OPERETTA: An OPEnflow-based REmedy to mitigate TCP SYNFLOOD Attacks against web servers

Galluccio, Laura; Morabito, Giacomo; Palazzo, Sergio
2015-01-01

Abstract

TCP SYNFLOOD attacks are a type of Distributed Denial of Service (DDoS) attack usually carried out against web servers. TCP SYNFLOOD attacks rely on the normal TCP Three-Way Handshake mechanism to consume resources on the targeted server, so that server resources are blocked and the server is made unresponsive. To this purpose, the attacker sends multiple fake SYN packets as if it wanted to set up several TCP connections, but then it does not complete the Three-Way Handshake; in this way it uselessly ties up the resources of the attacked server. In traditional networks, these attacks have been counteracted by means of firewalls and intrusion detection schemes. However, these solutions are not effective, since they can be circumvented. Software Defined Networks (SDNs) offer new features, such as network programmability, which make solutions to TCP SYNFLOOD attacks more effective. In fact, in SDN networks the intelligence for counteracting security threats can be moved to a single network element, i.e., the Controller, which has complete information about the network and is in the best position to identify ongoing attacks. However, in this way TCP SYNFLOOD attacks can turn into attacks against the Controller, which becomes a single point of failure for the network. In this paper we propose OPERETTA, an OPEnflow-based REmedy to TCP SYNFLOOD Attacks. OPERETTA is implemented in the Controller, which manages incoming TCP SYN packets and rejects fake connection requests. The OPERETTA protocol works in heterogeneous networks, as it can be implemented not only on a centralized Controller but also on delocalized Controllers available in the access routers at the users' premises. OPERETTA has been tested using MININET; to this purpose, prototypes of the relevant Control Plane functions have been implemented starting from the POX Controller. Numerical results show that OPERETTA achieves good performance in terms of resilience to TCP SYNFLOOD attacks and low CPU and memory consumption.
Year: 2015
Keywords: DDoS; TCP SYNFLOOD attacks; Software Defined Networking
Files in this item:
operetta.pdf (Publisher's version, PDF; 2.86 MB, Adobe PDF; access restricted to archive managers)

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.11769/19037
Citations:
  • PMC: ND
  • Scopus: 67
  • ISI: 44