Journal
IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT
Volume 15, Issue 4, Pages 1545-1559
Publisher
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TNSM.2018.2861741
Keywords
Denial-of-service (DDoS); software-defined networking; security; entropy; TCP SYN-flooding
Funding
- DEiTY Government of India project, ISEA-II in the Department of Computer Science and Engineering at Malaviya National Institute of Technology, Jaipur
- Marie Curie Fellowship - European Commission [PCIG11-GA-2012-321980]
- EU TagItSmart! Project [H2020-ICT30-2015-688061]
- project Physical-Layer Security for Wireless Communication - University of Padua
- project Content Centric Networking: Security and Privacy Issues - University of Padua
Software defined networking (SDN) is an emerging network paradigm which emphasizes the separation of the control plane from the data plane. This decoupling provides several advantages such as flexibility, programmability, and centralized control. However, SDN also introduces new vulnerabilities due to the required communication between the data plane and the control plane. Examples of threats that leverage such vulnerabilities are the control plane saturation and switch buffer overflow attacks. These attacks can be launched by flooding TCP SYN packets from the data plane (i.e., switches) to the control plane. This paper presents SAFETY, a novel solution for the early detection and mitigation of TCP SYN flooding. SAFETY harnesses the programming and wide visibility approach of SDN with the entropy method to determine the randomness of the flow data. The entropy information includes the destination IP and a few attributes of TCP flags. To show the feasibility and effectiveness of SAFETY, we implement it as an extension module in the Floodlight controller and evaluate it under different conditional scenarios. We run a thorough evaluation of our implementation through extensive emulation via Mininet. The experimental results show that, when compared to the state-of-the-art, SAFETY brings a significant improvement (13%) regarding the processing delay experienced by a legitimate node. Other parameters such as CPU utilization at the controller and attack detection time are also examined and show improvement in various scenarios.