Abstract:
This research work produces a functional algorithm for detecting anomalous traffic in the network Transport Control Protocol (TCP). It proposes a Synchronize (SYN) Packet Flood Distributed Denial of Service (SYN Flood DDoS) attack detection algorithm for TCP, used to analyze and examine network traffic traces and to see how this affects the detection of anomalies in distributed attacks. The anomaly detection algorithm was developed using the Object-Oriented Software Engineering (OOSE) methodology, which is compliant with Model-Driven Architecture (MDA) in its development processes. The algorithm uses an Entity Relationship model to organize its main information objects. The Java programming language was chosen for the implementation of the proposed algorithm. Finally, detection of SYN Flood Distributed Denial of Service attacks was performed on network packet traces (datasets) captured from 15th through 24th November 2017 to determine how well anomalies are detected on the TCP network protocol. The results obtained while testing the proposed algorithm summarize the SYN Flood DDoS attacks detected in each of the network packet traces. Attacks were detected in only four datasets, namely the network packet traces captured on 15th, 16th, 22nd and 24th November 2017, while the other six datasets were attack free. All the attacks detected occurred in less than 1 minute. The result obtained in this experiment using the proposed JLP (Java Logical Program) SYN Flood DDoS attack detection algorithm shows that a SYN flood attack inundates a host server with [SYN] segments carrying forged (spoofed) source IP addresses that are non-existent or unreachable. The host server responds with [SYN, ACK] segments to these addresses and then waits for the corresponding acknowledgement [ACK] segments. Because the responses were sent to non-existent or unreachable IP addresses, the host server never receives an [ACK] and the half-open connections eventually time out. The JLP algorithm detects these attacks by flagging hosts flooded with incomplete TCP connections ([SYN] and [SYN, ACK] without an [ACK]); the detection results show that the attacker is effectively attempting to fill the victim's connection memory buffer, because once this buffer is full the host can no longer process new TCP connection requests.
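The half-open-connection detection described above, rendered as an added Python example. This is not the paper's JLP code (the paper's implementation is in Java); it replays a constructed packet trace, tracks each TCP handshake by its 4-tuple, and raises an alert for any server that accumulates more than a threshold of connections stuck at [SYN] or [SYN, ACK] with no [ACK]. The packet records, the threshold, the timeout and the address ranges are assumptions chosen for the example, not values from the paper's datasets.

```python
"""Half-open (SYN / SYN-ACK without ACK) flood detector over a packet trace.

Added illustration, not the paper's JLP code. Packet records, thresholds and
timeout values below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Real TCP header flag bits.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    ts: float   # seconds since start of trace (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def track_handshakes(packets):
    """Replay the trace in time order and return {conn_key: (state, syn_ts)}
    for every connection whose three-way handshake never completed.

    conn_key is (client, cport, server, sport) as seen in the client's SYN.
    States: 'syn' after the client's SYN, 'synack' after the server's SYN-ACK.
    The entry is dropped when the client's ACK completes the handshake or
    when either side sends RST.
    """
    pending = {}
    for p in sorted(packets, key=lambda p: p.ts):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags & RST:
            pending.pop(fwd, None)
            pending.pop(rev, None)
        elif p.flags & SYN and not p.flags & ACK:
            pending[fwd] = ("syn", p.ts)            # client opens a connection
        elif p.flags & SYN and p.flags & ACK:
            if rev in pending:                       # server answered the SYN
                pending[rev] = ("synack", pending[rev][1])
        elif p.flags & ACK:
            if fwd in pending and pending[fwd][0] == "synack":
                del pending[fwd]                     # handshake completed
    return pending


def detect_syn_flood(packets, threshold=50, timeout=30.0):
    """Count half-open connections per server and alert above `threshold`.

    A pending connection counts as half-open only if its SYN is older than
    `timeout` seconds relative to the last packet of the trace, so handshakes
    still legitimately in progress at the end of the capture are ignored.
    Returns a list of alert dicts (empty when no server is flooded).
    """
    if not packets:
        return []
    trace_end = max(p.ts for p in packets)
    per_server = defaultdict(list)
    for (client, _cport, server, sport), (_state, syn_ts) in track_handshakes(packets).items():
        if trace_end - syn_ts >= timeout:
            per_server[(server, sport)].append((client, syn_ts))
    alerts = []
    for (server, sport), entries in per_server.items():
        if len(entries) > threshold:
            times = [t for _, t in entries]
            alerts.append({
                "server": f"{server}:{sport}",
                "half_open": len(entries),
                "distinct_sources": len({c for c, _ in entries}),  # spoofing indicator
                "start": min(times),
                "end": max(times),
                "duration_s": round(max(times) - min(times), 3),
            })
    return alerts


def build_sample_trace():
    """Constructed trace (not real capture data): three completed handshakes,
    one client-aborted handshake, a 120-SYN flood from distinct spoofed
    sources over 20 s that is SYN-ACKed but never ACKed, and one later
    legitimate connection to a second server so the timeout can elapse."""
    server, pkts = "10.0.0.5", []
    for i in range(3):
        c, cp, t = f"192.168.1.{10 + i}", 40000 + i, float(i)
        pkts += [Packet(t, c, cp, server, 80, SYN),
                 Packet(t + 0.01, server, 80, c, cp, SYN | ACK),
                 Packet(t + 0.02, c, cp, server, 80, ACK)]
    pkts += [Packet(5.0, "192.168.1.20", 40100, server, 80, SYN),
             Packet(5.01, server, 80, "192.168.1.20", 40100, SYN | ACK),
             Packet(5.02, "192.168.1.20", 40100, server, 80, RST)]
    for i in range(120):
        t, spoof = 10.0 + i * (20.0 / 120), f"203.0.113.{i + 1}"  # TEST-NET-3 range
        pkts += [Packet(t, spoof, 1024 + i, server, 80, SYN),
                 Packet(t + 0.005, server, 80, spoof, 1024 + i, SYN | ACK)]
    pkts += [Packet(100.0, "192.168.1.30", 40200, "10.0.0.6", 443, SYN),
             Packet(100.01, "10.0.0.6", 443, "192.168.1.30", 40200, SYN | ACK),
             Packet(100.02, "192.168.1.30", 40200, "10.0.0.6", 443, ACK)]
    return pkts


if __name__ == "__main__":
    for alert in detect_syn_flood(build_sample_trace()):
        print(alert)
```

The `distinct_sources` field is the practical tell the abstract points at: a flood built from spoofed addresses shows nearly one source per half-open connection, whereas a single misbehaving client would repeat the same address. The `duration_s` field is what lets an analyst confirm the "under one minute" observation on a real capture.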