Article

SAFETY: Early Detection and Mitigation of TCP SYN Flood Utilizing Entropy in SDN

Journal

IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT
Volume 15, Issue 4, Pages 1545-1559

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TNSM.2018.2861741

Keywords

Denial-of-service (DDoS); software-defined networking; security; entropy; TCP SYN-flooding

Funding

  1. DEiTY Government of India project, ISEA-II in the Department of Computer Science and Engineering at Malaviya National Institute of Technology, Jaipur
  2. Marie Curie Fellowship - European Commission [PCIG11-GA-2012-321980]
  3. EU TagItSmart! Project [H2020-ICT30-2015-688061]
  4. project Physical-Layer Security for Wireless Communication - University of Padua
  5. project Content Centric Networking: Security and Privacy Issues - University of Padua

Abstract

Software defined networking (SDN) is an emerging network paradigm that emphasizes the separation of the control plane from the data plane. This decoupling provides several advantages, such as flexibility, programmability, and centralized control. However, SDN also introduces new vulnerabilities because of the communication required between the data plane and the control plane. Examples of threats that leverage such vulnerabilities are control plane saturation and switch buffer overflow attacks. These attacks can be launched by flooding TCP SYN packets from the data plane (i.e., the switches) to the control plane. This paper presents SAFETY, a novel solution for the early detection and mitigation of TCP SYN flooding. SAFETY harnesses the programmability and wide visibility of SDN together with an entropy method to determine the randomness of the flow data. The entropy information includes the destination IP and a few attributes of the TCP flags. To show the feasibility and effectiveness of SAFETY, we implement it as an extension module in the Floodlight controller and evaluate it under different conditional scenarios. We run a thorough evaluation of our implementation through extensive emulation via Mininet. The experimental results show that, compared to the state of the art, SAFETY brings a significant improvement (13%) in the processing delay experienced by a legitimate node. Other parameters, such as CPU utilization at the controller and attack detection time, are also examined and show improvement in various scenarios.
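As an added illustration of the entropy idea in the abstract (this is not code from the paper or its Floodlight module): a window of packets is summarised by the normalized Shannon entropy of its destination IPs and of its TCP-flag combinations, and a window whose entropies collapse while SYN-only packets dominate is flagged. The sample windows, the normalization by log2 of the window size, and the thresholds are constructed assumptions, not values from the paper.

```python
import math
from collections import Counter

# Constructed sample windows (not the paper's data). Each packet is
# (dst_ip, frozenset_of_tcp_flags). 16 packets per window.
BENIGN_WINDOW = (
    [(f"10.0.0.{i}", frozenset({"SYN"})) for i in range(1, 5)]
    + [(f"10.0.0.{i}", frozenset({"SYN", "ACK"})) for i in range(5, 9)]
    + [(f"10.0.0.{i}", frozenset({"ACK"})) for i in range(1, 5)]
    + [(f"10.0.0.{i}", frozenset({"PSH", "ACK"})) for i in range(5, 7)]
    + [(f"10.0.0.{i}", frozenset({"FIN", "ACK"})) for i in range(7, 9)]
)
# Flood window: almost every packet is a bare SYN toward one victim address,
# so both destination-IP and flag entropy collapse.
FLOOD_WINDOW = (
    [("10.0.0.5", frozenset({"SYN"}))] * 14
    + [("10.0.0.2", frozenset({"ACK"})), ("10.0.0.7", frozenset({"SYN", "ACK"}))]
)


def normalized_entropy(values):
    """Shannon entropy of the value distribution, divided by log2(window size)
    so that 0.0 means 'all identical' and 1.0 means 'all distinct' (assumed
    normalization, not necessarily the paper's)."""
    n = len(values)
    if n <= 1:
        return 0.0
    counts = Counter(values)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def window_entropies(window):
    """Return (destination-IP entropy, TCP-flag-combination entropy)."""
    dst_ips = [dst for dst, _ in window]
    flag_sets = [flags for _, flags in window]
    return normalized_entropy(dst_ips), normalized_entropy(flag_sets)


def is_syn_flood(window, ip_threshold=0.5, flag_threshold=0.5, syn_ratio=0.8):
    """Flag a window when both entropies fall below their (assumed) thresholds
    and SYN-only packets make up at least syn_ratio of the window."""
    if not window:
        return False
    h_ip, h_flags = window_entropies(window)
    syn_only = sum(1 for _, f in window if f == frozenset({"SYN"})) / len(window)
    return h_ip < ip_threshold and h_flags < flag_threshold and syn_only >= syn_ratio


if __name__ == "__main__":
    for name, win in (("benign", BENIGN_WINDOW), ("flood", FLOOD_WINDOW)):
        print(name, window_entropies(win), is_syn_flood(win))
```

A controller-side detector would compute the same statistics per window of packet-in events or flow records and only then trigger mitigation, which keeps a single burst of legitimate connection setups from tripping the check.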
