Professional Documents
Culture Documents
Abstract—Distributed Denial-of-Service (DDoS) attacks pose a record more network information, only in this way, can we
serious threat to Internet security. While SYN flooding exploits reach an accurate detection effect. Certainly, recording more
the TCP three-way handshake process by sending many information means that it must consume some memory and
connection requests using spoofed source IP addresses to a victim calculative resources, but it is necessary to do that. Therefore,
server. DDoS attack keeps objective host from handling on the premise of accurate detection, we put forward an early
legitimate requests by causing it to populate its backlog queue detection method which be deployed on the edge router.
with forged TCP connection. In this paper, we propose a novel
defense mechanism that makes use of the edge routers that The SYN flooding attacker always choose unreachable
connect end hosts to the Internet to store and detect whether the addresses as the spoofed source addresses of the attacking
outgoing SYN, ACK or incoming SYN/ACK segment is valid. packets, which makes the compromised server cannot complete
This is accomplished by maintaining a mapping table of the the necessary connection work.
outgoing SYN segments and incoming SYN/ACK segments and
establishing the destination and source IP address database. The In order to detect SYN flooding attacks at its early stage, in
results of simulation show the approach can yield accurate DDoS this paper we have made the contributions as follows:
alarms at early stage. (1) The proposed approach adopts a novel mechanism to
ensure detection SYN flooding attack at its early stage. It is
Keywords-DDoS; SYN Flooding; Detecting Method; Early
Stage based on the fact that the number of SYN packets, SYN/ACK
packets and ACK packets which are forwarded by leaf router
are equal in normal network traffic. Further more, leaf router
I. INTRODUCTION connect end hosts to Internet, so it can quickly detect some
Distributed Denial-of-Service (DDoS) is that 1) attackers suspicious source address whether can be attained.
exploits the technology of client/server, and 2) combine with
(2) The proposed approach includes two parts: storage and
multiple computers that are used as an attack platform, and 3)
inspection. In order to send alarming information to victim
launch the attack of Denial-of-Service (DoS) for one or several
server, we have to store the destination and source address of
targets, and hence 4) it will increasingly amplify the power of
SYN packet and SYN/ACK packet. Therefore, we introduce a
the DoS attack and make the target consume much system
database instead of a memory data structure in our defense
resources, finally, 5) the goal can not work normally. It mainly
mechanism. Because it bears persistence and fault tolerance.
aims at larger site, such as commercial company, search engine
And if any malfunction occurs, when the system goes up again,
and government site, and many famous website, such as
all data are still there and normal functionality can be resumed
Yahoo, eBay, CNN, Amazon etc., all suffer from the DDoS
directly. The storage and inspection are mutual independent.
attack.
Inspection is an active process, and the approach doesn’t
At present, most traditional defense mechanisms of against depend on cooperation of other network devices.
DDoS attack are effective only in later stages when attacking
signatures are obvious. Therefore, there two disadvantages II. RELATED WORKS
exist. First, the aggregation of numerous malicious packets on
the victim server makes it difficult to launch an effective A variety of attack detection and defense mechanisms to
counterattack. Second, DDoS, at that time, has already brought SYN flooding exist. Most of current DDoS attack detection and
great damage to the target server and wasted a lot of resources. prevention schemes can be classified into four categories
Approaches deployed at the attack source-end, can mitigate the according to the location of the detector: at the victim server
damage caused by DDoS attacks as much as possible. After side, at the attack source side, between them, and at the
detecting the attack, it can filter vicious data timely, and avoid innocent host side.
waste of network resources. The most difficulty is that the Detecting DDoS at the victim server side is more concerned
number of malicious data is just a small part of whole data, and by researchers, because people pay more attention to protection
it is not easy to differentiate these from normal data. So it must at this side. Wang [1] detected the SYN flooding attacks at leaf
264
mutually independent. Let hash(i ) be the hash value of s bit of process detect whether there have some abnormal cases. If
destination address. Therefore, as for the address a , the total some suspicious incidents exist, the module will call detection
module to differentiate whether these abnormal events are
hash value can be computed by HASH a = ∑ i =1 hash(i ) .
k
caused by the SYN flooding attack.
