TFAD: TCP flooding attack detection in software-defined networking using proxy-based and machine learning-based mechanisms

Software-defined networks (SDN) offer a centralized administration programming interface to govern the network infrastructure. It overtook conventional networks by creating a configurable link between the control and data planes. As the logic of the SDN environment completely depends on the control plane, the controller is vulnerable to many security attacks. To degrade the network's performance, attackers will saturate the control plane resources. TCP flooding is a serious threat in which attackers restrict legitimate users from accessing the network resources. To handle this problem, we propose a TCP Flooding Attack Detection (TFAD) technique using proxy-based and Machine-Learning-based mechanisms (ML-TFAD). The TFAD technique contains two proxies, SYN and ACK: the former defends against TCP SYN flood attacks and the latter against TCP ACK flood attacks. The ML-TFAD module uses the C4.5 decision tree algorithm, which detects SYN flood attacks before reaching the targeted server. The CAIDA 2007 DDoS dataset is involved in training the proposed model. The proposed mechanisms help remove half-opened connections from the server queue at the earliest to accommodate TCP connection requests from legitimate users.

Automated summary

Software-defined networks (SDN) provide a centralized administration programming interface to govern the network infrastructure by creating a configurable link between the control and data planes. However, the logic of the SDN environment depends on the control plane, making the controller vulnerable to security attacks. To address the serious threat of TCP flooding, we propose a technique called TCP Flooding Attack Detection (TFAD) using proxy-based and Machine-Learning-based mechanisms (ML-TFAD).