A Router-Agent-Based Distributed Flooding Detection System

TCP SYN flooding is one of the most common and most damaging denial-of-service attacks, so research on countering SYN floods is of great value to network security. Traditional countermeasures such as stateful-inspection firewalls and other server-based solutions have proved to be limited and not very efficient. We present a novel approach based on the Flooding Detection System (FDS), which is installed at the leaf routers. Exploiting the protocol behavior of TCP SYN-FIN pairs, the FDS detects attacks by monitoring TCP control packets and analyzing the local statistical information. To protect large-scale networks, we first apply agent-based distributed intrusion detection to the detection of SYN flood attacks. A Simplified Flooding Detection System (SFDS) is then proposed, and its algorithm is shown to be hardware-oriented. By integrating the SFDSs as detection agents into the network interfaces of the routers, we propose a high-performance distributed flooding detection system and illustrate its global decision mechanism.
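To illustrate the SYN-FIN pairing idea in the abstract, the following added example (not code from the paper) models a leaf-router agent that tallies SYN and FIN control packets per observation window, accumulates the normalised SYN-minus-FIN excess with a nonparametric CUSUM, and feeds per-agent alarms into a quorum-based global decision. The CUSUM rule, the drift and threshold values, and the quorum are assumptions made for this example; the page states none of them.

```python
# Constructed sample traffic: one (syn_count, fin_count) pair per observation
# window, as a leaf-router agent would tally them from TCP control packets.
# Windows 0-4 are benign (every SYN is eventually paired with a FIN); windows
# 5-7 model a ramping SYN flood whose half-open connections never produce FINs.
SAMPLE_WINDOWS = [
    (100, 98), (120, 117), (95, 96), (110, 108), (105, 104),
    (200, 110), (250, 105), (300, 102),
]


class SynFinAgent:
    """Per-interface detection agent comparing SYN and FIN counts per window.

    Under normal TCP behaviour the normalised difference (SYN - FIN) / FIN stays
    near zero; a persistent positive drift indicates SYNs that are never closed.
    The accumulation below is a nonparametric CUSUM (an assumption of this
    example, not a detail given in the abstract).
    """

    def __init__(self, drift=0.4, threshold=2.0):
        self.drift = drift          # allowance for normal fluctuation (assumed value)
        self.threshold = threshold  # alarm when the accumulated excess exceeds it (assumed value)
        self.score = 0.0

    def observe(self, syn, fin):
        # Normalise by the FIN count so the statistic does not depend on link load.
        x = (syn - fin) / max(fin, 1)
        # CUSUM: keep only the part of the excess above the normal drift, never below 0.
        self.score = max(0.0, self.score + x - self.drift)
        return self.score > self.threshold


def run_agent(windows, **kwargs):
    """Return the index of the first window in which the agent alarms, or None."""
    agent = SynFinAgent(**kwargs)
    for i, (syn, fin) in enumerate(windows):
        if agent.observe(syn, fin):
            return i
    return None


def global_decision(agent_alarms, quorum=2):
    """Central decision: declare a network-wide flood once at least `quorum`
    agents have alarmed (a simple stand-in for the paper's own mechanism)."""
    return sum(1 for a in agent_alarms if a is not None) >= quorum


if __name__ == "__main__":
    print("first alarming window:", run_agent(SAMPLE_WINDOWS))        # 7
    print("benign traffic alarm:", run_agent(SAMPLE_WINDOWS[:5]))     # None
```

The flood is not flagged in window 5 (excess 0.82 is within a single window's allowance) but the accumulated excess crosses the threshold in window 7, which is the point of a cumulative rather than per-window test.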