Article: Supporting security against SYN flooding attacks in distributed denial-of-service via measuring internet protocol flow information export-based traffic Journal: International Journal of Electronic Security and Digital Forensics (IJESDF) 2009 Vol.2 No.1 pp.49 - 57 Abstract: Distributed denial-of-service (DDoS) attacks on public servers after 2000 have became a serious problem. In the DDoS attacks often seen recently, multiple distributed nodes concurrently attack a single server. To assure that essential network services will not be interrupted, faster and more effective defence mechanisms are needed to protect against malicious traffics, especially SYN floods. One of the problems in detecting SYN flood traffics is that server nodes or firewalls cannot distinguish the SYN packets of normal TCP connections from those of a SYN flood attack. Our method, FDFIX, relies on the use of monitoring and measurement techniques to evaluate the impact of denial-of-service (DoS) attacks. It uses flow-based measurements. Capturing flow information is very important for detecting DoS and other kinds of attacks. Flow monitoring allows detecting suspicious traffics, and in the next step can analyse attacking flows and the results can be used for defence methods. Our method provides required information for many mechanisms that use traffic measurement as its input. Inderscience Publishers - linking academia, business and industry through research

Title: Supporting security against SYN flooding attacks in distributed denial-of-service via measuring internet protocol flow information export-based traffic

Authors: H. Alipour, M. Esmaeili, Kashefi Kia

Addresses: Department of Electrical and Computer Engineering, Shahid Beheshti University, Tehran 15164, Iran. ' Department of Electrical and Computer Engineering, Shahid Beheshti University, Tehran 15164, Iran. ' Department of Computer Engineering, Payam Noor University, Tehran 15164, Iran

Abstract: Distributed denial-of-service (DDoS) attacks on public servers after 2000 have became a serious problem. In the DDoS attacks often seen recently, multiple distributed nodes concurrently attack a single server. To assure that essential network services will not be interrupted, faster and more effective defence mechanisms are needed to protect against malicious traffics, especially SYN floods. One of the problems in detecting SYN flood traffics is that server nodes or firewalls cannot distinguish the SYN packets of normal TCP connections from those of a SYN flood attack. Our method, FDFIX, relies on the use of monitoring and measurement techniques to evaluate the impact of denial-of-service (DoS) attacks. It uses flow-based measurements. Capturing flow information is very important for detecting DoS and other kinds of attacks. Flow monitoring allows detecting suspicious traffics, and in the next step can analyse attacking flows and the results can be used for defence methods. Our method provides required information for many mechanisms that use traffic measurement as its input.

Keywords: DDoS; distributed denial of service; IPFIX; internet protocol flow information; IP flow information export; SYN flood attacks; traffic monitoring; security; flow monitoring; public servers.

DOI: 10.1504/IJESDF.2009.023875

International Journal of Electronic Security and Digital Forensics, 2009 Vol.2 No.1, pp.49 - 57

Published online: 17 Mar 2009 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article

Title: Supporting security against SYN flooding attacks in distributed denial-of-service via measuring internet protocol flow information export-based traffic

Keep up-to-date