However, the values computed by different hash functions are
On the one hand, let d1 be the difference which is the result
possible to be the same and their sums might be equal too.
Thus, this will lead to the hash value collision. In order to of the number of SYN packets subtracting the amount of ACK
improve this situation, we allocate different weight wi to packets. If d1 is larger than the threshold, we define this
sequential hash functions, because do thus can reflect the instance as abnormal action. Generally, we view getting ACK
difference among hash functions. This idea is similar to the packet as the accomplishment of three-way handshake. The
thought of the Attenuate Bloom Filter [15]. In attenuate Bloom detection module chooses source address which was recorded
filters, higher filter levels are attenuated with respect to earlier in database as the destination address of the sniffing packet,
filter level and it is a lossy distributed index. In fact, the and selects the IP address of leaf router as source address of the
advantage of out approach is that even if hash value encounters sniffing packet. And then this sniffing packet is sent to the
collision, inspection process of attack will have little influence. destination host. By this means, similar to a ‘ping’ operation, it
There are two main reasons. On the one hand, under normal knows whether objective host exists. If reply message returns,
condition, most three-way handshake can be finished in a very it will prove the host is living host and we can determine that
short period at the beginning phrase of the connection. The leaf the SYN flooding attack have not taken place. Otherwise, we
router can get a SYN/ACK packet from server soon. So, it can believe that the SYN flooding attack have taken place. The
avoid this condition about mistaking normal action for disposal module gets the source and destination addresses from
abnormal action. On the other hand, under attacking condition, database, and construct RST packet to release half-open
if some normal server address has same hash value with one connections maintained by the victim server, set 1 to E (attack
victim server, as long as the network works normally, we can mark) in the mapping table, and generate verification C.
only send alarming packet to victim, server. On the other hand, let d 2 be the difference which is the
Certainly, storage module needs two tables: mapping table result of the number of SYN/ACK packets subtracting the
(Table.1) and storing table (Table.2). The format for each table amount of ACK packets. If d 2 is larger than the threshold, the
is provided as follows. instance is abnormal. This phenomenon shows that we always
receive SYN/ACK packets from someone victim server. Then,
TABLE I. MAPPING TABLE STRUCTURE we can infer that in the area of leaf router, there has an innocent
host. The disposal module sends RST packet to release half-
hash counter counter counter explore attack
value (syn) (syn/ack) (ack) mark T mark E
open connections maintained by the victim server, and informs
server what has happened.
265
Generally, most attackers choose many unreachable Inspection( Input mapping table)
addresses as the spoofed source addresses. The leaf router can For (i =1; i<= m; i++) // m is the length of mapping table
{
not receive any SYN/ACK packet from the victim server. When
the inspection module finds that d1 is larger than the threshold. d1 =Ri.count(syn)- Ri.count(ack);
//Ri is record of mapping table
The detection module will be triggered to analyse what’s
happen. The detection module ascertains whether the addresses d 2 = Ri.counter(syn/ack)- Ri.counter(ack);
stored in database are true. If these addresses are living, it if( d1 > k1 && d 2 < k2 ) set T=1; // k1 , k2 are thresholds;
thinks that this phenomenon is caused by normal network if( d1 < k1 && d 2 > k2 ) set S=1;
actions. Otherwise, it can be inferred that attacker is living in
the area of the leaf router. It send a alarming packet, such as if( d1 > k1 && d 2 > k2 ) set T=1 and S=1;
RST packet, to release half-open connections maintained by the if( d1 < k1 && d 2 < k2 ) {
victim server, and inform the victim server what has happened, if (T= =1//E==1//E==2)
stops relay any TCP control packet to this victim server in a bit set T=0; E=0;
of time. Although it sacrifices benefits of some normal client, }
this is worthy to do because attacker will mistakenly think the }
network is congestion. Under the condition of jam network, Figure 3. Inspection algorithm
launching a SYN flooding attack is meaningless and it will
betray itself. So, attacker will stop attack action. Detection (Input mapping table )
for(i =1;i<=m;i++) // m is the length of mapping table
Under the other condition, leaf router always receives {
SYN/ACK packets from the same victim server. Because we if (T==1) { construct a sniffing packet;}
if host exist { E=2;
map the source addresses of these packet. We will find that generate verification C;}
d 2 is a threshold. This destination address can’t have relevant else {
source address in the database. So, we will get the destination E=1;
address from database and send an alarming packet to victim generate verification C; }
}
server.
