Title :
Performance Evaluation for Linux under SYN Flooding Attacks
Author :
Oshima, Shunsuke ; Nakashima, Takuo
Author_Institution :
Yatsushiro Nat. Coll. of Technol., Kumamoto
Abstract :
The SYN flooding attack is a DoS (denial of service) method that forces hosts to retain the half-open state, exhausting their memory resources. This attack can hardly be filtered by routers when the source IP address is spoofed. In this paper, we present a performance evaluation for the Linux FC5 platform under SYN flooding attacks and propose a method for detection at an early stage. We implement an attacking program and observe response packets from the server. Our method explores two features of Linux FC5. Firstly, the syncookie operates only on the initial SYN+ACK response even if SYN requests exceed the backlog value. Secondly, retransmission packets tend to be lost at fewer than 100 sequential SYN requests. We adopt the packet loss rate for retransmission as a metric and extract a threshold value of 60% to identify whether the server is attacked or not, and set the threshold values for each metric. We consequently detect slight variations in the response packets; if the value exceeds the pre-determined threshold value, the detecting host sends an RST packet to release the half-open state on TCP.
Keywords :
Linux; authorisation; Linux FC5 platform; SYN flooding attack; denial of service method; packet loss rate; Computer crime; Educational institutions; Floods; Information science; Linux; Network servers; Protocols; TCPIP; Web and internet services; Web server;
Conference_Title :
Innovative Computing, Information and Control, 2007. ICICIC '07. Second International Conference on
Conference_Location :
Kumamoto
Print_ISBN :
0-7695-2882-1
DOI :
10.1109/ICICIC.2007.449