• DocumentCode
    3322745
  • Title

    More Accurate and Fast SYN Flood Detection

  • Author

    Sun, Changhua ; Hu, Chengchen ; Tang, Yi ; Liu, Bin

  • Author_Institution
    Dept. of Comput. Sci. & Technol., Tsinghua Univ., Beijing, China
  • fYear
    2009
  • fDate
    3-6 Aug. 2009
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    SYN flood attacks still dominate distributed denial of service attacks. It is a great challenge to accurately detect SYN flood attacks in high-speed networks. An intelligent attacker would evade the public detection methods by suitably spoofing the attack to pretend to be benign. Keeping per-flow or per-connection state could eliminate such spoofing, but it also consumes extremely large resources. We propose a more accurate and fast SYN flood detection method, named SACK2, which could detect all kinds of SYN flood attacks with limited implementation costs. SACK2 exploits the behavior of the SYN/ACK-CliACK pair to identify the victim server and the TCP port being attacked, where a SYN/ACK packet is sent by a server when receiving a connection request and a CliACK packet is the ACK packet sent by the client to complete the three-way handshake. We utilize a space-efficient data structure, the counting Bloom filter, to recognize the CliACK packet. Comprehensive experiments demonstrate that SACK2 is the fastest and most accurate detection method compared with related methods which also leverage the packet pair's behavior. The memory cost of SACK2 for a 10 Gbps link is 364 KB and can be easily accommodated in modern routers.
  • Keywords
    data structures; security of data; transport protocols; Bloom filter; SACK2; SYN flood attack detection; SYN/ACK-CliACK; TCP port; distributed denial of service attacks; public detection methods; routers; space efficient data structure; three-way handshake; victim server; Computer crime; Computer science; Costs; Data structures; Floods; High-speed networks; Network servers; Protocols; Sun; Web and internet services;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Communications and Networks, 2009. ICCCN 2009. Proceedings of 18th International Conference on
  • Conference_Location
    San Francisco, CA
  • ISSN
    1095-2055
  • Print_ISBN
    978-1-4244-4581-3
  • Electronic_ISBN
    1095-2055
  • Type

    conf

  • DOI
    10.1109/ICCCN.2009.5235270
  • Filename
    5235270