AEGIS: Detection and Mitigation of TCP SYN Flood on SDN Controller

Nagarathna Ravi*, S. Mercy Shalinie, Chhagan Lal, Mauro Conti

*Corresponding author for this work

Research output: Contribution to journalArticleScientificpeer-review

21 Citations (Scopus)


Software-Defined Network (SDN) segregates the control plane and the data plane to bring about a programmable network. The controller at the control plane runs network modules and sets rules for forwarding the packets in the switches that resides at the data plane. Though advantageous in several ways, SDN can fail when the controller is saturated by a flood of TCP SYN packets. SYN flood can be created using malicious spoofing of IP or MAC addresses or flash crowd. The existing solutions to mitigate SYN flood against the controller does not adequately handle MAC spoofing based SYN flood, and these are unable to distinguish between flash crowd and malicious traffic. To overcome some limitations in existing solutions, we propose a novel mechanism called AEGIS, which detect and mitigate SYN flood against the controller in SDN. AEGIS runs in the controller, and it regularly checks if there is a performance lag in the controller due to an ongoing SYN flood. If a performance degradation is detected, then AEGIS takes it an indication of SYN flood and it identifies whether it is due to spoofed addresses or flash crowd. Once the reason is found, the appropriate mitigation procedure is triggered. We evaluate AEGIS in testbed and emulator settings, and we compare the results of the evaluation with state-of-the-art solutions. The performance evaluation of AEGIS shows that it identifies the malicious SYN at an accuracy of 97.78%. Moreover, when there is no SYN flood, AEGIS takes 0.0637s to set up a successful TCP connection, which is 53.81% less than the time taken by the state-of-the-art solution, thus, it proves that AEGIS is lightweight.

Original languageEnglish
Article number9253566
Pages (from-to)745-759
Number of pages15
JournalIEEE Transactions on Network and Service Management
Issue number1
Publication statusPublished - Mar 2021
Externally publishedYes


  • controller
  • flash crowd
  • security
  • Software-defined network
  • TCP SYN flood


Dive into the research topics of 'AEGIS: Detection and Mitigation of TCP SYN Flood on SDN Controller'. Together they form a unique fingerprint.

Cite this