Conference topic

Detecting SYN Flooding Agents Under Any Type of IP Spoofing

The TCP SYN flooding attack is the most prevalent type of DDoS attack that exhausts network resources. A router-based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victim server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the subnetwork into two streams, the first SYN/ACK packets (SYN/ACKf) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable, and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

Dalia Nashat Xiaohong Jiang Susumu Horiguchi

Graduate School of Information Sciences Tohoku University Sendai, Japan, 980-8579

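International conference

AiR08, EM2108, SOAIC08, SIOKM08, BIMA08, DKEEE08 (2008 IEEE International Conference on E-Business Engineering)

Xi'an

English

499-505

2008-10-22 (date first made available online on the Wanfang platform; does not represent the paper's publication date)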
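The two building blocks named in the abstract, as an added example that is not the authors' code: a counting Bloom filter splits incoming SYN/ACK packets into SYN/ACKf and SYN/ACKr, and a cumulative sum raises an alarm when retransmissions persist. The filter key (4-tuple plus sequence and Ack. numbers), the per-interval statistic, the CUSUM offset and threshold, and the traffic are assumptions constructed for illustration.

```python
import hashlib

FIELDS = ("src", "sport", "dst", "dport", "seq", "ack")

class CountingBloomFilter:
    def __init__(self, size=1 << 16, hashes=4):
        self.size, self.hashes = size, hashes
        self.counters = [0] * size

    def _slots(self, key):
        # One slot per hash function, derived by salting BLAKE2b with the index.
        for i in range(self.hashes):
            d = hashlib.blake2b(key, digest_size=8, salt=bytes([i])).digest()
            yield int.from_bytes(d, "big") % self.size

    def contains(self, key):
        return all(self.counters[s] > 0 for s in self._slots(key))

    def add(self, key):
        for s in self._slots(key):
            self.counters[s] += 1

def classify(cbf, pkt):
    """Label a SYN/ACK as first ('SYN/ACKf') or retransmission ('SYN/ACKr')."""
    # Assumed key: a retransmitted SYN/ACK repeats the 4-tuple, seq and ack.
    key = "|".join(str(pkt[f]) for f in FIELDS).encode()
    if cbf.contains(key):
        return "SYN/ACKr"
    cbf.add(key)
    return "SYN/ACKf"

def retx_fraction(cbf, interval):
    """Assumed statistic: share of SYN/ACKr among one interval's SYN/ACKs."""
    labels = [classify(cbf, p) for p in interval]
    return labels.count("SYN/ACKr") / len(labels)

def cusum_alarm(samples, offset, threshold):
    """y_n = max(0, y_{n-1} + x_n - offset); index of first y_n > threshold."""
    y = 0.0
    for n, x in enumerate(samples):
        y = max(0.0, y + x - offset)
        if y > threshold:
            return n
    return None

def make_interval(seq0, first, retx):
    # Constructed traffic: `first` distinct SYN/ACKs, then `retx` repeats.
    pkts = [dict(src="203.0.113.10", sport=80, dst="192.0.2.%d" % (i + 1),
                 dport=40000 + i, seq=seq0 + i, ack=seq0 + 7 * i + 1) for i in range(first)]
    return pkts + [pkts[i % first] for i in range(retx)]

INTERVALS = ([make_interval(1000 * n, 10, 1) for n in range(3)] +
             [make_interval(1000 * n, 10, 20) for n in range(3, 6)])
```

Three quiet intervals are followed by three with heavy retransmission; the cumulative sum stays at zero during the first three and crosses the threshold only after the retransmissions persist for a second interval.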