Early detection and mitigation of TCP SYN flood attacks in SDN using chi-square test

The Journal of Supercomputing

Abstract

Software Defined Networking (SDN) is a network paradigm that separates the control plane from the data plane. Centralized management of the network and dynamic programmability are the advantages of this separation. However, SDN is exposed to security threats such as DDoS attacks. In this paper, we propose an early detection and mitigation model for DDoS attacks carried out by TCP SYN flooding. The model uses the programmability of SDN to collect features from network traffic at the centralized controller; we implement it as a module in the POX controller. The model extracts two header features, MAC addresses and TCP flags, to build a list of the number of half-open connections per host in the network within a given time period. The extended chi-square goodness-of-fit test serves as the basis for the detection method. We calculate the χ² value for the list of half-open connections and derive the p-value from it; when the p-value drops below the threshold, an attack is detected. We mitigate the attack by blocking the attack traffic from the attackers within the network using their source MAC addresses. The experimental results show that the model successfully detects and mitigates TCP SYN floods at the source end, i.e. in the attack-originating network. We compare our model with the existing literature, show improved attack detection, and discuss the advantages of the proposed model over the existing schemes.
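The detection and mitigation loop described in the abstract, as an added worked example rather than the authors' POX module: per-source-MAC half-open connection accounting driven by TCP flags, a chi-square goodness-of-fit test over the per-host counts at the end of each window, and source-MAC blocking once the p-value falls below a threshold. Everything not stated in the abstract is an assumption of this example: the uniform expected distribution of half-open connections across hosts (the paper's "extended" test is not described here), the p-value threshold of 0.01, the rule that blocks every host above the expected count, the use of the TCP 4-tuple to pair SYNs with completing ACKs, and the constructed MAC addresses and traffic. The chi-square survival function is implemented inline so the script runs with the standard library only.

```python
# Added example (not the paper's POX module); see the lead-in for assumptions.
import math
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits (RFC 793)


def chi2_sf(x, df):
    """P(X >= x) for chi-square with df degrees of freedom, i.e. the regularised
    upper incomplete gamma Q(df/2, x/2) (Numerical Recipes split, no SciPy)."""
    if x <= 0:
        return 1.0
    a, z = df / 2.0, x / 2.0
    scale = math.exp(-z + a * math.log(z) - math.lgamma(a))
    if z < a + 1.0:                      # series for P(a, z); Q = 1 - P
        term = total = 1.0 / a
        ap = a
        for _ in range(500):
            ap += 1.0
            term *= z / ap
            total += term
            if abs(term) < abs(total) * 1e-15:
                break
        return 1.0 - total * scale
    tiny = 1e-300                        # modified Lentz continued fraction for Q
    b = z + 1.0 - a
    c, d = 1.0 / tiny, 1.0 / b
    h = d
    for i in range(1, 500):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return h * scale


class SynFloodDetector:
    """Per-source-MAC half-open connection accounting for one time window.
    Flows are keyed by 4-tuple only for bookkeeping (the paper keys on MAC
    addresses and TCP flags); the p-value threshold is an assumption."""

    def __init__(self, p_threshold=0.01):
        self.p_threshold = p_threshold
        self.pending = {}                        # flow 4-tuple -> initiating MAC
        self.half_open = defaultdict(int)        # source MAC -> half-open count
        self.blocked = set()

    def observe(self, src_mac, dst_mac, sport, dport, flags):
        """Feed one TCP segment as the controller sees it in a packet-in."""
        if src_mac in self.blocked:              # mitigated: dropped at the switch
            return
        key = (src_mac, dst_mac, sport, dport)
        if flags & RST:                          # RST in either direction tears it down
            for k in (key, (dst_mac, src_mac, dport, sport)):
                if k in self.pending:
                    self.half_open[self.pending.pop(k)] -= 1
        elif flags & SYN and not flags & ACK:    # client SYN opens a half-open entry
            if key not in self.pending:
                self.pending[key] = src_mac
                self.half_open[src_mac] += 1
        elif flags & ACK and not flags & SYN:    # client's final ACK completes it
            if key in self.pending:
                self.half_open[self.pending.pop(key)] -= 1

    def end_window(self):
        """Chi-square goodness of fit of the per-host counts against a uniform
        expectation (assumed here; the paper's extended test may differ). When
        p < threshold, block every host above the expected count, then reset."""
        counts = self.half_open
        total = sum(counts.values())
        chi2, p, newly_blocked = 0.0, 1.0, []
        if len(counts) >= 2 and total > 0:
            expected = total / len(counts)
            chi2 = sum((n - expected) ** 2 / expected for n in counts.values())
            p = chi2_sf(chi2, len(counts) - 1)
            if p < self.p_threshold:
                newly_blocked = sorted(m for m, n in counts.items() if n > expected)
                self.blocked.update(newly_blocked)
        self.half_open = defaultdict(int)
        self.pending.clear()
        return chi2, p, newly_blocked


def simulate(attacker_syns=200):
    """Constructed traffic: window 1 is benign (one slow handshake left open);
    in window 2 host ...03 floods SYNs from fresh source ports, never completing."""
    det = SynFloodDetector()
    server = "00:00:00:00:00:ff"
    hosts = ["00:00:00:00:00:%02x" % i for i in range(1, 5)]
    for i, h in enumerate(hosts):
        det.observe(h, server, 40000 + i, 80, SYN)
        if i > 0:
            det.observe(h, server, 40000 + i, 80, ACK)
    benign = det.end_window()           # chi2 = 3.0, p ~ 0.39, nothing blocked
    for i, h in enumerate(hosts):
        det.observe(h, server, 41000 + i, 80, SYN)
        det.observe(h, server, 41000 + i, 80, ACK)
    det.observe(hosts[1], server, 42000, 80, SYN)       # one benign half-open
    for sport in range(50000, 50000 + attacker_syns):
        det.observe(hosts[2], server, sport, 80, SYN)
    attack = det.end_window()           # p ~ 0, only 00:00:00:00:00:03 blocked
    return benign, attack
```

In the benign window a single lingering half-open connection gives χ² = 3.0 with 3 degrees of freedom (p ≈ 0.39), well above the threshold, so nothing is blocked; in the attack window one host holding 200 half-open connections pushes χ² near 600 and the p-value to effectively zero, and only that host's MAC is added to the block list. A real deployment would also expire stale entries by time, since a legitimate client that silently disappears otherwise stays counted as half-open until the window resets.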

Availability of data and materials

Not applicable (no dataset used).

Funding

Not applicable.

Author information

Contributions

PVS: conceptualization, methodology, software (coding and implementation), conducting experiments, writing (original draft preparation), editing. VR: supervision, writing (reviewing and editing). SGS: supervision, writing (reviewing and editing).

Corresponding author

Correspondence to P. V. Shalini.

Ethics declarations

Conflict of interest

We (the authors) declare that we have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Ethical approval

Not applicable.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Shalini, P.V., Radha, V. & Sanjeevi, S.G. Early detection and mitigation of TCP SYN flood attacks in SDN using chi-square test. J Supercomput 79, 10353–10385 (2023). https://doi.org/10.1007/s11227-023-05057-x
