Dear all,

I have a network with a hundred hosts in which most of them perform a SYN-flood attack. My implementation foresees a threshold to detect the attack (the controller tests the source, pretending to be the real destination, since the source doesn't complete the 3-way handshake procedure. Only the honest source can talk to the real destination of the attack) and installs a dropping rule on the first switch when the threshold is exceeded.

I am able to count the number of SYNs received by the controller with a counter that I added in it (I expect this should be equal to the number of attackers times the threshold, but it is not so), and if I compare this number with the Wireshark capture I see a lot more packets. Is there a reason for this behavior? Could it be because of the responsiveness of the controller?

Moreover, I know that POX is single-threaded. Is there any buffer in which incoming packets are queued?

Thanks
--
Silvia Fichera