
Research On Early Detection And Traceback Scheme For Flooding Attack

Posted on: 2012-02-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H Y Liu
Full Text: PDF
GTID: 1118330368984032
Subject: Computer application technology
Abstract/Summary:
DDoS attacks (for example, the SynFlood attack) often severely impact the normal operation of a network. Current SynFlood attack detection technology emphasises protecting important entities, such as a host or server, rather than protecting the network itself. Early research on SynFlood attack detection and traceback derives from classical SynFlood attack detection technology, both in its starting point and in the way it handles attacks. Exploring an effective method to detect and trace back SynFlood attacks in their early phase is therefore important for network tracing and forensics and for preventing network crime.

Based on the quantitative relationship between SYN, FIN and RST segments in the Transmission Control Protocol (TCP), this paper builds a suitable discriminant tuple and a deviation degree criterion, and explains how to measure, using the Euclidean distance in the Euclidean space R^n, how far the quantitative relationship between these three segment types in an actual TCP network departs from that of an ideal TCP network. On this basis the paper gives an early detection method for TCP flow abnormality based on the Euclidean distance. The method also takes into account the heterogeneous distribution of these three segment types in an actual TCP network and the continuity of a SynFlood attack: to increase the detection rate and to decrease the false alarm and missed report rates, it applies a moving average to smooth several consecutive deviation degrees.

Starting from the integrity of the packets exchanged when establishing and closing TCP connections, this paper proposes a method for distinguishing SynFlood attack types based on correlation coefficient computation, using the quantitative correlation between the different packet types in TCP flows. The method computes the correlation coefficients between segment types within the attack detection cycle to build a suitable detection tuple, and distinguishes the types of SynFlood attack in the TCP flow without having to maintain detailed state for each TCP connection.

Based on the three-way handshake used to establish TCP connections and on the SynFlood attack principle, this paper proposes a concept named the TCP Flow Abnormal Behavior Graph and explains how to describe the attack data flow in a TCP network with it. The paper then proposes a SynFlood attack traceback method based on the TCP Flow Abnormal Behavior Graph. By evaluating the attack behaviour recorded in the graph, the method obtains information about the victims and the set of related suspicious attack source hosts, so that the attack can be traced back. In addition, to support the construction of attack blocking rules, this paper formulates three rules for aggregating the IP addresses of attack source hosts into several network segments and proposes a corresponding address aggregation method, which can serve as a reference for early blocking of SynFlood attacks.

Finally, this paper gives a comprehensive analysis and discusses how to determine the parameters used in the methods above and the factors that should be considered when doing so. The research on this SynFlood attack early detection and traceback method produced a series of academic results that should contribute substantially to improving network security and preventing network crime.
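The following Python sketch is an added illustration of the early-detection idea in the abstract, not code from the dissertation: per detection cycle it counts SYN, FIN and RST segments, forms a discriminant tuple, measures its Euclidean distance from an ideal tuple, and smooths consecutive deviation degrees with a moving average. The abstract does not give the exact tuple or ideal relationship, so the proportional tuple and the assumption that in an ideal network every SYN is eventually matched by a FIN or RST are choices made for this example.

```python
from math import sqrt

def discriminant_tuple(syn, fin, rst):
    """Normalised (SYN, FIN, RST) proportions so that cycles of different
    traffic volume are comparable (assumption made for this example)."""
    total = syn + fin + rst
    if total == 0:
        return (0.0, 0.0, 0.0)
    return (syn / total, fin / total, rst / total)

def ideal_tuple(fin, rst):
    """Assumed ideal relationship: every opened connection is eventually
    closed, so the SYN count equals FIN + RST. The ideal tuple keeps the
    observed FIN and RST counts and substitutes that SYN count."""
    return discriminant_tuple(fin + rst, fin, rst)

def deviation_degree(syn, fin, rst):
    """Euclidean distance in R^3 between the observed and ideal tuples."""
    obs = discriminant_tuple(syn, fin, rst)
    ideal = ideal_tuple(fin, rst)
    return sqrt(sum((a - b) ** 2 for a, b in zip(obs, ideal)))

def smoothed_deviations(cycles, window=3):
    """Moving average over the last `window` deviation degrees; this is
    what suppresses a single noisy cycle at the cost of a short delay."""
    degs = [deviation_degree(*c) for c in cycles]
    out = []
    for i in range(len(degs)):
        span = degs[max(0, i - window + 1):i + 1]
        out.append(sum(span) / len(span))
    return out

def detect(cycles, threshold=0.3, window=3):
    """Indices of cycles whose smoothed deviation exceeds the threshold."""
    smoothed = smoothed_deviations(cycles, window)
    return [i for i, d in enumerate(smoothed) if d > threshold]

# Constructed (SYN, FIN, RST) counts per detection cycle: three normal
# cycles followed by three cycles with a SYN surge and no matching closes.
CYCLES = [(100, 95, 5), (102, 96, 4), (98, 94, 6),
          (1000, 95, 5), (1200, 90, 4), (1100, 92, 6)]

if __name__ == "__main__":
    for i, d in enumerate(smoothed_deviations(CYCLES)):
        print(f"cycle {i}: raw={deviation_degree(*CYCLES[i]):.3f} smoothed={d:.3f}")
    print("alarm cycles:", detect(CYCLES))
```

With the sample above the raw deviation already jumps in cycle 3, but the smoothed value only crosses the threshold in cycle 4, which shows the trade-off the abstract describes between false alarms and detection delay.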
Keywords/Search Tags: SynFlood Attack, Attack Detection, Attack Traceback, Euclidean Distance, Correlation Coefficient, Flow Abnormal Behavior Graph, TCP Segment