Abstract

Distributed Denial of Service (DDoS) constitutes a major threat to both traditional and SDN networks. An attacker can launch a DDoS attack to exhaust the controller, other network resources such as switches, or both. DDoS attacks take several forms, including UDP flood, SYN flood, Ping of Death, ICMP flood and HTTP flood; among these, SYN flood and HTTP flood are currently the most common. In this thesis, we focus on developing a security scheme to alleviate DDoS attacks with spoofed and non-spoofed source IP addresses in an SDN environment. First, we use a simple detection mechanism that measures traffic statistics over a time-series window to detect a possible SYN flood and/or HTTP flood. To reduce false positives, the flagged traffic is then examined further using a valid-source-IP-address scheme and a single-flow-packet scheme that separate legitimate traffic from attack traffic. Once an attack is confirmed, the security scheme deploys mitigation methods to alleviate it. For a SYN flood, source IP address filtering permits only traffic with valid source IP addresses to enter the network. For an HTTP flood, the mitigation method identifies the attack sources and discards the traffic from those sources. We also test the proposed scheme against other DDoS attacks, such as ICMP flood and UDP flood, and compare it with other security schemes found in the literature. The results show that the proposed scheme can effectively protect the controller and other network resources from common DDoS attacks, and that it admits more legitimate connections with fewer false positives than the other schemes.
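The abstract describes a two-stage scheme: a window-based SYN-count statistic raises a suspicion, and a second pass over the suspicious window separates attack sources from legitimate ones before a filter is installed. The following is an added, illustrative example (not the thesis's own code) of that structure in Python. It assumes a packet trace of `(time, src, dst, flags)` tuples, interprets the "single flow packet" rule as "a source whose every flow in the window consisted of a lone SYN and nothing else", and uses a constructed trace and an arbitrary threshold of 50 SYNs per one-second window; none of these values come from the thesis. It also shows the false-positive edge case the abstract is concerned with: a legitimate client whose SYN lands at the end of a window and whose ACK arrives in the next one is misclassified unless a short grace period is applied.

```python
from collections import defaultdict


def constructed_trace():
    """Constructed packet trace: (time_s, src_ip, dst_ip, tcp_flags).
    Flags use tcpdump-style letters: S = SYN, A = ACK, PA = PSH+ACK."""
    pkts = []
    # Three legitimate clients that complete the handshake and send data.
    for i, ip in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        base = 0.1 + 0.2 * i
        pkts += [(base, ip, "10.0.0.100", "S"),
                 (base + 0.05, ip, "10.0.0.100", "A"),
                 (base + 0.10, ip, "10.0.0.100", "PA")]
    # A legitimate client whose SYN lands just before the window boundary
    # and whose ACK arrives in the next window.
    pkts += [(0.99, "10.0.0.14", "10.0.0.100", "S"),
             (1.02, "10.0.0.14", "10.0.0.100", "A")]
    # SYN flood: 80 spoofed sources, each sending one bare SYN in window 0.
    for n in range(80):
        pkts.append((0.5 + n * 0.005, f"192.0.2.{n + 1}", "10.0.0.100", "S"))
    return sorted(pkts)


def window_syn_counts(packets, window=1.0):
    """Stage 1 statistic: number of SYN packets per time window."""
    counts = defaultdict(int)
    for t, _src, _dst, flags in packets:
        if flags == "S":
            counts[int(t // window)] += 1
    return dict(counts)


def suspicious_windows(packets, threshold=50, window=1.0):
    """Windows whose SYN count exceeds the (assumed) threshold."""
    return sorted(w for w, c in window_syn_counts(packets, window).items()
                  if c > threshold)


def single_packet_sources(packets, widx, window=1.0, grace=0.0):
    """Stage 2: sources in window `widx` whose every flow was a lone SYN.
    `grace` extends the observation range past the window end so that a
    handshake straddling the boundary is not mistaken for a bare SYN."""
    start, end = widx * window, (widx + 1) * window + grace
    flows = defaultdict(list)
    for t, src, dst, flags in packets:
        if start <= t < end:
            flows[(src, dst)].append(flags)
    per_src = defaultdict(list)
    for (src, _dst), fl in flows.items():
        per_src[src].append(fl)
    return {src for src, fls in per_src.items()
            if all(fl == ["S"] for fl in fls)}


def build_blocklist(packets, threshold=50, window=1.0, grace=0.0):
    """Sources to filter: lone-SYN senders in every suspicious window."""
    blocked = set()
    for w in suspicious_windows(packets, threshold, window):
        blocked |= single_packet_sources(packets, w, window, grace)
    return blocked


def filter_packets(packets, blocked):
    """Mitigation: drop every packet whose source is on the blocklist."""
    return [p for p in packets if p[1] not in blocked]


if __name__ == "__main__":
    trace = constructed_trace()
    print("SYNs per window:", window_syn_counts(trace))
    print("blocked without grace:", len(build_blocklist(trace, grace=0.0)))
    print("blocked with 100 ms grace:", len(build_blocklist(trace, grace=0.1)))
```

With `grace=0.0` the client at 10.0.0.14 is blocked alongside the 80 spoofed sources; with a 100 ms grace period only the 80 lone-SYN sources remain. In a real SDN deployment the blocklist would be pushed to the switch as drop flow entries, and the grace period trades a slightly slower reaction for fewer false positives.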

Highlights

  • In Software Defined Networking (SDN), the controller is a single point of failure and a prime target of Distributed Denial of Service (DDoS) attacks

  • When the traffic becomes heavy in traffic pattern B, a total of 7 false positive reports are raised, a false positive ratio (FPR) of 0.14%

  • We propose two detection and mitigation methods to defend against SYN flood and HTTP flood attacks


Summary

Introduction

In Software Defined Networking (SDN), the controller is a single point of failure and a prime target of DDoS attacks. Distributed Denial of Service (DDoS) is a form of DoS attack and a common threat on the Internet today: many compromised systems attack a single target, typically a server, temporarily interrupting or suspending its services. One such attack is the SYN flood. One existing detection scheme, instead of monitoring traffic at the front end (a firewall or proxy), detects SYN floods at the leaf routers that connect end hosts to the Internet. It is an instance of the non-parametric CUSUM sequential change-point detection method and relies on the pairing of TCP SYN and FIN packets (SYN-FIN behaviour): under normal conditions a connection opened by a SYN is eventually closed by a FIN (or RST), so the difference between the SYN and FIN/RST counts stays small, and a sustained excess of SYNs signals a flood. The inadequacy of the SYN-FIN pair scheme is that an attacker who is aware of such a detector can defeat it by flooding a mixture of SYN and FIN (or RST) packets, which keeps the two counts balanced so the change-point statistic never rises.
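To make the evasion concrete, here is an added example (not code from the thesis or from the leaf-router scheme it cites) of a non-parametric CUSUM over per-window SYN and FIN/RST counts, written in Python. It follows the usual recipe: the per-window difference is normalised by an exponentially weighted moving average of the FIN count, a small drift `a` is subtracted so that normal traffic keeps the statistic at zero, and an alarm is raised when the accumulated sum exceeds a threshold. The smoothing factor, drift and threshold values and the three constructed traces are assumptions chosen for illustration, not parameters from the page.

```python
def syn_fin_cusum(windows, alpha=0.5, a=0.1, threshold=3.0):
    """Non-parametric CUSUM over (syn_count, fin_rst_count) per window.

    Returns (alarm_window_index or None, list_of_cusum_values).
    alpha, a and threshold are assumed illustrative parameters."""
    f_bar = None      # EWMA of the FIN/RST count (normal traffic scale)
    y = 0.0           # CUSUM statistic, reset to 0 when it would go negative
    ys = []
    alarm = None
    for i, (syn, fin) in enumerate(windows):
        f_bar = float(fin) if f_bar is None else alpha * f_bar + (1 - alpha) * fin
        x = (syn - fin) / max(f_bar, 1.0)   # normalised SYN-FIN difference
        y = max(0.0, y + x - a)             # drift a keeps normal traffic at 0
        ys.append(y)
        if alarm is None and y > threshold:
            alarm = i
    return alarm, ys


# Constructed per-window counts: 10 windows of 20 SYNs and ~20 FIN/RSTs.
def normal_trace(n=10):
    return [(20, 20 + (1 if i % 2 else -1)) for i in range(n)]


def syn_flood_trace(n=10, start=5, rate=200):
    """From window `start`, an extra 200 SYNs per window with no FIN/RST."""
    return [(s + (rate if i >= start else 0), f)
            for i, (s, f) in enumerate(normal_trace(n))]


def mixed_flood_trace(n=10, start=5, rate=200):
    """Same SYN flood, but the attacker also sends a matching RST per SYN,
    which is the evasion the text describes."""
    return [(s + (rate if i >= start else 0), f + (rate if i >= start else 0))
            for i, (s, f) in enumerate(normal_trace(n))]


if __name__ == "__main__":
    for name, trace in [("normal", normal_trace()),
                        ("SYN-only flood", syn_flood_trace()),
                        ("mixed SYN+RST flood", mixed_flood_trace())]:
        alarm, ys = syn_fin_cusum(trace)
        print(f"{name:20s} alarm at window: {alarm}  max y = {max(ys):.2f}")
```

The SYN-only flood drives the statistic to roughly 9.7 in the first attack window and is caught immediately, while the mixed flood leaves the SYN-FIN difference near zero in every window and is never reported. This is why the thesis pairs its window statistic with source-based checks rather than relying on SYN-FIN balance alone.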
