Managing Congestion In Mobile Devices By Combating TCP Based Attacks
Posted on: 2012-03-31 | Degree: Master | Type: Thesis
Institution: University | Candidate: NJUKI S.N. S S | Full Text: PDF
GTID: 2178330335489482 | Subject: Computer Science and Technology

Abstract/Summary:

Transmission Control Protocol (TCP) based attacks are a form of denial-of-service attack to which every Transmission Control Protocol/Internet Protocol (TCP/IP) implementation is vulnerable to some degree. Each half-open TCP connection made to a machine causes the server to add a record to the data structure that stores information describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially open connections. The half-open connection data structure on the victim server will eventually fill, and the system will be unable to accept new incoming connections until the table is emptied. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections. In some cases the system may exhaust memory, crash, or otherwise be rendered inoperative. The mechanisms proposed here are geared towards saving the resources of resource-constrained mobile devices as well as verifying sources in order to detect invalid or spoofed acknowledgements (ACKs) and resets (RSTs). Several solutions for congestion control in low-bandwidth mobile devices already exist, among them the use of a firewall for verification. This dissertation proposes an improvement on that approach by minimizing the delay while making sure there is no denial of service to legitimate clients.

The firewall verifies the validity of a client before it is allowed to connect to the network. A TCP client sends a synchronization (SYN) request to the TCP server through the firewall; the firewall answers with a synchronization/acknowledgement (SYN/ACK) carrying a deliberately wrong sequence number. The client then sends an RST, whose sequence number the firewall checks against the one it sent before forwarding the reconstructed SYN request to the server. The server returns a SYN/ACK to the client through the firewall. The ACK from the client is held by the firewall for verification. The firewall cross-checks the sequence numbers of the SYN request, the RST and the ACK. If they match, the client is allowed to connect to the network; otherwise the firewall uses the proposed Drop Invalid packets Mechanism (DIM) to ask the server, by sending it an RST, to release all the resources associated with this client. The firewall applies a timeout period while waiting for the RST and the ACK; if the client exceeds this time, it is deemed invalid and dropped before a connection is established. The results from the analysis tools used in this dissertation show that the connection-establishment delay introduced by this verification is only microseconds, a great improvement over previous solutions. Dropping spoofed packets in time has also greatly reduced congestion in the mobile device network.

Keywords/Search Tags: Congestion control, TCP 3-way handshake, mobile devices, firewall, flooding attacks, packet drop
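The verification sequence described in the abstract, as an added simulation that is not part of the thesis: a model firewall answers the SYN with a wrong acknowledgement number, accepts the client only if its RST echoes that number and its final ACK agrees with the SYN and the server's SYN/ACK, and otherwise drops on timeout or sends the DIM reset to the server. Packet fields, the `VerifyingFirewall` class, the three-second timeout and the `handshake` driver are all constructed here.

```python
import random
from dataclasses import dataclass
@dataclass
class Pkt:
    src: str          # claimed source address
    flags: str        # "SYN", "SYN/ACK", "RST" or "ACK"
    seq: int
    ack: int = 0

class VerifyingFirewall:
    """Constructed model of the handshake-verifying firewall from the abstract."""
    def __init__(self, timeout: float = 3.0, seed: int = 1):
        self.timeout, self.rng, self.pending = timeout, random.Random(seed), {}

    def on_syn(self, p: Pkt, now: float) -> Pkt:
        # Deliberately wrong acknowledgement number: a real TCP stack answers it with an RST.
        bogus = (p.seq + self.rng.randrange(2, 1 << 31)) & 0xFFFFFFFF
        self.pending[p.src] = {"syn": p.seq, "bogus": bogus, "t": now}
        return Pkt("fw", "SYN/ACK", seq=self.rng.getrandbits(32), ack=bogus)

    def on_client_rst(self, p: Pkt, now: float):
        e = self.pending.get(p.src)
        if e is None or now - e["t"] > self.timeout or p.seq != e["bogus"]:
            self.pending.pop(p.src, None)
            return None                            # unverifiable: nothing reaches the server
        return Pkt(p.src, "SYN", seq=e["syn"])     # reconstructed SYN forwarded to the server

    def on_server_synack(self, p: Pkt, client: str) -> Pkt:
        self.pending[client]["srv_seq"] = p.seq    # remember server ISN for the final check
        return p                                   # relayed unchanged to the client

    def on_client_ack(self, p: Pkt, now: float):
        e = self.pending.pop(p.src, None)
        if e is None or now - e["t"] > self.timeout:
            return "DROP_TIMEOUT", None
        if p.seq == e["syn"] + 1 and p.ack == e["srv_seq"] + 1:
            return "ALLOW", None
        # DIM: ask the server to release the half-open entry for this client.
        return "DIM_RST", Pkt("fw", "RST", seq=e["syn"] + 1)

def handshake(spoofed=False, bad_ack=False, slow=False) -> str:
    fw, c_isn, s_isn, t = VerifyingFirewall(), 1000, 5000, 0.0
    synack = fw.on_syn(Pkt("client", "SYN", seq=c_isn), t)
    if spoofed:   # a spoofed source never sees the SYN/ACK, so no RST arrives; entry expires
        return fw.on_client_ack(Pkt("client", "ACK", c_isn + 1, s_isn + 1), t + 5)[0]
    fwd = fw.on_client_rst(Pkt("client", "RST", seq=synack.ack), t + 0.1)
    assert fwd is not None and fwd.flags == "SYN"
    fw.on_server_synack(Pkt("server", "SYN/ACK", seq=s_isn, ack=fwd.seq + 1), "client")
    ack = Pkt("client", "ACK", seq=c_isn + 1, ack=s_isn + (99 if bad_ack else 1))
    return fw.on_client_ack(ack, t + (10 if slow else 0.2))[0]
```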