SAFETY: Early Detection and Mitigation of TCP SYN Flood Utilizing Entropy in SDN

Software defined networking (SDN) is an emerging network paradigm that emphasizes the separation of the control plane from the data plane. This decoupling provides several advantages, such as flexibility, programmability, and centralized control. However, SDN also introduces new vulnerabilities because the data plane and the control plane must communicate. Examples of threats that exploit these vulnerabilities are control plane saturation and switch buffer overflow attacks, both of which can be launched by flooding TCP SYN packets from the data plane (i.e., the switches) toward the control plane. This paper presents SAFETY, a novel solution for the early detection and mitigation of TCP SYN flooding. SAFETY combines the programmability and network-wide visibility of SDN with an entropy method that measures the randomness of the flow data; the entropy is computed over the destination IP address and a few attributes of the TCP flags. To show the feasibility and effectiveness of SAFETY, we implement it as an extension module for the Floodlight controller and evaluate it under different scenarios. We run a thorough evaluation of our implementation through extensive emulation in Mininet. The experimental results show that, compared to the state of the art, SAFETY brings a significant improvement (13%) in the processing delay experienced by a legitimate node. Other parameters, such as CPU utilization at the controller and attack detection time, are also examined and show improvement in various scenarios.
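The detection idea in the abstract, an entropy measure over destination IP addresses and TCP flag attributes for a window of packets, is illustrated by the following added example; it is not SAFETY's own Floodlight code, and the thresholds, window contents and feature names are assumptions chosen for illustration. In an SDN deployment the window would be filled from the packets the switches forward to the controller.

```python
import math
from collections import Counter

# Illustrative thresholds (assumed for this example, not the paper's tuned values).
DST_ENTROPY_MIN = 0.5   # normalized destination-IP entropy below this is "concentrated"
SYN_RATIO_MAX = 0.7     # share of bare SYNs (SYN without ACK) above this looks like a flood

def shannon_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def normalized_entropy(values):
    """Entropy scaled to [0, 1] by its maximum log2(n) for a window of n samples."""
    n = len(values)
    return 0.0 if n < 2 else shannon_entropy(values) / math.log2(n)

def window_features(packets):
    """packets: list of (dst_ip, flags), where flags is a set of TCP flag names."""
    dsts = [dst for dst, _ in packets]
    flag_patterns = ["+".join(sorted(flags)) for _, flags in packets]
    bare_syn = sum(1 for _, flags in packets if "SYN" in flags and "ACK" not in flags)
    return {
        "dst_entropy": normalized_entropy(dsts),       # drops when one target dominates
        "flag_entropy": normalized_entropy(flag_patterns),  # drops when almost all are SYN
        "syn_ratio": bare_syn / len(packets) if packets else 0.0,
    }

def is_syn_flood(packets):
    """Flag a window whose traffic is concentrated on few destinations and is mostly bare SYNs."""
    f = window_features(packets)
    return f["dst_entropy"] < DST_ENTROPY_MIN and f["syn_ratio"] > SYN_RATIO_MAX

# Constructed sample windows (not captured traffic): a healthy mix of handshake
# and data segments, and the same mix buried under bare SYNs aimed at one host.
NORMAL_WINDOW = [
    ("10.0.0.1", {"SYN"}), ("10.0.0.2", {"SYN", "ACK"}), ("10.0.0.1", {"ACK"}),
    ("10.0.0.3", {"ACK", "PSH"}), ("10.0.0.4", {"SYN"}), ("10.0.0.2", {"ACK"}),
    ("10.0.0.5", {"FIN", "ACK"}), ("10.0.0.3", {"ACK"}),
]
ATTACK_WINDOW = NORMAL_WINDOW + [("10.0.0.1", {"SYN"})] * 24

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        print(name, window_features(window), "flood" if is_syn_flood(window) else "ok")
```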
