
Method to detect SYN flood attack

  • US 7,865,954 B1
  • Filed: 08/24/2007
  • Issued: 01/04/2011
  • Est. Priority Date: 08/24/2007
  • Status: Expired due to Fees
First Claim

1. A method of detecting a SYN flooding attack at a server having a communication port comprising the steps of:

    (a) determining the number of SYN signals received or SYN+ACK signals sent over said communication port within a predetermined time length arrival estimation window at predetermined time intervals within said arrival estimation window;

    (b) predicting the number of ACK signals to be received over said communication port in a predetermined time length prediction window at predetermined time intervals within said prediction window, said prediction window being offset in time from said arrival estimation window, where said prediction of the number of ACK signals to be received is based upon the number of SYN signals received or SYN+ACK signals sent in said arrival estimation window;

    (c) determining the number of ACK signals received over said port in said prediction window at predetermined time intervals within said prediction window;

    (d) comparing said predicted number of ACK signals at predetermined time intervals within said prediction window with said determined number of ACK signals received at predetermined intervals within said prediction time window to produce a compared value;

    (e) predicting a SYN flood attack if said compared value exceeds a predetermined threshold value;

    (f) advancing in time said arrival estimation window and said prediction window and repeat steps (a)-(e) with said advanced arrival estimation window and advanced prediction window;

    (g) if a SYN flood attack is predicted, providing notification of such to a user.
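The steps of claim 1 as a sliding-window detector, written as an added example and not as code from the patent or its assignee. The claim does not fix a prediction model or a comparison metric, so this sketch assumes that each SYN is expected to produce one ACK `offset` intervals later (scaled by a hypothetical `completion_ratio`) and that the compared value is the summed ACK shortfall; the counts, window sizes and threshold are constructed.

```python
from typing import Callable, List, Optional, Tuple

# Constructed per-interval packet counts on one port (not real traffic).
# Intervals 5-8 carry a burst of SYNs that is never followed by ACKs.
SYN_COUNTS = [20, 22, 19, 21, 20, 180, 200, 190, 210, 21, 20, 19]
ACK_COUNTS = [18, 20, 22, 19, 21, 20, 22, 21, 20, 23, 21, 20]


def detect_syn_flood(
    syn: List[int],
    ack: List[int],
    window: int = 4,                # intervals per window (assumed value)
    offset: int = 1,                # prediction window lag, in intervals (assumed)
    threshold: float = 50.0,        # assumed alert threshold
    completion_ratio: float = 1.0,  # assumed share of SYNs that complete
    notify: Optional[Callable[[int, float], None]] = None,
) -> List[Tuple[int, float]]:
    """Return (prediction_window_start, compared_value) for each predicted attack."""
    alerts = []
    last_start = min(len(syn), len(ack) - offset) - window
    for start in range(last_start + 1):             # (f) advance both windows
        observed = syn[start:start + window]         # (a) SYNs per interval
        predicted = [completion_ratio * s for s in observed]   # (b) expected ACKs
        pred_start = start + offset
        received = ack[pred_start:pred_start + window]          # (c) actual ACKs
        # (d) compare per interval; only missing ACKs count toward the value
        compared = sum(max(0.0, p - r) for p, r in zip(predicted, received))
        if compared > threshold:                     # (e) predict an attack
            alerts.append((pred_start, compared))
            if notify is not None:                   # (g) tell the operator
                notify(pred_start, compared)
    return alerts


if __name__ == "__main__":
    detect_syn_flood(
        SYN_COUNTS, ACK_COUNTS,
        notify=lambda start, value: print(
            f"possible SYN flood: prediction window at interval {start}, "
            f"ACK shortfall {value:.0f}"),
    )
```

On the constructed counts the first alert fires for the prediction window starting at interval 3, the first window whose arrival estimation window includes the burst at interval 5.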
