Abstract: This paper gave a new method to detect the SynFlood attack by analyzing the relationship between Syn segment, Fin segment and Rst segment in TCP protocol. Firstly, the relationship between Syn segment, Fin segment and Rst segment is mapped to Space Geometry; the relationship in a given time frame is mapped to one point in Space Geometry while that when no attack behavior exists is mapped to a line in Space Geometry. The distance between the point to the line can hence be used to detect and determine the SynFlood attack. Furthermore, the efficiency and accuracy are improved by using moving average technology which can anti abasing the distance discribed above. The experimental result shows that the method can detect the direct SynFlood attack and the reflect SynFlood attack accurately and have low rate of false alarm. Also the method can be deployed to mid-large scale networks because of its high performance for processing data packets.

Key words: SynFlood attack, Distance in space geometry, Deviation, Moving average, Attack discriminant