论文信息 - Adaptive Timer-Based Countermeasures against TCP SYN Flood Attacks

Adaptive Timer-Based Countermeasures against TCP SYN Flood Attacks

SUMMARY As a result of the rapid development of the Internet in recent years, network security has become an urgent issue. Distributed denial of service (DDoS) attacks are one of the most serious security issues. In particular, 60 percent of the DDoS attacks found on the Internet are TCP attacks, including SYN flood attacks. In this paper, we propose adaptive timer-based countermeasures against SYN flood attacks. Our proposal utilizes the concept of soft-state protocols that are widely used for resource management on the Internet. In order to avoid deadlock, a server releases resources using a time-out mechanism without any explicit requests from its clients. If we change the value of the timer in accordance with the network conditions, we can add more flexibility to the soft-state protocols. The timer is used to manage the resources assigned to half-open connections in a TCP 3-way handshake mechanism, and its value is determined adaptively according to the network conditions. In addition, we report our simulation results to show the effectiveness of our approach.

Masayuki Murata | Masaki Aida | Makoto Imase | Masao Tanabe | Hirofumi Akaike

[1] Rocky K. C. Chang,et al. Defending against flooding-based distributed denial-of-service attacks: a tutorial , 2002, IEEE Commun. Mag..

[2] J. Little. A Proof for the Queuing Formula: L = λW , 1961 .

[3] Wei Zou,et al. Characterizing the IRC-based Botnet Phenomenon , 2007 .

[4] Masayuki Murata,et al. Deployable overlay network for defense against distributed SYN flood attacks , 2005, ICCCN.

[5] Paul Ferguson,et al. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing , 1998, RFC.

[6] Tada Harumasa,et al. Evaluation of Robustness of Soft State for Data Management in Distributed Environment , 2005 .

[7] Deborah Estrin,et al. Scalable timers for soft state protocols , 1997, Proceedings of INFOCOM '97.

[8] André Zúquete,et al. Improving the functionality of syn cookies , 2002, Communications and Multimedia Security.

[9] Don Towsley,et al. A Comparison of Hard-State and Soft-State Signaling Protocols , 2007, IEEE/ACM Transactions on Networking.

[10] Vishal Misra,et al. On the robustness of soft state protocols , 2004, Proceedings of the 12th IEEE International Conference on Network Protocols, 2004. ICNP 2004..

[11] Shang Zhi,et al. A proof of the queueing formula: L=λW , 2001 .

[12] Peter Reiher,et al. A taxonomy of DDoS attack and DDoS defense mechanisms , 2004, CCRV.