SD-OVS: SYN Flooding Attack Defending Open vSwitch for SDN

Conference paper
First Online:
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10144)

Abstract

Software defined networking (SDN) is a novel programmable networking paradigm that decouples control and data planes. SDN relies heavily on the controller in control plane that tells the data plane how to handle new packets. Because the entire network may be disrupted if the controller is disabled, many attacks including SYN flooding aim to overload the controller by passing through the ingress switches. In this paper, we propose a security enhanced Open vSwitch (SD-OVS) to protect the controller from SYN flooding. The switch authenticates benign hosts by interchanging cookie packets and generates a short-lived security association (SA). The retransmitted SYN packet from these benign hosts is validated using SA and passed on to the controller. Our evaluation shows that SD-OVS protects the controller from SYN flooding at an acceptable time cost.

Keywords

Software defined networking OpenFlow Open vSwitch SYN flooding 
This is a preview of subscription content, log in to check access.

Notes

Acknowledgements

This work was supported by Samsung Research Funding Center of Samsung Electronics under Project Number SRFC-TB1403-04.

References

  1. 1.
    McKeown, N., et. al.: OpenFlow: enabling innovation in campus networks. In: ACM SIGCOMM Computer Communications Review, New York, pp. 69–74 (2008)Google Scholar
  2. 2.
    CERT, TCP SYN Flooding and IP Spoofing Attacks (1996)Google Scholar
  3. 3.
    Eddy, W.: TCP SYN flooding attacks and common mitigations. In: Request for Comments: 4987, pp. 6–10 (2007)Google Scholar
  4. 4.
    Gavaskar, S., Surendiran, R., Ramaraj, E.: Three counter defense mechanism for TCP SYN flooding attacks. Int. J. Comput. Appl. 6(6), 12–15 (2010)Google Scholar
  5. 5.
    Hong, S., Xu, L., Wang, H., Gu, G.: Poisoning network visibility in software-defined networks: new attacks and countermeasures. In: NDSS Symposium on 2015, San Diego (2015)Google Scholar
  6. 6.
    Braga, R., Mota, E., Passito, A.: Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: IEEE 35th Conference on Local Computer Networks (LCN), pp. 408–415. IEEE, Denver (2010)Google Scholar
  7. 7.
    Shin, S., Yegneswaran, V., Porras, P., Gu, G.: AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks. In: ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, New York, pp. 413–424 (2013)Google Scholar
  8. 8.
  9. 9.
  10. 10.
    Bernstein, D.J.: SYN cookie, September 1996Google Scholar
  11. 11.
    Kim, T., Choi, Y., Kim, J., Hong, S.: Annulling SYN flooding attacks with whitelist. In: 22nd International Conference on Advanced Information Networking and Applications, Okinawa, pp. 371–376 (2008)Google Scholar
  12. 12.
  13. 13.
    Goldreich, O.: Foundations of Cryptography: Volume II Basic Applications, pp. 498–502. Cambridge University Press, New York (2004)CrossRefGoogle Scholar
  14. 14.
    PUB, FIPS, Secure Hash Standard. FIPS PUB 180-4, pp. 18–20 (2012)Google Scholar
  15. 15.
    Scott-Hayward, S., O’Callaghan, G., Sezer, S.: SDN security: a survey. In: Future Networks and Services (SDN4FNS), pp. 1–7. IEEE, Trento (2013)Google Scholar
  16. 16.
    Kloti, R., Kotronis, V., Smith, P.: OpenFlow: a security analysis. In: 21st IEEE International Conference on Network Protocols, pp. 1–6. IEEE, Goettingen (2013)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Department of Computer Science and EngineeringPOSTECHPohangRepublic of Korea

Personalised recommendations