More Accurate and Fast SYN Flood Detection

Abstract—SYN flood attacks still dominate Distributed Denial of Service attacks. It is a great challenge to accurately detect the SYN flood attacks in high speed networks. An intelligent attacker would evade the public detection methods by suitably spoofing the attack to pretend to be benign. Keeping perflow or per-connection state could eliminate such a spoofing, but meanwhile, it also consumes extremely huge resources. We propose a more accurate and fast SYN flood detection method, named SACK 2, which could detect all kinds of SYN flood attacks with limited implementation costs. SACK 2 exploits the behavior of the SYN/ACK-CliACK pair to identify the victim server and the TCP port being attacked, where a SYN/ACK packet is sent by a server when receiving a connection request and a CliACK packet is the ACK packet sent by the client to complete the three-way handshake. We utilize the space efficient data structure, counting Bloom filter, to recognize the CliACK packet. Comprehensive experiments demonstrate that, SACK 2 is the fastest and most accurate detection method compared with related methods which also leverage the packet pair’s behavior. The memory cost of SACK 2 for a 10Gbps link is 364KB and can be easily accommodated in modern routers. I