Software defined networking (SDN) has emerged over the past few years as a novel networking technology that enables fast and easy network management. Separating the control plane from the data plane in SDNs allows for dynamic network management, the deployment of new applications, and the implementation of network-specific functions in software. This paper addresses the problem of SYN flood attacks in SDNs, which are considered among the most challenging threats because their effect extends beyond the targeted end system to the controller and the TCAM of OpenFlow switches. These attacks exploit the three-way handshake used to establish a TCP connection: attackers overwhelm the victim machine with a flood of spoofed SYN packets, producing a large number of half-open connections that will never complete, which degrades the performance of the controller and fills the TCAMs of OpenFlow switches with entries for spoofed flows. In this paper, we propose ISDSDN, a mechanism for SYN flood attack mitigation in software defined networks. The proposed mechanism adopts the idea of intentional dropping to distinguish between legitimate and attack SYN packets in the context of software defined networks. ISDSDN is implemented as an extension module of the POX controller and is evaluated under different attack scenarios. Performance evaluation shows that the proposed mechanism is very effective in defending against SYN flood attacks.
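The intentional-dropping idea the abstract refers to rests on a difference in behaviour: a real TCP stack retransmits a SYN that gets no answer, while a spoofed flood source never does. The following Python simulation of a controller-side filter is an added example written for this page, not the authors' ISDSDN module or POX code; the retransmission window, the minimum retransmission gap and the traffic are constructed assumptions.

```python
"""Simulated intentional-drop SYN filter (assumed design, not the paper's).
The first SYN of a new (src_ip, src_port, dst_ip, dst_port) 4-tuple is dropped
and its arrival time recorded; a SYN for the same 4-tuple retransmitted after
at least MIN_RTO seconds and within WINDOW seconds is accepted, which is when a
controller would install the flow on the switch. Spoofed sources never
retransmit, so they never consume a flow entry or TCAM space."""
from dataclasses import dataclass, field

MIN_RTO = 0.5   # assumed: a repeat faster than this is not a stack retransmission
WINDOW = 10.0   # assumed: pending first-SYN records older than this expire


@dataclass
class IntentionalDropFilter:
    pending: dict = field(default_factory=dict)  # 4-tuple -> first-seen time
    allowed: set = field(default_factory=set)    # 4-tuples with a flow installed

    def handle_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.allowed:
            return "ALLOW"               # flow already installed
        self._expire(now)
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = now
            return "DROP"                # intentional drop of the first SYN
        if now - first < MIN_RTO:
            return "DROP"                # too fast to be a genuine retransmission
        del self.pending[key]
        self.allowed.add(key)
        return "ALLOW"                   # retransmitted SYN: install flow, forward

    def _expire(self, now):
        for k in [k for k, t in self.pending.items() if now - t > WINDOW]:
            del self.pending[k]


def simulate(events):
    """events: (time, src_ip, src_port, dst_ip, dst_port) tuples.
    Returns (flows installed, set of source IPs that obtained a flow)."""
    f = IntentionalDropFilter()
    for t, sip, sp, dip, dp in sorted(events):
        f.handle_syn(sip, sp, dip, dp, t)
    return len(f.allowed), {k[0] for k in f.allowed}


# Constructed traffic: one legitimate client retransmitting after 1 s (the
# Linux default initial RTO) mixed with a spoofed flood sending each 4-tuple once.
LEGIT = [(0.0, "10.0.0.5", 40001, "10.0.0.1", 80),
         (1.0, "10.0.0.5", 40001, "10.0.0.1", 80)]
FLOOD = [(0.001 * i, f"198.51.100.{i % 250 + 1}", 1024 + i, "10.0.0.1", 80)
         for i in range(1000)]
```

Running `simulate(LEGIT + FLOOD)` installs exactly one flow, for 10.0.0.5, while the thousand spoofed SYNs leave nothing behind once their pending records expire.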