Figure 4. Detection algorithm
The algorithms for storage module, inspection module,
detection module and disposal module are defined respectively Disposal (Input mapping table)
in the Figure 2, 3, 4 and 5. for (i =1;i<=m;i++) // m is the length of mapping table
{
Storage_ Process (Input packet p) if (E==1) {
if p is a SYN packet { send an alarming packet to victim server;
h = hash(destination ip) filter packet of this address;}
if E= =1 or E= =2 { if (S==1){
if (hash(k)= =C) // k is the last hash function; send an alarming packet to victim server;
//C is a verification value of victim server. set S=0;
drop p and break; set E=1;
else generate C;
counter(syn)++; }
} }
else {
h write into the mapping table; Figure 5. Disposal algorithm
<h/source ip/destination ip> write into the storing table;
counter(syn)++;
}// end of if E= =1 or E= =2 IV. EXPERIMENTS
else if p is SYN/ACK packet { We develop a simulation system in a Linux software router
h = hash(source ip);
if already correlative destination ip in the database{
and test our methods against several DDoS attacks. We use the
count(syn/ack)++;} libpcap facility to capture information about every packet and
else { update the flow and connection statistics. A separate thread
set S=1; classifies connections and flows and determines the appropriate
count(syn/ack)++; rate limit. Information about good connections and the desired
} end of if p is a SYN packet
} // else if p is SYN/ACK packet
rate limit is inserted into the kernel module through system
else if p is ACK packet { calls. The module detects and forwards packets belonging to
h = hash(source ip); good connections from rate-limited flows and enforces the rate
if S=1 limit on the rest of the flow. At large packet rates, the libpcap
S=0; monitoring facility cannot capture all packets. More accurate
else { statistics are then obtained from the kernel module for rate-
set A=1; //A belongs to storing table
count(ack)++; limited flows and good connections. Attack traffic mixture
}//end of if S=1 (relative ratio of TCP SYN, ICMP ECHO and UDP packets),
}//end of if p is ACK packet packet size, attack rate, target ports, spoofing techniques and
Figure 2. Storage algorithm attack dynamics can be customized.
266
We determine the level of false positives by measuring the attacking packets finally. Our method detects abnormal packets
number of flow and connection misclassifications. We report at 15s. (As illustrated in figure 8)
this measure relative to the total number of flow and
connection classifications performed during the trace. Table 3
presents the results for several traces.
267
SYN/ACK and ACK is broken very quickly and d 2 is more [3] J. Lemon, “Resisting SYN flood DoS attacks with a SYN cache”,
Proceedings of the BSDCon 2002, San Francisco, CA , USA , 2002 , pp.
than k2 . The rate of the attack packets rises from 100 89-97.
packets/sec to 400 packets/sec, the attack lasts 300s. The [4] T. Peng, C. Leckie, and R. Kotagiri, “Protection from distributed denial
variety of d 2 is shown in Figure 9. In the simulation only a of service attack using history-based IP filtering”, Proceedings of IEEE
International Conference on Communications 2003(Anchorage, Alaska,
small part of packets were received by the victim server are USA, May 11-15 2003), pp. 482–486.
designed to the router which are deployed with defense [5] B. Xiao, W. Chen, Y.X. He, H.M. Edwin Sha, "An Active Detecting
mechanism, but it is enough to generate alarming packet to Method Against SYN Flooding Attack", Proceedings of the 11th
victim server. International Conference on Parallel and Distributed Systems
(ICPADS'05),( Fukuoka, Japan,20-22 July 2005), pp. 709-715.
