages: 138-148
Number of pages: 11