Statistical-Based SYN-Flooding Detection Using Programmable Network Processor

With the growing use of broadband Internet, the demand for hardware-based intrusion detection systems (IDS) is exploding. The network processor is poised to be the future platform for hardware-based IDS and firewalls due to its programmability and its capability to process packets at wire speed. In this paper, we explore the practical implementation of a statistical-based SYN-flooding detection system in a network processor-based router. An embedded architecture, called synmon, is proposed. We employ an instance of change-point detection, the non-parametric Cumulative Sum (CUSUM) algorithm, for SYN-flooding detection. It performs per-flow attack detection based on the SYN and ACK packets exchanged in a TCP-friendly flow. A prototype of the synmon embedded forwarder is developed, and the performance of synmon under different attack patterns, network loads, sampling intervals and tuning parameters is investigated. We demonstrate that the synmon architecture seamlessly integrates with common forwarding tasks while providing a cost-effective service for SYN-flooding detection on a network processor platform.
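The abstract describes the detection core (a non-parametric CUSUM run over SYN and ACK counts collected per sampling interval) but not its mechanics. The following is an added illustration, not code from the paper or the synmon prototype: it feeds a CUSUM statistic with the per-interval SYN/ACK difference, normalised by the SYN count so the statistic does not scale with link load, and raises an alarm when the accumulated statistic exceeds a threshold. The drift parameter `a`, the threshold `h`, the normalisation and the constructed traffic samples are all assumptions made for this example; the paper's own tuning parameters may differ.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class CusumDetector:
    """Non-parametric CUSUM change-point detector over per-interval SYN/ACK counts.

    Hypothetical simplified detector: one instance per monitored flow (or per
    protected address), updated once per sampling interval with the number of
    SYN and ACK packets seen in that interval.
    """
    a: float = 0.3          # drift: assumed upper bound of the normal mean of x_n
    h: float = 2.5          # alarm threshold on the accumulated statistic (assumption)
    y: float = 0.0          # current CUSUM statistic y_n
    alarm_at: Optional[int] = None
    history: List[float] = field(default_factory=list)

    def update(self, n: int, syn: int, ack: int) -> bool:
        """Consume interval n and return True once an alarm has been raised."""
        # x_n: fraction of SYNs in this interval that were not matched by an ACK.
        # A half-open (flooded) handshake leaves x_n close to 1; a healthy
        # interval leaves it near 0. An idle interval contributes 0.
        x = (syn - ack) / syn if syn > 0 else 0.0
        # Classic non-parametric CUSUM recursion: subtract the drift a so the
        # statistic stays at 0 under normal traffic and only grows under attack.
        self.y = max(0.0, self.y + (x - self.a))
        self.history.append(self.y)
        if self.alarm_at is None and self.y > self.h:
            self.alarm_at = n
        return self.alarm_at is not None


def detect(samples: Sequence[Tuple[int, int]], a: float = 0.3, h: float = 2.5) -> Optional[int]:
    """Run the detector over (syn, ack) per-interval samples; return the alarm interval or None."""
    det = CusumDetector(a=a, h=h)
    for n, (syn, ack) in enumerate(samples):
        det.update(n, syn, ack)
    return det.alarm_at


# Constructed sample traffic (not a real capture): ten normal intervals at
# varying load, where almost every SYN is answered, followed by a flood in
# which SYNs vastly outnumber the ACKs that complete a handshake.
NORMAL = [(100, 98), (250, 245), (500, 490), (80, 79), (300, 297),
          (120, 118), (400, 392), (60, 60), (200, 196), (150, 148)]
FLOOD = [(1000, 100)] * 8
TRAFFIC = NORMAL + FLOOD


def alarm_on_traffic() -> Optional[int]:
    return detect(TRAFFIC)


def alarm_on_normal() -> Optional[int]:
    return detect(NORMAL)


if __name__ == "__main__":
    print("alarm interval under flood:", alarm_on_traffic())   # 14
    print("alarm interval under normal load:", alarm_on_normal())  # None
```

Under the constructed samples the statistic stays at zero across the normal intervals, then grows by 0.6 per flood interval and crosses the threshold on the fifth flood interval (interval index 14). Raising `h` lengthens the detection delay but tolerates longer bursts of unanswered SYNs before alarming; raising `a` suppresses alarms for flows whose normal SYN/ACK imbalance is larger. The trade-off between these two parameters and the sampling interval is exactly what the paper's evaluation of synmon measures.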
