Detecting SYN Flooding Agents under Any Type of IP Spoofing

The TCP SYN flooding attack is the most prevalent type of DDoS attack that exhausts network resources. A router-based detection scheme has been proposed to detect SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victim's server pass through different leaf routers. With current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. A more general and flexible detection scheme is therefore highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme, which detects the flooding agents by considering all possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair and takes packet header information (both sequence and acknowledgement numbers) into account. A Counting Bloom Filter is used to classify all incoming SYN/ACK packets to the subnetwork into two streams, the first SYN/ACK packets (SYN/ACKf) and the retransmitted SYN/ACK packets (SYN/ACKr), to make the scheme generally applicable, and the Cumulative Sum (CUSUM) algorithm is applied so that detection does not depend on sites or access patterns. Compared to the earlier detection scheme, which does not consider IP spoofing techniques, the proposed scheme significantly improves the accuracy of detecting SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.
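As an added illustration (not the paper's code), the two steps described in the abstract in Python: a Counting Bloom Filter keyed on a SYN/ACK's (source, destination, sequence, acknowledgement) 4-tuple separates first SYN/ACKs from retransmitted ones, and a CUSUM over the per-interval share of retransmissions raises the alarm. The choice of key, the share statistic, the per-interval filter reset, the baseline and threshold values, and the sample traffic are all assumptions, not taken from the paper.

```python
import hashlib
class CountingBloomFilter:
    """Counting Bloom filter: per-slot counters, not bits, so keys can be deleted again."""
    def __init__(self, m=8192, k=4):
        self.m, self.k, self.counts = m, k, [0] * m
    def _positions(self, key):
        data = repr(key).encode()
        for i in range(self.k):  # k independent hashes via a one-byte salt
            yield int.from_bytes(hashlib.sha256(bytes([i]) + data).digest()[:4], "big") % self.m
    def contains(self, key):
        return all(self.counts[p] > 0 for p in self._positions(key))
    def add(self, key):
        for p in self._positions(key):
            self.counts[p] += 1
    def remove(self, key):  # e.g. when the handshake completes or the entry ages out
        for p in self._positions(key):
            self.counts[p] = max(0, self.counts[p] - 1)

def classify_synacks(packets, cbf):
    """Split SYN/ACKs entering the subnet into first (SYN/ACKf) and retransmitted (SYN/ACKr).
    A retransmission repeats seq and ack for the same address pair, so that 4-tuple is the key."""
    first = retrans = 0
    for src, dst, seq, ack in packets:
        if cbf.contains((src, dst, seq, ack)):
            retrans += 1
        else:
            cbf.add((src, dst, seq, ack))
            first += 1
    return first, retrans

def cusum_alarms(ratios, baseline, threshold):
    """Non-parametric CUSUM: sum positive drift of the SYN/ACKr share above its baseline."""
    s, alarms = 0.0, []
    for x in ratios:
        s = max(0.0, s + (x - baseline))
        alarms.append(s > threshold)
    return alarms

def detect(windows, baseline=0.1, threshold=0.5):
    ratios = []
    for pkts in windows:  # one fresh filter per observation interval (assumed)
        f, r = classify_synacks(pkts, CountingBloomFilter())
        ratios.append(r / (f + r) if f + r else 0.0)
    return ratios, cusum_alarms(ratios, baseline, threshold)

# Constructed sample: two normal intervals (ten handshakes, one retransmit), then two
# where SYN/ACKs to spoofed, unresponsive subnet hosts are each retransmitted three times.
NORMAL = [("198.51.100.10", f"10.0.0.{i}", 1000 + i, 500 + i) for i in range(10)] + [("198.51.100.10", "10.0.0.3", 1003, 503)]
ATTACK = [("198.51.100.10", f"10.0.0.{i}", 2000 + i, 700 + i) for i in range(10)] * 4
WINDOWS = [NORMAL, NORMAL, ATTACK, ATTACK]
```

Running `detect(WINDOWS)` alarms only on the two attack intervals, where the retransmitted share jumps from about 0.09 to 0.75.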
