Software defined networking (SDN) has emerged over the past few years as a novel networking technology that enables fast and easy network management. Separating the control plane from the data plane in SDNs allows for dynamic network management, implementation of new applications, and implementation of network-specific functions in software. This paper addresses the problem of SYN flood attacks in SDNs, which are considered among the most challenging threats because their effect extends beyond the targeted end system to the controller and the TCAM of OpenFlow switches. These attacks exploit the three-way handshake connection establishment mechanism of TCP: attackers overwhelm the victim machine with a flood of spoofed SYN packets, resulting in a large number of half-open connections that will never complete. In an SDN this also degrades the performance of the controller and populates the OpenFlow switches' TCAMs with spoofed entries. In this paper, we propose ISDSDN, a mechanism for SYN flood attack mitigation in software defined networks. The proposed mechanism adopts the idea of intentional dropping to distinguish between legitimate and attack SYN packets in the context of software defined networks. ISDSDN is implemented as an extension module of the POX controller and is evaluated under different attack scenarios. Performance evaluation shows that the proposed mechanism is very effective in defending against SYN flood attacks.
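The abstract states only that ISDSDN builds on intentional dropping; the following Python sketch is an added illustration of that idea and is not code from the paper or from the ISDSDN repository. It models the scheme from the cited INFOCOM 2005 work as commonly described: the first SYN of every new connection attempt is deliberately dropped, a real TCP client retransmits the same SYN after its retransmission timeout (about one second per RFC 6298), whereas a spoofed source never does. Only sources that retransmit are admitted and get a flow entry, so the switch TCAM sees one entry per genuine client rather than one per spoofed SYN. The packet fields, the 0.5 s to 3 s retransmission window, the returned action strings standing in for POX flow installation, and the constructed traffic in simulate() are all assumptions of this example.

```python
from collections import namedtuple

# Constructed packet record: only the TCP/IP fields the filter needs
# (a real controller would read these from the packet-in event).
SynPacket = namedtuple("SynPacket", "src_ip src_port dst_ip dst_port seq ts")


class IntentionalDropFilter:
    """Drop the first SYN of each attempt; admit the source on a timely retransmission."""

    def __init__(self, min_gap=0.5, window=3.0):
        self.min_gap = min_gap      # assumed: a retransmission arriving sooner is not a real RTO
        self.window = window        # assumed: pending entries older than this are forgotten
        self.pending = {}           # dropped first SYNs: key -> arrival time (bounded by expire())
        self.admitted = set()       # source IPs that proved themselves and received a flow entry
        self.stats = {"dropped": 0, "flow_installed": 0, "forwarded": 0}

    @staticmethod
    def _key(pkt):
        # A retransmitted SYN repeats the same 4-tuple and initial sequence number.
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.seq)

    def handle(self, pkt):
        """Return the action the controller would take: forward, install_flow or drop."""
        if pkt.src_ip in self.admitted:
            self.stats["forwarded"] += 1
            return "forward"
        key = self._key(pkt)
        first_seen = self.pending.get(key)
        if first_seen is not None and self.min_gap <= pkt.ts - first_seen <= self.window:
            # Same SYN came back after a plausible RTO: a real TCP stack is behind it.
            del self.pending[key]
            self.admitted.add(pkt.src_ip)
            self.stats["flow_installed"] += 1
            return "install_flow"
        # First sighting (or a burst duplicate / stale retry): drop and remember it.
        self.pending[key] = pkt.ts
        self.stats["dropped"] += 1
        return "drop"

    def expire(self, now):
        """Forget pending SYNs that were never retransmitted; keeps controller state bounded."""
        stale = [k for k, t in self.pending.items() if now - t > self.window]
        for k in stale:
            del self.pending[k]
        return len(stale)


def simulate(n_clients=5, n_spoofed=200, rto=1.0):
    """Constructed mix: a few real clients that retransmit, many spoofed one-shot SYNs."""
    events = []
    for i in range(n_clients):
        ip = f"10.0.0.{i + 1}"
        t0 = 0.1 * i
        syn = SynPacket(ip, 40000 + i, "10.0.0.100", 80, 1000 + i, t0)
        events.append(syn)
        events.append(syn._replace(ts=t0 + rto))          # the client's RTO retransmission
    for j in range(n_spoofed):
        # Spoofed sources: unique address and sequence number, sent exactly once.
        events.append(SynPacket(f"203.0.113.{j}", 50000 + j, "10.0.0.100", 80,
                                7 * j + 3, 2.0 * j / n_spoofed))
    events.sort(key=lambda p: p.ts)

    flt = IntentionalDropFilter()
    for pkt in events:
        flt.handle(pkt)
    expired = flt.expire(now=10.0)
    return {**flt.stats, "expired": expired, "pending": len(flt.pending)}


if __name__ == "__main__":
    print(simulate())
```

The cost of the scheme is one extra round-trip timeout for every new legitimate connection, and the pending table is state the controller must bound (hence expire()). The check rests on the retransmission carrying the same sequence number, so a flood that deliberately repeats each spoofed SYN after the timeout would pass the filter; the paper's evaluation scenarios are not reproduced on this page.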
Cite this article
Al-Duwairi, B., Al-Quraan, E. & AbdelQader, Y. ISDSDN: Mitigating SYN Flood Attacks in Software Defined Networks. J Netw Syst Manage 28, 1366–1390 (2020). https://doi.org/10.1007/s10922-020-09540-1
- Network security
- Intentional dropping