DocumentCode :
1392067
Title :
SACK2: effective SYN flood detection against skillful spoofs
Author :
Sun, Chao ; Hu, Chuanmin ; Liu, B.
Author_Institution :
IBM China Res. Lab., Beijing, China
Volume :
6
Issue :
3
fYear :
2012
Firstpage :
149
Lastpage :
156
Abstract :
SYN flood attacks still dominate distributed denial of service attacks. It is a great challenge to accurately detect SYN flood attacks which utilise skillful spoofs to evade traditional detection methods. An intelligent attacker would evade the public detection methods by suitably spoofing the attack to appear benign. Keeping per-flow or per-connection state could eliminate such spoofing, but it is very difficult to implement in practice. A more accurate and fast SYN flood detection method, named SACK2, is proposed to deal with all kinds of SYN flood attacks with limited implementation costs. SACK2 exploits the behaviour of the SYN/ACK-CliACK pair to identify the victim server and the TCP port being attacked, where a SYN/ACK packet is sent by a server when receiving a connection request and a CliACK packet is the ACK packet sent by the client to complete the three-way handshake. It also utilises a space-efficient data structure, the counting Bloom filter, to recognise the CliACK packet. The memory cost of SACK2 for a 10 Gbps link is 364 KB and can be easily accommodated in modern routers. SACK2 can report the start of the attack in less than one detection period, and the end of the attack in less than two detection periods. It is also demonstrated that SACK2 is the most accurate detection method through comprehensive experiments.
Keywords :
computer network security; CliACK packet; SACK2; SYN flood attacks; SYN flood detection; SYN-ACK-CliACK; TCP port; distributed denial of service attacks; per-connection state; per-flow state; public detection methods; server; skillful spoofs;
fLanguage :
English
Journal_Title :
Information Security, IET
Publisher :
iet
ISSN :
1751-8709
Type :
jour
DOI :
10.1049/iet-ifs.2010.0158
Filename :
6397160