An active detecting method against SYN flooding attack

Author

Xiao, Bin ; Chen, Wei ; He, Yanxiang ; Sha, Edwin H M

Author_Institution

Dept. of Comput., Hong Kong Polytech. Univ., China

Volume

1

fYear

2005

fDate

20-22 July 2005

Firstpage

709

Abstract

SYN flooding attacks are a common type of distributed denial-of-service (DDoS) attack. Early detection is desirable but traditional passive detection methods are inaccurate in the early stages due to their reliance on passively sniffing an attacking signature. The method presented in this paper captures attacking signatures using an active probing scheme that ensures the efficient early detection. The active probing scheme - DARB obtains the delay of routers by sending packets containing special time-to-live set at the IP headers. The results of the probe are used to perform SYN flooding detection, which is reliable and with little overhead. This approach is more independent than other methods that require cooperation from network devices. Experiments show that this delay-probing approach distinguishes half-open connections caused by SYN flooding attacks from those arising from other causes accurately and at an early stage.

Keywords

IP networks; delays; security of data; telecommunication network routing; telecommunication security; DARB; DDoS; IP headers; SYN flooding attack; active detecting method; active probing scheme; delay-probing approach; distributed denial-of-service attack; network device; signature attack; time-to-live set; Computer crime; Computer science; Delay estimation; Distributed computing; Filtering; Floods; Helium; Probes; Protection; Time of arrival estimation;

fLanguage

English

Publisher

ieee

Conference_Titel

Parallel and Distributed Systems, 2005. Proceedings. 11th International Conference on

ISSN

1521-9097

Print_ISBN

0-7695-2281-5

Type

conf

DOI

10.1109/ICPADS.2005.67

Filename

1531201