Method to detect SYN flood attack
Abstract
The invention is a method of predicting a SYN flooding attack on a server. The method tracks the number of SYN signals received (or SYN+ACK signals sent) over the communication port of the server in a specified time interval, the arrival estimation window. The invention then predicts the number of ACK signals anticipated to be received over the communication port within a predetermined time length prediction window. The prediction may be made at multiple points within the prediction window. The prediction window is offset in time from the arrival estimation window. The prediction of ACK signals to be received is based upon the number of SYN signals received or SYN+ACK signals sent in the arrival estimation window. In one embodiment, a polynomial is fit to the data in the arrival estimation window and extrapolated to the prediction window. The predicted number of ACK signals is compared to the actual number received in the prediction window, and if the difference is in excess of a threshold value, an attack is indicated.
13 Claims
1. A method of detecting a SYN flooding attack at a server having a communication port comprising the steps of:
(a) determining the number of SYN signals received or SYN+ACK signals sent over said communication port within a predetermined time length arrival estimation window at predetermined time intervals within said arrival estimation window;
(b) predicting the number of ACK signals to be received over said communication port in a predetermined time length prediction window at predetermined time intervals within said prediction window, said prediction window being offset in time from said arrival estimation window, where said prediction of the number of ACK signals to be received is based upon the number of SYN signals received or SYN+ACK signals sent in said arrival estimation window;
(c) determining the number of ACK signals received over said port in said prediction window at predetermined time intervals within said prediction window;
(d) comparing said predicted number of ACK signals at predetermined time intervals within said prediction window with said determined number of ACK signals received at predetermined intervals within said prediction time window to produce a compared value;
(e) predicting a SYN flood attack if said compared value exceeds a predetermined threshold value;
(f) advancing in time said arrival estimation window and said prediction window and repeat steps (a)-(e) with said advanced arrival estimation window and advanced prediction window;
(g) if a SYN flood attack is predicted, providing notification of such to a user.
Dependent claims: 2

3. A method of detecting a SYN flooding attack at a server having a communication port comprising the steps of:
(a) determining the number of ACK signals received over said communication port within a predetermined time length departure estimation window at predetermined time intervals within said departure estimation window;
(b) predicting the number of SYN signals to be received or SYN+ACK signals to be sent over said communication port in a predetermined time length reconstruction window at predetermined time intervals within said reconstruction window, said reconstruction window being offset in time from said departure estimation window, where said prediction of the number of SYN signals or SYN+ACK signals is based upon the number of ACK signals received in said departure estimation window;
(c) determining the number of SYN signals received or SYN+ACK signals sent over said port in said reconstruction window at predetermined time intervals within said reconstruction window;
(d) comparing said predicted number of SYN or SYN+ACK signals at predetermined time intervals within said reconstruction window with said determined number of SYN or SYN+ACK signals at predetermined intervals within said reconstruction window to produce a compared value;
(e) predicting a SYN flood attack if said compared value exceeds a predetermined threshold value;
(f) advancing in time said departure estimation window and said reconstruction window and repeat steps (a)-(e) with said advanced departure estimation window and advanced reconstruction window;
(g) if a SYN flood attack is predicted, providing notification of such to a user.

4. A method of detecting a SYN flooding attack at a server having a communication port comprising the steps of:
(a) determining the number of SYN signals received or SYN+ACK signals sent over said communication port within a predetermined time length arrival estimation window at predetermined time intervals within said arrival estimation window;
(b) predicting the number of ACK signals to be received over said communication port in a predetermined time length prediction window at predetermined time intervals within said prediction window, said prediction window being offset in time from said arrival estimation window, where said prediction of the number of ACK signals to be received is based upon the number of SYN signals received or SYN+ACK signals sent in said arrival estimation window;
(c) determining the number of ACK signals received over said port in said prediction window at predetermined time intervals within said prediction window;
(d) comparing said predicted number of ACK signals at predetermined time intervals within said prediction window with said determined number of ACK signals received at predetermined intervals within said prediction window to produce a compared first value;
(e) determining the number of ACK signals received over said communication port within a predetermined time length departure estimation window at predetermined time intervals within said departure estimation window;
(f) predicting the number of SYN signals to be received or SYN+ACK signals to be sent over said communication port in a predetermined time length reconstruction window at predetermined time intervals within said reconstruction window, said reconstruction window being offset in time from said departure estimation window, where said prediction of the number of SYN signals or SYN+ACK signals is based upon the number of ACK signals received in said departure estimation window;
(g) determining the number of SYN signals received or SYN+ACK signals sent over said port in said reconstruction window at predetermined time intervals within said reconstruction window;
(h) comparing said predicted number of SYN or SYN+ACK signals at predetermined time intervals within said reconstruction window with said determined number of SYN or SYN+ACK signals at predetermined intervals within said reconstruction window to produce a compared second value;
(i) combining the compared first value with the compared second value;
(j) predicting a SYN flood attack if said combined value from step (i) exceeds a predetermined threshold value;
(k) advancing in time said departure estimation window, said arrival estimation window, said prediction window and said reconstruction window and repeat steps (a)-(j) with said advanced arrival estimation window, said advanced departure estimation window, said advanced reconstruction window and said advanced prediction window;
(l) if a SYN flood attack is predicted, providing notification of such to a user.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 13

12. A computer readable non-transitory medium having encoded thereon a series of machine executable instructions for executing the steps of
(a) determining the number of SYN signals received or SYN+ACK signals sent over said communication port within a predetermined time length arrival estimation window at predetermined time intervals within said arrival estimation window;
(b) predicting the number of ACK signals to be received over said communication port in a predetermined time length prediction window at predetermined time intervals within said prediction window, said prediction window being offset in time from said arrival estimation window, where said prediction of the number of ACK signals to be received is based upon the number of SYN signals received or SYN+ACK signals sent in said arrival estimation window;
(c) determining the number of ACK signals received over said port in said prediction window at predetermined time intervals within said prediction window;
(d) comparing said predicted number of ACK signals at predetermined time intervals within said prediction window with said determined number of ACK signals received at predetermined intervals within said prediction time window to produce a compared value;
(e) predicting a SYN flood attack if said compared value exceeds a predetermined threshold value;
(f) advancing in time said arrival estimation window and said prediction window and repeat steps (a)-(e) with said advanced arrival estimation window and advanced prediction window;
(g) if a SYN flood attack is predicted, providing notification of such to a user.

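The following is an added, illustrative implementation of steps (a)-(g) of claim 1, written for this page; it is not code from the patent, its assignee, or any product. The patent leaves the polynomial degree, the window geometry and the exact form of the "compared value" to the specification, which is not reproduced here, so the example fixes its own: a degree-1 (straight-line) least-squares fit as the polynomial, a prediction window that begins `lag` intervals after the arrival estimation window ends (the assumed SYN-to-ACK handshake delay), and a compared value equal to the fraction of predicted ACKs that never arrived. The per-interval SYN and ACK counts are constructed, not captured: steady load, a legitimate flash crowd that ramps up and back down, then a spoofed-source SYN flood whose SYNs never complete.

```python
"""Sliding-window SYN/ACK prediction detector modelled on claim 1 (added example)."""
from typing import List, Sequence, Tuple


def fit_line(ys: Sequence[float]) -> Tuple[float, float]:
    """Least-squares straight line y = a + b*x through (x, ys[x]), x = 0..n-1.

    This is the degree-1 case of the polynomial fit the abstract describes.
    Returns (a, b).
    """
    n = len(ys)
    mean_x = (n - 1) / 2
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(ys))
    b = sxy / sxx if sxx else 0.0
    return mean_y - b * mean_x, b


def compared_value(syn_counts: Sequence[int], ack_counts: Sequence[int],
                   t: int, est_len: int, pred_len: int, lag: int) -> float:
    """Steps (a)-(d) of claim 1 for one window position t.

    Arrival estimation window: syn_counts[t : t+est_len]
    Prediction window:         ack_counts[t+est_len+lag : t+est_len+lag+pred_len]
    Assumption (ours, not the patent's): a legitimate SYN counted in interval i
    produces its ACK in interval i+lag, so the ACK count expected at interval j
    is the fitted SYN curve extrapolated to interval j-lag. The compared value
    is the fraction of predicted ACKs that did not show up (0 if none predicted).
    """
    a, b = fit_line(syn_counts[t:t + est_len])                          # (a) + (b): fit
    predicted = [max(0.0, a + b * (est_len + k)) for k in range(pred_len)]  # (b): extrapolate
    start = t + est_len + lag
    actual = ack_counts[start:start + pred_len]                          # (c)
    total = sum(predicted)
    if total == 0:
        return 0.0
    return (total - sum(actual)) / total                                 # (d)


def detect_syn_flood(syn_counts: Sequence[int], ack_counts: Sequence[int],
                     est_len: int = 5, pred_len: int = 3, lag: int = 1,
                     threshold: float = 0.5) -> List[Tuple[int, float]]:
    """Steps (e)-(f): slide both windows over the trace; return (t, value) alerts."""
    alerts = []
    n = min(len(syn_counts), len(ack_counts))
    for t in range(n - est_len - lag - pred_len + 1):                    # (f): advance windows
        value = compared_value(syn_counts, ack_counts, t, est_len, pred_len, lag)
        if value > threshold:                                            # (e)
            alerts.append((t, round(value, 3)))
    return alerts


def build_sample_traffic() -> Tuple[List[int], List[int]]:
    """Constructed 40-interval trace (not captured data).

    Intervals 0-9 and 30-39: steady 100 legitimate SYN/s. Intervals 10-29: a
    legitimate flash crowd ramping 100 -> 280 -> 100. From interval 32: a
    spoofed-source flood adds 2000 SYN/s that never complete the handshake.
    Legitimate SYNs complete at 95% one interval later (integer arithmetic so
    the counts are exact).
    """
    legit = []
    for i in range(40):
        if 10 <= i <= 19:
            legit.append(100 + 20 * (i - 10))
        elif 20 <= i <= 29:
            legit.append(100 + 20 * (29 - i))
        else:
            legit.append(100)
    syn = [n + (2000 if i >= 32 else 0) for i, n in enumerate(legit)]
    ack = [95] + [legit[i - 1] * 95 // 100 for i in range(1, 40)]
    return syn, ack


if __name__ == "__main__":
    syn, ack = build_sample_traffic()
    for t, value in detect_syn_flood(syn, ack):                          # (g): notify
        print(f"SYN flood predicted: estimation window at t={t}, "
              f"{value:.0%} of predicted ACKs missing")
```

On this trace the flash crowd raises no alert, because the ACK curve follows the SYN curve, while the first alert fires at t=28, whose estimation window contains only the first flood interval: the line fit extrapolates the jump and about 95% of the predicted ACKs are missing. The caveat a practitioner should expect from linear extrapolation is the end of a legitimate surge: when SYNs drop off a cliff the extrapolated prediction overshoots the ACKs that actually arrive, which is why the ramp here is compared against a 0.5 threshold rather than a small one; a higher-degree polynomial, a longer estimation window, or claim 4's combination with the reverse (ACK-to-SYN) comparison are the levers the claims offer for tuning that trade-off.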
Specification