Effective Detection and Mitigation of SYN Flooding Attack in SDN

Bibliographic Details
Published in: 2019 19th International Symposium on Communications and Information Technologies (ISCIT), pp. 300-305
Main Authors: Oo, Nan Haymarn; Htein Maw, Aung
Format: Conference Proceeding
Language: English
Published: IEEE, 01.09.2019
Summary: The SYN flooding attack exploits the three-way handshake that TCP uses to establish a connection by sending a large number of SYN packets continuously. This attack might breach not only the SDN hosts but also the SDN controller. It might also bring down the links between the controller and the switches. Thus, an effective detection and mitigation technique for SYN flooding attacks is necessary for SDN networks. Statistical analysis techniques are simple and easy to implement for detection and mitigation of SYN flooding attacks, but their effectiveness strongly depends on how the threshold is defined. Defining a static threshold is a tedious job for a network administrator and produces a high false positive rate. Using a dynamic threshold is a solution to these problems. The dynamic threshold can be calculated with the adaptive threshold algorithm (ATA). Since this algorithm is based on the Exponential Weighted Moving Average (EWMA) formula, it will produce a high number of false alarms if used without modification. Thus, a simple modification is made to the algorithm so that it signals an alarm only after a minimum number of consecutive violations of the threshold. This modification might increase the false negative rate when the network is under a real attack, because it does not mitigate the attack as soon as the threshold is violated. In order to reduce the false negative rate, the existing ATA is modified with the baseline traffic of the network infrastructure. Finally, a comparative analysis of the modified adaptive threshold algorithm (MATA) and ATA is performed, measuring detection rate, false negative rate, and accuracy. The evaluation results show that MATA reduces the false negative rate from 6.15% to 0.59% and raises the accuracy from 94.3% to 99.47%.
ISSN: 2643-6175
DOI: 10.1109/ISCIT.2019.8905209