• DocumentCode
    2290941
  • Title
    Detecting distributed denial-of-service attacks by analyzing TCP SYN packets statistically
  • Author
    Ohsita, Yuichi ; Ata, Shingo ; Murata, Masayuki
  • Author_Institution
    Graduate Sch. of Inf. Sci. & Technol., Osaka Univ., Japan
  • Volume
    4
  • fYear
    2004
  • fDate
    29 Nov.-3 Dec. 2004
  • Firstpage
    2043
  • Abstract
    Distributed denial-of-service attacks on public servers have recently become more serious. Many of them are SYN flood attacks, since malicious attackers can easily exploit the TCP specification to generate traffic that makes public servers unavailable. To assure that network services will not be interrupted, we need faster and more accurate defense mechanisms against malicious traffic, especially SYN floods. One of the problems in detecting SYN flood traffic is that server nodes or firewalls cannot distinguish the SYN packets of normal TCP connections from those of a SYN flood attack. Moreover, since the rate of normal network traffic may vary, we cannot use an explicit threshold on SYN arrival rates to detect SYN flood traffic. In this paper we introduce a mechanism for detecting SYN flood traffic more accurately by taking into consideration the time variation of arrival traffic. We first investigate the statistics of the arrival rates of both normal TCP SYN packets and SYN flood attack packets. We then describe our new detection mechanism based on the statistics of SYN arrival rates. Our analytical results show that the arrival rate of normal TCP SYN packets can be modeled by a normal distribution and that our proposed mechanism can detect SYN flood traffic quickly and accurately regardless of the time variance of the traffic.
  • Keywords
    Internet; computer crime; computer network management; normal distribution; telecommunication traffic; SYN flood attacks; TCP SYN packets; TCP specification; arrival rates; detection mechanism; distributed denial-of-service attacks; malicious traffic; normal distribution; public servers; Computer crime; Floods; Gaussian distribution; Information analysis; Information science; Network servers; Statistical distributions; Telecommunication traffic; Traffic control; Web and internet services;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Global Telecommunications Conference, 2004. GLOBECOM '04. IEEE
  • Print_ISBN
    0-7803-8794-5
  • Type
    conf
  • DOI
    10.1109/GLOCOM.2004.1378371
  • Filename
    1378371