[6] J. Mirkovic and G. Prier, “Attacking DDoS at the source”, Proceedings
V. CONCLUSIONS of the 10th IEEE International Conference on Network Protocols, Paris,
France, 2002, pp. 312-321.
This paper presents a response to SYN flooding attacks at
early stage. The defense mechanism is deployed at leaf router, [7] P. Ferguson and D. Senie, “Network ingress filtering: Defeating denial
of service attacks which employ IP source address spoofing”, Internet
which can catch the character of TCP control packet easily. best current practice RFC 2827, May 2000.
Using parameter d1 , we can determine whether the SYN [8] S. Branigan, H. Burch, B. Cheswick, and F. Wojcik, “What can you do
flooding attack has happened. The advantage of our method is with Tracerouter?”, IEEE Internet Computing, Vol.5, Issue 5, 2001, pp.
guarantee that each packet sent by client is valid as much as 96.
possible and can response to SYN flooding attacks at early [9] J. Ioannidis and S.M. Bellovin, “Implementing pushback: Routerbased
defense against DDoS attacks”, Proceedings of the Network and
stage. We can image that if every leaf router deploys this Distributed System Security Symposium (NDSS’02), (San Diego,
defense mechanism, the influence of SYN flooding attack will California, USA, 6-8 February 2002), The Internet Society, 2002.
dramatically be weaken. [10] B. Xiao, W. Chen, Y.X. He, "A Novel Technique for Detecting DDoS
Attacks at the Early Stage", Journal of Supercomputing, Vol. 36, 2006,
pp. 235-248.
ACKNOWLEDGMENT
[11] Y.X. He, W. Chen and B. Xiao, "Detecting SYN Flooding Attacks Near
This work was supported in part by the National Natural Innocent Side", Proceedings of the International Conference on Mobile
Science Foundation of China under Grants 60673179, Science Ad-hoc and Sensor Networks (MSN 2005), 2005, pp. 443-452.
Foundation of Zhejiang Province under Grant number [12] B. Xiao, W. Chen, and Y.X. He, "An Autonomous Defense against SYN
Z106727, Grand Science Project of Zhejiang Province of China Flooding Attacks: Detect and Throttle Attacks at the Victim Side",
Journal of Parallel and Distributed Computing (JPDC - Elsevier), Vol.
under Grant number 2007C13068, and Science Fund for 68, Issue 4, 2008, pp. 456-470.
Distinguished Young Scholars of Zhejiang Gongshang
[13] M. Kalantari, K. Gallicchio, and M. Shayman, “Using transient behavior
University under Grant numbers Q07-03. of TCP in mitigation of distributed denial of service attacks”,
Proceedings of the 41st IEEE Conference on Decision and Control, 10-
13 Dec. 2002, pp. 1422–1427.
REFERENCES
[14] H. Wang, D. Zhang, and G. Shin, “SYN-dog: sniffing SYN flooding
[1] H. Wang, D. Zhang, K.G. Shin, “Detecting SYN flooding attacks”, source”, Proceedings of the 22nd International Conference on
Proceedings of t he Annual Joint Conference of the IEEE Computer Distributed Computing Systems (ICDCS’02), July 2002, pp. 421-429.
Society and Communications Society ( INFOCOM’02), New York,
USA, 2002, pp. 1530-1539. [15] S.C. Rhea and J. Kubiatowicz, “Probabilistic location and routing”,
Proceedings of the IEEE INFOCOM 2002, 2002, pp. 1248-1257.
[2] C. Jin, H.N. Wang, K.G. Shin, “Hop-count filtering: An effective
defense against spoofed DDoS traffic”, Proceedings of the 10th ACM [16] A. Yaar, A. Perrig, D. Song, “SIFF: A stateless internet flow filter to
Conference on Computer and Communication Security (CCS’03). mitigate DDoS flooding attacks”, Proceedings of the IEEE Symposium
Washington, DC, USA, 2003, pp. 30-41. on Security and Privacy, (Silver Spring, MD, 2004), IEEE Computer
Society, 2004, pp. 130–143.
268