The large scaled TCP abnormal behavior, such as DDoS, scanning etc., can be detected by some metrics and their experimental values derived by the uniqueness of TCP connections. An algorithm named Bloom Filter Reproduction (BFR) is proposed to reconstruct the original parameters in large scaled TCP abnormal behaviors pithily by enhanced simple hash functions. Without maintaining the TCP information of 96bits’ 5-tuple, the BFR algorithm can reconstruct the abnormal parameters such as IP address or their aggregation timely during the detection process. The experiments show that BFR can disclose several abnormal behaviors mixed in network traffic at the same time with high precision and low overhead.