Figure 1 - uploaded by Raed Bani-Hani
TCP three-way handshaking. 

Context in source publication

Context 1
... basic vulnerability that allows the SYN Flooding attack to occur depends on the design and implementation of TCP, precisely in the three-way handshaking which represents the connection setup part of TCP. This handshaking happens in three steps. First, the client sends a Synchronize (SYN) packet to the server. Second, the server allocates resources and responds with a SYN and SYN acknowledgement (SYN-ACK) packet. Finally, the client responds back with an ACK packet [14]. Based on that, the attacker utilizes the second step to make a successful attack. As shown in Figure 1, when a TCP server receives a SYN packet, it immediately allocates resources for the received SYN in the "Transmission Control Block" (TCB) that is used to hold information about each connection. Each TCB has a memory of at least 280 bytes. When the server is in the SYN-RECEIVED state, the connection is half-open and there is no verified information about the other side; if no response is received, the server is stuck in the SYN-RECEIVED state for a while. From this we can clearly see a potential DoS attack: by sending a flood of SYN packets and ignoring the corresponding server's replies, the server will keep allocating TCBs for the incoming connections and eventually the server's memory will be exhausted and as a result the server will crash. If, on the other hand, the server's reply is handled, this could let the server free some of the TCBs. Many types of defenses were proposed after this attack was discovered. However, the attack also evolved and adapted to overcome these defenses. This paper clarifies types and variations of the attack, exploits and weaknesses in the host that the attacker looks for to launch his attack, and describes types of end-host based defenses against the attack. In addition, the paper will illustrate the strengths and weaknesses of each defense type.
Attackers exploit certain properties of the Internet, which are: destination-oriented routing, the stateless nature of the Internet and the lack of authenticity. All of these properties combined with the deterministic nature of the Internet protocols make DoS attacks absolutely achievable. This informative paper aims to be an opening to research that could hopefully end up with a standard to prevent the SYN Flooding attack. By describing this attack and explaining the available defense methods, we are planning to propose a new type of defense, or correct the flaws and weaknesses in an existing one. Furthermore, multiple types of defense (called a Hybrid Approach) can be proposed based on the current defense approaches. The rest of the paper is organized as follows: section 2 explains the SYN attack. Section 3 discusses types of attacks including direct, spoofed-based, distributed and reflector attacks. Section 4 discusses end-host based defenses against the attack. Section 5 explains the issues to consider before designing a defense method and provides some hybrid approaches for defending against the attack. Finally, we conclude the paper in section 6. "TCP implementation as described in RFC 4987 lets the host to enter the LISTEN state for all, some or none of the IP addresses pair, port number pair specified in application" [8]. If the server host knows neither the IP address nor the port number of the client host, the server host must listen to any address and to any port. Thus, it cannot specify any information about the client host. If the server host enters such a listening state, we call it the "unbound" LISTEN state [8]. The unbound LISTEN state is the target of the SYN-flooding attack, in which the attacker depends on the deterministic nature of TCP. The attacker expects the server host to accept requests and also to allocate resources for these requests. As a result, the attack will consume the server's resources.
Web applications, which use TCP, depend on unbound listen for their functionality, so many of them are under the threat of such an attack. DoS attacks on the Internet differ depending on what type of resources the attacker consumes to make the victim incapable of serving legitimate clients. For example, some may consume link bandwidth, memory or CPU cycles. Allocating resources for the received SYN segments is the main goal of the SYN Flooding attack, so the attack aims to exhaust the memory space of the victim for the longest possible time by sending a flood of fake SYN packets. Two important issues to be considered in making a successful SYN-flood attack are Barrage Size and Barrage Frequency [8]. Barrage size means how many SYN packets are to be sent to the victim. Usually the size or number of SYNs to send is measured according to the backlog queue (the memory space allocated for the incoming connections). Thus, the number of SYN packets must be larger than or equal to the backlog queue size to consume all reserved memory for incoming connections. Barrage frequency means how long to wait between floods of requests. The SYN-flood attack aims to consume the end-host resources but not to burn the bandwidth, so there must be some time measurement to determine when to resend SYN packets. This depends on the lifetime of the half-open connections, since the victim would reclaim the resources after this amount of time. For instance, if a timer is set for 75 seconds after sending the SYN-ACK packet, the barrage frequency should be every 75 seconds to keep the victim busy and all resources consumed for a longer time. An important thing to note is that "the attack is directed at a particular listening application not ...
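To make the backlog arithmetic in the passage above concrete, here is an added example (not code from the paper) that replays a constructed packet trace through the server-side handshake state the paper describes: a SYN allocates a TCB of 280 bytes and enters SYN-RECEIVED, an ACK completes the handshake and frees the entry, and an unanswered entry is reclaimed only when the 75-second timer expires. The backlog size of 128, the addresses in the trace and the under_pressure check are assumptions made for the example.

```python
from dataclasses import dataclass

TCB_BYTES = 280          # per-connection state; lower bound quoted in the paper
SYN_RECV_TIMEOUT = 75.0  # seconds a half-open entry is held before it is reclaimed

@dataclass
class Packet:
    t: float     # arrival time in seconds
    src: str     # client "ip:port"
    flags: str   # "SYN" or "ACK"; only the handshake steps are modelled

class ListenSocket:  # server side of the handshake for one unbound LISTEN socket
    def __init__(self, backlog: int):
        self.backlog = backlog   # assumed bound on half-open entries
        self.half_open = {}      # src -> time its TCB was allocated
        self.dropped = 0         # SYNs refused because the backlog was full
        self.established = 0

    def reclaim(self, now: float) -> None:  # free TCBs whose SYN-RECEIVED timer ran out
        expired = [s for s, t0 in self.half_open.items() if now - t0 >= SYN_RECV_TIMEOUT]
        for src in expired:
            del self.half_open[src]

    def process(self, pkt: Packet) -> None:
        self.reclaim(pkt.t)
        if pkt.flags == "SYN":
            if pkt.src in self.half_open:
                return                        # retransmitted SYN; TCB already exists
            if len(self.half_open) >= self.backlog:
                self.dropped += 1             # no TCB left: this client gets no SYN-ACK
                return
            self.half_open[pkt.src] = pkt.t   # step 2: allocate a TCB, enter SYN-RECEIVED
        elif pkt.flags == "ACK" and pkt.src in self.half_open:
            del self.half_open[pkt.src]       # step 3 completes the handshake
            self.established += 1

    def memory_held(self) -> int:
        return len(self.half_open) * TCB_BYTES

    def under_pressure(self, fraction: float = 0.8) -> bool:
        return len(self.half_open) >= fraction * self.backlog  # assumed defender check

def replay(packets, backlog: int = 128) -> ListenSocket:
    sock = ListenSocket(backlog)
    for p in sorted(packets, key=lambda p: p.t):
        sock.process(p)
    return sock

# Constructed trace: 128 never-acknowledged SYNs at t=1 s fill a backlog of 128
# (barrage size = backlog); a client at t=10 s is refused; after the 75 s timers
# expire the same client connects and completes the handshake.
TRACE = [Packet(1.0, f"203.0.113.{i}:1024", "SYN") for i in range(128)]
TRACE += [Packet(10.0, "198.51.100.7:40000", "SYN"),
          Packet(80.0, "198.51.100.7:40001", "SYN"),
          Packet(80.1, "198.51.100.7:40001", "ACK")]
```

Replaying only the first 129 packets shows the backlog full (128 x 280 = 35840 bytes held) and the legitimate SYN dropped; replaying the whole trace shows the timers reclaiming every TCB so the later connection completes, which is exactly why the barrage frequency has to match the timer.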

Citations

... Because the source address of the SYN packet is false, the ACK response never arrives because the SYN-ACK has been sent to some spoofed address, which causes the connection to be in a half-open state (SYN-RECV) and memory resources are not released. Therefore, with a large number of SYN segments being sent, the TCP connection queue is populated and eventually causes server crashes, causing it to fail to respond to legitimate requests from a TCP client [23]. ...
Article
Full-text available
Software Defined Networks (SDN) represent a new network architecture that provides central control over the network. The main innovation behind an SDN network is that it decouples the data plane from the control plane, which defines a network programmable environment. In the control plane, the controller supports the execution of services that define the control policies and distributes these rules to the data plane through a standard protocol, such as OpenFlow. Despite the numerous benefits provided by this architecture, the security of an SDN network is still a matter of concern since the aforementioned decoupling increases the attack surface in the network. In fact, Denial of Service (DoS) attacks are the ones that challenge the SDN environments in many aspects, mainly due to vulnerabilities between the control and the data plane layers. The entropy-based DoS detection method is a technique widely used in conventional network architecture. This paper proposes the use of entropy in an SDN environment, through the OpenFlow switches' statistics, to build a mechanism that monitors the network and is able to differentiate DoS traffic from benign traffic. Experimental results show the practical feasibility of the proposed solution.
... Since the source address of the SYN packet is false, the ACK response will never arrive because the SYN-ACK is sent to a spurious address, causing the connection to be in a semi-open state, consuming controller memory resources. Thus, with numerous SYN segments being sent, the TCP connection queue fills up overloading the SDN controller, making it unable to respond to legitimate TCP client requests [5]. Statistical and Machine Learning (ML) DDoS attack detection methods have been proposed in the literature. ...
Article
Distributed denial of service (DDoS) attacks challenge software-defined networks (SDN), primarily due to vulnerabilities present in the separation between the control and data planes. The control plane maintains continuous communication with the data plane switches to direct traffic according to forwarding policies. Although the literature presents various solutions to detect DDoS attacks, most of them concentrate on the control plane. The controller facilitates automated network management, making it easier to integrate and administer applications. On the other hand, the development of security solutions on the control plane imposes an additional load on the controller's duties. As an alternative to this problem, the research community proposed security solutions adapted to work on the data plane. However, due to the complexity of acting in this layer, the proposed solutions are restricted to statistical analysis of the network flow. This work proposes DataPlane-ML, a machine learning (ML) solution that acts on the data plane to detect DDoS attacks. To realize the use of ML techniques at the data plane, DataPlane-ML makes use of white box switches enhanced with P4 constructs to handle input flow and ML libraries to run ML models. This strategy allows the use of ML techniques on the data plane to provide more elaborate solutions that operate close to the input flow, reducing the impact on the SDN controller. The proposed DataPlane-ML was evaluated using the KNN, SVM and RF algorithms to detect DDoS attacks on real network traces. The experimental results show that DataPlane-ML is ≈ 23% faster than statistical-based solutions while providing better accuracy and similar CPU usage.
... This research work provides an accessible and effective procedure for NFV placement and chaining, combined with protective and responsive mechanisms to address physical link failures and consistency in uncertain networks [5]. Also, to compute the optimum entrenching is to enumerate the entire entrant hosts used for each virtual means, i.e., node and/or link within the somatic network known as hardware nodes and/or paths. ...
Article
Full-text available
Software Defined Network (SDN) system controller stands with excessive benefits from the separated promoting devices. The SDN will resolve security issues, inheritance community with acute liabilities. The most important exposure is the DDoS attack. The goals of this work are to endorse a learning technique on DDoS attacks by an SDN based system. Disturb the user's defensible actions elevate to advise Adaptive Learning method (ALM) as an advanced set of SVM to return certain viabilities. This paper notices two types of flooding-based DDoS attacks. The proposed Virtualization method decreases the exercise and testing time using the key features, namely the volumetric and the asymmetric features. The accurateness of the revealing process is around 97% with the fastest practice and investigation time.
... TCP DoS Attacks. TCP SYN flooding is a major threat that is difficult to identify due to its similarity to the legitimate establishment of TCP connections [1,5,15,51]. Similarly, TCP FIN flooding, TCP RST flooding, TCP ACK flooding, TCP URG flooding, and TCP Null flooding are other typical TCP DoS attacks [2,28], which aim to cause resource exhaustion of the TCP connection. ...
Preprint
In this paper, we uncover a new off-path TCP hijacking attack that can be used to terminate victim TCP connections or inject forged data into victim TCP connections by manipulating the new mixed IPID assignment method, which is widely used in Linux kernel version 4.18 and beyond to help defend against TCP hijacking attacks. The attack has three steps. First, an off-path attacker can downgrade the IPID assignment for TCP packets from the more secure per-socket-based policy to the less secure hash-based policy, building a shared IPID counter that forms a side channel on the victim. Second, the attacker detects the presence of TCP connections by observing the shared IPID counter on the victim. Third, the attacker infers the sequence number and the acknowledgment number of the detected connection by observing the side channel of the shared IPID counter. Consequently, the attacker can completely hijack the connection, i.e., resetting the connection or poisoning the data stream. We evaluate the impacts of this off-path TCP attack in the real world. Our case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing tables show its threat on a wide range of applications. Our experimental results show that our off-path TCP attack can be constructed within 215 seconds and the success rate is over 88%. Finally, we analyze the root cause of the exploit and develop a new IPID assignment method to defeat this attack. We prototype our defense in Linux 4.18 and confirm its effectiveness through extensive evaluation over real applications on the Internet.
... Since the source address of the SYN packet is false, the ACK response will never arrive because the SYN-ACK was sent to a spurious address, causing the TCP connection to be in a half-open state (SYN-RECV) and the memory resources are not released. That way, with a large number of SYN segments being sent, the TCP connection queue is populated and eventually will cause server failures, causing it to not respond to legitimate requests from a TCP client [2]. ...
... If the value of the statistical method is above the threshold (δ > T_{w_i}) the DoS attack is detected (lines 21-23), otherwise it will be considered as legitimate traffic, and the loop runs again. In the case of attack indication, a mitigation strategy can be applied to maintain network operations [2,3]. The following sections detail these steps proposed to detect DoS attacks. ...
Chapter
Full-text available
Software-defined network (SDN) architecture is characterized by the separation between the data plane and the control plane. This feature provides the development of a programmable environment on the network. Despite the numerous benefits provided by this architecture, the security of an SDN network is still an important matter of concern. In particular, Denial of Service (DoS) attacks challenge SDN architectures in several ways. Solutions that act on the control plane require continuous communication with the data plane, which can result in higher processing time delays, which in turn can affect the time required to detect an attack. On the other hand, solutions that work in the data plane seek to reduce this processing time. However, these solutions still need to address a restricted set of traffic analysis functionality, limiting the scope of the security solutions developed in the data plane. This paper proposes a data plane architecture that allows the use of more sophisticated solutions to be implemented directly in the data plane. The proposed architecture is composed of a component that acts alongside the P4 switch and adds flexibility to the switch to handle more complex operations. The architecture also provides support for the OpenFlow protocol, ensuring compatibility with currently deployed controllers. We compared two DoS attack detection techniques (chi-square and entropy) when applied to control and data planes. Experimental results show that the data plane and the control plane yield similar results in terms of detection accuracy, although the data plane requires fewer packets to detect the attack, on average 45% less compared to the control plane.
... With a large volume of false SYN segments sent, the server's TCP connection queue is flooded, causing the server to eventually crash. This, in turn, results in a state in which the server cannot respond to any requests from TCP clients [17]. ...
... We create test cases of the proposed model by using Miniedit and OpenDaylight controllers [4]. In the traffic generation process, we generate normal traffic, UDP flooding DDoS attack traffic [5], and SYN flooding DDoS attack traffic [6]. In the traffic collection process, we collect the traffic from each switch. ...
Article
Full-text available
Software Defined Networking (SDN) has many advantages over a traditional network. The great advantage of SDN is that the network control is physically separated from forwarding devices. SDN can solve many security issues of a legacy network. Nevertheless, SDN has many security vulnerabilities. The biggest issue of SDN vulnerabilities is the Distributed Denial of Service (DDoS) attack. The DDoS attack on SDN has become an important problem, and a variety of methods has been applied for detection and mitigation purposes. The objectives of this paper are to propose a detection method of DDoS attacks by using an SDN based technique that will disturb the legitimate user's activities at the minimum and to propose the Advanced Support Vector Machine (ASVM) technique as an enhancement of the existing Support Vector Machine (SVM) algorithm to detect DDoS attacks. The ASVM technique is a multiclass classification method consisting of three classes. In this paper, we can successfully detect two types of flooding-based DDoS attacks. Our detection technique can reduce the training time as well as the testing time by using two key features, namely, the volumetric and the asymmetric features. We evaluate the results by measuring a false alarm rate, a detection rate, and accuracy. The detection accuracy of our detection technique is approximately 97% with the fastest training time and testing time.