SSG - A Solution to Prevent Saturation Attack on the Data Plane and Control Plane in SDN/Openflow Network

The SDN/Openflow architecture opens new opportunities for effective solutions to address network security problems; however, it also brings new security challenges compared to the traditional network. One of those is the mechanism of reactive installation for new flow entries that can make the data plane and control plane easily become a target for resource saturation attacks with spoofing technique such as SYN flood. There are a number of solutions to this problem such as Connection Migration (CM) mechanism in Avant-Guard solution. However, most of them increase load to the commodity switches and/or split benign TCP connections, which can cause increase of packet latency and disable some features of the TCP protocol. This paper presents a solution called SDN-based SYN Flood Guard (SSG), which takes advantages of Openflow’s ability to match TCP Flags fields and the RST Cookie technique to authenticate three-way handshake processes of TCP connections in a separated device from SDN/Openflow switches. The experiment results reveal that SSG solves the aforementioned problems and improves the SYN Flood.