Syn Flood Attack Detection and Type Distinguishing Mechanism Based on Counting Bloom Filter

  • Tomáš Halagan
  • Tomáš Kováčik
  • Peter Trúchly
  • Andrej Binder
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9357)


Presented work focuses onto proposal, implementation and evaluation of the new method for detection and type identification of SYN flood (DoS) attacks. The method allows distinguishing type of detected SYN flood attacks – random, subnet or fixed. Based on Counting Bloom filter, the attack detection and identification algorithm is proposed, implemented and evaluated in KaTaLyzer network traffic monitoring tool. Proof of correctness of the approach for TCP SYN flood attack detection and type identification is provided – both in practical and theoretical manners. In practice, new module for KaTaLyzer is implemented and TCP attacks are detected, identified and network administrator is notified about them in real-time.


DoS detection DoS identification Counting Bloom Filter TCP SYN Flood attack Network security 



This work is a result of the Research and Development Operational Program for the projects Support of Center of Excellence for Smart Technologies, Systems and Services, ITMS 26240120005 and for the projects Support of Center of Excellence for Smart Technologies, Systems and Services II, ITMS 26240120029, co-funded by ERDF. It is also a part of APVV-0258-12, VEGA 1/0708/13 and KEGA 047STU-4/2013. It is also part of Katalyzer project and initiative


  1. 1.
    Kotuliak, I., Rybár, P., Trúchly, P.: Performance comparison of IPsec and TLS based VPN technologies. In: ICETA 2011: 9th IEEE International Conference on Emerging eLearning Technologies and Applications, October 27–28, 2011, Stará Lesná, The High Tatras, Slovakia, pp. 217–221. IEEE, Piscataway (2011). ISBN 978-1-4577-0050-7Google Scholar
  2. 2.
    Fan, L., et al.: Summary cache: A scalable wide-area web cache sharing protocol. IEEE/ACM Trans. Netw. 8(3), 281–293 (2000)CrossRefGoogle Scholar
  3. 3.
    Kambhampati, V. et al.: A taxonomy of capabilities based DDoS defense architectures. In: 9th IEEE/ACS International Conference on Computer Systems and Applications (AICCSA), pp. 157–164 (2011)Google Scholar
  4. 4.
    Rejimol Robinson, R.R, Thomas, C.: Evaluation of mitigation methods for distributed denial of service attacks. In: 7th IEEE Conference on Industrial Electronics and Applications (ICIEA), pp. 713–718 (2012)Google Scholar
  5. 5.
    Habib, A., Roy, D.: Steps to defend against DoS attacks. In: 12th International Conference on Computers and Information Technology, ICCIT 2009, pp. 614–619 (2009)Google Scholar
  6. 6.
    Network monitoring tool Katalyzer.
  7. 7.
    CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks, September 1996.
  8. 8.
    IETF RFC 793.: Transmission control protocol, September 1981.
  9. 9.
    CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks [CA-96.21] CERT, September 1996.
  10. 10.
    Bloom, Burton H.: Space/Time trade-offs in hash coding with allowable errors. Commun. ACM 13(7), 422–426 (1970)CrossRefzbMATHGoogle Scholar
  11. 11.
    Tabataba, F.S., Hashemi, M.R.: Improving false positive in Bloom filter. In: 19th Iranian Conference on Electrical Engineering (ICEE), p. 1. IEEE (2011)Google Scholar
  12. 12.
    Nagy, M., Kotuliak, I.: Enhancing security in mobile data networks through end user and core network cooperation. In: MoMM 2013: The 11th International Conference on Advances in Mobile Computing and Multimedia, Vienna, Austria, pp. 253–259. ACM, New York (2013). ISBN: 978-1-4503-2106-8Google Scholar
  13. 13.
    Yeung, D., Chen, W.: Throttling spoofed syn flooding traffic at the source. Telecommunication Systems 33(3), 47–65 (2006)Google Scholar
  14. 14.
    Cardinal, S.: Use offense to inform defense. Find flaws before the bad guys do. SANS Institute 2000 – 2012, 31 August 2014.
  15. 15.
    Hping – Active Network Security Tool, 31 August 2014.
  16. 16.
    Acri, E.: Complemento Howto (2011).
  17. 17.
    Ev1Syn - A SYN Flood with Random Spoofed Source Address. Accessed 31 August 2014
  18. 18.
    Brouer, J.: Mitigate TCP SYN Flood Attacks with Red Hat Enterprise Linux 7 Beta, 11 April 2014.
  19. 19.
    Davis, P.T.: Securing and Controling CISCO Routers. CRC Press, Boca Raton (2002)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Tomáš Halagan
    • 1
  • Tomáš Kováčik
    • 1
  • Peter Trúchly
    • 1
  • Andrej Binder
    • 1
  1. 1.Faculty of Informatics and Information TechnologiesSlovak University of Technology in BratislavaBratislavaSlovakia

Personalised recommendations