Abstract
Software defined networking (SDN) is a novel programmable networking paradigm that decouples control and data planes. SDN relies heavily on the controller in control plane that tells the data plane how to handle new packets. Because the entire network may be disrupted if the controller is disabled, many attacks including SYN flooding aim to overload the controller by passing through the ingress switches. In this paper, we propose a security enhanced Open vSwitch (SD-OVS) to protect the controller from SYN flooding. The switch authenticates benign hosts by interchanging cookie packets and generates a short-lived security association (SA). The retransmitted SYN packet from these benign hosts is validated using SA and passed on to the controller. Our evaluation shows that SD-OVS protects the controller from SYN flooding at an acceptable time cost.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
McKeown, N., et. al.: OpenFlow: enabling innovation in campus networks. In: ACM SIGCOMM Computer Communications Review, New York, pp. 69–74 (2008)
CERT, TCP SYN Flooding and IP Spoofing Attacks (1996)
Eddy, W.: TCP SYN flooding attacks and common mitigations. In: Request for Comments: 4987, pp. 6–10 (2007)
Gavaskar, S., Surendiran, R., Ramaraj, E.: Three counter defense mechanism for TCP SYN flooding attacks. Int. J. Comput. Appl. 6(6), 12–15 (2010)
Hong, S., Xu, L., Wang, H., Gu, G.: Poisoning network visibility in software-defined networks: new attacks and countermeasures. In: NDSS Symposium on 2015, San Diego (2015)
Braga, R., Mota, E., Passito, A.: Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: IEEE 35th Conference on Local Computer Networks (LCN), pp. 408–415. IEEE, Denver (2010)
Shin, S., Yegneswaran, V., Porras, P., Gu, G.: AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks. In: ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, New York, pp. 413–424 (2013)
OpenFlow Switch Specification. http://www.openflow.org/documents/openflow-spec-v1.0.0.pdf
Open vSwitch. http://openvswitch.org/
Bernstein, D.J.: SYN cookie, September 1996
Kim, T., Choi, Y., Kim, J., Hong, S.: Annulling SYN flooding attacks with whitelist. In: 22nd International Conference on Advanced Information Networking and Applications, Okinawa, pp. 371–376 (2008)
Floodlight. http://www.projectfloodlight.org/floodlight/
Goldreich, O.: Foundations of Cryptography: Volume II Basic Applications, pp. 498–502. Cambridge University Press, New York (2004)
PUB, FIPS, Secure Hash Standard. FIPS PUB 180-4, pp. 18–20 (2012)
Scott-Hayward, S., O’Callaghan, G., Sezer, S.: SDN security: a survey. In: Future Networks and Services (SDN4FNS), pp. 1–7. IEEE, Trento (2013)
Kloti, R., Kotronis, V., Smith, P.: OpenFlow: a security analysis. In: 21st IEEE International Conference on Network Protocols, pp. 1–6. IEEE, Goettingen (2013)
Acknowledgements
This work was supported by Samsung Research Funding Center of Samsung Electronics under Project Number SRFC-TB1403-04.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Liu, X., Cho, B., Kim, J. (2017). SD-OVS: SYN Flooding Attack Defending Open vSwitch for SDN. In: Choi, D., Guilley, S. (eds) Information Security Applications. WISA 2016. Lecture Notes in Computer Science(), vol 10144. Springer, Cham. https://doi.org/10.1007/978-3-319-56549-1_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-56549-1_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-56548-4
Online ISBN: 978-3-319-56549-1
eBook Packages: Computer ScienceComputer Science (R0)