Article

SLICOTS: An SDN-Based Lightweight Countermeasure for TCP SYN Flooding Attacks

Journal

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TNSM.2017.2701549

Keywords

TCP SYN flooding; SDN; security; SYN flooding countermeasure

Funding

  1. European Commission [PCIG11-GA-2012-321980]
  2. EU TagItSmart! Project [H2020-ICT30-2015-688061]
  3. EU-India REACH Project [ICI+/2014/342-896]
  4. project Physical-Layer Security for Wireless Communication - University of Padua
  5. project Content Centric Networking: Security and Privacy Issues - University of Padua
  6. Cisco University Research Program Fund [2017-166478 (3696)]
  7. Silicon Valley Community Foundation


Software defined networking (SDN) is a novel networking paradigm which decouples the control plane from the data plane. This separation facilitates a high level of programmability and manageability. On the other hand, it makes the SDN controller a bottleneck and hence vulnerable to control plane saturation attacks. One of the key mechanisms to achieve control plane saturation is the TCP SYN flooding attack. This is one of the most effective and popular denial of service attacks, in which the attacker produces many half-open TCP connections on the targeted server in order to degrade its availability. Furthermore, when applied to SDN, the TCP SYN flooding attack also introduces a control plane saturation attack. In particular, the attacker generates a significant number of TCP SYN packets and forces data plane switches to forward them to the controller. As a result, the performance of the controller degrades and the controller will not be able to respond to genuine requests in acceptable time. In this paper, we propose SLICOTS, an effective and efficient countermeasure to mitigate TCP SYN flooding attacks in SDN. SLICOTS takes advantage of the dynamic programmability of SDN to detect and prevent attacks. SLICOTS is implemented in the controller; it surveils ongoing TCP connection requests and blocks malicious hosts. We implemented SLICOTS as an extension module of the OpenDayLight controller and evaluated it under different attack scenarios. The experimental results confirm that, compared to the state of the art, SLICOTS reduces the response time overhead by up to some 50%, while ensuring the same level of protection.
