next up previous contents index
Next: 5.4 Streaming Data Up: 5. Network Intrusion Detection Previous: 5.2 Basic TCP/IP

5.3 Passive Sensing of Denial of Service Attacks

The TCP protocol provides a simple (and popular) method for denial of service attacks. The server has a finite number of connections that it can handle at a time, and will refuse connections when its table is full. Thus, if an attacker can fill the table with bogus connections, legitimate users will be locked out.

This attack relies on two fundamental flaws in the protocols. The first is that the source IP address is never checked, and thus can be "spoofed" by putting an arbitrary 32-bit number in its place. Second, the three-way handshake requires the third (acknowledgment) packet, and the server will wait several seconds before timing out a connection. With each requested connection, the server allocates a space in its table and waits for the final acknowledgment (or for the connection to time out). The attacker can easily fill the table and keep it filled by sending spoofed SYN packets to the server.

Thus, the attacker sends many SYN packets to the server, spoofed to appear to come from a large number of different hosts. The server responds with SYN/ACK packets to these hosts, and puts the connection in its table to await the final ACK, or a time-out (usually several seconds). Since the ACK packets are not forthcoming, the table quickly fills up, and stays full for as long as the attacker continues to send packets.

There are clever ways to mitigate this problem, which can keep the table from filling up. One, the "SYN cookie", involves encoding the sequence number of the SYN/ACK in a way that allows the server to recognize legitimate ACK packets without needing to save a spot in the table for the connection. However, even these can be defeated through a sufficiently high-volume attack.

These unsolicited SYN/ACK packets can be observed by any network sensor, and thus provide a method for estimating the number and severity of such attacks throughout the Internet. These unsolicited packets are referred to as backscatter. They may take other forms than SYN/ACK packets, depending on the type of packet sent in the attack. See ([24], [19], [17]) for more information.

Typically, the attacker first compromises a large number of computers, using special distributed attack software, and it is these computers that launch the attack. This makes it very difficult to block the attack, and essentially impossible to track down the attacker, at least through information available to the victim.

Backscatter packets provide several opportunities for statistical analysis. They allow the estimation of the number of attacks on the Internet in real time. One may be able to estimate the severity of the attacks and number of attackers. Finally, it may be possible to characterize different types of attacks or different attack tools and identify them from the pattern of the packets. Some initial work describing some of these ideas is found in ([12]).

A network sensor is a computer that captures packets (usually just the packet headers) as they traverse the network. These are usually placed either just before or just after a firewall to collect all the packets coming into a network. Through such a system, one can observe all the unsolicited SYN/ACK packets addressed to one of the IP addresses owned by the network.

Note that this means that only a fraction of the backscatter packets resulting from the attack are seen by any sensor. If we assume that the sensor is monitoring a class B network (an address space of 65,536 IP addresses), then we observe a random sample of 1/65,536 of the packets, assuming the attack selects randomly from all $2^{32}$ possible IP addresses. This points to several areas of interest to statisticians: we observe a subset of the packets sent to a subset of the victims, and wish to estimate the number of victims, the number of packets sent to any given victim, and the number of attackers for any given victim.
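As an added illustration (not from the original text), the following Python classifies SYN/ACK packets arriving at a sensor as backscatter when no matching SYN left the monitored block, counts them per source address (the victim), and scales the count up by the sampling fraction described above. The monitored block 10.7.0.0/16 and the header records are constructed for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed example: the sensor watches a class B (/16) block; 10.7.0.0/16 is a placeholder.
MONITORED = ip_network("10.7.0.0/16")
IPV4_SPACE = 2 ** 32

# Constructed header records: (time_s, src, dst, tcp_flags); flags "S" = SYN, "SA" = SYN/ACK, "A" = ACK.
SAMPLE_HEADERS = [
    (0.0, "10.7.1.1", "198.51.100.7", "S"),      # a host inside the block opens a connection
    (0.1, "198.51.100.7", "10.7.1.1", "SA"),     # solicited reply, not backscatter
    (0.2, "10.7.1.1", "198.51.100.7", "A"),
    (1.0, "203.0.113.5", "10.7.4.20", "SA"),     # unsolicited: a victim answering a spoofed SYN
    (2.5, "203.0.113.5", "10.7.200.3", "SA"),
    (4.0, "203.0.113.5", "10.7.9.77", "SA"),
    (6.0, "198.51.100.9", "10.7.3.3", "S"),      # inbound SYN (client or scan), not backscatter
    (8.0, "203.0.113.5", "10.7.41.1", "SA"),
    (9.0, "203.0.113.6", "10.7.41.1", "SA"),
]

def is_backscatter(record, solicited):
    """SYN/ACK into the monitored block with no matching SYN seen leaving it."""
    _, src, dst, flags = record
    if flags != "SA" or ip_address(dst) not in MONITORED:
        return False
    return (dst, src) not in solicited

def backscatter_by_victim(headers):
    """Count unsolicited SYN/ACKs per source address (the DoS victim)."""
    solicited = set()
    counts = Counter()
    for rec in headers:  # records in time order, as a sensor would see them
        _, src, dst, flags = rec
        if flags == "S" and ip_address(src) in MONITORED:
            solicited.add((src, dst))  # we sent the SYN, so a SYN/ACK back is expected
        elif is_backscatter(rec, solicited):
            counts[src] += 1
    return counts

def estimate_attack_rate(observed, window_s, monitored=MONITORED):
    """Scale the sample up, assuming spoofed sources are drawn uniformly from all 2^32 addresses,
    so the sensor sees a fraction monitored.num_addresses / 2^32 of the victim's replies."""
    fraction = monitored.num_addresses / IPV4_SPACE
    return observed / fraction / window_s

if __name__ == "__main__":
    window = 10.0  # seconds covered by SAMPLE_HEADERS
    for victim, n in backscatter_by_victim(SAMPLE_HEADERS).items():
        print(f"{victim}: {n} observed -> ~{estimate_attack_rate(n, window):,.0f} SYN/ACK per second")
```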
