CR · Jan 10, 2012

An Active Defense Mechanism for TCP SYN flooding attacks

arXiv:1201.2103v1 · 11 citations
AI Analysis

The paper addresses network service interruptions caused by DDoS attacks on public servers, but it appears incremental: it builds on existing detection methods by incorporating arrival-traffic statistics.

The paper tackles the detection of TCP SYN flooding attacks with a new defense mechanism that uses the time variation of arrival-traffic statistics to distinguish normal SYN packets from malicious ones more accurately, so that defense nodes can block attack traffic while admitting legitimate connections.

Distributed denial-of-service attacks on public servers have recently become a serious problem. To assure that network services will not be interrupted, more effective defense mechanisms are needed to protect against malicious traffic, especially SYN floods. One problem in detecting SYN flood traffic is that server nodes or firewalls cannot distinguish the SYN packets of normal TCP connections from those of a SYN flood attack. Another problem is that single-point defenses (e.g. firewalls) lack the scalability needed to handle an increase in attack traffic. We have designed a new defense mechanism to detect SYN flood attacks. First, we introduce a mechanism for detecting SYN flood traffic more accurately by taking into consideration the time variation of arrival traffic. We investigate the statistics regarding the arrival rates of both normal TCP SYN packets and SYN flood attack packets. We then describe a new detection mechanism based on these statistics. Through a trace-driven approach, we show that defense nodes which receive the alert messages can identify legitimate traffic and block malicious traffic by delegating SYN/ACK packets.
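The two ideas in the abstract, an arrival-rate detector that tolerates the normal time variation of SYN traffic and a defense node that delegates SYN/ACKs so the protected server only sees completed handshakes, can be exercised together in a small simulation. The code below is an added example written for this page, not code from the paper: the adaptive-threshold rule (an EWMA baseline of per-interval SYN counts, alarm only after several consecutive intervals above mean + K·sigma) and the SYN-cookie style delegation are assumed stand-ins for the paper's own statistical model and defense-node protocol, and the SYN trace and addresses are constructed.

```python
"""SYN-flood detection from SYN arrival-rate statistics, plus SYN/ACK delegation.

Added illustration, not code from the paper. The EWMA threshold rule and the
cookie-based delegation are assumed substitutes for the paper's own mechanism.
"""
import hashlib
import hmac
import math


class SynRateDetector:
    """Flag SYN flooding from the time variation of the per-interval SYN count."""

    def __init__(self, alpha=0.1, k=3.0, min_run=3, sigma_floor=5.0):
        self.alpha = alpha              # EWMA weight for the normal-traffic baseline
        self.k = k                      # alarm threshold in standard deviations
        self.min_run = min_run          # consecutive anomalous intervals before alarm
        self.sigma_floor = sigma_floor  # keeps the threshold usable while variance is tiny
        self.mean = None
        self.var = 0.0
        self.run = 0

    def observe(self, syn_count):
        """Feed one interval's SYN count; return True once an attack is declared."""
        if self.mean is None:           # first interval seeds the baseline
            self.mean = float(syn_count)
            return False
        sigma = max(math.sqrt(self.var), self.sigma_floor)
        if syn_count > self.mean + self.k * sigma:
            self.run += 1               # anomalous interval: do not learn from it
        else:
            self.run = 0                # normal interval: track the drifting baseline
            d = syn_count - self.mean
            self.mean += self.alpha * d
            self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        return self.run >= self.min_run


def detect_index(counts, **kw):
    """Index of the interval at which the alarm first fires, or -1 if never."""
    det = SynRateDetector(**kw)
    for i, c in enumerate(counts):
        if det.observe(c):
            return i
    return -1


class SynAckDelegate:
    """Defense node answering SYN/ACK on the server's behalf during an attack.

    The ISN is a keyed hash of the client tuple and a coarse time slot, so no
    per-SYN state is kept and only a peer that actually receives the SYN/ACK
    (a non-spoofed source) can produce the matching ACK. Only completed
    handshakes are handed to the protected server.
    """

    def __init__(self, key):
        self.key = key
        self.established = []   # (client_ip, client_port) pairs handed to the server
        self.rejected = 0

    def _cookie(self, client, port, slot):
        msg = f"{client}:{port}:{slot}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, client, port, slot):
        """Return the ISN to place in the delegated SYN/ACK."""
        return self._cookie(client, port, slot)

    def on_ack(self, client, port, ack_num, slot):
        """Validate the client's final ACK; accept the current or previous slot."""
        for s in (slot, slot - 1):
            if ack_num == (self._cookie(client, port, s) + 1) & 0xFFFFFFFF:
                self.established.append((client, port))
                return True
        self.rejected += 1
        return False


# Constructed trace: ten normal intervals of roughly 25 SYN/s, then a flood.
TRACE = [24, 26, 22, 28, 25, 23, 27, 24, 26, 25, 480, 520, 510, 495, 530]


def simulate(key=b"constructed-demo-key"):
    """Run the trace through the detector; delegate SYN/ACKs once it alarms."""
    det = SynRateDetector()
    node = SynAckDelegate(key)
    for slot, count in enumerate(TRACE):
        if not det.observe(count):
            continue
        # Spoofed sources never see the SYN/ACK, so they never ACK (constructed).
        for i in range(3):
            node.on_syn(f"203.0.113.{i}", 10000 + i, slot)
        # One legitimate client completes its handshake in the same slot.
        isn = node.on_syn("198.51.100.7", 40000, slot)
        node.on_ack("198.51.100.7", 40000, (isn + 1) & 0xFFFFFFFF, slot)
        # A forged ACK without the matching cookie is dropped.
        node.on_ack("203.0.113.9", 10009, 12345, slot)
        return {"attack_at": slot, "established": node.established,
                "rejected": node.rejected}
    return {"attack_at": -1, "established": [], "rejected": 0}


if __name__ == "__main__":
    print(simulate())
```

Two properties matter for a practitioner. The baseline is updated only from intervals judged normal, so a flood cannot raise the threshold it is measured against, while a gradual legitimate ramp is absorbed because the EWMA variance grows with the drift. And the delegate keeps no state per SYN, so the flood costs it only a hash per packet; the server's backlog is consumed solely by peers that completed the handshake.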
