
Research On Detection Method Of SYN Flood Based On Bloom Filter

Posted on: 2011-06-03
Degree: Master
Type: Thesis
Country: China
Candidate: P P Li
Full Text: PDF
GTID: 2178360302499232
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of network technology, the network has gradually penetrated every aspect of life and work, and network security issues have become increasingly serious. Hacker attacks are more and more common, and the DDoS attack, one of the most destructive attacks on the Internet, is one of the most convenient and effective methods available to attackers. Statistics show that over 90% of DDoS attacks use TCP, and the SYN Flood, which attacks the target server by exploiting a weakness in TCP, is a common type of DDoS. Effectively detecting SYN Flood and reducing the damage it causes therefore has practical significance for Internet security.

First, the paper discusses and analyses the existing detection and prevention methods for SYN Flood. The analysis shows that the main difference between legitimate network traffic congestion and attack traffic is whether the source IP address of a TCP datagram has appeared before. On the basis of a thorough understanding of the principle of SYN Flood and the characteristics of the existing attack tools, the paper then proposes a detection method based on the Bloom Filter.

In this method, two counting Bloom filters with the same structure are used: one tallies the total number of forged source IP addresses, and the other records the real source IP addresses that have successfully established a TCP connection with the server. This gives a better distinction between network traffic congestion and attack traffic. An information extraction algorithm produces the initial statistical series; after smoothing and subtraction of an offset constant, obtained by means of the Chebyshev inequality, this series becomes a suitable input for CUSUM. The non-parametric CUSUM then judges whether the input remains consistent.
The threshold changes dynamically according to the normal flow, so it adapts to the network and reduces the probability of false negatives and false alarms, thereby improving the detection rate. Once an attack is detected, MULTOPS can determine the target of the attack in a short time and, combined with statistics on the number of SYN datagrams, ascertain the intensity of the attack. The results of many simulated attacks show that using the Bloom Filter for information extraction and the non-parametric CUSUM for statistics can detect abnormal traffic in a timely manner and correctly identify the anomaly. The method distinguishes well between surging legitimate network traffic and attack traffic, and has lower false negative and false alarm rates. To some extent, the method proposed in this paper achieves a higher detection rate than some traditional detection methods.
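The pipeline the abstract describes (two counting Bloom filters, an information-extraction step, a Chebyshev-derived offset, a non-parametric CUSUM with a threshold learned from normal flow, and a MULTOPS-style per-destination tally) can be sketched end to end in Python. The code below is an added illustration written for this page, not the thesis's own implementation: the hashing scheme, the exact form of the offset (mu + k*sigma from the Chebyshev bound) and of the adaptive threshold, the per-window statistic (SYNs whose source has never completed a handshake), and all packet events are assumptions or constructed data.

```python
"""SYN flood detection sketch: two counting Bloom filters feed a non-parametric
CUSUM with a Chebyshev-derived offset, plus a MULTOPS-style per-destination tally.
Added illustration, not the thesis's own code; all packet events are constructed."""
import hashlib
import statistics
from collections import Counter


class CountingBloomFilter:
    """k counters per key so membership can be revoked (plain Bloom filters cannot)."""

    def __init__(self, size=4096, k=3):
        self.size, self.k = size, k
        self.counts = [0] * size

    def _positions(self, key):
        # Derive k positions from one SHA-256 per seed (assumed hashing scheme).
        for seed in range(self.k):
            digest = hashlib.sha256(f"{seed}:{key}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.size

    def add(self, key):
        for pos in self._positions(key):
            self.counts[pos] += 1

    def remove(self, key):
        if self.contains(key):
            for pos in self._positions(key):
                self.counts[pos] -= 1

    def contains(self, key):
        return all(self.counts[pos] > 0 for pos in self._positions(key))


class SynFloodDetector:
    """Per-window statistic: number of SYNs whose source never completed a handshake."""

    def __init__(self, k_sigma=4.5, threshold_factor=3.0):
        self.pending = CountingBloomFilter()      # sources with a SYN but no handshake yet
        self.established = CountingBloomFilter()  # sources that finished a handshake
        self.k_sigma = k_sigma                    # Chebyshev: P(|X-mu| >= k*sigma) <= 1/k^2
        self.threshold_factor = threshold_factor
        self.offset = None     # CUSUM drift term a
        self.threshold = None  # alarm level h, derived from normal flow
        self.cusum = 0.0

    def extract(self, events):
        """Information extraction: (unverified SYN count, per-destination tally)."""
        suspicious, by_dst = 0, Counter()
        for kind, src, dst in events:
            if kind == "SYN" and not self.established.contains(src):
                suspicious += 1
                by_dst[dst] += 1
                self.pending.add(src)
            elif kind == "ACK" and self.pending.contains(src):
                self.pending.remove(src)       # handshake completed: source is real
                self.established.add(src)
        return suspicious, by_dst

    def calibrate(self, normal_windows):
        """Set a and h from attack-free windows (adaptive threshold, assumed form)."""
        xs = [self.extract(w)[0] for w in normal_windows]
        mu, sigma = statistics.mean(xs), max(statistics.pstdev(xs), 1.0)
        self.offset = mu + self.k_sigma * sigma   # normal x exceeds a with prob <= 1/k^2
        self.threshold = self.threshold_factor * self.offset
        self.cusum = 0.0

    def observe(self, events):
        """Non-parametric CUSUM: S_n = max(0, S_{n-1} + x_n - a); alarm when S_n > h."""
        x, by_dst = self.extract(events)
        self.cusum = max(0.0, self.cusum + x - self.offset)
        alarm = self.cusum > self.threshold
        # MULTOPS-style step: the destination drawing most unverified SYNs is the target,
        # and that SYN count serves as the attack intensity.
        target, intensity = by_dst.most_common(1)[0] if alarm and by_dst else (None, 0)
        return {"stat": x, "cusum": self.cusum, "alarm": alarm,
                "target": target, "intensity": intensity}


# ---- constructed traffic (not captured data) ----
def normal_window(n_new, tag):
    """n_new fresh clients each complete a handshake, plus repeat traffic from one of them."""
    ev = []
    for i in range(n_new):
        src = f"10.{tag}.0.{i + 1}"
        ev += [("SYN", src, "10.0.0.5"), ("ACK", src, "10.0.0.5")]
    ev += [("SYN", f"10.{tag}.0.1", "10.0.0.5")] * 20   # returning client, already established
    return ev


def attack_window(n_spoofed=300):
    """Spoofed sources send SYNs and never answer, so none becomes established."""
    return [("SYN", f"198.51.100.{i % 250}", "10.0.0.5") for i in range(n_spoofed)]


def run_demo():
    det = SynFloodDetector()
    det.calibrate([normal_window(n, t) for t, n in enumerate([8, 11, 9, 12, 10], start=1)])
    quiet = det.observe(normal_window(10, 9))   # legitimate window: CUSUM stays at 0
    flood = det.observe(attack_window())        # flood window: CUSUM jumps past h
    return quiet, flood


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The calibration windows give a statistic of 8 to 12 unverified SYNs per window, so the offset lands around 16 and the threshold around 49; a legitimate window of ten new clients contributes nothing to the CUSUM, while a window of 300 spoofed SYNs exceeds the threshold at once and the tally names 10.0.0.5 as the target. A returning client that already completed a handshake is never counted, which is what lets a surge of real traffic pass without an alarm.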
Keywords/Search Tags: SYN Flood, Bloom Filter, CUSUM Algorithm, Adaptive Threshold, MULTOPS