Detecting SYN flooding attacks
Proceedings - IEEE INFOCOM - Volume 3 - Pages 1530-1539
Abstract
We propose a simple and robust mechanism for detecting SYN flooding attacks. Instead of monitoring the ongoing traffic at the front end (such as a firewall or proxy) or at the victim server itself, we detect SYN flooding attacks at the leaf routers that connect end hosts to the Internet. The simplicity of our detection mechanism lies in its statelessness and low computation overhead, which make the detection mechanism itself immune to flooding attacks. Our detection mechanism is based on the protocol behavior of TCP SYN-FIN (RST) pairs, and is an instance of Sequential Change Point Detection [1]. To make the detection mechanism insensitive to site and access pattern, a non-parametric Cumulative Sum (CUSUM) method [4] is applied, thus making the detection mechanism much more generally applicable and its deployment much easier. The efficacy of this detection mechanism is validated by trace-driven simulations. The evaluation results show that the detection mechanism has short detection latency and high detection accuracy. Moreover, due to its proximity to the flooding sources, our mechanism not only raises alarms upon detection of ongoing SYN flooding attacks, but also reveals the location of the flooding sources without resorting to expensive IP traceback.
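The following is an added worked example, not code from the paper or its authors, showing the detection idea the abstract describes: per observation interval a leaf router counts SYNs and FIN/RSTs, feeds the normalized difference into a non-parametric CUSUM recursion, and alarms once the accumulated statistic crosses a threshold. The abstract names the technique but gives no formula, so everything below is an assumption of this example: the normalization of the SYN minus FIN/RST difference by an exponentially weighted running average of FIN/RST counts (this is what makes the statistic independent of site size), the drift constant `a` that keeps the statistic at zero under normal traffic, the alarm threshold `N`, and the constructed per-interval counts.

```python
"""Non-parametric CUSUM over SYN vs FIN/RST counts, one update per interval.

Added example; the normalization, drift, threshold and sample counts are
constructed assumptions, not values taken from the paper.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass
class SynFloodCusum:
    """Keeps only two floats between intervals, so it is cheap and nearly stateless.

    drift      -- the constant 'a' subtracted each step so the normalized
                  SYN-FIN difference has a negative mean under normal traffic
                  (constructed value; a real deployment tunes it from traces).
    threshold  -- the CUSUM alarm level N (constructed value).
    ewma_alpha -- weight of the running average of FIN/RST counts used for
                  normalization (assumed normalization, see lead-in).
    """
    drift: float = 0.5
    threshold: float = 3.0
    ewma_alpha: float = 0.2
    fin_avg: float = 0.0   # running average of FIN/RST counts per interval
    stat: float = 0.0      # accumulated CUSUM statistic y_n

    def update(self, syn: int, fin_rst: int) -> Tuple[float, bool]:
        """Feed one interval's SYN and FIN/RST counts; return (y_n, alarm)."""
        if self.fin_avg == 0.0:
            # Bootstrap the average from the first interval; floor at 1 so an
            # idle link never causes a division by zero.
            self.fin_avg = float(max(fin_rst, 1))
        # Normalize the SYN minus FIN(RST) difference by the FIN/RST average so
        # the statistic does not depend on how busy the site is.
        x_n = (syn - fin_rst) / max(self.fin_avg, 1.0)
        # Non-parametric CUSUM recursion: y_n = max(0, y_{n-1} + x_n - a).
        # Under normal traffic x_n - a is negative and y_n stays at zero;
        # during a flood x_n - a is positive and y_n grows every interval.
        self.stat = max(0.0, self.stat + x_n - self.drift)
        # Update the running FIN/RST average only after it has been used.
        self.fin_avg = (1.0 - self.ewma_alpha) * self.fin_avg + self.ewma_alpha * fin_rst
        return self.stat, self.stat > self.threshold


def first_alarm_index(intervals: Sequence[Tuple[int, int]], **kwargs) -> Optional[int]:
    """Return the index of the first interval that raises an alarm, or None."""
    det = SynFloodCusum(**kwargs)
    for i, (syn, fin_rst) in enumerate(intervals):
        _, alarm = det.update(syn, fin_rst)
        if alarm:
            return i
    return None


# Constructed sample: eight normal intervals where SYNs roughly match FIN/RSTs
# (new connections slightly outnumber teardowns, as on a live link), followed
# by four intervals of a spoofed-source SYN flood whose SYNs never get a FIN/RST.
NORMAL = [(100, 100), (105, 100), (98, 102), (110, 104),
          (100, 99), (103, 101), (99, 100), (104, 102)]
FLOOD = [(420, 100), (450, 98), (480, 101), (500, 97)]
SAMPLE = NORMAL + FLOOD


if __name__ == "__main__":
    det = SynFloodCusum()
    for i, (syn, fin_rst) in enumerate(SAMPLE):
        y_n, alarm = det.update(syn, fin_rst)
        flag = "ALARM" if alarm else ""
        print(f"interval {i:2d}: syn={syn:3d} fin/rst={fin_rst:3d} y_n={y_n:6.3f} {flag}")
    print("first alarm at interval", first_alarm_index(SAMPLE))
```

With these constructed values the statistic stays at exactly zero through the eight normal intervals, reaches about 2.67 on the first flood interval and crosses the threshold on the second, so the alarm fires at interval index 9, two intervals after the flood begins. Because the counters live on the leaf router, the interfaces whose SYN counts drive the statistic also identify which attached hosts are sourcing the flood, which is the localization property the abstract claims.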
Keywords
Floods, Web server, Network servers, Web and internet services, Computer crime, Robustness, Monitoring, Access protocols, Delay, IP networks
References
doi:10.1145/1132026.1132027
Zhang, A multi-layer IPsec protocol, 9th USENIX Security Symposium, August 2000
Lemon, Resisting SYN flooding DoS attacks with a SYN cache, Proceedings of USENIX BSDCon'2002, February 2002
McCreary, Trends in wide area IP traffic patterns - a view from Ames Internet Exchange, Proceedings of ITC'2000, September 2000
Wang, 2001, Layer-4 service differentiation and isolation
Gil, MULTOPS: A data-structure for bandwidth attack detection, 2001 USENIX Security Symposium, August 2001
Wu, 2001, Intention-driven ICMP traceback
Lakshman, High speed policy-based packet forwarding using efficient multi-dimensional range matching, Proceedings of ACM SIGCOMM, September 1998
Gribble, System design issues for internet middleware services: Deductions from a large client trace, USENIX Proceedings of the Symposium on Internet Technologies and Systems 99, December 1997
Gupta, Packet classification on multiple fields, Proc. ACM SIGCOMM, September 1999
Ferguson, 1998, Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing, RFC 2267
doi:10.1109/MC.2000.839316
Park, On the effectiveness of probabilistic packet marking for IP traceback under denial of service attack, Proc. of IEEE INFOCOM'2001, March 2001
doi:10.1145/383059.383061
doi:10.1109/90.392383
Postel, 1981, Transmission control protocol, Request for Comments 793
Savage, Practical network support for IP traceback, Proceedings of ACM SIGCOMM'2000, August 2000
doi:10.1109/SECPRI.1997.601338
doi:10.1145/378420.378789
Song, Advanced and authenticated marking schemes for IP traceback, Proc. of IEEE INFOCOM'2001, March 2001
doi:10.1145/383059.383060
Bernstein, Linux kernel SYN cookies firewall project
Bellovin, 2000, ICMP traceback messages
doi:10.1002/047120644X.ch15
Basseville, 1993, Detection of Abrupt Changes: Theory and Application
Srinivasan, Fast and scalable layer four switching, Proceedings of ACM SIGCOMM, September 1998
doi:10.1145/339331.339413
SynDefender
doi:10.1109/65.642356
doi:10.1145/115992.116003
Stevens, 1994, TCP/IP Illustrated, Volume 1
doi:10.1007/978-94-015-8163-9
Dittrich, Distributed denial of service (DDoS) attacks/tools page
Darmohray, 2000, Hot spares for DoS attacks, ;login:, 25
