Detecting SYN Flooding Attacks


We propose a simple and robust mechanism for detecting SYN flooding attacks. Instead of monitoring the ongoing traffic at the front end (like firewall or proxy) or a victim server itself, we detect the SYN flooding attacks at leaf routers that connect end hosts to the Internet. The simplicity of our detection mechanism lies in its statelessness and low computation overhead, which make the detection mechanism itself immune to flooding attacks. Our detection mechanism is based on the protocol behavior of TCP SYN–FIN (RST) pairs, and is an instance of the Sequential Change Point Detection [1]. To make the detection mechanism insensitive to site and access pattern, a non-parametric Cumulative Sum (CUSUM) method [4] is applied, thus making the detection mechanism much more generally applicable and its deployment much easier. The efficacy of this detection mechanism is validated by trace-driven simulations. The evaluation results show that the detection mechanism has short detection latency and high detection accuracy. Moreover, due to its proximity to the flooding sources, our mechanism not only sets alarms upon detection of ongoing SYN flooding attacks, but also reveals the location of the flooding sources without resorting to expensive IP traceback.

DOI: 10.1109/INFCOM.2002.1019404

Extracted Key Phrases

10 Figures and Tables

Citations per Year

582 Citations

Semantic Scholar estimates that this publication has 582 citations based on the available data.

See our FAQ for additional information.

Cite this paper

@inproceedings{Wang2002DetectingSF, title={Detecting SYN Flooding Attacks}, author={Haining Wang and Danlu Zhang and Kang G. Shin}, booktitle={INFOCOM}, year={2002} }