Detecting TCP SYN Flood Attack Based on Anomaly Detection

Transmission Control Protocol (TCP) SYN (synchronize) flooding has become a problem for network management, since it is hard to defend a network server against it. A malicious attacker can easily exploit the TCP three-way handshake by sending a stream of SYN segments whose handshakes are never completed, leaving the server holding half-open connections until its resources are exhausted and it becomes unavailable. The problem addressed in this paper is how to detect a TCP SYN flood from the network traffic. The paper uses anomaly detection to detect the TCP SYN flood attack based on the payload and on the unused area of the packet: a legitimate SYN segment normally carries no payload, so SYN segments that carry data or that fill header fields a plain SYN leaves unused stand out from normal handshake traffic. The results show that the proposed detection method can detect a TCP SYN flood in the network through the payload.
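As an added example (not code from the paper, and not the paper's own feature set), the following Python script shows one concrete way to apply payload and unused-field inspection to SYN segments. It parses raw IPv4/TCP packets, marks a plain SYN as anomalous when it carries payload, when its acknowledgement number is set while the ACK flag is clear, or when its urgent pointer is set while the URG flag is clear, and then raises a flood verdict per destination port once the SYN count and the share of anomalous SYNs pass thresholds. The thresholds, the function names and the traffic are all assumptions; the packets are constructed inline with zero checksums rather than taken from a capture.

```python
"""Flag anomalous TCP SYN segments by inspecting payload and header fields a
legitimate SYN leaves unused. Added example; the traffic below is constructed
inline, not taken from a capture, and the thresholds are illustrative."""
import random
import struct
from collections import Counter

FLAG_SYN, FLAG_ACK, FLAG_URG = 0x02, 0x10, 0x20


def build_ipv4_tcp(src, dst, sport, dport, seq, ack=0, flags=FLAG_SYN,
                   urg_ptr=0, payload=b""):
    """Build a minimal IPv4+TCP packet. Checksums are left zero: this is a
    parsing example, not a packet to put on the wire."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, urg_ptr) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return header fields and payload of an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total]
    if len(tcp) < 20:
        return None
    sport, dport, seq, ack, off_flags, _win, _csum, urg = \
        struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4          # TCP header length incl. options
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "urg": urg, "payload": tcp[doff:],
    }


def is_plain_syn(hdr):
    return bool(hdr["flags"] & FLAG_SYN) and not hdr["flags"] & FLAG_ACK


def syn_anomalies(hdr):
    """Reasons a plain SYN looks forged; an empty list means it looks normal."""
    if not is_plain_syn(hdr):
        return []
    reasons = []
    # A normal connection request carries no data. (TCP Fast Open, RFC 7413,
    # is the legitimate exception; exempt it if your servers enable TFO.)
    if hdr["payload"]:
        reasons.append("payload in SYN")
    # Fields the receiver ignores on a plain SYN: flood tools that fill the
    # header with random bytes tend to leave them non-zero.
    if hdr["ack"] != 0:
        reasons.append("ack number set without ACK flag")
    if hdr["urg"] != 0 and not hdr["flags"] & FLAG_URG:
        reasons.append("urgent pointer set without URG flag")
    return reasons


def detect_syn_flood(packets, syn_threshold=50, anomaly_ratio=0.5):
    """Per (dst, dport): (syn count, anomalous syn count, flood verdict).
    Thresholds are assumptions; tune them to the monitored link."""
    syns, bad = Counter(), Counter()
    for pkt in packets:
        hdr = parse_ipv4_tcp(pkt)
        if hdr is None or not is_plain_syn(hdr):
            continue
        key = (hdr["dst"], hdr["dport"])
        syns[key] += 1
        if syn_anomalies(hdr):
            bad[key] += 1
    return {key: (n, bad[key], n >= syn_threshold and bad[key] / n >= anomaly_ratio)
            for key, n in syns.items()}


def constructed_traffic():
    """Constructed sample: 120 spoofed flood SYNs to 10.0.0.5:80 with random
    ack numbers and junk payload, plus 20 clean SYNs to 10.0.0.5:443."""
    rng = random.Random(1)
    pkts = [build_ipv4_tcp(f"203.0.113.{rng.randrange(256)}", "10.0.0.5",
                           rng.randrange(1024, 65536), 80, rng.getrandbits(32),
                           ack=rng.getrandbits(32), payload=bytes(8))
            for _ in range(120)]
    pkts += [build_ipv4_tcp("192.0.2.10", "10.0.0.5", 40000 + i, 443, 1000 + i)
             for i in range(20)]
    return pkts


if __name__ == "__main__":
    for key, (n, anomalous, flood) in detect_syn_flood(constructed_traffic()).items():
        print(f"{key[0]}:{key[1]} syn={n} anomalous={anomalous} flood={flood}")
```

The per-packet checks alone are not a verdict: a single odd SYN is noise, which is why the flood decision also requires a minimum SYN volume and a majority of anomalous SYNs toward the same service. In a real deployment the packets would come from libpcap/tcpdump rather than from `constructed_traffic()`, and the checksum would be verified before the fields are trusted.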
