Corresponding author. Tel.: + 959795333487; fax: +95 01 610633. E-mail address: [email protected].
This research is supported by Asi@Connect grant Asi@Connect-17-094 - OF@TEIN+: Open/Federated Playground for Future Networks.
ISBN 978-981-14-1455-8. Yangon, Myanmar, February 27-March 1, 2019, pp. 126-131.
SYN Flooding Attack Detection and Mitigation in SDN
Nan Haymarn Oo 1 and Aung Htein Maw 2
1 University of Computer Studies, Yangon 2 University of Information Technology
Abstract. Software-defined networking separates the network architecture into a logical control layer and a data forwarding layer with the aim of providing high flexibility, agility, and security. Although it manages the whole network from the controller with the ease of programmability, many security issues still exist in the SDN architecture. An attacker can target the various layers of SDN with a DDoS attack. Defining the threshold for detection and mitigation of the attack is one of the most important issues. Existing research emphasizes the detection of DDoS attacks with various mechanisms in the SDN infrastructure. This paper provides a simple mechanism for both detection and mitigation of a common type of DDoS attack, the SYN flooding attack, via an sFlow analyzer with a dynamic threshold calculated by the adaptive threshold algorithm. It uses its own generated network traffic, consisting of both normal and attack traffic, and shows how the calculated dynamic threshold adapts to the incoming traffic. It also evaluates the performance of the detection and mitigation mechanism by detection rate, false alarm rate, false negative rate, and accuracy in order to prove that our proposed system can detect DDoS attacks in time and mitigate them reasonably.
Keywords: adaptive threshold, DDoS, detection and mitigation, SDN, sFlow.
1. Introduction
A SYN flooding attack is a common DoS attack that exploits TCP's three-way handshake procedure to exhaust memory by maintaining half-open connections. It works at the transport layer of the TCP/IP model [1]. The attacker sends a very large number of SYN messages to a single victim server, but the client never acknowledges the server's SYN/ACK messages. As a result, the server consumes all its resources maintaining many half-open connections and can no longer accept new TCP connection requests [2-3]. The large number of flows generated by a SYN flooding attack might overflow the storage space or the OpenFlow table in the OpenFlow switches of the data forwarding layer. In addition, the attack might break not only the controller at the control layer but also the link between the control layer and the data layer [1]. Even if the flooding attack is launched for only a few seconds, the entire network can be breached or stopped.
Therefore, obtaining visibility of all devices in the entire network is important in order to detect the flooding attack in time. By adding InMon's sFlowRT module into the SDN stack [4], real-time network, host and application visibility can be delivered to SDN applications [5] and the overhead of collecting flow statistics in the SDN application is reduced. Thus, attacks can be detected by using the sFlow analyzer and mitigated via the SDN application. Aizuddin, Ahmad Ariff, et al. proposed a solution via sFlow with security-centric SDN for detection and mitigation of DNS amplification attacks using the sFlow analyzer [6].
One of the most important parts of the detection and mitigation of attacks is defining an appropriate threshold value in order to differentiate the attack traffic from the normal traffic. It can be defined statically or dynamically. A static threshold cannot take changes in network traffic into account; as a result, it may produce a vast number of false alarms. In contrast, a dynamic threshold can adapt to the trend of traffic and
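The static-versus-dynamic threshold argument above, as an added example that is not the paper's code: a small Python simulation runs an adaptive threshold rule (assumed here to be the EWMA-based algorithm of Siris and Papagalou, with the baseline frozen while an alarm is active) and a fixed threshold over a constructed series of per-interval SYN counts, then scores both with the detection rate, false alarm rate, false negative rate and accuracy named in the abstract. The count series, the parameter values and the static threshold of 200 are assumptions, not values from the paper.

```python
# Added example (not from the paper): adaptive-threshold SYN-rate detector
# beside a static threshold, scored with the metrics the paper names.
# The adaptive rule is the EWMA form of Siris & Papagalou (assumed to be the
# one the paper uses); the SYN counts below are constructed, not measured.

def adaptive_threshold_alarms(counts, alpha=0.5, beta=0.9, k=3):
    """One bool per interval: True once the SYN count has exceeded
    (1 + alpha) * mu for k consecutive intervals, mu being the EWMA of
    past counts. Design choice here: mu is frozen while alarming, so a
    long flood cannot raise its own baseline until it looks normal."""
    alarms, streak, mu = [], 0, None
    for x in counts:
        if mu is None:              # seed the baseline with the first interval
            mu = float(x)
            alarms.append(False)
            continue
        streak = streak + 1 if x > (1 + alpha) * mu else 0
        alarm = streak >= k
        alarms.append(alarm)
        if not alarm:               # track normal traffic, ignore attack intervals
            mu = beta * mu + (1 - beta) * x
    return alarms

def static_threshold_alarms(counts, threshold=200):
    """Fixed threshold tuned on the quiet baseline; it cannot follow drift."""
    return [x > threshold for x in counts]

def evaluate(alarms, is_attack):
    """Detection rate, false alarm rate, false negative rate and accuracy,
    treating each measurement interval as one sample."""
    tp = sum(1 for a, l in zip(alarms, is_attack) if a and l)
    fp = sum(1 for a, l in zip(alarms, is_attack) if a and not l)
    fn = sum(1 for a, l in zip(alarms, is_attack) if not a and l)
    tn = sum(1 for a, l in zip(alarms, is_attack) if not a and not l)
    return {"detection_rate": tp / (tp + fn),
            "false_alarm_rate": fp / (fp + tn),
            "false_negative_rate": fn / (tp + fn),
            "accuracy": (tp + tn) / len(alarms)}

def sample_syn_counts():
    """Constructed SYN-per-interval series: quiet baseline, a slow legitimate
    rise to 2.5x, a plateau, a 15-interval SYN flood, then recovery.
    Returns (counts, is_attack)."""
    counts = ([100] * 20 + [100 + 5 * i for i in range(1, 31)]
              + [250] * 10 + [3000] * 15 + [250] * 10)
    is_attack = [False] * 60 + [True] * 15 + [False] * 10
    return counts, is_attack

if __name__ == "__main__":
    counts, is_attack = sample_syn_counts()
    for name, alarms in (("adaptive", adaptive_threshold_alarms(counts)),
                         ("static", static_threshold_alarms(counts))):
        print(name, evaluate(alarms, is_attack))
```

The static threshold raises an alarm on every interval of the legitimate rise and plateau, while the adaptive rule follows the drift and alarms only on the flood, at the cost of the first k-1 flood intervals.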