Multi-Phase Detection of Spoofed SYN Flooding Attacks

  • Namkyun Baik
  • Namhi Kang


This paper proposes a method of establishing an effective network-based countermeasure against distributed denial-of-service (DDoS) attacks that use spoofed SYN flooding. In the proposed method, determining which traffic in an attack is forged is treated as the most important factor, and forged packets are detected by comparison with normal packets. To remove the limitation of conventional countermeasures, which block normal SYN packets indiscriminately, a comparison of traffic load with the number of sessions was set as the first step of the detection function. To lighten the burden on network nodes and the Internet as a whole, a function for identifying and removing abnormal traffic was proposed based on examining sequence number redundancy and comparing time-to-live (TTL) field values, which can easily be realized in a single network-based security device. The multi-phase detection method proposed and tested in the present study greatly increased the web service availability experienced by normal users. Therefore, the method proposed in this paper may significantly contribute to the detection and handling of spoofed SYN flooding DDoS attacks.
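The abstract names three phases (SYN load versus completed sessions, sequence number redundancy, TTL comparison) but not how they combine. The following is an added example, not code from the paper or its authors, that shows one way a single inline device could chain those phases over a window of observed SYN packets. The thresholds, the `ttl_baseline` table (TTL values assumed to have been learned from earlier completed handshakes), the `SynPacket` record layout and the sample window are all constructed assumptions; the paper may define each phase differently.

```python
"""Toy multi-phase spoofed-SYN filter (added example; assumptions marked below)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SynPacket:
    src: str   # claimed source IP address
    seq: int   # TCP initial sequence number (ISN) carried by the SYN
    ttl: int   # IP time-to-live as seen at the defending device


def phase1_load_vs_sessions(syn_count: int, established: int, max_ratio: float = 4.0) -> bool:
    """Phase 1: escalate only when SYN load is high relative to sessions that actually
    completed the handshake. A flood yields many SYNs but few or no sessions, whereas a
    busy but healthy server completes most of them. max_ratio is an assumed threshold."""
    return syn_count / max(established, 1) > max_ratio


def phase2_seq_redundancy(packets, max_repeats: int = 1):
    """Phase 2: a genuine TCP stack picks a fresh random ISN for every connection, so a
    window in which the same ISN appears on several SYNs points to a packet generator
    that recycles sequence numbers. Returns the indices of packets carrying a repeated ISN."""
    seq_counts = Counter(p.seq for p in packets)
    return {i for i, p in enumerate(packets) if seq_counts[p.seq] > max_repeats}


def phase3_ttl_mismatch(packets, ttl_baseline, tolerance: int = 2):
    """Phase 3: TTL reflects the hop count from the real sender. A packet that claims a
    source whose TTL was previously learned from completed sessions, yet arrives with a
    TTL far from that value, was most likely sent from somewhere else (forged source).
    Sources without a baseline are left undecided and are NOT flagged here (assumption)."""
    flagged = set()
    for i, p in enumerate(packets):
        base = ttl_baseline.get(p.src)
        if base is not None and abs(p.ttl - base) > tolerance:
            flagged.add(i)
    return flagged


def multi_phase_filter(packets, established, ttl_baseline):
    """Run the phases in order. Returns (escalated, dropped_indices, passed_packets).
    Under normal load nothing is inspected or dropped, which is what avoids the
    indiscriminate blocking of normal SYNs the abstract criticises."""
    if not phase1_load_vs_sessions(len(packets), established):
        return False, set(), list(packets)
    dropped = phase2_seq_redundancy(packets) | phase3_ttl_mismatch(packets, ttl_baseline)
    passed = [p for i, p in enumerate(packets) if i not in dropped]
    return True, dropped, passed


# Constructed baseline: TTLs assumed to have been recorded from completed handshakes.
TTL_BASELINE = {"10.0.0.5": 58, "10.0.0.9": 116, "10.0.0.7": 50}

# Constructed observation window (addresses and values are made up for the example).
SAMPLE_WINDOW = [
    SynPacket("10.0.0.5", 0x1A2B3C4D, 58),    # legitimate: unique ISN, TTL matches baseline
    SynPacket("10.0.0.9", 0x7E6F5A4B, 116),   # legitimate
    SynPacket("10.0.0.9", 0x00000001, 116),   # forged: recycled ISN (TTL happens to match)
    SynPacket("10.0.0.7", 0x00000001, 50),    # forged: the same recycled ISN
    SynPacket("10.0.0.5", 0x33445566, 241),   # forged: fresh ISN but TTL far from baseline
    SynPacket("10.0.0.99", 0x0BADF00D, 200),  # unknown source, no baseline: undecided, passed
]

if __name__ == "__main__":
    escalated, dropped, passed = multi_phase_filter(SAMPLE_WINDOW, established=1,
                                                    ttl_baseline=TTL_BASELINE)
    print(f"escalated={escalated} dropped={sorted(dropped)} passed={len(passed)}")
```

With one completed session against six SYNs the window escalates; phase 2 drops the two packets sharing an ISN, phase 3 drops the packet whose TTL contradicts the learned value, and the unknown source is passed rather than blocked, since no evidence against it exists. With five completed sessions the same window is treated as normal load and passes untouched.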