More Accurate and Fast SYN Flood Detection

SYN flood attacks still dominate distributed denial-of-service (DDoS) attacks, and detecting them accurately in high-speed networks is a significant challenge. An intelligent attacker can evade the published detection methods by shaping the attack traffic so that it appears benign. Keeping per-flow or per-connection state would defeat such spoofing, but it also consumes a very large amount of resources. We propose a more accurate and fast SYN flood detection method, named SACK2, which can detect all kinds of SYN flood attacks at limited implementation cost. SACK2 exploits the behavior of the SYN/ACK-CliACK pair to identify the victim server and the TCP port under attack, where a SYN/ACK packet is the packet a server sends on receiving a connection request and a CliACK packet is the ACK packet the client sends to complete the three-way handshake. We use a space-efficient data structure, the counting Bloom filter, to recognize CliACK packets. Comprehensive experiments demonstrate that SACK2 is
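The SYN/ACK-CliACK pairing and the counting Bloom filter described above, as an added illustration written for this page; it is not the paper's SACK2 implementation and does not reproduce its exact hashing, sizing or thresholds. It assumes a hypothetical packet-record format (a dict with src, sport, dst, dport, flags, seq, ack), a sample trace constructed inline, and example filter sizes and an alert threshold chosen only for the demonstration. Each SYN/ACK the monitor sees inserts the key (client, server, expected ack = server ISN + 1) into the counting filter and increments an outstanding-handshake counter for that (server IP, port); a later ACK that hits the filter removes the key and decrements the counter. Because the key includes the acknowledgement number, a spoofed CliACK must guess the server's initial sequence number, which is the point of pairing rather than counting SYNs alone.

```python
import hashlib
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits


class CountingBloomFilter:
    """Counting Bloom filter: k salted SHA-256 hashes over m counters.
    m and k are example sizes, not the paper's parameters."""

    def __init__(self, m=4096, k=4):
        self.m, self.k = m, k
        self.counters = [0] * m

    def _indexes(self, key):
        for i in range(self.k):
            h = hashlib.sha256(f"{i}|{key}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, key):
        for idx in self._indexes(key):
            self.counters[idx] += 1

    def contains(self, key):
        return all(self.counters[idx] > 0 for idx in self._indexes(key))

    def remove(self, key):
        # Decrement only when every counter is non-zero, so counters never go negative.
        if not self.contains(key):
            return False
        for idx in self._indexes(key):
            self.counters[idx] -= 1
        return True


def handshake_key(client_ip, client_port, server_ip, server_port, expected_ack):
    # The CliACK that completes a handshake must carry ack == server ISN + 1.
    return f"{client_ip}:{client_port}->{server_ip}:{server_port}#{expected_ack}"


class SynAckPairDetector:
    """Counts SYN/ACKs per (server IP, port) that are never matched by a CliACK."""

    def __init__(self, cbf, threshold):
        self.cbf = cbf
        self.threshold = threshold
        self.pending = defaultdict(int)  # (server_ip, server_port) -> unmatched SYN/ACKs

    def observe(self, pkt):
        flags = pkt["flags"]
        if flags & SYN and flags & ACK:
            # SYN/ACK from server to client: remember the ack number we expect back.
            key = handshake_key(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["seq"] + 1)
            self.cbf.add(key)
            self.pending[(pkt["src"], pkt["sport"])] += 1
        elif flags & ACK and not flags & SYN:
            # Candidate CliACK from client to server: it counts only if it pairs with a SYN/ACK.
            key = handshake_key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["ack"])
            if self.cbf.remove(key):
                self.pending[(pkt["dst"], pkt["dport"])] -= 1

    def suspects(self):
        return {svc: n for svc, n in self.pending.items() if n >= self.threshold}


def make_packet(src, sport, dst, dport, flags, seq=0, ack=0):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "seq": seq, "ack": ack}


SERVER = "10.0.0.1"  # hypothetical victim address


def sample_trace():
    """Constructed sample traffic: one benign handshake on 443, a flood against 80."""
    pkts = [
        make_packet(SERVER, 443, "192.0.2.10", 40000, SYN | ACK, seq=1000),
        make_packet("192.0.2.10", 40000, SERVER, 443, ACK, seq=1, ack=1001),
    ]
    # 50 SYN/ACKs to spoofed clients that never answer.
    for i in range(50):
        pkts.append(make_packet(SERVER, 80, f"198.51.100.{i}", 50000 + i, SYN | ACK, seq=5000 + i))
    # A spoofed "CliACK" with a guessed ack number does not pair with any SYN/ACK.
    pkts.append(make_packet("198.51.100.0", 50000, SERVER, 80, ACK, seq=1, ack=42))
    return pkts


def detect(pkts, threshold=20):
    det = SynAckPairDetector(CountingBloomFilter(), threshold)
    for p in pkts:
        det.observe(p)
    return det.suspects(), dict(det.pending)


if __name__ == "__main__":
    flagged, per_service = detect(sample_trace())
    print("suspects:", flagged)          # {('10.0.0.1', 80): 50}
    print("per service:", per_service)   # port 443 back to 0, port 80 at 50
```

Two caveats a deployment would have to handle and the example does not: a Bloom-filter false positive lets an unrelated ACK (for instance a data ACK on an established flow) decrement a service's counter, so the filter must be sized for the expected number of outstanding handshakes, and keys must be aged out or the filter periodically reset, otherwise the counters only ever reflect the whole capture rather than a detection window. The threshold of 20 is arbitrary here; in practice it would be derived from the server's normal rate of unanswered SYN/ACKs.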
