JIS  Vol.2 No.3 , July 2011
Effectiveness of Built-in Security Protection of Microsoft’s Windows Server 2003 against TCP SYN Based DDoS Attacks
ABSTRACT
Recent DDoS attacks against several web sites operated by SONY PlayStation caused widespread outages for several days and the loss of user account information. DDoS attacks by WikiLeaks supporters against VISA, MasterCard, and PayPal servers made headline news globally. These DDoS attack floods are known to crash web-based applications or reduce their performance, and to reduce the number of legitimate client connections per second. The TCP SYN flood is one of the most common DDoS attacks, and the latest operating systems have some form of protection against it, intended to keep the attack from degrading the performance of web applications and the rate of user connections. In this paper, we evaluated the performance of the TCP SYN attack protection provided in Microsoft’s Windows Server 2003. It is found that the SYN attack protection provided by the server is effective in preventing attacks only at lower loads of SYN attack traffic; this built-in protection is found to be ineffective against high-intensity SYN attack traffic. The measurement results in this paper can help network operators understand the effectiveness of the built-in protection mechanism that exists in millions of Windows Server 2003 machines against one of the most popular DDoS attacks, namely the TCP SYN attack, and help them enhance the security of their networks by additional means.
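To make the abstract's finding concrete, the following is an added toy capacity model, not code from the paper and not Windows Server 2003's actual implementation: it assumes a threshold-triggered protection that shortens the half-open timeout for new entries once the half-open count exceeds a threshold, and every number (backlog size, threshold, timeouts, rates) is a constructed value for illustration. It shows why such a mechanism holds up at low SYN flood rates but not at high ones, where spoofed SYNs refill freed slots faster than any timeout can release them.

```python
"""Toy model of a threshold-triggered SYN attack protection (added
illustration; parameters are constructed, not measured Windows values)."""
import heapq


def legit_success_fraction(attack_per_tick, legit_per_tick=1, ticks=600,
                           backlog=1000, threshold=500,
                           normal_timeout=210, protected_timeout=30):
    """Fraction of legitimate SYNs that find a free half-open slot.

    Time advances in ticks (think 0.1 s, so 600 ticks = 60 s).  Each spoofed
    attack SYN holds a half-open slot until its timeout expires; a legitimate
    client completes the handshake at once, so it only needs a free slot at
    arrival.  Assumed protection mode: when the half-open count exceeds
    `threshold`, new entries get the much shorter `protected_timeout`.
    """
    half_open = []            # min-heap of expiry ticks for half-open entries
    legit_total = legit_ok = 0
    for now in range(ticks):
        while half_open and half_open[0] <= now:   # release expired entries
            heapq.heappop(half_open)
        protected = len(half_open) > threshold
        timeout = protected_timeout if protected else normal_timeout
        for _ in range(attack_per_tick):           # spoofed SYNs grab slots first
            if len(half_open) >= backlog:
                break
            heapq.heappush(half_open, now + timeout)
        for _ in range(legit_per_tick):            # then legitimate clients try
            legit_total += 1
            if len(half_open) < backlog:
                legit_ok += 1
    return legit_ok / legit_total if legit_total else 1.0


if __name__ == "__main__":
    # 10 ticks per second, so attack_per_tick=10 means 100 SYN/s
    for per_tick in (0, 10, 30, 200):
        frac = legit_success_fraction(per_tick)
        print(f"attack {per_tick * 10:5d} SYN/s -> legit success {frac:.3f}")
```

At 100 SYN/s the shortened timeout keeps the half-open table well under capacity, so every legitimate client gets through; at 2000 SYN/s the table fills within half a second and stays full no matter how short the timeout, which is the high-intensity failure the abstract reports.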

Cite this paper
H. Vellalacheruvu and S. Kumar, "Effectiveness of Built-in Security Protection of Microsoft’s Windows Server 2003 against TCP SYN Based DDoS Attacks," Journal of Information Security, Vol. 2 No. 3, 2011, pp. 131-138. doi: 10.4236/jis.2011.23013.
