期刊
IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT
卷 14, 期 2, 页码 487-497出版社
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TNSM.2017.2701549
关键词
TCP SYN flooding; SDN; security; SYN flooding countermeasure
资金
- European Commission [PCIG11-GA-2012-321980]
- EU TagItSmart! Project [H2020-ICT30-2015-688061]
- EU-India REACH Project [ICI+/2014/342-896]
- project Physical-Layer Security for Wireless Communication - University of Padua
- project Content Centric Networking: Security and Privacy Issues - University of Padua
- Cisco University Research Program Fund [2017-166478 (3696)]
- Silicon Valley Community Foundation
Software defined networking (SDN) is a novel networking paradigm which decouples control plane from data plane. This separation facilitates a high level of programmability and manageability. On the other hand, it makes the SDN controller a bottleneck and hence vulnerable to control plane saturation attack. One of the key mechanism to achieve control plane saturation is via TCP SYN flooding attack. This is one of the most effective and popular denial of service attack, in which the attacker produces many half-open TCP connections on the targeted server in order to degrade its availability. Furthermore, when applied to SDN, TCP SYN flooding attack also introduces control plane saturation attack. In particular, the attacker generates a significant number of TCP SYN packets and imposes data plane switches to forward them to the controller. As a result, the performance of the controller degrades and the controller will not be able to respond genuine requests in acceptable time. In this paper, we propose SLICOTS, an effective and efficient countermeasure to mitigate TCP SYN flooding attack in SDN. SLICOTS takes the advantage of dynamic programmability nature of SDN to detect and prevent attacks. SLICOTS is implemented in the controller, it surveils ongoing TCP connection requests, and blocks malicious hosts. We implemented SLICOTS as an extension module of OpenDayLight controller and evaluated it under different attack scenarios. The experimental results confirm that, compared to the state-of-art, SLICOTS reduces the response time overhead up to some 50%, while ensuring the same level of protection.
作者
我是这篇论文的作者
点击您的名字以认领此论文并将其添加到您的个人资料中。
推荐
暂无数据