Wide area traffic: the failure of Poisson modeling
IEEE/ACM Transactions on Networking (TON)
Controlling high bandwidth aggregates in the network
ACM SIGCOMM Computer Communication Review
ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
Analysis of a Denial of Service Attack on TCP
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
D-ward: source-end defense against distributed denial-of-service attacks
D-ward: source-end defense against distributed denial-of-service attacks
Long-Range Dependence: Ten Years of Internet Traffic Modeling
IEEE Internet Computing
D-SAT: Detecting SYN Flooding Attack by Two-Stage Statistical Approach
SAINT '05 Proceedings of the The 2005 Symposium on Applications and the Internet
Statistical-Based SYN-Flooding Detection Using Programmable Network Processor
ICITA '05 Proceedings of the Third International Conference on Information Technology and Applications (ICITA'05) Volume 2 - Volume 02
An Active Detecting Method Against SYN Flooding Attack
ICPADS '05 Proceedings of the 11th International Conference on Parallel and Distributed Systems - Volume 01
Inferring internet denial-of-service activity
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
MULTOPS: a data-structure for bandwidth attack detection
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Performance Estimation of TCP under SYN Flood Attacks
CISIS '07 Proceedings of the First International Conference on Complex, Intelligent and Software Intensive Systems
Transport-aware IP routers: a built-in protection mechanism to counter DDoS attacks
IEEE Transactions on Parallel and Distributed Systems
Survey and taxonomy of IP address lookup algorithms
IEEE Network: The Magazine of Global Internetworking
| Hi-index | 0.00 |
We present an original approach to identify synchronize (SYN) flooding attacks from the victim's side, on the basis of a classification of the different forms that TCP handshakes can take during a connection set-up between a client and a server (e.g. for Web traffic). We first identify the unusual handshake sequences that result from an attack and show how such observations can be used for SYN flooding attack detection. We then introduce a data structure to monitor, in real time, the state of the TCP handshake and study its performance. In addition, we explain the management of the data structure for operations such as initialization, adding and removing flows. Finally, we analyse the effectiveness of our TCP handshake monitoring to identify the presence of SYN flooding attacks by applying it to real traffic traces. To allow quick protection and help guarantee a proper defence, the detection is done in real time. Our detection system uses a non-parametric cumulative sum algorithm (CUSUM), which has the benefit of not requiring a detailed model of the normal and attack traffic while achieving excellent detection levels. Copyright © 2011 John Wiley & Sons, Ltd.