Results 1 - 2 of 2
More Accurate and Fast SYN Flood Detection
Abstract—SYN flood attacks still dominate Distributed Denial of Service attacks. It is a great challenge to accurately detect SYN flood attacks in high-speed networks. An intelligent attacker would evade the public detection methods by suitably spoofing the attack to pretend to be benign. Keeping per-flow or per-connection state could eliminate such spoofing, but it also consumes an extremely large amount of resources. We propose a more accurate and fast SYN flood detection method, named SACK 2, which could detect all kinds of SYN flood attacks with limited implementation costs. SACK 2 exploits the behavior of the SYN/ACK-CliACK pair to identify the victim server and the TCP port being attacked, where a SYN/ACK packet is sent by a server when receiving a connection request and a CliACK packet is the ACK packet sent by the client to complete the three-way handshake. We utilize a space-efficient data structure, the counting Bloom filter, to recognize the CliACK packet. Comprehensive experiments demonstrate that SACK 2 is the fastest and most accurate detection method compared with related methods which also leverage the packet pair’s behavior. The memory cost of SACK 2 for a 10Gbps link is 364KB and can be easily accommodated in modern routers.
School of Computer and Communication Engineering,
Threats have become a big problem over the past few years, as computer viruses are widely recognized as a significant computer threat. However, the role of Information Technology security must be revisited, since too often IT security managers find themselves in the hopeless situation of trying to uphold a maximum of security as requested by management. At the same time they are considered an obstacle in the way of developing and introducing new applications into business and government network environments. This paper focuses on Transmission Control Protocol Synchronize Flooding attack detection using the Internet Protocol header as a platform to detect threats, especially in the IP protocol and TCP protocol, and checks packets using an anomaly detection system, which has many advantages, and applies it under open source Linux. The problem is to detect TCP SYN Flood attacks through internet security. This paper also focuses on detecting threats in the local network by monitoring all the packets that go through the network. The results show that the proposed detection method can detect TCP SYN Flooding in both normal and attacked networks and alert the user about the attack after sending the report to the administrator. In conclusion, TCP SYN Flood and other attacks can be detected through traffic monitoring tools if the abnormal behaviors of the packets are recognized, such as incomplete TCP three-way handshake application and IP header length.

