Source Detection of SYN Flooding Attacks

We present an original approach to detecting sources that participate in SYN flooding attacks by monitoring unusual handshake sequences. To protect the victim, it is better to detect the attacker early and as close to the source as possible. Such a solution prevents waste of resources by restricting harmful and useless traffic across the network. Our source detection system uses an entropy measure to detect changes in the balance of TCP handshakes. Experimental results show that our method can indeed detect the sources of SYN flooding attacks in a timely fashion.
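The abstract describes the detector only at a high level. As an added illustration (not the paper's own code or its exact entropy formulation), the following example shows one way such a source-side monitor can work: per observation window it computes the Shannon entropy of the SYN / SYN-ACK / ACK mix, flags windows whose entropy drops well below the balanced baseline of completed handshakes, and then attributes the imbalance to the local host(s) whose traffic is dominated by SYNs. The packet representation, the constructed sample traffic, and the thresholds (`drop_ratio`, `syn_share`, `min_packets`) are assumptions of this example.

```python
import math
from collections import Counter, defaultdict

# Handshake packet types the monitor counts; everything else is ignored.
HANDSHAKE_FLAGS = ("SYN", "SYN-ACK", "ACK")


def shannon_entropy(counts):
    """Shannon entropy (bits) of a Counter of packet types."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def window_entropy(packets):
    """Entropy of the SYN / SYN-ACK / ACK mix in one observation window.
    A packet is (local_host, flags); this example assumes the monitor has
    already keyed each inbound SYN-ACK by the local host that receives it."""
    return shannon_entropy(Counter(f for _, f in packets if f in HANDSHAKE_FLAGS))


def suspect_hosts(packets, syn_share=0.6, min_packets=20):
    """Local hosts whose handshake traffic is dominated by SYNs, i.e. hosts
    that open connections but rarely see them completed (hypothetical thresholds)."""
    per_host = defaultdict(Counter)
    for host, flags in packets:
        if flags in HANDSHAKE_FLAGS:
            per_host[host][flags] += 1
    suspects = []
    for host, c in per_host.items():
        total = sum(c.values())
        if total >= min_packets and c["SYN"] / total > syn_share:
            suspects.append(host)
    return sorted(suspects)


def detect(windows, baseline_entropy=math.log2(3), drop_ratio=0.6):
    """Return [(window_index, entropy, suspects)] for windows whose handshake
    entropy fell below drop_ratio * baseline. The baseline log2(3) is the entropy
    of equal SYN, SYN-ACK and ACK counts, i.e. every handshake completing."""
    alerts = []
    for i, packets in enumerate(windows):
        h = window_entropy(packets)
        if h < drop_ratio * baseline_entropy:
            alerts.append((i, round(h, 3), suspect_hosts(packets)))
    return alerts


# --- Constructed sample traffic (not a real capture) ---
def handshakes(host, n):
    """n completed three-way handshakes initiated by host."""
    return [(host, f) for _ in range(n) for f in HANDSHAKE_FLAGS]


def syn_only(host, n):
    """n SYNs from host that are never answered and never acknowledged."""
    return [(host, "SYN")] * n


NORMAL_WINDOW = (handshakes("10.0.0.2", 10) + handshakes("10.0.0.3", 10)
                 + handshakes("10.0.0.4", 10))
FLOOD_WINDOW = NORMAL_WINDOW + syn_only("10.0.0.9", 500)
SAMPLE_WINDOWS = [NORMAL_WINDOW, FLOOD_WINDOW]

if __name__ == "__main__":
    for i, w in enumerate(SAMPLE_WINDOWS):
        print(f"window {i}: entropy={window_entropy(w):.3f}")
    print("alerts:", detect(SAMPLE_WINDOWS))
```

In the balanced window the three packet types are equally frequent and the entropy sits at log2(3); in the flooded window the unanswered SYNs skew the distribution and the entropy collapses, which is the change in handshake balance the abstract refers to. Per-host attribution relies on the addresses the monitor actually sees, so when the flooding host spoofs its source address the aggregate entropy shift still fires but the per-host step is less informative.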
