MODIFICATION OF TCP SYN FLOOD (DOS) ATTACK DETECTION ALGORITHM

This work focuses on the proposal and implementation of a modification of the SYN flood (DoS) attack detection algorithm. The attack detection algorithm, based on a Counting Bloom filter, is proposed and implemented in the KaTaLyzer network traffic monitoring tool. TCP attacks can be detected and the network administrator can be notified in real time about an ongoing attack using different notification methods.


Introduction
Computer network security and privacy are currently at a very high level due to the various detection algorithms and protection mechanisms implemented at various network layers, in network devices and directly in operating systems. Despite all of these, the most important factor remains the information about a currently ongoing attack, which administrators need to have in adequate time. Hence, this area leaves room for new effective solutions that detect attacks and provide such information.
In this work we focus on a proposed modification of the SYN flood attack detection algorithm and its implementation in the KaTaLyzer network traffic monitoring tool, which has been developed at STUBA [1]. Building on the Counting Bloom Filter (CBF) mechanism, our contribution is the modification and use of the CBF tables, which store counters of half-open TCP connections. After an ongoing attack is detected, the network administrator is notified by the chosen notification methods.
Familiarity with the DoS SYN flood attack is assumed. If you are not familiar with it, more information can be found at [2].

Bloom Filter algorithm
The mathematics behind the Bloom filter data structure is the following. Consider a set of $m$ elements, in our case a set of $m$ IP addresses, $IP = \{ip_1, ip_2, ip_3, \ldots, ip_m\}$. The set is described by a vector $V$ which is $n$ bits long and is initially set to $n$ zeros. Next, consider $k$ independent hash functions which the Bloom filter uses to generate $k$ hash values from each element of the $IP$ set. The hash function outputs are values from the range $\{1, \ldots, n\}$ and represent an index into the vector $V$. If the $i$-th hash function $h_i()$, $1 \le i \le k$, applied to a member $ip_j \in IP$, $1 \le j \le m$, results in the value $K$, i.e. $K = h_i(ip_j)$, the $K$-th bit of the vector $V$ is set to 1. Thus for each element $ip_j \in IP$ and each hash function $h_i$, the $K$-th bit of $V$ is set to 1, where $K = h_i(ip_j)$, $1 \le j \le m$, $1 \le i \le k$.
Depending on the relations among the hash functions and the overlap of their results, a bit in the vector $V$ can be set to 1 multiple times. However, only the first setting of the $K$-th bit to 1 changes the value of the bit.

Counting Bloom Filter
Assume a situation in which the elements of the $IP$ set change periodically and are thus being inserted into and deleted from the data structure. Inserting elements is the simple process described above. When we want to delete an element from the Bloom filter, we need to set the corresponding bits back to zero.
However, this operation may clear bits which were also set to 1 by a hash function for a different element of the $IP$ set. In that situation the Bloom filter no longer provides a correct representation of the elements of the $IP$ set.
This problem was solved in work [2], which introduced a new data structure called the Counting Bloom Filter (CBF). In the CBF data structure, the bits of the vector $V$ are replaced by integers used as counters. To record an element $ip_x$ in the data structure, each counter addressed by one of the independent hash functions is incremented. When an element is deleted, the corresponding counters are decremented.
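The following Python program is an added example, not code from the paper or from KaTaLyzer. It shows the deletion problem described above on a plain Bloom filter and how the counter version removes it. Deriving the $k$ indexes from a SHA-256 digest and the small filter size ($n = 32$, $k = 3$) are assumptions made here so that, among the constructed addresses, a pair sharing an index is guaranteed to exist.

```python
import hashlib


class BloomFilter:
    """Plain Bloom filter: an n-bit vector V and k hash functions.

    Added example. The k indexes are carved from one SHA-256 digest, an
    assumption made for a self-contained demo; it is not the hash family
    from the paper.
    """

    def __init__(self, n=32, k=3):
        self.n, self.k = n, k
        self.v = [0] * n  # vector V, initially n zeros

    def indexes(self, ip):
        digest = hashlib.sha256(ip.encode()).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.n
                for i in range(self.k)]

    def add(self, ip):
        for idx in self.indexes(ip):
            self.v[idx] = 1

    def contains(self, ip):
        return all(self.v[idx] for idx in self.indexes(ip))

    def remove(self, ip):
        # Naive deletion: clears bits that other members may also rely on.
        for idx in self.indexes(ip):
            self.v[idx] = 0


class CountingBloomFilter(BloomFilter):
    """CBF: every bit becomes a counter, so deletion is a safe decrement."""

    def add(self, ip):
        for idx in self.indexes(ip):
            self.v[idx] += 1

    def remove(self, ip):
        for idx in self.indexes(ip):
            if self.v[idx] > 0:
                self.v[idx] -= 1


def colliding_pair(bf, candidates):
    """Return two distinct candidates that share at least one index in bf.

    With more candidates than slots (n) such a pair must exist (pigeonhole).
    """
    seen = {}
    for ip in candidates:
        for idx in set(bf.indexes(ip)):
            if idx in seen and seen[idx] != ip:
                return seen[idx], ip
            seen.setdefault(idx, ip)
    return None


def deletion_demo(filter_cls):
    """Add two colliding addresses, delete one, report whether the other survives."""
    bf = filter_cls()
    # Constructed sample addresses, not captured traffic
    candidates = ["10.0.0.%d" % i for i in range(1, 200)]
    a, b = colliding_pair(bf, candidates)
    bf.add(a)
    bf.add(b)
    bf.remove(a)
    return bf.contains(b)


if __name__ == "__main__":
    print("plain Bloom still reports b after deleting a:",
          deletion_demo(BloomFilter))
    print("counting Bloom still reports b after deleting a:",
          deletion_demo(CountingBloomFilter))
```

With the plain filter the shared bit is cleared and the second address is reported as absent, which is exactly the wrong representation the text describes; with counters the shared slot only drops from 2 to 1 and the membership answer stays correct.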

Modified CBF
A simplification of the CBF structure is one of our contributions. The solution consists of one table of counters for inbound and one table of counters for outbound TCP connections. This simplification is possible because the tables of counters are re-initialized to 0 at defined short time intervals. Incrementing and decrementing of the counters is designed to fit the proposed SYN flood detection and is described in the later section on the S-Orthros detection algorithm.

Independent Hash Functions
A well designed set of hash functions is as important for the correct storage and distribution of elements in the CBF data structure as the performance of the hash functions themselves. In a comparative study by Chen and Yeung in paper [1], independent hash functions with a low probability of collision are designed. The 32-bit IP address is used as the key for the hash functions.
The hash functions are defined as follows: $h_i(IP) = (IP + IP \bmod p_i) \bmod n$, $1 \le i \le k$, where $\bmod$ denotes the modulo operation, $n$ is the row length of the hash table, and $p_i$ is a prime number less than $n$.
The following table compares the proposed hash function with other known hash functions.
Our examination resulted in setting the parameters as follows: $n = 1024$, $k = 4$.

Detection algorithm S-Orthros
As mentioned above, the SYN flood detection algorithm uses the CBF data structure modified for our detection purposes. The modification of the data structure has led to a simpler and clearer solution and algorithm. The intention is therefore to evaluate the conditions, and thus detect an attack, over a given constant time interval.
Consider the case where the detection algorithm cooperates with a measuring tool which captures and analyzes network traffic in real time. At the beginning, the network administrator starts the process of capturing network traffic, which runs as the main program. Other processes are invoked and run as separate threads. When the main capturing process ends, the other running threads are closed as well.
After a defined time, another process is run to analyze the measured network traffic information. In this process, the data important for the S-Orthros detection algorithm are stored. The relevant data are the source and destination IP addresses, which are saved through the independent hash functions into the modified CBF. The modified CBF consists of two tables containing N counters each.
The first table stores information about source IP addresses, while the second table stores destination IP addresses. During the analysis, the S-Orthros detection algorithm collects information about initiated connections, i.e. SYN packets, and about confirmations of connections, i.e. ACK packets. If the analysis detects a SYN packet, the data structure is incremented: both tables of counters are modified. In the case of an ACK packet confirming a SYN packet, the counters in both tables are decremented. If there is no flood attack, the handshake is completed and the data structures remain empty: the pair of IP addresses from the first SYN packet is stored, and after the confirming ACK packet it is cleared.
In the case of a flood attack, the values in the CBF structure rise sharply. The threshold of acceptable half-open connections has been empirically set to 50. The verification process compares this threshold value with the measured SYN-SENT value and, depending on the result, either starts or does not start the process of creating an alert message.
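The Python program below is an added example, not the S-Orthros module itself or any KaTaLyzer code. It puts the two sections together: the hash family $h_i(IP) = (IP + IP \bmod p_i) \bmod n$ with $n = 1024$ and $k = 4$, the two counter tables (source and destination) that a SYN increments and a handshake-completing ACK decrements, and the threshold check at 50. Assumptions made here: the four primes (the paper does not list them), that the capture layer hands over only the client's handshake ACK (not SYN-ACK or data ACKs), that counters are floored at zero, and that the "measured SYN-SENT value" compared against the threshold is the highest counter in either table. The traffic samples are constructed from documentation address ranges.

```python
import ipaddress
import random

N = 1024                            # counters per table (paper: n = 1024)
PRIMES = (1021, 1019, 1013, 1009)   # k = 4 primes below n (assumed; not listed in the paper)
THRESHOLD = 50                      # tolerated half-open connections (paper's empirical value)


def hashes(ip):
    """Paper's hash family: h_i(IP) = (IP + IP mod p_i) mod n on the 32-bit address."""
    x = int(ipaddress.IPv4Address(ip))
    return [(x + x % p) % N for p in PRIMES]


class SOrthros:
    """Modified CBF: one counter table for source IPs, one for destination IPs.

    Both tables start at zero for each measurement interval; a new instance
    per interval plays the role of the periodic re-initialisation.
    """

    def __init__(self):
        self.src = [0] * N
        self.dst = [0] * N

    def syn(self, src_ip, dst_ip):
        """A SYN opens a half-open connection: increment in both tables."""
        for h in hashes(src_ip):
            self.src[h] += 1
        for h in hashes(dst_ip):
            self.dst[h] += 1

    def ack(self, src_ip, dst_ip):
        """The client's final handshake ACK closes it: decrement in both tables.

        Assumption: only handshake-completing ACKs reach this method. Counters
        are floored at zero so an ACK whose SYN fell before the interval began
        cannot drive a counter negative.
        """
        for h in hashes(src_ip):
            self.src[h] = max(0, self.src[h] - 1)
        for h in hashes(dst_ip):
            self.dst[h] = max(0, self.dst[h] - 1)

    def verify(self):
        """Compare the highest counters with the threshold and decide on an alert."""
        peak_src, peak_dst = max(self.src), max(self.dst)
        return {
            "alert": peak_src > THRESHOLD or peak_dst > THRESHOLD,
            "peak_src": peak_src,
            "peak_dst": peak_dst,
        }


def analyse(events):
    """Feed (kind, src, dst) tuples for one interval through the detector."""
    det = SOrthros()
    for kind, src, dst in events:
        (det.syn if kind == "SYN" else det.ack)(src, dst)
    return det.verify()


# Constructed traffic samples (documentation ranges, not captured data)
SERVER = "198.51.100.10"


def normal_traffic(clients=30):
    """Every SYN is followed by its handshake ACK, so all counters return to zero."""
    events = []
    for i in range(1, clients + 1):
        client = "192.0.2.%d" % i
        events.append(("SYN", client, SERVER))
        events.append(("ACK", client, SERVER))
    return events


def random_syn_flood(packets=200, seed=7):
    """SYNs from random spoofed sources towards one victim, never completed."""
    rng = random.Random(seed)
    return [("SYN", str(ipaddress.IPv4Address(rng.getrandbits(32))), SERVER)
            for _ in range(packets)]


if __name__ == "__main__":
    print("normal:", analyse(normal_traffic()))
    print("flood :", analyse(random_syn_flood()))
```

For the normal sample every counter ends at zero, matching the text's "data structures remain empty". For the flood the victim's four destination counters each reach the packet count while the spoofed sources stay spread thin across the source table, so the alert is raised by the destination side; which table trips the threshold is itself useful for the administrator, since a tall destination counter points at the host under attack.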

Evaluating proposed solution
Through the modified CBF we are able to distinguish different variations of SYN flood attacks. We have identified the following possible TCP SYN attacks:
- Random SYN flood: a random spoofed source IP address is generated for each packet
- Subnet SYN flood: a spoofed source IP address from a specific subnet is generated for each packet
- Fixed SYN flood: several IP addresses from which the attack is launched
Each one of these attacks can be identified thanks to the typical arrangement of IP addresses stored in the data structure. This arrangement has been verified with a table editor on a sample of 250,000 IP addresses; the results are shown in Figure 1 below.
We can clearly see that the system is under attack, as the values are much higher than the 0 level which describes usual traffic.
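As an added example (not the paper's evaluation or its figure), the Python program below fills the source-IP counter table of the modified CBF for each of the three flood variants listed above and summarises the resulting arrangement of counters: how many counters are touched and how tall the peak is. The hash family and $n = 1024$, $k = 4$ are from the paper; the primes, the constructed address samples and the thresholds inside classify() are assumptions made here to illustrate the three footprints, not values the paper states.

```python
import ipaddress
import random

N = 1024                            # counters in the source-IP table (paper: n = 1024)
PRIMES = (1021, 1019, 1013, 1009)   # k = 4 primes below n (assumed; not listed in the paper)


def hashes(ip):
    """Paper's hash family h_i(IP) = (IP + IP mod p_i) mod n on the 32-bit address."""
    x = int(ipaddress.IPv4Address(ip))
    return [(x + x % p) % N for p in PRIMES]


def source_table(source_ips):
    """Source-IP counter table after a burst of SYNs that are never acknowledged."""
    table = [0] * N
    for ip in source_ips:
        for h in hashes(ip):
            table[h] += 1
    return table


def footprint(table):
    """Describe the arrangement of the counters: how many are touched and how tall the peak is."""
    return {
        "active_counters": sum(1 for c in table if c),
        "peak": max(table),
        "syn_packets": sum(table) // len(PRIMES),  # every SYN adds exactly k increments
    }


def classify(fp, few_sources=10):
    """Heuristic reading of a footprint (thresholds chosen here for the constructed samples)."""
    if fp["active_counters"] <= few_sources * len(PRIMES):
        return "fixed"       # a handful of sources: few, very tall counters
    if fp["active_counters"] < 0.9 * N:
        return "subnet"      # one subnet: a structured subset of the table
    return "random"          # random spoofing: practically every counter touched, all low


# Constructed source-address samples (documentation/private ranges, not captured traffic)
def random_sources(packets, seed=3):
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(packets)]


def subnet_sources(packets, net="10.20.30.0/24"):
    hosts = [str(h) for h in ipaddress.ip_network(net)]
    return [hosts[i % len(hosts)] for i in range(packets)]


def fixed_sources(packets, sources=("203.0.113.5", "203.0.113.6", "203.0.113.7")):
    return [sources[i % len(sources)] for i in range(packets)]


if __name__ == "__main__":
    for name, gen in (("random", random_sources),
                      ("subnet", subnet_sources),
                      ("fixed", fixed_sources)):
        fp = footprint(source_table(gen(5000)))
        print("%-6s %s -> %s" % (name, fp, classify(fp)))
```

The three footprints differ in the way the text describes: a fixed flood concentrates all increments on at most $k$ counters per source, a subnet flood lands on a structured subset of the table (for consecutive addresses the hash $IP + IP \bmod p_i$ advances in steps of two, so each $h_i$ covers a band of every other slot), and random spoofing spreads thinly over practically the whole table. Note that the random variant keeps every individual source counter low, which is why the detector also has to watch the destination table, where the victim's counters grow with every packet regardless of the spoofed source.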

Conclusion
We proposed and implemented the S-Orthros detection module based on a modified Counting Bloom filter, which provides the network administrator with information about a currently ongoing TCP SYN attack. The detection module has been tested against several TCP SYN attacks and its functionality has been verified and evaluated. Within the detection module, various methods for the timely delivery of information about the ongoing attack have been proposed and implemented. Due to their extent they have not been described in this paper.