SYNChecker: A Scalable and Reliable TCP Connection Management for Defending SYN Flooding in SDN

Abstract

Software Defined Networking (SDN) is a novel programmable networking paradigm that decouples control plane and data plane. SDN highly relies on the controller in control plane that commands data plane how to handle new packets. Because the whole network may be disrupted if the controller is disabled, many attacks including SYN flooding aim to overload the controller passing through ingress switches. The thesis proposes an enhanced OpenFlow Switch called SYNChecker to protect the controller from SYN flooding. The switch authenticates benign hosts by interchanging cookie packets and generates a short-lived security association (SA). The retransmitted SYN packet from benign hosts is validated using SA and passed on to the controller. Our evaluation shows that SYNChecker protects the controller from the SYN flooding with acceptable time cost.