Abstract
Software Defined Networking (SDN) is a network paradigm that separates the control plane from the data plane. Centralized management of the network and dynamic programmability are the advantages of this separation. However, SDN suffers from security threats such as DDoS attacks. In this paper, we propose an early detection and mitigation model for DDoS attacks caused by TCP SYN flooding. The model uses the programmability of SDN to collect features from network traffic at the centralized controller; for that, we implement the proposed model as a module in the POX controller. The model extracts two header features, MAC addresses and TCP flags, and uses them to construct, for a given time window, the list of the number of half-open connections per host in the network. The extended chi-square goodness-of-fit test serves as the basis of the detection method. We calculate the \(\chi ^2\) value for the list of half-open connections and derive the \(p\)-value from it; when the \(p\)-value drops below the threshold, an attack is detected. We also mitigate the attack by blocking the attack traffic from the attackers within the network using their source MAC addresses. The experimental results show that the model successfully detects and mitigates TCP SYN floods at the source end, i.e. in the attack-originating network. We compare our model with the existing literature, show improved attack detection, and discuss the advantages of the proposed model over existing schemes.
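The detection step described in the abstract, as an added example that is not the paper's POX module: half-open connections are tallied per source MAC inside one window, a chi-square goodness-of-fit statistic is computed over that list, and its \(p\)-value is compared with a threshold. Everything the abstract does not specify is an assumption here: the expected count is taken to be uniform across hosts, the threshold is 0.05, half-open tracking is reduced to per-source SYN/ACK bookkeeping rather than full per-flow state, and the hosts chosen for blocking are those whose half-open count exceeds the uniform expectation once the test rejects. The MAC addresses and packet windows are constructed sample data. The chi-square survival function is implemented with the standard series/continued-fraction split for the regularized incomplete gamma so the block runs with only the standard library.

```python
# Added example (not the paper's code): chi-square test over per-host
# half-open TCP connection counts in one time window. Assumptions, not
# values from the paper: uniform expected counts, p-value threshold 0.05,
# simplified per-source SYN/ACK bookkeeping, and the attacker-selection rule.
import math
from collections import defaultdict

P_THRESHOLD = 0.05  # assumption: the paper's threshold is not given in the abstract


def chi2_sf(x, k):
    """P(X > x) for a chi-square variable with k degrees of freedom, i.e. the
    regularized upper incomplete gamma Q(k/2, x/2): series for the lower
    incomplete gamma when x/2 < k/2 + 1, modified Lentz continued fraction
    otherwise (the usual Numerical Recipes split)."""
    a, z = k / 2.0, x / 2.0
    if z <= 0.0:
        return 1.0
    log_prefactor = -z + a * math.log(z) - math.lgamma(a)
    if z < a + 1.0:
        term = total = 1.0 / a
        n = a
        for _ in range(500):
            n += 1.0
            term *= z / n
            total += term
            if abs(term) < abs(total) * 1e-15:
                break
        return 1.0 - total * math.exp(log_prefactor)
    tiny = 1e-300
    b = z + 1.0 - a
    c = 1.0 / tiny
    d = 1.0 / b
    h = d
    for i in range(1, 500):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        if abs(d) < tiny:
            d = tiny
        c = b + an / c
        if abs(c) < tiny:
            c = tiny
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return math.exp(log_prefactor) * h


def half_open_per_host(packets):
    """Count half-open connections per source MAC inside one window.

    `packets` is a list of (src_mac, tcp_flags) tuples, flags as a string of
    letters ('S' = SYN, 'A' = ACK). A packet with SYN and no ACK opens a
    half-open connection for its source; a pure ACK from the same source
    completes one pending handshake (a simplification of per-flow tracking)."""
    pending = defaultdict(int)
    for src, flags in packets:
        if "S" in flags and "A" not in flags:
            pending[src] += 1
        elif flags == "A" and pending[src] > 0:
            pending[src] -= 1
    return dict(pending)


def chi_square_test(counts):
    """Return (chi2, p_value) for the observed per-host counts against a
    uniform expectation with n-1 degrees of freedom."""
    observed = list(counts.values())
    n, total = len(observed), sum(observed)
    if n < 2 or total == 0:
        return 0.0, 1.0  # test undefined: treat the window as benign
    expected = total / n
    chi2 = sum((o - expected) ** 2 / expected for o in observed)
    return chi2, chi2_sf(chi2, n - 1)


def detect(packets, threshold=P_THRESHOLD):
    """Return (attack_detected, p_value, macs_to_block) for one window.
    Attacker selection (assumption): when the test rejects, every host whose
    half-open count exceeds the uniform expectation is blocked by source MAC."""
    counts = half_open_per_host(packets)
    chi2, p = chi_square_test(counts)
    if p >= threshold:
        return False, p, []
    expected = sum(counts.values()) / len(counts)
    return True, p, sorted(mac for mac, c in counts.items() if c > expected)


# Constructed sample data: four hosts, two windows of (src MAC, TCP flags).
H1, H2, H3, H4 = ("00:00:00:00:00:%02x" % i for i in (1, 2, 3, 4))
NORMAL_WINDOW = [
    (H1, "S"), (H1, "S"), (H1, "S"), (H1, "A"),             # 2 half-open
    (H2, "S"), (H2, "S"), (H2, "S"),                        # 3 half-open
    (H3, "S"), (H3, "S"), (H3, "A"), (H3, "S"),             # 2 half-open
    (H4, "S"), (H4, "S"), (H4, "S"), (H4, "A"), (H4, "S"),  # 3 half-open
]
ATTACK_WINDOW = [
    (H1, "S"), (H1, "S"), (H1, "A"),                        # 1 half-open
    (H2, "S"), (H2, "S"),                                   # 2 half-open
    (H3, "S"), (H3, "A"), (H3, "S"),                        # 1 half-open
] + [(H4, "S")] * 40                                        # H4 floods SYNs

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        detected, p, block = detect(window)
        print("%s window: p=%.3g attack=%s block=%s" % (name, p, detected, block))
```

In a controller module the window would be filled from packet-in events and the returned MACs turned into drop rules matching the source MAC, which is the mitigation the abstract describes. Two caveats a deployment needs: the uniform expectation penalizes any legitimately busy host (a proxy or NAT gateway), so a per-host baseline learned from earlier windows is the usual replacement, and the test is undefined for a single host or an empty window, which the code reports as benign rather than as an attack.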
Availability of data and materials
Not applicable (no dataset used).
Funding
Not applicable.
Author information
Contributions
PVS: conceptualization, methodology, software (coding and implementation), conducting experiments, writing—original draft preparation, editing. VR: supervision, writing—reviewing and editing. SGS: supervision, writing—reviewing and editing.
Ethics declarations
Conflict of interest
We (the authors) declare that we have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Ethical approval
Not applicable.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Shalini, P.V., Radha, V. & Sanjeevi, S.G. Early detection and mitigation of TCP SYN flood attacks in SDN using chi-square test. J Supercomput 79, 10353–10385 (2023). https://doi.org/10.1007/s11227-023-05057-x