Indian Journal of Science and Technology, Vol 7(10), 1618–1624, October 2014
ISSN (Print): 0974-6846; ISSN (Online): 0974-5645

Defense against SYN-flooding Attacks by using Game Theory

Sara Abbasvand (1), Seyyed Nasser Seyyed Hashemi (2)* and Shahram Jamali (3)
1 Department of Computer Engineering, Tabriz Branch, Islamic Azad University, Tabriz, Iran
2 Young Researchers Club, Ardabil Branch, Islamic Azad University, Ardabil, Iran; [email protected]
3 Department of Computer Engineering, Mohaghegh Ardabili University, Ardabil, Iran
*Author for correspondence

Abstract
The connection management phase of TCP is susceptible to a classic attack called SYN-flooding. In this attack, the source sends many SYN packets to the victim computer but never completes the three-way handshake. This quickly consumes the resources that the attacked system has allocated for communication and hence prevents it from serving other connection requests. The attack causes the victim host to fill its backlog queue with forged TCP connections; in other words, it increases the number of legitimate connections rejected because of limited buffer space. In this paper, the attacked system is modeled using queuing theory, and a game theoretic approach is then employed to defend against SYN-flooding attacks. The simulation results show that the proposed defense mechanism improves the performance of the attacked system in terms of the ratio of blocked connections and the buffer space occupied by attack requests.

Keywords: DoS, Game Theory, SYN-flooding Attacks, TCP

1. Introduction
Internet security is of great concern, as most of our activities depend on Internet technology. Accordingly, there has been a spur in communication network research [1, 2, 19]. One of the security breaches is the Denial-of-Service (DoS) attack, in which attackers try to prevent legitimate users from obtaining a normal network service [4, 25, 29].
In [22], an overview of the Distributed Denial-of-Service (DDoS) problem and of the inherent vulnerabilities in the Internet architecture is provided. Recent evaluations [11, 12] show that DoS attacks rank fourth in the list of the most important attack classes for information systems. More than 90% of Distributed Denial-of-Service attacks exploit a system's Transmission Control Protocol (TCP) [28]. A well-known DoS attack is the SYN-flooding attack. A TCP connection is established in what is known as a 3-way handshake. When a client attempts to establish a TCP connection to a server, the client first requests a connection by sending a SYN packet to the server. The server then returns a SYN-ACK to the client. Finally, the client acknowledges the SYN-ACK with an ACK; at this point the connection is established and data transfer starts [23, 31]. In a SYN-flooding attack, attackers use this protocol to their benefit. The attacker sends many SYN packets to the server. Each of these packets has to be handled as a connection request by the server, so the server must answer with a SYN-ACK. The attacker does not answer the SYN-ACK, which leaves the server waiting for replies on a large number of connections. A server can hold only a limited number of such connections. Once all of them are in use, the server cannot serve any other connection requests.

In the following, we briefly review some proposed defenses against this kind of attack. Sallhammar [24], unlike our approach, used a probabilistic game to compute the behavior of the attacker. Alpcan [3] proposed a two-person zero-sum Markov game for capturing the interactions between attackers and an IDS. Khirwadkar [14] used a repeated game to model interactions between attackers. Chang [6] described a simple queuing model for the SYN-flooding attack. Long [15] proposed two queuing models to obtain the probability of packet loss.
Gligor [9, 32] observed that time is essential in defining denial of service. He suggested that a Maximum Waiting Time (MWT) should be assigned to each service provided by the computer system. Wang [29] also used a queuing model to evaluate DoS attacks on computer networks. Crosby [8] presents an example of a bandwidth attack; it does not present a general mechanism for detecting attacks, but suggests an algorithm with low vulnerability to prevent DoS attacks. Warrender and Forrest [30] presented a model that can detect DoS attacks. In this method, if a program may use more than one resource, other programs wait until that program leaves the system and frees the allocated resources.

We believe that to face SYN-flooding there is a need for an algorithm that is independent, is aware of the dynamic traffic of the network, and changes the defense parameters of the system according to the network traffic conditions. The parameters considered in this paper are the maximum number of half-open connections (m) and the hold time (h) of these connections; the optimized values of these parameters are determined from the network conditions by game theory strategies.

The rest of the paper is organized as follows. Section 2 presents a brief overview of the various applications of game theory in computer networks. Our proposed strategies to defend against SYN-flooding attacks are discussed in section 3. The simulation results are presented in section 4, and concluding remarks are given in section 5.

2. Game Theory
One application of game theory in computer networks is in wireless networks. Game theory is used in wireless networks to develop a stable operating point for networks made up of selfish nodes; the nodes are introduced as players. Cooperative game theory has many applications in wireless networks. Coalitional game theory deals with cooperative behavior.
In a coalitional game, the important thing is the structure of the cooperating nodes: through coalitions between several players, their utility functions are improved. Game theory is a powerful tool for modeling the cooperative behavior of wireless networks such as cognitive radio networks [7, 20]. Game theory also has many applications in ad hoc networks [18, 26, 27, 5].

Another application of game theory in computer networks is network security. In the topic of network security, the presented works are classified into six main categories: security of the physical and MAC layers, application layer security in mobile networks, intrusion-detection systems, anonymity and privacy, economics of network security, and cryptography. In each category, players and game models have been defined, and the main results of selected works, such as equilibrium analysis and security mechanism designs, are summarized [17, 21, 33].

Game theory can also be used in congestion control. An integrated algorithm has these properties: distributed, iterative, selfish, fair, providing an integrated solution for routing and flow control, based on a mathematical model to analyze the algorithms, and matching the technological capabilities of the algorithms (TCP). Game theory has the potential to analyze this situation [10, 13, 16].

The parameters m and h are the two main TCP parameters exploited by attackers. In the TCP protocol, these values are fixed quantities that do not change over time. In a network environment that is constantly changing, there is a need to change these parameter values dynamically over time according to the network status. In this way, the server can detect attacks and protect its resources against them. For this purpose, we use game theory to employ a variety of strategies for m and h to reach good performance.

2.1 SFDM Game
This paper provides a mechanism for defense against SYN-flooding attacks.
For this purpose, a zero-sum game between the regular users and the attackers is proposed. In the proposed game, which we call the SFDM game, regular users and attackers are the players, and the rules of the game are designed around four types of strategies. In this game, the regular players play a cooperative game with each other; their purpose is to keep the buffer of the controlled server from being occupied, so as to improve the efficiency of the whole network. Regular players and attackers play a zero-sum game against each other. Figure 1 shows the network topology of the proposed game.

Figure 1. The network topology.

As said, as requests with SYN packets enter the server, the TCP protocol places them in the backup buffer and allocates the resources needed from the backup buffer for the establishment of a complete connection. This state is called the half-open state. On the other hand, the number of half-open connections that a server can create is limited and has a maximum value. In the SFDM game, the buffer length, equal to the maximum number of half-open connections, is called m, and half-open connections for attack packets are held for time h. Regular and attack requests enter the system and, if the buffer has free space, the new half-open connections are placed in the buffer. But if the buffer is full, arriving requests are blocked. In this game, the behavior of the system is simulated on the basis of four strategies for different m and h (Table 1), and parameters such as the loss probability (Ploss), the regular request buffer occupancy percentage (Pr) and the attack request buffer occupancy percentage (Pa) are obtained. These three parameters are explained in the following.

Table 1. The game strategies
Strategy     Half-open connections number (m)   Hold time (h)
Strategy 1   Increase                           Increase
Strategy 2   Increase                           Decrease
Strategy 3   Decrease                           Increase
Strategy 4   Decrease                           Decrease

A newly arrived packet is blocked when the server's buffer is full and the server cannot respond to a received request to create a connection. So, we define Ploss as the ratio of the total number of blocked packets to the total number of packets that have entered the server. The average ratio of the number of half-open connections created by regular requests to the total requests into the server is called the regular request buffer occupancy percentage (Pr). The average ratio of the number of half-open connections created by attack requests to the total requests into the server is called the attack request buffer occupancy percentage (Pa).

In order to increase the capability of a server to provide services, the value of Ploss must be small enough. Also, in order for a server to provide more service to normal requests, the buffer occupancy by normal requests must be large enough, and the time of buffer occupancy by attack requests must be small enough. Thus the objectives of this paper are:
1. Reducing the rate of request blockage.
2. Increasing the percentage and time of buffer occupancy by regular requests.
3. Reducing the percentage and time of buffer occupancy by attack requests.

We use this information to define the objective function of the SFDM game as Equation 1; maximizing this function's value is the objective. So, the larger the function's value, the greater the ability to serve regular requests.

F(t) = Pr / (Pa × Ploss)   (1)

2.2 Defense mechanism of the SFDM game
In the SFDM game, the server starts the service using the initial parameters m and h (the Linux defaults). In this game, the strategies for m and h are those in Table 1. In order for the defender player to select the next move from the existing strategies, we have to assign a weight to each move. We denote the weight of each move by W[i], with i taking the values 1, 2, 3 and 4. The values of Pr, Pa and Ploss are estimated over a short period of time.
At the end of each period, the objective function F(t) is calculated. If the new objective value is improved compared with the objective function value of the previous period, the weight of the strategy selected in the last period is increased, and vice versa. For the next period, the best strategy is selected according to the best values in W.

Figure 2. Flowchart of the strategy selection.

3. Result and Simulation
In order to evaluate our proposed defense scheme, we conducted extensive packet-level simulations with the well-known NS-2 simulator. As shown in Figure 1, we assumed a victim server at which a sufficient number of regular and attack connections were trying to occupy the server's buffer. As explained in subsection 2.1, three important parameters are our fundamental criteria for evaluating the defense mechanism: Ploss, Pa and Pr. The last two parameters implicitly denote the amount of buffer occupied by attack and regular connections, respectively, so comparing them in the two cases reveals the amount of improvement in terms of buffer utilization. Moreover, to evaluate the effectiveness of the proposed defense mechanism, we selected the well-known Linux operating system as a comparison platform and compared the SFDM results with the results of the TCP implementation employed on Linux. In Linux, m and h are constant values, and we can claim that there is no defense scheme to counter this kind of attack, whereas in SFDM m and h change according to the different strategies of the game. In TCP on Linux, the maximum number of half-open connections allowed to be held is 120 and the half-open connection duration is 2 minutes. We selected these Linux values as the default values for SFDM, too.
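As an added illustration (not code from the paper), the following Python model implements the strategy-selection loop of subsection 2.2 as a discrete-time simulation: a backlog bounded by m, attack half-open connections expelled after h ticks, Ploss, Pr and Pa measured per period, F(t) from Equation 1, and the weight vector W updated after each period and used to pick the next strategy from Table 1. The step factors (3/2 and 2/3), the one-tick handshake completion for regular requests, the regular-first arrival order, the flooring of Ploss at one blocked request per period, measuring Pr and Pa as shares of the m buffer slots, and the arrival rates are assumptions of this example, not values from the paper.

```python
from collections import deque

MAX_BUFFER = 1000   # maximum buffer length of the paper's scenario (Section 3)
# Table 1: strategy -> (direction of m, direction of h); +1 = increase, -1 = decrease
STRATEGIES = {1: (+1, +1), 2: (+1, -1), 3: (-1, +1), 4: (-1, -1)}

def step(value, direction):
    """Scale a parameter by 3/2 (increase) or 2/3 (decrease); the step size is an assumption."""
    return value * 3 // 2 if direction > 0 else value * 2 // 3

class SfdmServer:
    def __init__(self, m=120, h=120):   # Linux defaults quoted in the paper, h in seconds
        self.m, self.h, self.tick = m, h, 0
        self.backlog = deque()          # entries: (arrival_tick, is_attack)

    def _expire(self):
        # Regular requests complete the handshake after one tick (assumption); attack
        # requests never do and are expelled once they have been held for h ticks.
        self.backlog = deque((t, a) for t, a in self.backlog
                             if self.tick - t < (self.h if a else 1))

    def run_period(self, ticks, regular, attack):
        """Serve `ticks` ticks with fixed arrivals per tick; return Ploss, Pr, Pa, arrivals."""
        arrived = blocked = 0
        reg_occ = att_occ = 0.0
        for _ in range(ticks):
            self._expire()
            for is_attack in [False] * regular + [True] * attack:  # regular first (assumption)
                arrived += 1
                if len(self.backlog) < self.m:
                    self.backlog.append((self.tick, is_attack))
                else:
                    blocked += 1                 # buffer full: the request is blocked
            att = sum(1 for _, a in self.backlog if a)
            att_occ += att / self.m              # share of the buffer held by attack requests
            reg_occ += (len(self.backlog) - att) / self.m
            self.tick += 1
        return blocked / arrived, reg_occ / ticks, att_occ / ticks, arrived

    def apply(self, strategy):
        """Move m and h in the directions given by Table 1, within their bounds."""
        dm, dh = STRATEGIES[strategy]
        self.m = max(1, min(MAX_BUFFER, step(self.m, dm)))
        self.h = max(1, step(self.h, dh))

def objective(ploss, pr, pa, arrived):
    """Equation 1, F = Pr / (Pa * Ploss); Ploss is floored at one blocked request per
    period so that a loss-free period still gives a finite value (assumption)."""
    ploss = max(ploss, 1.0 / arrived)
    return pr / (pa * ploss) if pa > 0 else float("inf")

def select(weights):
    """Best-weighted strategy; ties go to the lowest strategy number."""
    return max(weights, key=lambda s: (weights[s], -s))

def simulate(periods, ticks=10, regular=3, attack=10):
    """Defender loop of subsection 2.2; returns one record per period (parameters in effect)."""
    server, weights = SfdmServer(), {s: 0 for s in STRATEGIES}
    history, f_prev, current = [], None, None
    for _ in range(periods):
        m_used, h_used = server.m, server.h
        ploss, pr, pa, arrived = server.run_period(ticks, regular, attack)
        f = objective(ploss, pr, pa, arrived)
        if current is not None:            # reward or penalise the strategy just played
            weights[current] += 1 if f > f_prev else -1
        history.append({"strategy": current, "m": m_used, "h": h_used, "Ploss": ploss, "F": f})
        f_prev, current = f, select(weights)
        server.apply(current)
    return history
```

With 3 regular and 10 attack arrivals per tick, the loop first raises m (strategy 1), is penalised when the larger buffer still fills, then settles on strategy 2 and keeps shortening h until the attack entries no longer accumulate and Ploss stays at zero.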
In the presented scenario, the other important parameters are as follows: the bandwidth of the links is 50 Mbps, the link delay is 1 ms, the maximum buffer length is 1000, and the total simulation time is 50 s.

As mentioned in the previous section, Ploss represents the ratio of connections blocked because the server buffer is full. It is apparent that reducing this ratio is crucial. Hence, we begin with a comparison of the Ploss ratio in Figure 3. As demonstrated in this figure, our proposed defense mechanism reduces the Ploss ratio substantially in comparison with Linux without a defense scheme, so a significant percentage of the incoming connections will be processed. As a result, our proposed defense mechanism improves the availability of the server for users. As seen in this figure, the ratio of blocked requests in Linux without defense remains almost constant, but in SFDM it decreases over time.

Figure 3. Loss ratio of requests.

As mentioned before, attack connections tend to occupy the server buffer and remain there as long as possible, so no more space is left in the buffer to store and respond to regular connections. Figure 4 demonstrates the buffer occupancy by attack and regular connections without a defense mechanism, as in Linux. One can see that after a while the buffer is virtually entirely occupied by attack connections, which is catastrophic for the server, because in such a situation the server becomes unavailable to users.

Figure 4. Sink buffer occupancy (without defense).

Figure 5 shows the sink buffer occupancy using the proposed defense mechanism. When new connections arrive, SFDM expels some half-open connections that do not seem to be regular connections, so some space becomes available for new connections.

Figure 5. Sink buffer occupancy (with defense).
As seen in Figure 5, the sink buffer occupancy percentage by attack requests has decreased significantly, while the sink buffer occupancy percentage by regular requests has increased significantly. This shows the success and positive impact of the defensive strategies in the SFDM game. Since the amount of attack requests is always greater than the amount of regular requests, the occupancy percentage of attack connections in the buffer is greater than that of regular requests.

To better illustrate the amount of improvement in terms of buffer occupancy, we compared the buffer occupancy ratio with and without the defense mechanism separately for regular connections and attack connections. Figure 6 demonstrates the percentage of regular connection occupancy in the buffer for both cases: SFDM, which employs the defense mechanism, and Linux, which employs no defense mechanism. It is obvious that the contribution of regular connections in the buffer has increased significantly.

Figure 6. Sink buffer occupancy with regular requests.

Similarly to Figure 6, one can observe the percentage of attack connection occupancy in Figure 7. The percentage of attack connection occupancy has diminished tremendously when the defense mechanism is employed. This result is achieved because SFDM prevents attack connections from being held in the buffer for a long time. The results confirm that our defensive method has reduced the harmful effects of the SYN-flooding attack on the server. By improving the responsiveness of the server, SFDM has succeeded in providing more service to regular users. The last interesting behavior of SFDM is the dynamics of the half-open connection hold time and the server buffer length over the simulation time, which can be seen in Figure 8 and Figure 9, respectively.
Figure 7. Sink buffer occupancy with attackers.

Figure 8. Half connection time.

Figure 9. Sink buffer length.

4. Conclusion
This paper presented a novel approach for defense against SYN-flooding attacks. In order to defend against SYN-flooding attacks, we modeled the system under attack using game theory and defined a zero-sum game for defending against these attacks. Then, to provide a defense mechanism, we used a variety of strategies for the players in this framework and obtained an intelligent defense mechanism that adjusts the parameters of the system under attack dynamically. The simulation results obtained in the NS-2 environment confirmed the improvement of our proposed method in terms of efficient buffer occupancy by connections and especially the responsiveness and availability of the server under attack.

5. References
1. Alam M. A fine-grained and user-centric permission delegation framework for web services. Int J Physical Sciences. 2011; 6(6):2060–71.
2. Al-Bakri S. Securing peer-to-peer mobile communications using public key cryptography: New security strategy. Int J Physical Sciences. 2011; 9:930–8.
3. Alpcan T, Basar T. An intrusion detection game with limited observations. 12th International Symposium on Dynamic Games and Applications; 2006; Sophia Antipolis, France.
4. Bicakci K, Tavli B. Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks. Computer Standards & Interfaces. 2009; 31(5):931–41.
5. Bisnik N. Applying game theory to study communication networks. ECSE Department, RPI, Troy, NY.
6. Chang R. Defending against flooding-based distributed denial-of-service attacks: a tutorial. IEEE Communications Magazine. 2002; 40(10):42–51.
7. Charilas D, Panagopoulos A. A survey on game theory applications in wireless networks. Comput Networks. 2010; 54(18):3421–30.
8. Crosby A, Wallach D. Denial of Service via Algorithmic Complexity Attacks. Proceedings of the 12th USENIX Security Symposium. 2003; 29–44.
9. Gligor V. A note on the denial-of-service problem. IEEE Symposium on Security and Privacy. 1983; 139–49.
10. Golestani S, Bhattacharyya S. A Class of End-to-End Congestion Control Algorithms for the Internet. IEEE/ACM Transactions on Networking. 1999.
11. Gordon A, et al. 10th annual CSI/FBI computer crime and security survey. Computer Security Institute. 2005; 1–26.
12. Hamdi M, Boudriga N. Detecting Denial-of-Service attacks using the wavelet transform. Computer Communication. 2007; 30(16):3203–13.
13. Kelly F, Maulloo A, Tan D. Rate control for communication networks: shadow prices, proportional fairness and stability. J Oper Res. 1998; 49:237–252.
14. Khirwadkar T. Defense against network attacks using game theory [Master's thesis]. University of Illinois at Urbana-Champaign, Urbana, Illinois; 2011.
15. Long M, Wu C, Hung J. Denial of service attacks on network-based control systems: impact and mitigation. IEEE Transactions on Industrial Informatics. 2005; 1(2):85–96.
16. Low S, Lapsley D. Optimization Flow Control-I: Basic Algorithm and Convergence. IEEE/ACM Transactions on Networking. 1999; 7(6):1–16.
17. Manshaei M, et al. Game Theory Meets Network Security and Privacy. Technical report. EPFL, Lausanne; 2010.
18. Naserian M, Tepe K. Game theoretic approach in routing protocol for wireless ad hoc networks. Ad Hoc Networks. 2009; 7(3):569–78.
19. Nejati F, Khoshbin H. A novel secure and energy-efficient protocol for authentication in wireless sensor networks. Int J Physical Sciences. 2010; 5(10):1558–66.
20. Niyato D, Hossain E. Radio resource management games in wireless networks: an approach to bandwidth allocation and admission control for polling service in IEEE 802.16. IEEE Wireless Communications. 2007; 14(1):27–35.
21. Roy S, et al. A Survey of Game Theory as Applied to Network Security. Hawaii International Conference on System Sciences; 2010 Jan 4–7; USA.
22. Sachdeva M, et al. DDoS incidents and their impact: a review. Int Arab J Inform Tech. 2010; 7(1):14–20.
23. Safa H, et al. A collaborative defense mechanism against SYN flooding attacks in IP networks. J Netw Comput Appl. 2008; 31(4):509–34.
24. Sallhammar K, Helvik B, Knapskog S. On stochastic modeling for integrated security and dependability evaluation. Journal of Networks. 2006; 1(5):31–42.
25. Siris V, Papagalou F. Application of anomaly detection algorithms for detecting SYN flooding attacks. Computer Communication. 2006; 29(9):1433–42.
26. Srivastava V, et al. Using game theory to analyze wireless ad hoc networks. IEEE Communications Surveys. 2006; 7(4):46–56.
27. Tembine H, et al. Multiple access game in Ad-Hoc network. Proceedings of GameComm; 2007; Nantes, France.
28. Wang H, Zhang D, Shin K. Detecting SYN flooding attacks. Proceedings of IEEE INFOCOM. 2002; 1530–9.
29. Wang Y, et al. A queuing analysis for the denial of service (DoS) attacks in computer networks. Computer Networks. 2007; 51:3564–73.
30. Warrender B, Forrest S. Detecting intrusions using system calls: Alternative data models. IEEE Symposium on Security and Privacy. 1999.
31. Xiao B, Chen W, He Y. An autonomous defense against SYN flooding attacks: Detect and throttle attacks at the victim side independently. J Parallel and Distributed Computing. 2008; 68(4):456–70.
32. Yu C, Gligor V. A formal specification and verification method for the prevention of denial of service. IEEE Symposium on Security and Privacy Proceedings. 1988.
33. You ZX, Shiyong Z. A Kind of network security behavior model Based on game theory. Proceedings of the Fourth International Conference on Parallel and Distributed Computing Applications and Technologies. 2003.