Hi all, I'm trying to implement a SYN flood protection, so, if the controller receives a SYN without ACK, I consider the source a suspect source and add its MAC address, dst MAC addr and dst TCP port to a grey list. After receiving a certain number of SYN packets (a threshold) without ACK response, I wanna drop the incoming SYN traffic from the "attacker", identifying it by its MAC address.
I've installed the dropping rule, leaving the actions list empty, in this way:

    actions=[]
    match=of.ofp_match.from_packet(packet,inport)
    match.dl_src=SRCmac
    match.tp_src=None
    match.nw_src=None
    #match.tp_dst=None
    msg=of.ofp_flow_mod(command=of.OFPFC_ADD,
                        idle_timeout=FLOW_IDLE_TIMEOUT,
                        hard_timeout=of.OFP_FLOW_PERMANENT,
                        buffer_id=event.ofp.buffer_id,
                        actions=actions,match=match)
    event.connection.send(msg.pack())
    print("Dropping Rule installed")

but if the attacker performs IP spoofing and sends a SYN packet with the new IP, my controller installs the rule again, even if the srcIP is wildcarded. Is there any wrong matching?

P.S.: When the controller receives a SYN packet, if the number of SYNs < threshold, it pretends to be the destination host and sends the SYN-ACK packet. If it receives the ACK, it sends a reset, adds the src IP to a whitelist and installs the forwarding rule.

Thanks for your help.

-- 
Silvia Fichera
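
The grey-list and threshold logic described in the post, as an added example that is not part of the original message and is not POX code: a stand-alone Python model with no OpenFlow calls. The class name, the action labels, the MAC/IP values and the threshold of 3 are assumptions made for illustration.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits


class SynTracker:
    """Grey list of unanswered SYNs keyed by (src MAC, dst MAC, dst TCP port)."""

    def __init__(self, threshold=3):       # threshold value is an assumption
        self.threshold = threshold
        self.grey = defaultdict(int)       # key -> SYNs with no completing ACK
        self.whitelist = set()             # source IPs that finished a handshake
        self.blocked = set()               # source MACs that have a drop rule

    def on_packet(self, src_mac, dst_mac, src_ip, dst_port, flags):
        """Return the (hypothetical) action label for one packet-in event."""
        key = (src_mac, dst_mac, dst_port)
        if src_mac in self.blocked:
            return "drop"                  # keyed on MAC: a new source IP changes nothing
        if flags & SYN and not flags & ACK:
            if src_ip in self.whitelist:
                return "forward"
            self.grey[key] += 1
            if self.grey[key] >= self.threshold:
                self.blocked.add(src_mac)
                return "install_drop"
            return "proxy_synack"          # answer on behalf of the destination
        if flags & ACK and key in self.grey:
            del self.grey[key]             # handshake completed: clear the suspect
            self.whitelist.add(src_ip)
            return "reset_and_whitelist"
        return "forward"


def run_sample():
    """Constructed events: one MAC rotating source IPs, then a normal client."""
    t = SynTracker(threshold=3)
    atk, srv, cli = "00:00:00:00:00:0a", "00:00:00:00:00:01", "00:00:00:00:00:0b"
    out = [t.on_packet(atk, srv, "10.0.0.%d" % i, 80, SYN) for i in range(1, 5)]
    out.append(t.on_packet(cli, srv, "10.0.0.50", 80, SYN))
    out.append(t.on_packet(cli, srv, "10.0.0.50", 80, ACK))
    out.append(t.on_packet(cli, srv, "10.0.0.50", 80, SYN))
    return out


if __name__ == "__main__":
    print(run_sample())
```

Because the grey-list key and the block set use the source MAC rather than the source IP, the count keeps rising across the rotating addresses in the constructed sample.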