Abstract
Distributed Denial of Service (DDoS) constitutes major threat to both traditional and SDN networks. An attacker can launch a DDoS attack to exhaust either the controller or other network resources, such as switches, or both. There are different DDoS attacks such as UDP flood, SYN flood, Ping of death, ICMP flood and HTTP flood. Among these, SYN and HTTP flood are the most common attacks these days. In this thesis, we focus on developing a security scheme to alleviate the DDoS attacks with spoofed and non-spoofed IP addresses in the SDN environment. First we use a simple detection mechanism that utilizes a time series window-based traffic statistic measurement to detect possible SYN flood and/or HTTP flood DDoS attacks. To reduce false positives, further investigation of traffic is done based on valid source IP address scheme and single flow packet scheme to separate legitimate traffic from attack traffic. Once the attack is detected, the security scheme deploys a number of mitigation methods to alleviate the attack. For the SYN flood attack, the mitigation method of Source IP address filtering is used to permit traffic only with valid source IP addresses to enter the network. For HTTP flood attack mitigation, a mitigation method is used to identify the attack sources and discard the traffic from those sources. We test our proposed scheme with other DDoS attacks such as ICMP flood attack and UDP flood attacks. We also compare our scheme with other security schemes found in the literature. The result shows that our proposed scheme can effectively protect controller and other network resources from some common DDoS attacks, and that our scheme allows more legitimate traffic connections with less false positives in comparison with other schemes.
Highlights
1.1 Problem StatementIn Software Defined Networking (SDN), the controller is a single point of failure and a prime target of Distributed Denial of Service (DDoS) attacks
As we can see in the above figure, when the traffic becomes heavy in traffic pattern B, a total of 7 false positive reports are detected with a false positive ratio (FPR) being 0.14%
We proposed two detection and mitigation methods to defense SYN flood attack and HTTP flood attack
Summary
In Software Defined Networking (SDN), the controller is a single point of failure and a prime target of DDoS attacks. Distributed Denial of Service (DDoS) is a type of DoS attack and is a common threat to internet today in which multiple compromised systems launch attack on a single system specially server resulting in temporarily interrupting or suspending of services One such attack is SYN Flood attack. Instead of monitoring traffic at front end such as firewall or proxy, detection of SYN flood attack is done at leaf routers that connect end hosts to internet It is an instance of a non-parametric CUSUM, Sequential Change Point Detection method and based on TCP Synchronized-Finish (SYN-FIN) behaviour. The inadequacy of SYN-FIN pair’s scheme is, if the attacker is aware of the presence of such a detection system, it can fail the detection mechanism by flooding a mixture of SYNs and FINs (RSTs) packets
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.