
TCP SYN Flood DDoS Detection using Machine Learning

Primary Language: Python

TCP SYN Flood DDoS Attack Detection and Prevention using Machine Learning

A Distributed Denial of Service (DDoS) attack is a malicious attempt to take down a target server by overwhelming its resources. The attacker uses compromised machines as botnets or zombies to launch the attack simultaneously from multiple sources. DDoS attacks are difficult to detect and prevent as they appear as normal traffic coming from multiple sources and blocking a single source wouldn’t prevent it. These attacks will impact the performance and result in unavailability of services for legitimate users.
One of the most common types of DDoS attack is the network layer attack. These are DDoS assaults set up to clog the ‘pipelines’ connecting the network. They include UDP flood, SYN flood, NTP amplification, and more. The largest network layer assaults can exceed 200 Gbps; however, 20 to 40 Gbps is enough to completely shut down most network infrastructures.
SYN Flood attack is classified as a semantic attack as it exploits the three-way handshake feature of Transmission Control Protocol (TCP). When a client wants to establish a connection with the server, the client does so by using the TCP three-way handshake. The three-way handshake includes three steps – (i) Client requests connection by sending SYN (synchronize) message to the server. (ii) Server acknowledges by sending SYN-ACK (synchronize-acknowledge) message back to the client. (iii) The client responds with an ACK (acknowledge) message, and then the connection is established.
To launch a TCP SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server. The server responds to each attempt with a SYN-ACK packet from each open port. The malicious client does not send the expected ACK. The server under attack will wait for acknowledgement of its SYN-ACK packet for some time. During this time, the server cannot close down the connection by sending an RST packet. The server keeps a backlog queue in its system memory to maintain all half-open connections until they time out. Before a half-open connection can time out, the attacker sends another SYN packet. Once the backlog queue limit is reached, all further SYN requests are dropped.
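The backlog behaviour described in the two paragraphs above, as an added illustration that is not part of this repository's code: a small model of one listening port's half-open backlog with a fixed limit and SYN-ACK timeout (both constructed values, real TCP stacks differ), replaying a constructed trace in which a spoofed wave of SYNs without ACKs fills the backlog and a second wave arrives once the first has timed out, so that legitimate SYNs are refused.

```python
class SynBacklog:
    """Model of one TCP listener's backlog of half-open connections.
    Constructed for illustration: a single listening port, a fixed backlog
    limit and a fixed SYN-ACK timeout (real stacks retransmit and differ)."""

    def __init__(self, limit, timeout):
        self.limit = limit        # max half-open entries kept in memory
        self.timeout = timeout    # seconds a half-open entry survives without ACK
        self.pending = {}         # (src_ip, src_port) -> time the SYN arrived
        self.established = 0
        self.dropped = 0          # SYNs refused because the backlog was full

    def expire(self, now):
        """Remove half-open entries that have waited longer than the timeout."""
        stale = [c for c, t in self.pending.items() if now - t >= self.timeout]
        for c in stale:
            del self.pending[c]
        return len(stale)

    def on_packet(self, pkt, now):
        """Process one incoming segment; returns what the listener did with it."""
        self.expire(now)
        client = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "S":
            if client in self.pending:
                return "syn-ack (retransmit)"
            if len(self.pending) >= self.limit:
                self.dropped += 1          # backlog full: further SYNs are dropped
                return "dropped"
            self.pending[client] = now     # half-open until ACK or timeout
            return "syn-ack"
        if pkt["flags"] == "A" and client in self.pending:
            del self.pending[client]       # handshake completed
            self.established += 1
            return "established"
        return "ignored"


def syn(src, sport):
    return {"src": src, "sport": sport, "flags": "S"}


def ack(src, sport):
    return {"src": src, "sport": sport, "flags": "A"}


def simulate():
    """Replay a constructed trace: one legitimate handshake, then a spoofed
    flood that fills the backlog and is renewed once the entries time out.
    Returns the listener's counters and the outcome of each legitimate SYN."""
    srv = SynBacklog(limit=8, timeout=3.0)
    outcomes = []

    # t=0: a legitimate client completes the three-way handshake
    srv.on_packet(syn("10.0.0.5", 40001), 0.0)
    outcomes.append(srv.on_packet(ack("10.0.0.5", 40001), 0.1))

    # t=1: eight SYNs from distinct spoofed sources; no ACK ever follows
    for i in range(8):
        srv.on_packet(syn("198.51.100.%d" % (i + 1), 50000 + i), 1.0)

    # t=2: a second legitimate client is refused because the backlog is full
    outcomes.append(srv.on_packet(syn("10.0.0.6", 40002), 2.0))

    # t=4.5: the first wave timed out at t=4, but a fresh wave from new
    # sources fills the backlog again before the next legitimate SYN arrives
    for i in range(8):
        srv.on_packet(syn("203.0.113.%d" % (i + 1), 51000 + i), 4.5)
    outcomes.append(srv.on_packet(syn("10.0.0.7", 40003), 5.0))

    return {
        "established": srv.established,
        "dropped": srv.dropped,
        "half_open": len(srv.pending),
        "legit_outcomes": outcomes,
    }


if __name__ == "__main__":
    print(simulate())
```

The model tracks only the counters a defender cares about: how many half-open entries are occupying memory, how many handshakes completed, and how many SYNs were refused. The two `dropped` outcomes for legitimate clients are the service-unavailability effect the text describes.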
In the proposed method, machine learning classifiers are used to identify ‘safe’ and ‘unsafe’ packets. Statistical features extracted from batches of incoming packets are used to train the model. The model could detect simple SYN flood attacks as well as spoofed SYN attacks using multiple random source IPs with almost 100% accuracy. All ‘safe’ packets are forwarded, and ‘unsafe’ packets are dropped once an attack has been detected.
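An added, self-contained example of the batch-feature approach described above; it is not this repository's code and makes several assumptions: the packet record format (`src`, `dst`, `flags` dicts), a three-feature set (share of bare SYNs, share of ACK-carrying packets, source-address diversity), a pure-Python nearest-centroid classifier standing in for the unnamed classifiers the project uses, constructed synthetic training batches in place of real captures, and a mitigation policy that drops the bare SYNs of a batch once it is classified unsafe.

```python
import random
from collections import Counter


def extract_features(batch):
    """Statistical features of one batch of packet records.
    Record format is an assumption of this example: {"src", "dst", "flags"}."""
    n = len(batch)
    flags = Counter(p["flags"] for p in batch)
    bare_syn = flags["S"]
    acks = sum(c for f, c in flags.items() if "A" in f)
    unique_src = len({p["src"] for p in batch})
    return [
        bare_syn / n,     # share of bare SYNs (floods push this towards 1.0)
        acks / n,         # share of packets carrying ACK (legitimate flows)
        unique_src / n,   # source diversity (spoofed random sources -> ~1.0)
    ]


def make_batch(rng, attack, size=50):
    """Constructed synthetic traffic batch, not a real capture."""
    pkts = []
    if attack:
        # spoofed flood: every packet a bare SYN from a random source address
        for _ in range(size):
            src = "%d.%d.%d.%d" % tuple(rng.randrange(1, 255) for _ in range(4))
            pkts.append({"src": src, "dst": "10.0.0.1", "flags": "S"})
    else:
        # a handful of clients whose packets are mostly mid-connection segments
        clients = ["10.0.0.%d" % i for i in range(2, 7)]
        for _ in range(size):
            fl = rng.choices(["S", "A", "PA", "FA"], weights=[15, 45, 35, 5])[0]
            pkts.append({"src": rng.choice(clients), "dst": "10.0.0.1", "flags": fl})
    return pkts


class NearestCentroid:
    """Minimal classifier: z-score the features, label by the nearest class mean."""

    def fit(self, X, y):
        dims = len(X[0])
        self.mean = [sum(x[i] for x in X) / len(X) for i in range(dims)]
        self.std = [max((sum((x[i] - self.mean[i]) ** 2 for x in X) / len(X)) ** 0.5, 1e-9)
                    for i in range(dims)]
        self.centroids = {}
        for label in set(y):
            rows = [self._scale(x) for x, lab in zip(X, y) if lab == label]
            self.centroids[label] = [sum(r[i] for r in rows) / len(rows) for i in range(dims)]
        return self

    def _scale(self, x):
        return [(x[i] - self.mean[i]) / self.std[i] for i in range(len(x))]

    def predict(self, x):
        z = self._scale(x)
        return min(self.centroids,
                   key=lambda lab: sum((z[i] - self.centroids[lab][i]) ** 2 for i in range(len(z))))


def train_detector(seed=7, n_each=40):
    """Train on labelled synthetic batches (constructed data, fixed seed)."""
    rng = random.Random(seed)
    X, y = [], []
    for attack in (False, True):
        for _ in range(n_each):
            X.append(extract_features(make_batch(rng, attack)))
            y.append("unsafe" if attack else "safe")
    return NearestCentroid().fit(X, y)


def filter_batch(model, batch):
    """Forward a batch untouched when classified safe; once an attack is
    detected, drop the bare SYNs carrying the flood and forward the rest.
    The mitigation policy is an assumption of this example."""
    verdict = model.predict(extract_features(batch))
    if verdict == "safe":
        return verdict, batch
    return verdict, [p for p in batch if p["flags"] != "S"]


if __name__ == "__main__":
    model = train_detector()
    rng = random.Random(99)
    for attack in (True, False):
        verdict, forwarded = filter_batch(model, make_batch(rng, attack))
        print(verdict, "forwarded", len(forwarded), "of 50")
```

Batching matters: a single bare SYN is indistinguishable from a legitimate connection attempt, so the features are ratios over a window of packets, and the source-diversity feature is what separates a spoofed flood from a burst of real clients.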