| Presentation | 2004/2/6 Detecting Distributed Denial of Service Attacks by utilizing statistical analysis of TCP SYN packets Yuichi OHSITA, Shingo ATA, Masayuki MURATA, |
|---|---|
| PDF Download Page | PDF download Page Link |
| Abstract(in Japanese) | (See Japanese page) |
| Abstract(in English) | Recently DDoS (Distributed Denial of Service) attacks to public servers become more serious. SYN Flood attacks which misuse the specification of TCP (Transmission Control Protocol) are used most frequently since the malicious attackers can easily generate attacking traffic to make public servers unavailable. More quick and accurate defence mechanisms against DDoS traffic (especially SYN Flood) are more important to keep survive of services. One of difficult problems of detecting SYN Flood traffic is that server nodes or firewalls cannot distinguish SYN packets of normal TCP connections from SYN Flood attacked packets. Moreover since the rate of traffic may vary by tune, we cannot use an explicit threshold of SYN arrival rates to detect the SYN Flood traffic. In this paper we introduce more accurate detection mechanism of SYN Flood traffic by taking time variance of arrival traffic into consideration. We first investigate the statistics of arrival rates of both normal TCP SYN packets and SYN Flood attack packets. We then propose a new detection mechanism based on the statistics of SYN arrival rates. Our results have shown that we can model the arrival rate of normal TCP SYN packets to the normal distribution. By using our analytical results we show that our proposed mechanism can detect SYN Flood traffic more quickly and accurately regardless of time variance of the traffic. |
| Keyword(in Japanese) | (See Japanese page) |
| Keyword(in English) | Distributed Denial of Service (DDoS) / SYN Flood / Statistical Analysis / Normal Distribution / Traffic Monitoring |
| Paper # | IN2003-201 |
| Date of Issue |
| Conference Information | |
| Committee | IN |
|---|---|
| Conference Date | 2004/2/6(1days) |
| Place (in Japanese) | (See Japanese page) |
| Place (in English) | |
| Topics (in Japanese) | (See Japanese page) |
| Topics (in English) | |
| Chair | |
| Vice Chair | |
| Secretary | |
| Assistant | |
| Paper Information | |
| Registration To | Information Networks (IN) |
|---|---|
| Language | JPN |
| Title (in Japanese) | (See Japanese page) |
| Sub Title (in Japanese) | (See Japanese page) |
| Title (in English) | Detecting Distributed Denial of Service Attacks by utilizing statistical analysis of TCP SYN packets |
| Sub Title (in English) | |
| Keyword(1) | Distributed Denial of Service (DDoS) |
| Keyword(2) | SYN Flood |
| Keyword(3) | Statistical Analysis |
| Keyword(4) | Normal Distribution |
| Keyword(5) | Traffic Monitoring |
| 1st Author's Name | Yuichi OHSITA |
| 1st Author's Affiliation | Graduate School of Information Science and Technology, Osaka University() |
| 2nd Author's Name | Shingo ATA |
| 2nd Author's Affiliation | Graduate School of Engeneering, Osaka City University |
| 3rd Author's Name | Masayuki MURATA |
| 3rd Author's Affiliation | Cyber Media Center, Osaka University |
| Date | 2004/2/6 |
| Paper # | IN2003-201 |
| Volume (vol) | vol.103 |
| Number (no) | 651 |
| Page | pp.pp.- |
| #Pages | 6 |
| Date of Issue | |