Early detection and mitigation of TCP SYN flood attacks in SDN using chi-square test

Software Defined Networking (SDN) is a network paradigm with the separation of the control plane from the data plane. Centralized management of the network and dynamic programming ability are the advantages of this separation. However, SDN suffers from security threats like DDoS attacks. In this paper, we propose an early detection and mitigation model to detect the DDoS attacks caused by the TCP SYN flood. This model uses the programming ability of SDN to collect features from net-work traffic at the centralized controller. For that, we implement the proposed model as a module in the POX controller. Our model extracts the header features: MAC addresses and TCP flags to construct the list of number of half-open connections per each host in the network within a given time period. The extended chi-square goodness of fit test serves as a basis for the detection method in our model. We calculate the x(2) value for the list of half-open connections and from this p_value is derived. When p_value drops below the threshold value, the attack is detected. We also mitigate the attack by blocking the attack traffic from the attackers' within the network using source MAC addresses. The experiments results show that the model is successful in TCP SYN flood detection and mitigation at the source end, i.e. attack-originating network. We compare our model with existing literature and show improvement over attack detection and discuss the advantages of the proposed model over the existing schemes in the literature.