We present an original approach to identify synchronize (SYN) flooding attacks from the victim's side, on the basis of a classification of the different forms that TCP handshakes can take during a connection set-up between a client and a server (e.g. for Web traffic). We first identify the unusual handshake sequences that result from an attack and show how such observations can be used for SYN flooding attack detection. We then introduce a data structure to monitor, in real time, the state of the TCP handshake and study its performance. In addition, we explain the management of the data structure for operations such as initialization, adding and removing flows. Finally, we analyse the effectiveness of our TCP handshake monitoring to identify the presence of SYN flooding attacks by applying it to real traffic traces. To allow quick protection and help guarantee a proper defence, the detection is done in real time. Our detection system uses a non-parametric cumulative sum algorithm (CUSUM), which has the benefit of not requiring a detailed model of the normal and attack traffic while achieving excellent detection levels.