
OPERETTA: An OPEnflow-based REmedy to mitigate TCP SYNFLOOD Attacks against web servers

Fichera, Silvia; Palazzo, Sergio
2015-01-01

Abstract

TCP SYNFLOOD attacks are a type of Distributed Denial of Service (DDoS) attack usually carried out against web servers. TCP SYNFLOOD attacks rely on the normal TCP Three-Way Handshake mechanism to consume resources on the targeted server: the attacker sends many fake SYN packets as if it wanted to set up several TCP connections, but never completes the Three-Way Handshake, so the half-open connections tie up the server's resources uselessly and the server becomes unresponsive. In traditional networks, these attacks have been counteracted by means of firewalls and intrusion detection schemes. However, these solutions are not effective, since they can be violated. Software Defined Networks (SDNs) offer new features such as network programmability, which make solutions to TCP SYNFLOOD attacks more effective. In fact, in SDN networks the intelligence for counteracting security threats can be moved to a single network element, i.e., the Controller, which has complete information about the network and is therefore in the best position to identify ongoing attacks. However, in this way TCP SYNFLOOD attacks can turn into attacks against the Controller, which becomes a single point of failure for the network. In this paper we propose OPERETTA, an OPEnflow-based REmedy to TCP SYNFLOOD Attacks. OPERETTA is implemented in the Controller, which manages incoming TCP SYN packets and rejects fake connection requests. The OPERETTA protocol works in heterogeneous networks, as it can be implemented not only on a centralized Controller, but also on delocalized Controllers available in the access routers at the users' premises. OPERETTA has been tested using MININET; to this purpose, prototypes of the relevant Control Plane functions have been implemented starting from the POX Controller. Numerical results show that OPERETTA achieves good performance in terms of resilience to TCP SYNFLOOD attacks and a low level of CPU and memory consumption.
2015
Files for this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11382/519145

Warning! The data displayed have not been validated by the university.

Citations
  • Scopus: 66