An Effective Approach to Detect DDos Attack

  • R. Manoj
  • C. Tripti
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 178)


TCP is a connection-oriented, reliable service. It uses a 3-way handshake to establish the connection. Distributed Denial of Service (DDoS) has emerged as one of the major threats to network security, as is evident from a series of attacks that shut down some of the most popular websites. This attack prevents legitimate users from accessing regular internet services by exhausting the victim's resources, and the TCP SYN flooding attack is the most common type of DDoS attack. TCP SYN flooding exploits TCP's 3-way handshake mechanism and its limitation in maintaining half-open connections. The SYN flooding attack is very hard to detect, because it is difficult to distinguish between legitimate SYN packets and attack SYN packets at the victim's server. This paper concentrates on the different IP spoofing techniques, such as random spoofed source address, subnet spoofed source address and fixed spoofed source address, and on the schemes to detect the DDoS attack. The different schemes are SYN-dog, SYN-cache and SYN-cookies. These schemes are effective only up to a particular extent. This paper concentrates more on a newly proposed scheme, a router-based scheme that uses the Counting Bloom Filter algorithm and the CUSUM algorithm. The new scheme is highly sensitive and always requires a shorter time for the detection of both low-intensity and high-intensity attacks.


DDoS, Flooding, 3-way handshake





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  1. Rajagiri College of Social Sciences, Ernakulam, India
