Research Article
A Robust Scheme to Detect SYN Flooding Attacks
@INPROCEEDINGS{10.1109/CHINACOM.2007.4469411,
  author={Changhua Sun and Jindou Fan and Bin Liu},
  title={A Robust Scheme to Detect SYN Flooding Attacks},
  proceedings={2nd International ICST Conference on Communications and Networking in China},
  publisher={IEEE},
  proceedings_a={CHINACOM},
  year={2010},
  month={5},
  keywords={Bandwidth, Computer crime, Computer science, Cryptography, Educational programs, Floods, Resource management, Robustness, Sun, Web and internet services},
  doi={10.1109/CHINACOM.2007.4469411}
}
- Changhua Sun
- Jindou Fan
- Bin Liu
Year: 2010
Proceedings: CHINACOM
Publisher: IEEE
DOI: 10.1109/CHINACOM.2007.4469411
Abstract
We propose a more robust scheme to detect SYN flooding attacks. Existing methods for detecting SYN flooding are based on the protocol behavior of TCP SYN–FIN (RST) or SYN–ACK pairs, as normally the number of SYN packets is equal to that of FIN (added with RST) packets, or ACK packets in the handshake. When a SYN flood starts, there will be more SYN packets. However, the attacker can avoid the detection by sending the FIN or RST packets (ACK packets) in conjunction with the SYN packets. To make the detection scheme more robust, we record the flow information of SYN packets in a counting Bloom Filter, and count the FIN (RST) packets according to the Bloom Filter. In addition, the Change Point Detection method based on a non-parametric Cumulative Sum algorithm is applied to make the detection mechanism much more generally applicable. Through trace-driven simulations, we show our detection scheme is more efficient and robust in detecting various SYN flooding attacks. More importantly, our scheme can be easily deployed at ISP’s edge routers.
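The idea in the abstract, as an added Python sketch that is not the authors' implementation: FIN/RST packets are counted only when a counting Bloom filter holds a SYN for the same flow, and a non-parametric CUSUM runs over the normalised count of unmatched SYNs. The filter size, flow key, normalisation, offset `a`, threshold and the trace are all assumptions made for this illustration.

```python
import hashlib

class CountingBloom:
    """Counting Bloom filter: counters instead of bits, so entries can be removed."""
    def __init__(self, size=1 << 16, hashes=4):
        self.size, self.hashes, self.counters = size, hashes, [0] * size

    def _slots(self, key):
        d = hashlib.sha256(key.encode()).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.size
                for i in range(self.hashes)]

    def add(self, key):
        for s in self._slots(key):
            self.counters[s] += 1

    def remove_if_present(self, key):
        slots = self._slots(key)
        if any(self.counters[s] == 0 for s in slots):
            return False                     # no SYN recorded for this flow
        for s in slots:
            self.counters[s] -= 1
        return True

def detect(intervals, use_bloom=True, a=0.35, threshold=1.0):
    """Return the indices of intervals whose CUSUM statistic exceeds threshold."""
    bloom, y, alarms = CountingBloom(), 0.0, []
    for n, packets in enumerate(intervals):
        syn = closed = 0
        for flag, src, sport, dst, dport in packets:
            ends = sorted([(src, sport), (dst, dport)])  # same key both directions
            key = f"{ends[0]}|{ends[1]}"
            if flag == "SYN":
                bloom.add(key)
                syn += 1
            elif flag in ("FIN", "RST"):
                # use_bloom=False is the plain SYN-FIN(RST) pair count
                if not use_bloom or bloom.remove_if_present(key):
                    closed += 1
        x = (syn - closed) / max(syn, 1)     # normalised unmatched SYNs (assumed form)
        y = max(0.0, y + x - a)              # non-parametric CUSUM update
        if y > threshold:
            alarms.append(n)
    return alarms

def sample_trace():
    """Constructed trace: intervals 0-2 normal, 3-6 flood with unrelated FINs."""
    trace = []
    for n in range(7):
        pkts = []
        for i in range(20):                  # connections that open and close
            flow = (f"10.0.{n}.{i}", 40000 + i, "192.0.2.10", 80)
            pkts += [("SYN", *flow), ("FIN", *flow)]
        for i in range(100 if n >= 3 else 0):
            pkts.append(("SYN", f"198.51.{n}.{i}", 1024 + i, "192.0.2.10", 80))
            pkts.append(("FIN", f"203.0.{n}.{i}", 2048 + i, "192.0.2.10", 80))
        trace.append(pkts)
    return trace
```

On this trace the plain pair count never alarms because SYN and FIN totals stay equal, while the filter-based count alarms from the third flood interval onward. The sketch never ages entries out of the filter, which a long-running deployment would need.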