Detection And Protection Against The SYN Flood Attack On Dual Stack Based Firewall

Posted on: 2014-10-11
Degree: Master
Type: Thesis
Country: China
Candidate: S Xu
GTID: 2268330422951689
Subject: Computer technology
Abstract/Summary:
The extensive use of Internet technology has brought great convenience to modern society; however, increasingly severe network security problems have emerged at the same time. DDoS attacks in particular, represented by SYN Flood, pose massive threats to network security. This paper analyzes the rationale of existing DDoS attacks in detail and summarizes all the available detection algorithms.

This paper then proposes two algorithms that can detect SYN Flood attacks quickly in large-scale networks: the adaptive threshold algorithm and an algorithm based on sliding window entropy. By comparing the two algorithms in theory and in experiment, this paper suggests that the adaptive threshold algorithm better fulfills the efficiency requirements.

Next, this paper introduces two popular SYN Flood protection methods, SYN Cookie and SYN Proxy, and proposes solutions to their defects. Because both methods cannot meet the requirements of efficiency and security, a new algorithm based on sampling within a window is introduced, known as the victim IP decision algorithm. This algorithm can detect the victims' IP addresses quickly, so the firewall can discard the attack flows using the results. Meanwhile, this paper proposes a fast recovery mechanism based on the adaptive threshold algorithm to reduce the negative effects caused by dropped packets, which can recover the firewall from the packet-dropping state to the normal state.

Finally, this paper implements the attack detection and protection algorithms in a dual-stack firewall and tests their validity and performance respectively. Validity, measured by five indicators, is evaluated in an active test. The system performance improvement, measured by two indicators (memory usage and CPU utilization), is evaluated in a passive test. The results indicate that the methods of detection and protection against SYN Flood proposed by this paper can improve system efficiency substantially when the firewall is attacked, while consuming only a small amount of extra memory.
Keywords/Search Tags: Dual Stack, Firewall, SYN Flood attack, Adaptive threshold