

[IEEE 2010 International Conference on Anti-Counterfeiting, Security and Identification (2010 ASID) - Chengdu, China (2010.07.18-2010.07.20)]

An Improved Algorithm for Detecting SYN Flooding Attacks Based on Network Processor

Yuli Fu, Yune Lai

School of Electronics and Information Engineering, South China University of Technology, Guangzhou 510640, China

[email protected]

Abstract — This paper presents an improved algorithm for detecting SYN flooding attacks. The algorithm is based on the hardware and software framework of the IXP2850 network processor. It improves the typical method of checking whether a SYN segment is received twice from the same source: the improved algorithm first labels suspicious records and only then verifies them to determine whether an attack is actually taking place. With this algorithm the false alarm rate decreases and valid defensive measures are taken at the right moment.

Keywords: IXP2850; SYN flooding attacks; same source SYN segments

I. INTRODUCTION

With the rapid development of network technology, the means of network attack have become diverse, and network security faces a serious threat. Currently one of the most popular attacks is the Distributed Denial of Service (DDoS) attack [1]. Its characteristic is that the attacker sends a large number of packets with different sources to the victim system in a short time; the victim exhausts its storage resources and can no longer respond to the service requests of normal clients, that is, denial of service occurs. The difficulty in defending against DDoS is that the attack sites are numerous and distributed. Even though each site sends only a small quantity of abnormal packets, the victim still receives a large number of packets in a short time, which is enough to bring it down. If the abnormal packets carry forged source MAC or IP addresses, defense becomes significantly more difficult.

There are many forms of DDoS, such as UDP flooding attacks [6], Smurf attacks [7] and SYN flooding attacks [10, 11]. SYN flooding is one of the most widely used. Exploiting an inherent defect of the TCP/IP protocol, it is stealthy and destructive yet simple to carry out.

Many methods have been proposed to detect SYN flooding attacks. The SYN cookie method [8] works on the TCP server. It extends the three-way handshake by computing a cookie from the SYN segment when the server sends back the SYN/ACK segment; this in effect verifies the legitimacy of the later ACK segment. The mechanism removes the backlog queue of the original TCP implementation, but the cost of computing and verifying cookies can become a disadvantage under high-rate traffic. The SYN cache method [9] provides a global hash table that keeps half-open connections on the server node. However, it does not solve the problem fundamentally.

A method based on receiving SYN packets from the same source twice is proposed in [2]. It distinguishes the normal connection requests and records these normal half-open connections in the system's buffer, so buffer overflow is avoided effectively. Its drawback is the machine time it consumes: to detect attacks correctly, it must receive every SYN segment twice, whether the client is legitimate or not. As a result, every TCP application is delayed by an additional period on top of the natural latency. Generally this additional period equals the system's retransmission interval, for example two seconds.

To improve on those methods, this paper proposes an improved algorithm for detecting SYN flooding attacks based on the hardware and software features of the Network Processor (NP) IXP2850. It is an improvement of the typical method of receiving SYN segments twice from the same source within a reasonable period of time. Compared with general-purpose processors, the NP is faster and more efficient, making it suitable for many kinds of applications on network nodes with heavy traffic. Intel's IXP2850 offers superior performance, and our improved algorithm, built on this NP hardware, performs better than previous algorithms for detecting SYN flooding attacks. The rest of this paper is organized as follows. Section II introduces the principle of the SYN flooding attack. Section III briefly introduces the features of the NP. Section IV gives the improved detecting algorithm. Section V presents the analysis of the algorithm, and Section VI is our conclusion.

II. SYN FLOODING ATTACK

The SYN flooding attack exploits an inherent defect of the TCP/IP protocol. The defect lies in TCP's three-way handshake mechanism and its half-open connections. Fig. 1 shows the TCP connection process. The TCP/IP protocol aims at establishing reliable connections; the three steps are recalled as follows [5]:

This work is supported partially by NSFC-Guangdong Natural Science Foundation, Grant: U0835003, and the National Educational Ministry’s Key Project of Technology Innovation, Grant: 707047.

37

_____________________________________ 978-1-4244-6734-1/10/$26.00 ©2010 IEEE


Figure 1. TCP three-way handshake

1) SYN segment: The client sends a SYN segment specifying the server port it intends to connect to and carrying an initial sequence number (ISN = J).

2) SYN/ACK segment: The server responds with a segment containing its own ISN (SYN = K). At the same time, the acknowledgment number is set to one more than the client's ISN (ACK = J + 1).

3) ACK segment: After receiving the server's response segment, the client sends back a segment whose acknowledgment number is one more than the server's ISN (ACK = K + 1).

When these three segments have been sent and received successfully, a normal connection is established. This process is called the three-way handshake.

In normal circumstances, after the server sends back its response segment, it saves the information about this connection for a period of time until the client's ACK segment is received or a timeout occurs. Connections waiting for the third handshake are known as half-open connections. If the information of half-open connections fully occupies the server's storage space, the server is no longer able to respond to clients. If the SYN segment is forged, the victim server never receives the client's acknowledging segment, and the connection information is not deleted until it times out. In this case the server's storage space can be exhausted by forging numerous SYN request packets in a short time; this is called a SYN flooding attack. Because Internet routing is stateless and based only on the destination address, the forged-source packets cannot be distinguished from normal ones while a SYN flooding attack is in progress. If the attack succeeds, DoS results.

III. NETWORK PROCESSOR

The International Network Processor Conference defines a Network Processor as follows: a Network Processor is a kind of programmable device specifically applied to many communication tasks, such as packet processing, protocol analysis, routing lookup [11], firewalls [12] and QoS. It is therefore an appropriate platform for detecting network attacks in NP hardware. Here Intel's second-generation NP, the IXP2850 [3], is used. Compared with first-generation devices, it takes fuller account of the statistical characteristics of network traffic and employs hardware acceleration units and software techniques to solve complex network problems. The major components of the IXP2850 are [4]:

• Intel XScale core: The Intel XScale core is an embedded 32-bit RISC processor with a clock frequency of 700 MHz. It is responsible for control-plane tasks, including the chip's initialization and configuration, system control and management, running the routing protocol stack, updating the routing tables and processing exceptional packets.


• Microengines: There are sixteen 32-bit programmable engines with a clock frequency of 1400 MHz. They are the core of the chip and are mainly responsible for data-plane packet processing.

• Other units: four separate SRAM controllers for the SRAM, which mainly stores control information; three separate DRAM controllers for the Rambus DRAM, which mainly stores packet data; and a 16 KB scratchpad memory used for communication between microengines and for buffering important internal data.

These hardware features give the IXP2850 its most significant property: high speed. With a core frequency of 1400 MHz, the microengines can execute millions of instructions per second.

IV. DETECTING ALGORITHM

This section presents the improved detecting algorithm. Two key concepts are defined first. Same source SYN segments are SYN segments carrying the same source IP address and source port number. A reasonable period of time is the interval between the minimum retransmission interval and the maximum retransmission interval (generally twice the system's retransmission interval).

1) Packet classification: The first step is to classify the packets arriving at the IXP2850 on the basis of their IP and TCP headers. The classification process is shown in Fig. 2. First the hardware and software system is initialized. Then the NP begins receiving packets, and the TCP and IP headers of each incoming packet are extracted; all further processing works on the information in these headers.

The algorithm only considers TCP packets, so non-TCP packets are forwarded without processing. For TCP packets, the SYN/FIN/RST flags are read to see whether any of them is set. If none is set, the packet is a normal data packet and needs no further processing. Otherwise, go to step 2).

2) Recording: Each packet's source IP (Src_IP), destination IP (Dest_IP), source port number (Src_PN), destination port number (Dest_PN) and SYN/FIN/RST flags are extracted from the packet and recorded in a hash table. The hash structure is shown in Fig. 3.

In the hash operation, the packet's quadruple (Src_IP, Dest_IP, Src_PN, Dest_PN) is used as the key.


Figure 2. Process of packets’ classification

Figure 3. The hash structure

The hash function is:

H = (Src_IP + Dest_IP + Src_PN + Dest_PN) mod 65535,

i.e., the hash index is the sum of the four fields of the quadruple, modulo 65535. Each hash node records the quadruple together with a SYN (SYN/ACK) counter (CNT1) and a FIN (RST) counter (CNT2). The hash table, with a total of 65,536 lines, is created in DRAM. As described in Section III, DRAM is used for data buffering, and its 3 GB memory space can meet this requirement.

3) Judgment: The Intel XScale core traverses the hash table every 300 milliseconds and compares CNT1 with CNT2. If CNT1 minus CNT2 is larger than a threshold T, the corresponding destination is regarded as possibly under SYN flooding attack, and records of this kind are marked for further judgment. Records that are not marked are confirmed to belong to normal applications and are deleted after the traversal. For the marked ones, when packets from the same source are received later, the NP does not forward them immediately; instead, the method called receiving the same source SYN packets twice runs to verify whether an attack is really happening. If the same SYN segments are received again within a reasonable period of time, for example the retransmission interval, the corresponding records are normal and the packets can be forwarded; these marked records can then be deleted. On the other hand, if the same SYN packets are not received within twice the retransmission interval, we confirm that the sources of the marked records are forged and that a SYN flooding attack is happening. Packets with the same Src_IP are then dropped to protect the victims from the attack.

[Figure 2 flowchart, recovered labels: Initialization -> Receiving packets -> Extracting TCP and IP headers -> "Protocol is TCP?" (No: non-TCP packets, Forwarding; Yes: TCP header is empty, get the length of the IP header and the offset of the flags, "Offset is 0?") -> "SYN/FIN/RST is set?" (No: TCP data packets, Forwarding; Yes: SYN/FIN/RST packets, Recording)]

These three steps compose our improved algorithm. It is worth noting that, compared with the original algorithm, the improved one adds the classification and recording steps. When the original algorithm is applied on the server, it can detect SYN flooding attacks accurately to a large extent, but at a high cost, whereas the method presented in this paper improves on it considerably.
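The three steps above as an added Python simulation (not the paper's microengine code): classification, recording into a table indexed by the paper's quadruple hash, the 300 ms judgment sweep against the threshold T, and the mark-first-verify-later handling of same-source SYNs. It assumes a 2 s retransmission interval (the paper's example value), sums CNT1 - CNT2 per destination at judgment time, and holds the first SYN toward a marked destination until the source retransmits it within twice that interval; the traffic in run_scenario is constructed, not measured.

```python
from collections import defaultdict

SWEEP_MS = 300     # paper: the XScale core traverses the hash table every 300 ms
RETRANS_MS = 2000  # assumed system retransmission interval (the paper's example value, 2 s)

def hash_index(src_ip, dst_ip, src_pn, dst_pn):
    return (src_ip + dst_ip + src_pn + dst_pn) % 65535  # paper's hash: sum of quadruple mod 65535

class SynFloodDetector:
    def __init__(self, threshold):
        self.T = threshold
        self.table = {}       # hash index -> [dst, CNT1, CNT2]   (step 2, recording)
        self.marked = {}      # dst -> time the judgment step marked it as suspicious
        self.pending = {}     # (src_ip, dst) -> time of the held-back first SYN
        self.blocked = set()  # Src_IPs confirmed as forged
        self.alerts = []      # (dst, src_ip, time) per confirmed forged source

    def handle(self, pkt, now_ms):
        """Steps 1 and 2 for one packet; returns 'forward', 'hold' or 'drop'."""
        if pkt["proto"] != "tcp":
            return "forward"                  # non-TCP packets pass untouched
        if not pkt["flags"] & {"SYN", "FIN", "RST"}:
            return "forward"                  # ordinary TCP data packet
        src, dst = pkt["src_ip"], (pkt["dst_ip"], pkt["dst_pn"])
        if src in self.blocked:
            return "drop"
        node = self.table.setdefault(
            hash_index(src, pkt["dst_ip"], pkt["src_pn"], pkt["dst_pn"]), [dst, 0, 0])
        node[1 if "SYN" in pkt["flags"] else 2] += 1  # CNT1: SYN (and SYN/ACK); CNT2: FIN/RST
        if dst in self.marked and "SYN" in pkt["flags"]:
            return self._verify(src, dst, now_ms)  # same-source-SYN-twice check, marked dst only
        return "forward"

    def _verify(self, src, dst, now_ms):
        first = self.pending.get((src, dst))
        if first is None:
            self.pending[(src, dst)] = now_ms  # hold the first SYN instead of forwarding it
            return "hold"
        if now_ms - first <= 2 * RETRANS_MS:   # retransmitted within the reasonable period
            del self.pending[(src, dst)]       # a real TCP stack is behind it: let it through
            return "forward"
        return "hold"

    def sweep(self, now_ms):
        """Step 3 (judgment), run every SWEEP_MS; returns CNT1 - CNT2 per destination."""
        backlog = defaultdict(int)
        for dst, cnt1, cnt2 in self.table.values():
            backlog[dst] += cnt1 - cnt2
        for dst, diff in backlog.items():
            if diff > self.T:
                self.marked.setdefault(dst, now_ms)  # mark first, verify later
        self.table.clear()                           # records are deleted after traversal
        for (src, dst), first in list(self.pending.items()):
            if now_ms - first > 2 * RETRANS_MS:      # no retransmission: source is forged
                self.blocked.add(src)
                self.alerts.append((dst, src, now_ms))
                del self.pending[(src, dst)]
        for dst in list(self.marked):                # nothing left to verify: unmark
            if backlog.get(dst, 0) <= self.T and all(d != dst for _, d in self.pending):
                del self.marked[dst]
        return dict(backlog)

def run_scenario(threshold=180):
    """Constructed traffic (not measured data): forged flood, one real client, one victim."""
    det, t = SynFloodDetector(threshold), 0
    victim = {"proto": "tcp", "dst_ip": 10, "dst_pn": 80}
    for i in range(250):  # 250 forged SYNs with distinct sources inside one sweep interval
        det.handle({**victim, "src_ip": 1000 + i, "src_pn": 40000, "flags": {"SYN"}}, t)
    t += SWEEP_MS
    backlog = det.sweep(t)[(10, 80)]
    marked = (10, 80) in det.marked                  # 250 - 0 > T: victim marked
    client = {**victim, "src_ip": 5, "src_pn": 51000, "flags": {"SYN"}}
    client_result = (det.handle(client, t), det.handle(client, t + 1000))  # SYN, retransmit
    forged = {**victim, "src_ip": 7777, "src_pn": 40000, "flags": {"SYN"}}
    held = det.handle(forged, t)                     # this source never retransmits
    for k in range(1, 16):                           # 4.5 s of sweeps, beyond 2 * RETRANS_MS
        det.sweep(t + k * SWEEP_MS)
    return {"backlog": backlog, "marked": marked, "client": client_result, "blocked": 7777 in det.blocked,
            "forged": (held, det.handle(forged, t + 15 * SWEEP_MS)),
            "alerts": len(det.alerts), "still_marked": (10, 80) in det.marked}
```

Only SYNs toward a marked destination pay the two-SYN delay; with T raised above the flood's CNT1 - CNT2, nothing is marked and every packet is forwarded immediately, which is the sensitivity trade-off the paper discusses.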

V. ANALYSIS AND RESULT

A. Analysis

In the packet classification stage there is a specialized module, the Rx microblock, for receive processing and classification. It decapsulates packets, i.e., removes the MAC headers, and then directly extracts the IP headers and the TCP/UDP headers. One of the sixteen microengines is assigned to this microblock, with eight threads for its implementation. As long as these threads are organized reasonably, processing runs at line rate, so packets are classified rapidly and passed to the next stage.

The recording stage is carried out by the IPv4 Forwarder microblock. This module uses four microengines and has 32 threads. The data structure Metadata is designed for recording packet information; it holds the packet's size and buffer offset. From this content the parameters required by the algorithm are easily obtained and then written into the hash table in DRAM. Although the DRAM is external memory and one read-write takes 400 clock cycles, the total time cost is only about 0.3 microseconds (400 / 1,400,000,000 s). Therefore this stage is also fast and efficient on the IXP2850.

The Intel XScale core plays the main role in the judgment stage. The threshold T is a key parameter to fix. The value of T is directly related to the level of sensitivity (LOS), the false positive alarm rate (FPR) and the false negative alarm rate (FNR). The greater T is, the lower LOS and FNR are, and the smaller T is, the higher LOS and FPR are. Therefore T should be set according to the system's requirements for LOS and false alarm rate. When the threshold is exceeded, an alarm is not raised immediately; the record is marked first and then identified. If marked records turn out to be legitimate, the corresponding connections are established in the normal way, apart from a period of delay. For illegitimate records, alarms are raised and the corresponding packets are dropped. In this way the initial defense is carried out in addition to detecting the attack.

B. Result

The experimental platform is a LAN whose core device is the IXP2850 network processor. The other main devices are a Spirent test center, an optical switch and 4 PCs. The Spirent test center can not only simulate actual network traffic behavior but also analyze the traffic systematically. The optical switch connects these devices within the LAN, and the 4 PCs can communicate with each other to simulate the attack environment, so an experiment on this platform is representative. The improved algorithm and the original one have each been implemented in our recent project. Fig. 4 shows the performance of the two algorithms under normal circumstances, and Fig. 5 compares the performance of the original and improved algorithms in detecting SYN flooding attacks.

From Fig. 4 we can see that the normal response latencies of the two algorithms are distinctly different. The smallest response latency of the original algorithm is no less than 1 second, while the largest response latency of the improved one is no more than 1 second. So the normal response delay is improved a lot.

In Fig. 5, the blue curve shows the network traffic, which includes SYN flooding attacks. The sampling interval is 300 milliseconds, and the three wave crests show where SYN flooding attacks occur. The green curve shows the detection behaviour of the original algorithm; its points give the number of packets detected at each sample point. The red curve stands for the improved algorithm proposed in this paper; its points represent the value of CNT1 – CNT2. It can be noted that the peaks of the green curve appear 2 seconds later than those of the blue curve, while the delay of the red peaks is only 300 milliseconds.

Obviously, compared with the original algorithm, the improved algorithm performs better when applied in the NP.

Now let us discuss the level of sensitivity. According to Fig. 5, if the threshold T is set to 180, all three attacks are detected accurately. If T is set above 200, only two attacks are detected and the middle one is missed. And if T is below 100, at least four attacks are detected, that is, a false positive alarm occurs. Therefore the value of T should be set according to the specific network traffic; in our project it is set to 180.

[Figure 5 plot (residue): x-axis Time (MSec), 0 to 14000; y-axis Packets Number, 0 to 700; curves: Traffic Flow, Modified Algorithm Detect Result, Raw Algorithm Detect Result]

Figure 5. The performance of detecting attacks

VI. CONCLUSION

This paper proposed an algorithm that improves the method of receiving the same source SYN segments twice. Our mechanism marks records first and then identifies them. The two steps can be carried out easily and quickly on the NP IXP2850. Our method decreases the false alarm rate; it also reduces the level of sensitivity.

REFERENCES

[1] L. Garber, “Denial of service attacks rip the Internet,” Computer, pp. 57-66, 2000.

[2] Xiaochun Jian, Zhenqiang Wu, and Chengyi Huo, “Method of defending SYN flooding attack by receiving two same source SYN packets,” Computer Engineering and Design, 29(4), pp. 1440-1442, 2008.

[3] Hongke Zhang, Wei Su, and Yong Wu, “The theory and technology of Network Processor,” Beijing University of Posts and Telecommunications, pp. 14-17, 2004.

[4] Intel Corporation, Intel IXP2850 Network Processor Hardware Reference Manual, pp. 7-22, 2004.

[5] W. Richard Stevens, “TCP/IP Illustrated, Vol. 1,” Machinery Industry, pp. 174-190, 2005.

[6] Juniper Networks, “Denial of service and attack protection,” white paper, Juniper Networks, 2006.

[7] G. R. Zargar and P. Kabiri, “Identification of effective network features to detect Smurf attacks,” 2009 IEEE Student Conference on Research and Development (SCOReD), pp. 49-52.

[Figure 4 plot (residue): x-axis Packets Number, 0 to 1200; y-axis Normal Response Delay Time (MSec), 0 to 2500; curves: Modified Algorithm, Raw Algorithm]

[8] A. Zuquete, “Improving the functionality of SYN cookies,” Proceedings of the 6th IFIP Communications and Multimedia Security Conference, pp. 57-77, 2002.

[9] J. Lemon, “Resisting SYN flooding DoS attacks with a SYN cache,” Proceedings of USENIX BSDCon 2002, pp. 89-98, 2002.

[10] Haining Wang, Danlu Zhang, and Kang G. Shin, “Detecting SYN flooding attacks,” IEEE INFOCOM 2002, vol. 3, pp. 1530-1539.

[11] Yuli Fu, Hongquan Liang, and Zhenyu Liu, “An effective IP routing lookup algorithm based on Network Processor,” Proceedings of the 11th IEEE International Conference on Communication Systems 2008, Guangzhou, pp. 1716-1720.

[12] Yuli Fu and Xiaohong Wang, “ICMP processing module embedded in NP based firewall,” Proceedings of the 2nd IEEE International Conference on Anti-Counterfeiting, Security, and Identification, Guiyang, pp. 310-313, 2008.

Figure 4. The response of normal applications
