An Effective Intrusion Prevention System to Protect Multi-Services against TCP SYN Flooding DDoS Attacks

Master's === National Tsing Hua University === Department of Computer Science === 94 === In recent years, DDoS attacks occur frequently and cause a great deal of damage to enterprises that provide network services. With the growth of the network, almost every enterprise provides more and more services on the network, like Web service, Mail service, Ft...

Bibliographic Details
Main Authors: Tzeng-Yu Chen, 陳宗右
Other Authors: Hung-Min Sun
Format: Others
Language: en_US
Published: 2006
Online Access: http://ndltd.ncl.edu.tw/handle/36453050738828817765
id ndltd-TW-094NTHU5392126
record_format oai_dc
spelling ndltd-TW-094NTHU5392126 2015-12-16T04:42:36Z http://ndltd.ncl.edu.tw/handle/36453050738828817765 An Effective Intrusion Prevention System to Protect Multi-Services against TCP SYN Flooding DDoS Attacks 多重服務環境下抵擋TCPSYNFloodingDDoS攻擊之入侵防禦系統 Tzeng-Yu Chen 陳宗右 Master's National Tsing Hua University Department of Computer Science 94 Hung-Min Sun 孫宏民 2006 thesis 71 en_US
collection NDLTD
language en_US
format Others
sources NDLTD
description Master's === National Tsing Hua University === Department of Computer Science === 94 === In recent years, DDoS attacks have occurred frequently and caused a great deal of damage to enterprises that provide network services. With the growth of the network, almost every enterprise provides more and more services on the network, such as Web, Mail and FTP services. If these services suffer a DDoS attack, it will cause great losses to the enterprise. The best-known type of DDoS attack is the TCP SYN flooding attack, which is based on the vulnerability of the TCP three-way handshake. Firewalls and intrusion detection systems are not effective in defending against this type of attack, and there is still no complete solution for defending against it. In this thesis, we collect the legitimate IP addresses in databases for each service and protect these services according to these databases. We also create a backlog queue for each service, so that we can detect the attack by checking it. When an attack is detected, the packet filtering mechanism is activated to protect the victim services. Our system has five characteristics: (1) It protects multiple services without knowing any information about these services. (2) It detects the attack and activates the packet filter instantly. (3) The complexity of the IP searching algorithm is only O(n), where n is the number of services under attack, which reduces the delay for legitimate users. (4) We can instantly detect that an attacker is using a legitimate IP address to carry out the attack, and then filter out this IP address. (5) The system can be built into an edge router, a NAT server or the protected server. With our proposed mechanism, we can effectively defend against the TCP SYN flooding attack and successfully provide service to legitimate users. Finally, we conduct experiments to evaluate this mechanism and analyze the system performance, the effectiveness and the influence on legitimate users. We show that this mechanism is effective in protecting multiple services against the TCP SYN flooding attack.
author2 Hung-Min Sun
author_facet Hung-Min Sun
Tzeng-Yu Chen
陳宗右
author Tzeng-Yu Chen
陳宗右
title An Effective Intrusion Prevention System to Protect Multi-Services against TCP SYN Flooding DDoS Attacks
publishDate 2006
url http://ndltd.ncl.edu.tw/handle/36453050738828817765