
Computer Networks

Volume 92, Part 1, 9 December 2015, Pages 89-100

OPERETTA: An OPEnflow-based REmedy to mitigate TCP SYNFLOOD Attacks against web servers

https://doi.org/10.1016/j.comnet.2015.08.038

Abstract

TCP SYNFLOOD attacks are a type of Distributed Denial of Service (DDoS) attack usually carried out against web servers. TCP SYNFLOOD attacks rely on the normal TCP Three-Way Handshake mechanism to consume resources on the targeted server. In this way server resources are blocked and the server is made unresponsive. To this purpose, the attacker sends multiple fake SYN packets as if it wanted to set up several TCP connections, but then it does not finalize the Three-Way Handshake. In this way, it uselessly blocks the resources of the attacked server. In traditional networks, these attacks have been counteracted by means of firewalls and intrusion detection schemes. However, these solutions are not effective since they can be violated. Software Defined Networks (SDNs) offer new features like network programmability which make solutions to TCP SYNFLOOD attacks more effective. In fact, in SDN networks the intelligence for counteracting security menaces can be moved to a single network element, i.e., the Controller, which has complete information about the network and is in the best condition to identify ongoing attacks. However, in this way TCP SYNFLOOD attacks can turn into attacks on the Controller, which becomes a single point of failure for the network. In this paper we propose OPERETTA, an OPEnflow-based Remedy to TCP SYNFLOOD Attacks. OPERETTA is implemented in the Controller, which manages incoming TCP SYN packets and rejects fake connection requests. The OPERETTA protocol works in heterogeneous networks, as it can be implemented not only on a centralized Controller, but also on delocalized Controllers available in the access routers at the users’ premises. OPERETTA has been tested using MININET and to this purpose prototypes of the relevant Control Plane functions have been implemented starting from the POX Controller. Numerical results show that OPERETTA achieves good performance in terms of resilience to TCP SYNFLOOD attacks and a low level of CPU and memory consumption.

Introduction

TCP SYNFLOOD attacks are a type of Distributed Denial of Service (DDoS) attack that rely on the normal TCP Three-Way Handshake mechanism to consume resources on the targeted server. In this way server resources are blocked and the server is made unresponsive. As a consequence the attacked server is overwhelmed and cannot support the requested service.

The TCP SYNFLOOD attack was identified by Ziegler in 1994 [1]. Analyzing statistics on this type of attack, it has been observed that it represents 90% of the DoS attacks worldwide [2]; so it is a widespread and critical menace to be faced. In the TCP SYNFLOOD attack it is assumed that the victim node, upon receiving a connection request in the form of a SYN segment from a remote user, enters a listening state where its resources are frozen waiting for the confirmation ACK from the initiating node. The victim waits for a certain amount of time and then gives up. If the victim’s buffer allows multiple packets to be enqueued, this mechanism will exhaust the victim’s available resources.

TCP SYNFLOOD attacks have been widely addressed in the literature as discussed in [3].

Methodologies used to counteract such a menace typically employ firewalls and intrusion detection schemes which can be ineffective and can be violated.

In SDN networks the decoupling between the data plane and the Control Plane makes it possible to set up more effective solutions to TCP SYNFLOOD attacks. In fact, in these networks, the intelligence for counteracting security menaces can be moved to a single network element, i.e., the OpenFlow Controller, which has complete information about the network and is in the best position to identify ongoing attacks. However, in this way TCP SYNFLOOD attacks can turn into attacks on the Controller, which becomes a single point of failure for the network.

In this paper we propose OPERETTA, an OPEnflow-based Remedy to TCP SYNFLOOD Attacks. OPERETTA is implemented in the Controller which manages incoming TCP SYN packets and rejects fake connection requests. According to a traditional SDN architecture, OPERETTA logically consists of a single Controller, although physically OPERETTA can also be employed in a decentralized manner where multiple Controllers are available in the access routers at the users’ premises to run control operations. This delocalization of the Controller function into multiple Controllers also achieves the objective of higher system reliability since, in case of DoS attacks, only a portion of the network, and not the entire network, is involved in the attack. OPERETTA has been tested using MININET and to this purpose prototypes of the relevant Control Plane functions have been implemented starting from the POX Controller. Numerical results show that OPERETTA achieves good performance in terms of resilience to TCP SYNFLOOD attacks and low level of CPU and memory usage.
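As an added illustration (not code from the paper or its POX prototype) of the half-open-connection mechanism described in the introduction and of the controller-side remedy the paper proposes: a Python model in which a victim's backlog is exhausted by SYNs that are never acknowledged, beside a simplified handshake-validating controller that hands a connection to the server only after the client completes the handshake and stops forwarding a source that leaves too many half-open requests. The SynBacklog and ControllerGuard classes, the thresholds, tick-based timeouts and addresses are assumptions made for the illustration, not details of OPERETTA's protocol.

```python
class SynBacklog:
    # Victim's backlog: each SYN holds a slot until its ACK arrives or the entry times out.
    def __init__(self, capacity, timeout):
        self.capacity, self.timeout, self.pending = capacity, timeout, {}
    def on_syn(self, src, sport, now):
        self.pending = {k: t for k, t in self.pending.items() if t > now}  # give up on stale entries
        if len(self.pending) >= self.capacity:
            return False  # backlog exhausted: the connection request is lost
        self.pending[(src, sport)] = now + self.timeout
        return True
    def on_ack(self, src, sport, now):
        return self.pending.pop((src, sport), None) is not None

class ControllerGuard:
    # Assumed simplification of a controller-side remedy (not the paper's protocol): the controller
    # answers SYNs itself, forwards a connection only after the client's ACK, and blocks noisy sources.
    def __init__(self, server, max_half_open=3):
        self.server, self.max_half_open = server, max_half_open
        self.pending, self.half_open, self.blocked = set(), {}, set()
    def on_syn(self, src, sport, now):
        self.half_open[src] = self.half_open.get(src, 0) + 1
        if src in self.blocked or self.half_open[src] > self.max_half_open:
            self.blocked.add(src)  # fake requests never complete: stop forwarding this source
            return "dropped"
        self.pending.add((src, sport))
        return "syn-ack"  # answered by the controller; the server has seen nothing yet
    def on_ack(self, src, sport, now):
        if (src, sport) not in self.pending:
            return "rejected"  # ACK for a handshake the controller never started
        self.pending.discard((src, sport))
        self.half_open[src] -= 1
        self.server.on_syn(src, sport, now)  # validated client: only now does the server see it
        self.server.on_ack(src, sport, now)
        return "forwarded"

def unprotected(flood_size=5):
    server = SynBacklog(capacity=5, timeout=10)
    for i in range(flood_size):  # constructed attack traffic: SYNs that are never ACKed
        server.on_syn("10.0.0.9", 40000 + i, now=0)
    locked_out = not server.on_syn("10.0.0.2", 5000, now=1)  # legitimate client finds no slot
    recovered = server.on_syn("10.0.0.2", 5001, now=11)       # ...until the fake entries time out
    return locked_out, recovered

def protected(flood_size=5):
    server = SynBacklog(capacity=5, timeout=10)
    guard = ControllerGuard(server)
    verdicts = [guard.on_syn("10.0.0.9", 40000 + i, now=0) for i in range(flood_size)]
    legit = (guard.on_syn("10.0.0.2", 5000, now=1) == "syn-ack"
             and guard.on_ack("10.0.0.2", 5000, now=1) == "forwarded")
    return legit, len(server.pending), verdicts.count("dropped")
```

With the guard in place the server's backlog never holds an attacker entry, while the legitimate client is still forwarded once its ACK arrives.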

The rest of this paper is organized as follows. In Section 2 we discuss the background literature in the field. In Section 3 we describe OPERETTA and in Section 4 we discuss the protocol performance. Finally, in Section 5 conclusions are drawn.

Section snippets

Background

In this section we provide a brief overview of the relevant literature in the field. More specifically, in Section 2.1 we discuss Denial of Service attacks in general and in Section 2.2 we focus on the TCP SYNFLOOD attack in particular. In Section 2.3 we recall Software Defined Networks with special focus on OpenFlow and in Section 2.4 we illustrate the few solutions to TCP SYNFLOOD attacks proposed so far for SDNs.

OPERETTA

In this section we describe OPERETTA, an OPEnflow-based Remedy to TCP SYNFLOOD Attacks. In particular, in Section 3.1 we illustrate OPERETTA in a nutshell; then, in Section 3.2 the protocol behavior is described in more detail.

Performance Assessment

In this section we describe the implementation details of our experimental testbed and illustrate the scenarios being considered and the model of attack implemented.

Conclusions

In this paper we have introduced OPERETTA, an OpenFlow Remedy to TCP SYNFLOOD attacks. OPERETTA relies on the use of an SDN approach to protect the OF Controller from TCP SYNFLOOD attacks. OPERETTA achieves four main targets, i.e., it provides a robust methodology to identify TCP SYNFLOOD attacks while also providing a flexible network mechanism for coping with these attacks which does not introduce significant CPU processing or memory overhead. Observe that OPERETTA works in heterogeneous

Silvia Fichera received her laurea degree in Telecommunications Engineering from University of Catania, Catania, Italy, in 2014. She was also trainee at Ecole Polytechnique Fédérale de Lausanne (EPFL). Now she is with Scuola Superiore di Studi S. Anna, Pisa, Italy.

References (28)

  • B. Ziegler, Hacker tangles panix web site, Wall Street J., September 12, 1996.
  • D. Moore et al., Inferring internet denial of service activity, Proceedings of USENIX Security Symposium, 2001.
  • J. Mirkovic et al., A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Comput. Commun. Rev., April 2004.
  • E. Damon et al., Hands-on denial of service lab exercises using SlowLoris and RUDY, Proceedings of INFOCSECD, 2012.
  • M. Bogdanoski et al., Analysis of the SYN Flood DoS Attack, Int. J. Comput. Netw. Inf. Secur., 2013.
  • Radware, security report, global application & network, 2013,...
  • Cisco, defining strategies to protect against TCP SYN denial of service attacks, 2006,...
  • W.M. Eddy, Defenses against TCP SYN flooding attacks, Internet Protoc. J., 2006.
  • J. Lemon, Resisting SYN flood DoS attacks with a SYN cache, Proceedings of the BSD Conference, 2002.
  • P. Ferguson, D. Senie, 2000, RFC 2827 Network ingress filtering: defeating denial of service attacks which employ IP...
  • IETF RFC 2960 Stream Control Transmission...
  • ...
  • N. McKeown et al., OpenFlow: enabling innovation in campus networks, ACM SIGCOMM Comput. Commun. Rev., 2008.
  • Open Networking Foundation - ONF White Paper, Software-Defined Networking: the new norm for networks, 2012,...
Cited by (67)

  • DOCUS-DDoS detection in SDN using modified CUSUM with flash traffic discrimination and mitigation, Computer Networks, 2022. Citation excerpt: “We categorize this section as four subsections based on the detection approach of the schemes: DDoS detection using half-open connections, statistical detection techniques, DDoS detection with flash traffic separation and DDoS detection in recent new environments. The schemes [13,16] detect the DDoS attack by counting the number of half-open connections for each source MAC address. Statistical techniques like entropy, information distance, CUSUM are successful in DDoS attack detection.”
  • Enhancing the security of blockchain-based software defined networking through trust-based traffic fusion and filtration, Information Fusion, 2021. Citation excerpt: “They further presented a prototype using the NetFPGA OpenFlow platform. Fichera et al. [54] described OPERETTA, a mechanism that could secure the OpenFlow controller from TCP SYNFLOOD attacks. It aims to handle incoming TCP SYN packets and reduce fake connection requests.”


Laura Galluccio received her laurea degree in Electrical Engineering from University of Catania, Catania, Italy, in 2001. In March 2005 she received her Ph.D. in Electrical, Computer and Telecommunications Engineering at the same university under the guidance of Prof. Sergio Palazzo. Since 2002 she has also been at the Italian National Consortium of Telecommunications (CNIT), where she worked as a Research Fellow within the VICOM (Virtual Immersive Communications) and the SATNEX Projects. Since November 2010 she has been Assistant Professor at University of Catania. Her research interests include ad hoc and sensor networks, protocols and algorithms for wireless networks, and network performance analysis. From May to July 2005 she was a Visiting Scholar at the COMET Group, Columbia University, NY under the guidance of Prof. Andrew T. Campbell. She is a member of Sigmobile, IEEE and N2Women.

Salvatore Grancagnolo received his laurea degree in Telecommunications Engineering from University of Catania, Catania, Italy, in 2014. Formerly he was with Consorzio Nazionale Interuniversitario per le Telecomunicazioni. Now he is a consultant at Altran Italia SPA.

Giacomo Morabito was born in Messina, Sicily (Italy) on March 16, 1972. He received the laurea degree in Electrical Engineering and the PhD in Electrical, Computer and Telecommunications Engineering from the Istituto di Informatica e Telecomunicazioni, University of Catania, Catania (Italy), in 1996 and 2000, respectively. From November 1999 to April 2001, he was with the Broadband and Wireless Networking Laboratory of the Georgia Institute of Technology as a Research Engineer. Since April 2001 he has been with the Dipartimento di Ingegneria Informatica e delle Telecomunicazioni of the University of Catania, where he is currently Associate Professor. His research interests focus on analysis and solutions for wireless networks.

Sergio Palazzo was born in Catania, Italy, on December 12, 1954. He received his degree in electrical engineering from the University of Catania in 1977. Until 1981, he was at ITALTEL, Milano, where he was involved in the design of operating systems for electronic exchanges. He then joined CREI, which is the center of the Politecnico di Milano for research on computer networks. Since 1987 he has been at the University of Catania, where he is now a Full Professor of Telecommunications Networks. In 1994, he spent the summer at the International Computer Science Institute (ICSI), Berkeley, as a Senior Visitor. He is a recipient of the 2003 Visiting Erskine Fellowship from the University of Canterbury, Christchurch, New Zealand. Since 1992, he has been serving on the Technical Program Committee of INFOCOM, the IEEE Conference on Computer Communications. He has been the General Chair of several ACM conferences, including MobiHoc 2006 and MobiOpp 2010, and is currently a member of the MobiHoc Steering Committee. He has also been the TPC Co-Chair of the IFIP Networking 2011, IWCMC 2013, and European Wireless 2014 conferences. Moreover, in the recent past, he has been the Program Co-Chair of the 2005 International Tyrrhenian Workshop on Digital Communications, focused on “Distributed Cooperative Laboratories: Networking, Instrumentation, and Measurements”, the General Vice Chair of the ACM MobiCom 2001 Conference, and the General Chair of the 2001 International Tyrrhenian Workshop on Digital Communications, focused on “Evolutionary Trends of the Internet”. He currently serves on the Editorial Board of the journal Ad Hoc Networks. In the recent past, he was also an Editor of IEEE Wireless Communications Magazine (formerly IEEE Personal Communications Magazine), IEEE/ACM Transactions on Networking, IEEE Transactions on Mobile Computing, Computer Networks, and Wireless Communications and Mobile Computing. He was a Guest Editor of Special Issues in the IEEE Journal on Selected Areas in Communications (“Intelligent Techniques in High-Speed Networks”), in the IEEE Personal Communications Magazine (“Adapting to Network and Client Variability in Wireless Networks”), in the Computer Networks journal (“Broadband Satellite Systems: a Networking Perspective”), and in the EURASIP Journal on Wireless Communications and Networking (“Ad Hoc Networks: Cross-Layer Issues”, and “Opportunistic and Delay Tolerant Networks”). He was also the recipient of the 2002 Best Editor Award for the Computer Networks journal. His current research interests include mobile systems, wireless and satellite IP networks, intelligent techniques in network control, multimedia traffic modeling, and protocols for the next generation of the Internet.
