Detection and Defense Method against Distributed SYN Flood Attacks

Distributed denial-of-service attacks on public servers have recently become a serious problem. To assure that network services will not be interrupted, we need faster and more effective defense mechanisms to protect against malicious traffic, especially SYN floods. One problem in detecting SYN flood traffic is that server nodes or firewalls cannot distinguish the SYN packets of normal TCP connections from those of a SYN flood attack. Another problem is single-point deffenses (e.g. firewalls) lack the scalability needed to handle an increase in the attack traffic. In this research, we have developed a new mechanism to detect and block SYN flood attacks. First, we introduce a mechanism for detecting SYN flood traffic more accurately by taking into consideration the time variation of arrival traffic. We investigate the statistics regarding the arrival rates of both normal TCP SYN packets and SYN flood attack packets. We then describe a new detection mechanism based on these statistics. Our analytical results show that the arrival rate of normal TCP SYN packets can be modeled by a normal distribution and that our proposed mechanism can detect SYN flood traffic quickly and accurately regardless of time variance of the traffic. As a post-detection method, we develop a distributed defense mechanism which uses overlay networks. In this mechanism, alert messages are sent via the overlay networks. Defense nodes which receive the alert messages can identify legitimate traffic and block malicious traffic by delegating SYN/ACK packets. Legitimate traffic is protected via the overlay networks. Our simulation results show that attacker-side defense can protect legitimate packets from higher-rate attacks than victim-side defense and that our proposed method can effectively block malicious traffic and protect legitimate traffic.