Detecting SYN Flooding Attacks
Outline
Introduction
Related Issues
Attack Detection
Performance Evaluation
Future Work
Conclusion
Introduction
Attacks on popular sites
Most of them are DoS using TCP
SYN Flooding exploits TCP 3-way hand-shake
Syn Cache, Syn cookies, SynDefender, Syn Proxying and SynKill
Installed on firewall or victim server
Introduction (cont)
Specialized firewalls become worthless with 14000 packets per sec.
FDS – Flooding Detection System
Installed on leaf routers (First-mile or Last-mile routers)
FDS uses key feature of TCP SYN-FIN pairs behavior.
Introduction (cont)
TCP packet classification is done at leaf router
SYN (beginning) FIN (END) for each TCP connection
No means to distinguish active FIN and passive FIN
RST violates the SYN-FIN pairs
Three new variables introduced to count SYN,FIN, and RST
Related Issues
Packet Classification
Placement of Detection Mechanism
Discrepancy between SYN’s and FIN’s
Packet classification
Packet Classification is done at the leaf router
First two steps confirm that it is a TCP packet
Code Bits in IP packet equals the sum of the length of IP header and offset of code BIT’s in TCP
Placement of Detection Mechanism
FDS is installed at the first-mile and last mile router
First-mile is more likely to catch flooding detection due to proximity to sources.
Last-mile quickly detects the flooding but cant provide hint about flooding sources
FDS is not installed at core due to a) it is close to neither flooding sources not the victim b) packets of the same flow could traverse different paths
Discrepancy btw SYN’s and FIN’s
Single RST packet can terminate a TCP session
Passive RST transmitted in response to close the port
Active RST transmitted in response to abort a TCP connection and associated with a SYN
Normal behavior of TCPSYN,FIN), (SYN/ACK,FIN) and (SYN,RSTactive)
FDS cannot differentiate between active and passive RST