A poisoning-resilient TCP stack

Amit Mondal*, Aleksandar Kuzmanovic

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution


We treat the problem of large-scale TCP poisoning: an attacker, who is able to monitor TCP packet headers in the network, can deny service to all flows traversing the monitoring point simply by injecting a single spoofed data or control packet into each of the flows. One of the entities responsible for this severe vulnerability is certainly the TCP protocol itself: it behaves as a "dummy" state machine that can more-than-easily become desynchronized by an attacker. In this paper, we explore ways for upgrading TCP endpoints into viable DoS-resilient protocol entities, capable of mitigating large-scale poisoning attacks. We show, by means of analytical modeling, simulations, and Internet experiments, how small upgrades implemented by the endpoints can dramatically improve resilience to attacks. The key mechanisms unique to our approach are (i) deferred protocol reaction, used to accurately detect poisoning attacks; (ii) forward nonces, applied to distinguish among different traffic sources during the attack; and (iii) self-clocking-based correlation, utilized for successfully detecting legitimate packet streams. Our solution relies solely on the protocol design, is incrementally deployable, and is TCP friendly.

Original language: English (US)
Title of host publication: Proceedings - 15th IEEE International Conference on Network Protocols, ICNP 2007
Number of pages: 10
State: Published - 2007
Event: 15th IEEE International Conference on Network Protocols, ICNP 2007 - Beijing, China
Duration: Oct 16 2007 to Oct 19 2007

Publication series

Name: Proceedings - International Conference on Network Protocols, ICNP
ISSN (Print): 1092-1648


Other: 15th IEEE International Conference on Network Protocols, ICNP 2007

ASJC Scopus subject areas

  • Engineering(all)

