Title :
Traceback-Based Bloomfilter IPS in Defending SYN Flooding Attack
Author :
Tang, Huan-Rong ; Xu, Chao ; Luo, Xin-Gao ; Ouyang, Jian-quan
Author_Institution :
Key Lab. of Intell. Comput. & Inf. Process., Xiangtan Univ., Xiangtan, China
Abstract :
Recently, the key of network security is turning from passive detection to active defense. However, most works have focused on how fast they can detect the DDoS attack and start defense, and existing methods for differentiating DDoS attack packets, especially SYN flooding attacks, are too time-expensive. When SYN flooding starts, victim servers have to call for a lot of memory, usually more than 500 MB, to store the attack packets. To make the differentiating scheme more robust, we record the TCP session statistics (IP-TTL) of SYN packets in a traceback-based bloom filter (TBF), and as the attacks start, we match the SYN packets and IP-TTL statistics to differentiate the attack packets. In addition, we introduce the trace-back strategy to filter the frequently attacked TBF's IP. In comparison with current methods, the proposed approach can both hold back large-scale fake IP and defend against IP spoofing. Experiments verify that once the proposed method is applied in Snort_inline, the hold back precision is 98.65% and the semi-join queue is almost empty; otherwise, the precision is near to zero and the semi-join queue is full.
Keywords :
IP networks; filtering theory; security of data; transport protocols; DDoS attack packets; IP spoofing; IP-TTL statistics; SYN flooding attack; TCP session statistics; distributed denial-of-service attack; network security; traceback-based bloom filter IPS; Computer crime; Counting circuits; Filters; Floods; Information security; National security; Protection; Robustness; Statistics; TCPIP;
Conference_Title :
Wireless Communications, Networking and Mobile Computing, 2009. WiCom '09. 5th International Conference on
Conference_Location :
Beijing
Print_ISBN :
978-1-4244-3692-7
Electronic_ISBN :
978-1-4244-3693-4
DOI :
10.1109/WICOM.2009.5302673