Detecting SYN flooding attacks

We propose a simple and robust mechanism for detecting SYN flooding attacks. Instead of monitoring the ongoing traffic at the front end (like firewall or proxy) or a victim server itself, we detect the SYN flooding attacks at leaf routers that connect end hosts to the Internet. The simplicity of our detection mechanism lies in its statelessness and low computation overhead, which make the detection mechanism itself immune to flooding attacks. Our detection mechanism is based on the protocol behavior of TCP SYN-FIN (RST) pairs, and is an instance of the Seqnential Change Point Detection [l]. To make the detection mecbanism insensitive to site and access pattern, a non-parametric Cnmnlative Sum (CUSUM) method [4] is applied, thus making the detection mechanism much more generally applicable and its deployment much easier. The efficacy of this detection mechanism is validated by trace-driven simulations. The evaluation results show that the detection mechanism has short detection latency and high detection accuracy. Moreover, due to its proximity to the flooding sources, our mechanism not only sets alarms upon detection of ongoing SYN flooding attacks, but also reveals the location of the flooding sources without resorting to expensive IP traceback.