Detecção de ataques syn-flooding em redes definidas por software

Abstract

With the amount of information available on the Internet, one can easily perform a DoS attack by just following an available tutorial, without having to have much computational knowledge for this action. Syn-flooding is a simple attack to be carried out, but has disastrous consequences, making it impossible to access a site or other resources on a network. In Software Defined Networks (SDN), this type of attack can also affect the entire infrastructure and can stop a network altogether, from the denial of the service of the controller itself. Thi swork proposes the detection of Syn-flooding attacks in na SDN network by measuring the variation of the amount of flows in a pre-established time interval and the monitoring the TCP ports, helping the network administrator to perform corrective and preventive actions from the detection of the attack. To implement the proposal, a tool called FindFlows has been developed that displays a list of all the active hosts in an SDN network, informing the amount of flows of each host in different time intervals, the variation of the flows in those intervals and, finally, the classification of this host as an attacker, victim or legitimate user. Of the tests performed, the FindFlows was able to detect the Syn-flooding attack in 90% of cases.