Performance Estimation of TCP under SYN Flood Attacks

  • Authors:
  • Takuo Nakashima; Toshinori Sueyoshi

  • Affiliations:
  • Kyushu Tokai University, Japan; Kumamoto University, Japan

  • Venue:
  • CISIS '07 Proceedings of the First International Conference on Complex, Intelligent and Software Intensive Systems
  • Year:
  • 2007

Quantified Score

Hi-index 0.00

Abstract

The SYN flood attack is a DoS (Denial of Service) method that forces hosts to retain connections in the half-open state, exhausting their memory resources. This attack is hard to filter at the router when the source IP address is spoofed. In this paper, we present a performance estimation of TCP under SYN flood attacks and propose a method for detecting them at an early stage. We implement an attacking program and observe the response packets from the server on different OSs. Our performance estimation explores the metric for detecting the condition caused by SYN flood attacks. First, observing the response packets leads us to the most sensitive metric and its threshold. Second, the packet loss rate is adopted as the metric to identify whether the server is under attack. Finally, we detect slight variations in the response packets; if the value exceeds the predetermined threshold, the detecting host sends an RST packet to release the half-open state on TCP.