Throttling spoofed SYN flooding traffic at the source

Research paper by Wei Chen, Dit-Yan Yeung

Indexed on: 02 Nov '06Published on: 02 Nov '06Published in: Telecommunication Systems


TCP-based flooding attacks are a common form of Distributed Denial-of-Service (DDoS) attacks which abuse network resources and can bring about serious threats to the Internet. Incorporating IP spoofing makes it even more difficult to defend against such attacks. Among different IP spoofing techniques, which include random spoofing, subnet spoofing and fixed spoofing, subnet spoofing is the most difficult type to fight against. In this paper, we propose a simple and efficient method to detect and defend against TCP SYN flooding attacks under different IP spoofing types, including subnet spoofing. The method makes use of a storage-efficient data structure and a change-point detection method to distinguish complete three-way TCP handshakes from incomplete ones. This lightweight approach makes it relatively easy to deploy the scheme as its resource requirement is reasonably low. Simulation experiments consistently show that our method is both efficient and effective in defending against TCP-based flooding attacks under different IP spoofing types. Specifically, our method outperforms others in achieving a higher detection rate yet with lower storage and computation costs.