Post on 24-Apr-2022

SYN Flood Attack Detection and Mitigation using Machine Learning Traffic Classification and Programmable Data Plane Filtering

Marinos Dimolianis, Adam Pavlidis, Vasilis Maglaris

Network Management & Optimal Design Laboratory (NETMODE)

School of Electrical & Computer Engineering

National Technical University of Athens

24th Conference on Innovation in Clouds, Internet and Networks (ICIN 2021)

March 3rd, 2021

Paris, France

SYN Flood Attack (1/2)

https://blog.cloudflare.com/network-layer-ddos-attack-trends-for-q4-2020/

https://www.imperva.com/blog/imperva-mitigates-largest-ddos-attacks-of-2020-so-far/

SYN Flood Attack (2/2)

https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/

SYN Flood – State of the art Mitigation

▪ Source IP Filtering (Blocks attack traffic)

❑ Rules proportional to the source IPs

❑ IP Spoofing

▪ SYN Cookies (Responds to attack traffic)

❑ Source IP Verification

❑ Processing Resources Consumption

❑ Backscatter Traffic

Signature-based Detection & Mitigation

[Architecture figure. Components: Internet Sources, Border Router, Victim, Protected Networks; Monitoring Data, Signature Classification (Yes / No), Malicious Signatures, Signature Reduction, Mitigation Mechanism (XDP, SYN Cookies). Signals: Attack Redirection, Redirection Signals, Control/Management Signalling. Legend: Network Traffic, TCP Traffic to victim, Benign Traffic, Dropped Traffic.]

▪ Packet Aggregation in Signatures within time-windows

▪ Frequency Encoding

❑ Example Signature (ip.ttl, ip.dst)

Signature Classification (1/2)

Packet Fields

ip.src ip.dst ip.dsfield.ecn ip.id ip.flags.df ip.ttl tcp.srcport tcp.dstport tcp.window_size

ip.ttl  ip.dst       #Packets  ip.ttl_freq  ip.dst_freq
239     192.168.1.1  3         60%          80%
62      192.168.1.1  1         20%          80%
61      10.1.1.1     1         20%          20%
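As an added illustration (not code from the deck or the authors' system), the following Python reproduces the frequency encoding above: it aggregates a constructed five-packet time window into (ip.ttl, ip.dst) signatures and computes, for each field value, the fraction of packets in the window that carry it, which yields the 60% / 80% figures of the table. The packet dicts and the extra tcp.dstport field are constructed.

```python
from collections import Counter

# Constructed five-packet time window that reproduces the deck's (ip.ttl, ip.dst) table.
WINDOW = [
    {"ip.ttl": 239, "ip.dst": "192.168.1.1", "tcp.dstport": 80},
    {"ip.ttl": 239, "ip.dst": "192.168.1.1", "tcp.dstport": 80},
    {"ip.ttl": 239, "ip.dst": "192.168.1.1", "tcp.dstport": 443},
    {"ip.ttl": 62,  "ip.dst": "192.168.1.1", "tcp.dstport": 80},
    {"ip.ttl": 61,  "ip.dst": "10.1.1.1",    "tcp.dstport": 80},
]


def build_signatures(packets, fields):
    """Aggregate one time window into signatures over `fields`.

    Returns rows of (signature tuple, packet count, per-field frequency tuple),
    most frequent signature first. A field's frequency is the share of packets
    in the window carrying that field value (the deck's frequency encoding),
    so it is computed per field, not per signature.
    """
    total = len(packets)
    sig_counts = Counter(tuple(p[f] for f in fields) for p in packets)
    field_counts = {f: Counter(p[f] for p in packets) for f in fields}
    rows = []
    for sig, n in sig_counts.most_common():
        freqs = tuple(field_counts[f][v] / total for f, v in zip(fields, sig))
        rows.append((sig, n, freqs))
    return rows


def signature_table(packets, fields):
    """Render build_signatures() output in the deck's table layout (percentages)."""
    header = " ".join(fields) + " #Packets " + " ".join(f + "_freq" for f in fields)
    lines = [header]
    for sig, n, freqs in build_signatures(packets, fields):
        cells = [str(v) for v in sig] + [str(n)] + [f"{x:.0%}" for x in freqs]
        lines.append(" ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(signature_table(WINDOW, ("ip.ttl", "ip.dst")))
```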

Signature Classification (2/2)

ip.ttl  ip.dst       #Packets  ip.ttl_freq  ip.dst_freq
239     192.168.1.1  3         60%          80%
62      192.168.1.1  1         20%          80%
61      10.1.1.1     1         20%          20%

▪ Signature Classification via Supervised Learning

Signature Reduction

Packet Fields

ip.src ip.dst ip.dsfield.ecn ip.id ip.flags.df ip.ttl tcp.srcport tcp.dstport tcp.window_size

▪ Multi-objective Optimization (Feature Selection)

▪ Feature Selection problem that minimizes

❑ the number of malicious signatures

❑ the dropped benign traffic

▪ Non-dominated Sorting Genetic Algorithm (NSGA) II
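An added example (not the authors' code) of the two objectives above: for a candidate subset of packet fields it counts the distinct malicious signatures and the fraction of benign packets that would be dropped because their signature collides with a malicious one, then enumerates every subset of four constructed fields and keeps the non-dominated objective points. Exhaustive enumeration stands in for NSGA-II, which the deck applies to the full nine-field space; the packet data is constructed, not a real dataset.

```python
from itertools import combinations

# Candidate fields for the signature (a subset of the deck's nine packet fields).
FIELDS = ("ip.ttl", "ip.flags.df", "tcp.window_size", "tcp.dstport")

# Constructed one-window sample, not a real dataset: a SYN flood whose packets share
# DF=0, a fixed window and port but come with two TTL values, plus four benign clients.
MALICIOUS = (
    [{"ip.ttl": 64, "ip.flags.df": 0, "tcp.window_size": 1024, "tcp.dstport": 80}] * 6
    + [{"ip.ttl": 128, "ip.flags.df": 0, "tcp.window_size": 1024, "tcp.dstport": 80}] * 4
)
BENIGN = [
    {"ip.ttl": 64, "ip.flags.df": 1, "tcp.window_size": 65535, "tcp.dstport": 80},
    {"ip.ttl": 128, "ip.flags.df": 1, "tcp.window_size": 8192, "tcp.dstport": 443},
    {"ip.ttl": 63, "ip.flags.df": 0, "tcp.window_size": 1024, "tcp.dstport": 80},
    {"ip.ttl": 51, "ip.flags.df": 1, "tcp.window_size": 65535, "tcp.dstport": 80},
]


def project(packet, fields):
    """Signature of one packet over the chosen fields."""
    return tuple(packet[f] for f in fields)


def objectives(fields, malicious, benign):
    """The deck's two minimisation objectives for one field subset:
    (#malicious signatures, fraction of benign packets dropped because their
    signature equals some malicious signature)."""
    sigs = {project(p, fields) for p in malicious}
    dropped = sum(project(p, fields) in sigs for p in benign)
    return len(sigs), dropped / len(benign)


def pareto_front(candidates, malicious, benign):
    """Score every non-empty field subset and keep the non-dominated objective
    points. Exhaustive search replaces NSGA-II here and is only viable for a
    handful of fields. Returns {point: smallest subsets reaching that point}."""
    scored = {}
    for k in range(1, len(candidates) + 1):
        for subset in combinations(candidates, k):
            scored.setdefault(objectives(subset, malicious, benign), []).append(subset)
    front = {}
    for p in scored:
        if not any(q != p and q[0] <= p[0] and q[1] <= p[1] for q in scored):
            shortest = min(len(s) for s in scored[p])
            front[p] = [s for s in scored[p] if len(s) == shortest]
    return front


if __name__ == "__main__":
    for (n_sigs, dropped), subsets in sorted(pareto_front(FIELDS, MALICIOUS, BENIGN).items()):
        print(f"{n_sigs} signature(s), {dropped:.0%} benign dropped: {subsets}")
```

The trade-off the deck optimises shows up directly: one signature on tcp.window_size or ip.flags.df drops a quarter of the benign sample, while adding ip.ttl needs two signatures but drops nothing.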

eXpress Data Path Mitigation Mechanism

▪ Programmable Packet Matching & Dropping

▪ Signature-based Filtering

▪ SYN Cookies

[Figure: XDP mitigation pipeline. Labels: XDP, Malicious Signatures (match: Yes / No), SYN Cookies, Victim.]

Experimental Evaluation

▪ Datasets

▪ Signature Classification Accuracy

▪ Signature Reduction Evaluation

▪ SYN Flood Mitigation Performance

Experimental Evaluation – Datasets

▪ Benign Datasets B1, B2 from WIDE-F [1]

▪ Malicious Datasets A1 – A5 (SYN Flood Attacks)

Attack  ip.src   ip.dst  ip.dsfield.ecn  ip.flags.df  tcp.srcport  tcp.dstport  ip.id  ip.ttl  tcp.window_size
A1      15       1       1               1            65535        65535        1      3       1
A2      760863   1       1               1            65534        65534        1      4       1
A3      839660   1       1               1            65535        65535        1      4       1
A4      3415575  1       1               1            65536        1            65535  2       1
A5      1493948  1       1               1            65536        1            65535  3       1

[Figure: TCP SYN Attacks Packet Rate; y-axis Kpps (0–100), x-axis Time (s) (0–60); series A1, A2, A3, A4, A5.]

1. http://mawi.wide.ad.jp/mawi/

Signature Detection Accuracy

▪ Supervised Learning Models

❑ Random Forest (RF) - Multilayer-Perceptron (MLP)

[Figure: five bar-chart panels of TPR (%) (0–100%), titled RF - TPR (5s), RF - TPR (10s), RF - TPR (30s), MLP - TPR (10s) and MLP - TPR (30s); x-axis Training Dataset A1/B1, A2/B1, A3/B1, A4/B1, A5/B1; series Test Dataset A1/B2, A2/B2, A3/B2, A4/B2, A5/B2. Bar values are not recoverable from the transcript.]

Signature Reduction Evaluation

▪ NSGA-II [1]

Datasets  #Malicious Signatures  #Signatures Reduced (Range)
A1+B1     758078                 [1, 15]
A2+B1     1070311                [1, 4]
A3+B1     1331799                [1, 4]
A4+B1     3417663                [1, 2]
A5+B1     1494425                [1, 3]

▪ Signature Reduction 99.99%

▪ Worst Case for Dropped Benign Traffic ≈ 2%

1. https://platypus.readthedocs.io/en/latest/

SYN Flood Mitigation Performance

▪ Packet processing performance evaluation

❑ SYN cookies (state-of-the-art)

❑ BPF MAP (Signatures stored in memory)

❑ STATIC (Signatures as if-then-else conditions)

XDP Implementation  Packets blocked (%) out of 10Mpps
SYN cookies         47%
BPF MAP             70%
STATIC              92%

Conclusions & Future Directions

Conclusions

▪ SYN Flood DDoS Detection & Mitigation

❑ High Accuracy using Supervised Learning methods

❑ Effective & Efficient Mitigation

Future Work

▪ Explore other attack vectors e.g. SYN-ACK, ACK Floods

▪ Extend our approach to collaborative schemes towards cooperative DDoS Detection & Mitigation

▪ Deploy and evaluate our mechanism within production environments.

THANK YOU!

Marinos Dimolianis

mdimolianis@netmode.ntua.gr