Throttling spoofed SYN flooding traffic at the source

3 Abstract TCP-based flooding attacks are a common form of Distributed Denial-of-Service 4 (DDoS) attacks which abuse network resources and can bring about serious threats to the Internet. 5 Incorporating IP spoofing makes it even more difficult to defend against such attacks. Among 6 different IP spoofing techniques, which include random spoofing, subnet spoofing and fixed 7 spoofing, subnet spoofing is the most difficult type to fight against. In this paper, we propose 8 a simple and efficient method to detect and defend against TCP SYN flooding attacks under 9 different IP spoofing types, including subnet spoofing. The method makes use of a storage-10 efficient data structure and a change-point detection method to distinguish complete three-way 11 TCP handshakes from incomplete ones. This lightweight approach makes it relatively easy 12 to deploy the scheme as its resource requirement is reasonably low. Simulation experiments 13 consistently show that our method is both efficient and effective in defending against TCP-based 14 flooding attacks under different IP spoofing types. Specifically, our method outperforms others 15 in achieving a higher detection rate yet with lower storage and computation costs.