SYN-dog: Sniffing SYN flooding sources

Cited by: 27
Authors
Wang, HN [1]
Zhang, DL [1]
Shin, KG [1]
Affiliations
[1] Univ Michigan, Dept Elect Engn & Comp Sci, Real Time Comp Lab, Ann Arbor, MI 48109 USA
Source
22nd International Conference on Distributed Computing Systems, Proceedings | 2002
Keywords
(none listed)
DOI
10.1109/ICDCS.2002.1022280
CLC number
TP301 [Theory, methods];
Discipline code
081202;
Abstract
摘要
This paper presents a simple and robust mechanism called SYN-dog to sniff SYN flooding sources. We install SYN-dog as a software agent at leaf routers that connect stub networks to the Internet. The statelessness and low computation overhead of SYN-dog make it immune to any flooding attacks. The core mechanism of SYN-dog is based on the protocol behavior of TCP SYN-SYN/ACK pairs, and is an instance of Sequential Change Detection [1]. To make SYN-dog insensitive to site and access patterns, a non-parametric Cumulative Sum (CUSUM) method [4] is applied, thus making SYN-dog much more generally applicable and its deployment much easier. Due to its proximity to the flooding sources, SYN-dog can trace the flooding sources without resorting to expensive IP traceback.
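The detection idea in the abstract, as an added illustration that is not code from the paper: per observation interval, count outbound SYNs and inbound SYN/ACKs at the leaf router, take their normalised difference, and feed it to a non-parametric CUSUM whose statistic stays near zero under normal load and accumulates when SYNs go unanswered. The drift value `a`, the alarm threshold, the EWMA normalisation by the SYN/ACK count, and the traffic numbers are constructed assumptions, not parameters taken from the paper.

```python
# Non-parametric CUSUM over per-interval (SYN, SYN/ACK) counts at a leaf router.
# Constants and the EWMA baseline are assumptions for this example, not the
# paper's chosen values.

def syn_dog_cusum(counts, a=1.0, threshold=4.0, alpha=0.1):
    """counts: list of (syn, synack) per interval, outbound SYNs vs inbound SYN/ACKs.
    Returns (alarm_interval, trace): index of the first interval at which the
    CUSUM statistic exceeds `threshold` (None if never), plus the statistic's trace."""
    f_bar = None      # EWMA estimate of the normal SYN/ACK count per interval
    y = 0.0           # CUSUM statistic; floored at 0 so quiet periods reset it
    trace = []
    alarm = None
    for n, (syn, synack) in enumerate(counts):
        if f_bar is None:
            f_bar = max(float(synack), 1.0)
        # Normalised difference: close to 0 when every SYN is answered, positive
        # when SYNs leave the stub network but no SYN/ACKs come back (spoofed
        # sources never receive the reply, so the router never sees it).
        delta = (syn - synack) / f_bar
        # Subtracting the drift a keeps the mean increment negative under
        # normal load; only a sustained excess of SYNs can push y upward.
        y = max(0.0, y + delta - a)
        trace.append(y)
        if alarm is None and y > threshold:
            alarm = n
        # SYN/ACK volume is not inflated by a spoofed flood, so it is a stable
        # baseline to track over time.
        f_bar = (1 - alpha) * f_bar + alpha * max(float(synack), 1.0)
    return alarm, trace


def constructed_sample():
    """10 quiet intervals followed by 6 intervals of a spoofed SYN flood
    (constructed numbers, not measured traffic)."""
    return [(100, 98)] * 10 + [(300, 98)] * 6


if __name__ == "__main__":
    alarm, trace = syn_dog_cusum(constructed_sample())
    print("alarm at interval", alarm)
    print("CUSUM trace", [round(v, 2) for v in trace])
```

A flood that uses genuine, reachable source addresses gets its SYN/ACKs back through the same router, so the difference stays near zero and this statistic will not fire; the mechanism targets the spoofed-source case the abstract describes.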
Pages: 421 / 428
Page count: 8
References
32 in total (first 10 listed)
[1] [Anonymous], 1981, STD
[2] [Anonymous], 2000, ICMP TRACEBACK MESSA
[3] Basseville M, 1993, DETECTION ABRUPT CHA
[4] Bernstein D. J., LINUX KERNEL SYN COO
[5] Brodsky BE., 1993, Nonparametric Methods in Change Point Problems
[6] CACERES R, 1991, P ACM SIGCOMM 91 SEP
[7] *CHECK POINT SOFTW, SYND
[8] CLEVELAND WS, 2000, P ACM SIGMETRICS 200
[9] DARMOHRAY T, 2000, LOGIN, V25
[10] Dittrich D., DISTRIBUTED DENIAL S