ConPoolUBF: Connection pooling and updatable Bloom filter based SYN flood defense in programmable data planes
Date
2023-07-01
Author
Şahin, Mehmet Emin
DEMİRCİ, MEHMET
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Abstract
The SYN flood attack is one of the common ways in which attackers take advantage of TCP's three-way handshake connection establishment to overwhelm target systems. With the emergence of programmable networks, many promising security functions have been implemented at the network layer. SYN authentication and cookie-based SYN proxying are two significant approaches recommended on programmable switches against SYN flood attacks. However, while a cookie-based SYN proxy causes additional delays and packet drops, the SYN authentication approach increases the number of packets required to establish a TCP connection. In this study, two novel functions are implemented on programmable switches using the P4 language, and a new security solution against SYN flood attacks is proposed by combining both functions. The first is a high-accuracy updatable Bloom filter, implemented to track the state of network flows during TCP connection establishment. Because the proposed data structure hashes a salted input, it is more resistant to target-set coverage attacks. The second is a connection pooling function on programmable switches for requests to the backend servers. In this way, the TCP three-way handshake is offloaded from the target systems to the network switches. Upon verification of a connection request, a connection is dynamically allocated from the pool on the P4 switch, enabling the client to connect to the server seamlessly and transparently without additional packets. We implement these functions and demonstrate their feasibility as an effective defense against SYN flood attacks.
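The following Python simulation is an added illustration and is not part of this record or the paper's own P4 implementation. It models the two ideas the abstract combines in the flow-tracking filter: a Bloom filter whose positions depend on a secret per-switch salt, and an updatable structure (modelled here as a counting Bloom filter) so that a flow can be removed once its handshake completes, leaving only half-open flows in the filter. All class and function names, the keyed BLAKE2b hash construction, the counter layout, and the sample flows are assumptions for the example; the paper's actual hashing, counter widths and state machine may differ.

```python
# Added illustration (not the paper's P4 code): a salted, updatable Bloom
# filter tracking TCP handshake state, simulated in Python. Names below are
# hypothetical; "updatable" is modelled as a counting Bloom filter so that
# entries can be removed once a handshake completes.
import hashlib
import math
import secrets
from typing import Iterator, List, Optional


class SaltedCountingBloom:
    """Counting Bloom filter whose hash positions depend on a secret salt."""

    def __init__(self, m_counters: int, k_hashes: int, salt: Optional[bytes] = None) -> None:
        if not 1 <= k_hashes <= 8:
            raise ValueError("k_hashes must be between 1 and 8 (8 digest bytes per position)")
        self.m = m_counters
        self.k = k_hashes
        # A fresh random salt per filter instance: without it, an attacker
        # cannot precompute which flows share counters (target-set coverage).
        self.salt = secrets.token_bytes(16) if salt is None else salt
        self.counters: List[int] = [0] * m_counters

    def _positions(self, key: bytes) -> Iterator[int]:
        # One keyed BLAKE2b digest, sliced into k 64-bit words, yields k positions.
        digest = hashlib.blake2b(key, key=self.salt, digest_size=8 * self.k).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[8 * i:8 * (i + 1)], "big") % self.m

    def add(self, key: bytes) -> None:
        for p in self._positions(key):
            self.counters[p] += 1

    def contains(self, key: bytes) -> bool:
        return all(self.counters[p] > 0 for p in self._positions(key))

    def remove(self, key: bytes) -> bool:
        """Decrement the key's counters; return False (and change nothing) if any is already zero."""
        positions = list(self._positions(key))
        if any(self.counters[p] == 0 for p in positions):
            return False
        for p in positions:
            self.counters[p] -= 1
        return True

    def expected_false_positive_rate(self, n_items: int) -> float:
        """Standard estimate (1 - e^(-kn/m))^k for n stored items."""
        return (1.0 - math.exp(-self.k * n_items / self.m)) ** self.k


def flow_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Canonical 4-tuple identifying a TCP flow (constructed sample format)."""
    return f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()


class HandshakeTracker:
    """Switch-side view of connection establishment: a flow is inserted when its
    SYN is accepted and removed when the client's ACK completes the handshake,
    so the filter only ever holds half-open flows."""

    def __init__(self, bloom: SaltedCountingBloom) -> None:
        self.bloom = bloom
        self.half_open = 0

    def on_syn(self, key: bytes) -> str:
        if self.bloom.contains(key):
            return "duplicate-syn"      # retransmit, replay, or a false positive
        self.bloom.add(key)
        self.half_open += 1
        return "syn-recorded"

    def on_ack(self, key: bytes) -> str:
        if not self.bloom.contains(key):
            return "unsolicited-ack"    # no matching SYN was ever accepted
        self.bloom.remove(key)
        self.half_open -= 1
        return "handshake-complete"


def positions_under_salt(key: bytes, salt: bytes, m: int = 1024, k: int = 4) -> List[int]:
    """Counter positions a key maps to under a given salt (shows salt dependence)."""
    return list(SaltedCountingBloom(m, k, salt)._positions(key))


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate handshake and one stray ACK.
    tracker = HandshakeTracker(SaltedCountingBloom(m_counters=1024, k_hashes=4))
    client = flow_key("192.0.2.10", 40000, "198.51.100.5", 443)
    stray = flow_key("192.0.2.11", 40001, "198.51.100.5", 443)
    print(tracker.on_syn(client), tracker.half_open)   # syn-recorded 1
    print(tracker.on_syn(client))                      # duplicate-syn
    print(tracker.on_ack(stray))                       # unsolicited-ack
    print(tracker.on_ack(client), tracker.half_open)   # handshake-complete 0
    # The same flow lands on different counters under different salts.
    print(positions_under_salt(client, b"A" * 16) != positions_under_salt(client, b"B" * 16))  # True
```

The counting variant is what makes the filter updatable: a plain bit-vector Bloom filter cannot forget a completed handshake, so it would fill up with stale flows and its false-positive rate would climb. The `expected_false_positive_rate` estimate is the quantity a practitioner would size `m_counters` and `k_hashes` against for the expected number of concurrent half-open flows, and a timeout for flows that never complete (not shown) is what keeps a flood from holding counters indefinitely.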
URI
https://hdl.handle.net/11511/113191
Journal
COMPUTER NETWORKS
DOI
https://doi.org/10.1016/j.comnet.2023.109802
Collections
Department of Computer Engineering, Article
Citation Formats
IEEE
M. E. Şahin and M. DEMİRCİ, “ConPoolUBF: Connection pooling and updatable Bloom filter based SYN flood defense in programmable data planes,” COMPUTER NETWORKS, vol. 231, pp. 0–0, 2023, Accessed: 00, 2025. [Online]. Available: https://hdl.handle.net/11511/113191.