Research field: Networking
Venue: Journal of Network and Systems Management
A hybrid software-defined network (SDN) combines traditional network infrastructure with SDN, providing the benefits of centralized SDN control and the distributed nature of legacy networks. However, it faces security challenges, particularly SYN spoofing-based Distributed Denial-of-Service (DDoS) attacks. In this attack, malicious hosts send a large number of fake TCP-SYN packets to both the controller and victim servers by spoofing the packets’ header fields, leading to network malfunction. Existing solutions are unable to detect low-rate and multi-victim SYN spoofing attacks, leading to a high False Negative Rate (FNR), and they indiscriminately block both benign and malicious traffic during an attack, leading to a high False Positive Rate (FPR). To address these challenges, we present SynFloWatch, a live defense system against SYN spoofing-based DDoS attacks in hybrid SDN. SynFloWatch is designed at the control layer of SDN and consists of two modules: (i) a DDoS Detection module, and (ii) a DDoS Mitigation module. The DDoS Detection module employs Tsallis entropy analysis on network traffic directed towards the controller to identify DDoS traffic, victim servers, and malicious switch ports generating spoofed SYN packets. The DDoS Mitigation module uses a combination of SYN-proxy and SYN-cookie approaches to drop spoofed SYN packets from malicious switch ports while allowing legitimate traffic to proceed. We implement SynFloWatch in the Floodlight controller and evaluate its performance under various attack scenarios using the Mininet emulator. Experimental results demonstrate that SynFloWatch detects both low- and high-rate SYN-flood attacks with a reduced FNR of 25% and effectively mitigates their impact with a decreased FPR of 50% compared to existing state-of-the-art solutions.
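
The detection idea in the abstract (Tsallis entropy over controller-bound traffic, then naming the victim and the offending switch ports) can be sketched as follows. This is an added example, not SynFloWatch's code: the entropic index, both thresholds, the window format, the per-port rule and the sample traffic are all assumptions, and it handles a single victim only.

```python
from collections import Counter

Q = 2.0           # entropic index q (assumed; the abstract gives no value)
DROP = 0.25       # alert when destination entropy falls this far below baseline (assumed)
SRC_SPREAD = 0.8  # per-port source entropy above this suggests spoofed sources (assumed)

def tsallis_entropy(values, q=Q):
    """S_q = (1 - sum(p_i^q)) / (q - 1) over the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return (1.0 - sum((c / total) ** q for c in counts.values())) / (q - 1.0)

def analyze_window(packet_ins, baseline):
    """packet_ins: (src_ip, dst_ip, in_port) tuples for SYNs punted to the controller."""
    h_dst = tsallis_entropy(dst for _, dst, _ in packet_ins)
    if baseline - h_dst < DROP:
        return {"attack": False, "h_dst": h_dst}
    # Traffic has concentrated on few destinations: the most frequent one is the victim.
    victim = Counter(dst for _, dst, _ in packet_ins).most_common(1)[0][0]
    per_port = {}
    for src, dst, port in packet_ins:
        if dst == victim:
            per_port.setdefault(port, []).append(src)
    # A port whose SYNs to the victim almost never repeat a source looks spoofed.
    ports = sorted(p for p, srcs in per_port.items() if tsallis_entropy(srcs) > SRC_SPREAD)
    return {"attack": True, "h_dst": h_dst, "victim": victim, "ports": ports}

# Constructed sample: 8 clients spread over 4 servers, then a spoofed flood on port 3.
BENIGN = [(f"192.168.1.{10 + i % 8}", f"10.0.0.{1 + i % 4}", 1 + i % 4) for i in range(40)]
FLOOD = [(f"203.0.113.{i}", "10.0.0.2", 3) for i in range(1, 121)]

if __name__ == "__main__":
    baseline = tsallis_entropy(dst for _, dst, _ in BENIGN)
    print(analyze_window(BENIGN, baseline))
    print(analyze_window(BENIGN + FLOOD, baseline))
```
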
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Country of publication | Andorra, India |
| Site | Springer |