AEGIS: Detection and Mitigation of TCP SYN Flood on SDN Controller

Software-Defined Networking (SDN) separates the control plane from the data plane to make the network programmable. The controller in the control plane runs the network modules and installs the forwarding rules used by the switches in the data plane. Although this design has several advantages, SDN can fail when the controller is saturated by a flood of TCP SYN packets. A SYN flood can be produced by malicious spoofing of IP or MAC addresses or by a flash crowd. Existing solutions that mitigate SYN floods against the controller do not adequately handle MAC-spoofing-based SYN floods, and they cannot distinguish a flash crowd from malicious traffic. To overcome some of these limitations, we propose a novel mechanism called AEGIS, which detects and mitigates SYN floods against the SDN controller. AEGIS runs in the controller and regularly checks whether the controller is suffering a performance lag caused by an ongoing SYN flood. If performance degradation is detected, AEGIS takes this as an indication of a SYN flood and determines whether it is caused by spoofed addresses or by a flash crowd. Once the cause is identified, the appropriate mitigation procedure is triggered. We evaluate AEGIS in testbed and emulator settings and compare the results with state-of-the-art solutions. The performance evaluation shows that AEGIS identifies malicious SYN packets with an accuracy of 97.78%. Moreover, when there is no SYN flood, AEGIS takes 0.0637s to set up a successful TCP connection, which is 53.81% less than the time taken by the state-of-the-art solution, showing that AEGIS is lightweight.
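The three-stage workflow the abstract describes (watch the controller for a performance lag, then decide whether the SYN load comes from spoofed addresses or a flash crowd, then trigger a mitigation) can be sketched as a controller-side monitor. The following is an added illustration written for this page, not AEGIS's own code: the lag threshold (mean packet-in handling latency above three times an idle baseline), the window size, and the heuristic used to separate spoofing from a flash crowd (spoofed sources almost never complete the three-way handshake, genuine clients mostly do) are assumptions for the example, since the abstract does not specify how AEGIS makes these decisions. The event streams are constructed sample data.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class SynEvent:
    """One TCP SYN that reached the controller as a packet-in (constructed sample data)."""
    src_mac: str
    src_ip: str
    handling_latency_s: float   # how long the controller took to process this packet-in
    completed: bool             # whether the source later finished the three-way handshake


# Defender-side actions per cause; the wording is an assumption for this example,
# the abstract only says that "the appropriate mitigation procedure is triggered".
MITIGATION = {
    "spoofed": "drop SYNs from sources that never complete a handshake; stop flow-rule churn",
    "flash_crowd": "rate-limit packet-in delivery to the controller; keep serving genuine clients",
}


@dataclass
class ControllerMonitor:
    baseline_latency_s: float            # packet-in latency measured while the controller is idle
    lag_factor: float = 3.0              # assumption: a lag is a mean latency above 3x baseline
    spoof_completion_ratio: float = 0.2  # assumption: spoofed floods complete < 20% of handshakes
    window: list = field(default_factory=list)

    def observe(self, ev: SynEvent) -> None:
        """Record one SYN packet-in in the current observation window."""
        self.window.append(ev)

    def performance_lag(self) -> bool:
        """Stage 1: is the controller handling packet-ins noticeably slower than its baseline?"""
        if not self.window:
            return False
        avg = mean(e.handling_latency_s for e in self.window)
        return avg > self.lag_factor * self.baseline_latency_s

    def classify_cause(self) -> str:
        """Stage 2: spoofed addresses cannot answer SYN-ACKs, so the completion ratio collapses;
        a flash crowd is many real clients whose handshakes mostly succeed."""
        completed = sum(1 for e in self.window if e.completed)
        ratio = completed / len(self.window)
        return "spoofed" if ratio < self.spoof_completion_ratio else "flash_crowd"

    def check(self) -> dict:
        """Run one periodic check and return the verdict with the mitigation to trigger (stage 3)."""
        if not self.performance_lag():
            verdict = {"state": "normal", "cause": None, "action": None}
        else:
            cause = self.classify_cause()
            verdict = {"state": "syn_flood", "cause": cause, "action": MITIGATION[cause]}
        self.window.clear()  # start a fresh window for the next periodic check
        return verdict


def make_events(n: int, latency_s: float, completed_fraction: float) -> list:
    """Build a constructed stream of n SYN events with the given per-packet latency,
    where the first completed_fraction of sources finish their handshakes."""
    done = int(n * completed_fraction)
    return [
        SynEvent(
            src_mac=f"02:00:00:00:{i // 256:02x}:{i % 256:02x}",
            src_ip=f"10.0.{i // 256}.{i % 256}",
            handling_latency_s=latency_s,
            completed=(i < done),
        )
        for i in range(n)
    ]


# Constructed scenarios: (event count, packet-in latency, handshake completion fraction).
SCENARIOS = {
    "normal": (20, 0.010, 0.95),        # idle controller, almost every handshake completes
    "spoofed": (200, 0.200, 0.00),      # latency blows up, no source ever completes
    "flash_crowd": (200, 0.200, 0.90),  # latency blows up, but clients are genuine
}


def run_scenario(name: str, baseline_latency_s: float = 0.010) -> dict:
    """Feed one constructed scenario through the monitor and return its verdict."""
    monitor = ControllerMonitor(baseline_latency_s=baseline_latency_s)
    n, latency_s, completed_fraction = SCENARIOS[name]
    for ev in make_events(n, latency_s, completed_fraction):
        monitor.observe(ev)
    return monitor.check()


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, "->", run_scenario(name))
```

The completion-ratio heuristic is only one way to separate the two causes; it needs the controller to learn which handshakes eventually succeed, for example from the switch's flow statistics or from seeing the client's ACK. In a deployment the window length and thresholds should be calibrated against the controller's measured idle latency rather than the constants used here.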