Abstract

As one of the main types of Distributed Denial of Service (DDoS) attacks, SYN flood attacks cause serious problems for servers, since legitimate clients may be denied connections. There is an essential demand for an effective approach to mitigating SYN flood attacks. In this paper, we introduce an efficient high-throughput, low-latency SYN flood defender architecture, carefully designed with a pipeline model. A mathematical model for estimating SYN flood protection throughput and latency is also introduced with the architecture. The first prototype version based on the architecture, written in Verilog-HDL, can function standalone to alleviate high-rate SYN flood attacks and can be integrated into an OpenFlow switch for handling network packets. Our experiments with NetFPGA-10G platforms show that the core can protect servers against SYN flood attacks of up to 28+ million packets per second, which outperforms most well-known hardware-based approaches in the literature.

Highlights

  • Along with the rapid development of technology and network architectures, cybersecurity has become a primary issue for organizations such as commercial trades, banks, and military networks

  • Both the standalone SYN flood defender core and the OFS with our core integrated are developed on the NetFPGA-10G platform containing a Xilinx Virtex-5 xc5vtx240t device

  • While the standalone core does not use any Intellectual Property (IP) core, in order to improve flexibility, the OFS with our core integrated uses some IP cores provided by Xilinx, such as AXI4-Lite

Summary

Introduction

Along with the rapid development of technology and network architectures, cybersecurity has become a primary issue for organizations such as commercial trades, banks, and military networks. SDN architecture suffers from security vulnerabilities in the control plane as well as in the data plane and the communication channel. SDN systems can be brought down when TCP SYN attacks flood the communication channel. To overcome this critical security issue, strengthening the processing power of the control plane using software approaches, such as the work in [6,7,8], is well researched. Hardware-based approaches, comprising Field Programmable Gate Arrays (FPGA) [20] or Application-Specific Integrated Circuits (ASIC) [21] for parallel processing, have been used as efficient platforms for building SYN flood defense systems. The main advantages of hardware approaches are parallel processing and low latencies, which make them suitable for protecting against high-rate SYN flood attacks. There still exist some limitations, such as low scalability, high implementation cost, and high complexity, which mean the design has not yet been optimized.