Yi Shen,Chunming Wu,Qiumei Cheng,Dezhang Kong

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00122

2020-01-01

Abstract:Software-Defined Networking (SDN) is an emerging network platform, which decouples the control and data planes. As the most popular southbound protocol and standard, OpenFlow converts network forwarding policies to rule entries and stores them in the flow table. However, the capacity of the flow table is restricted, which can lead to table-overflow if the space is inefficiently used. In this paper, we propose an adaptive flow table management scheme (AFTM) on the control plane, which combines assigning dynamic timeout and proactive eviction to manage the limited flow table resources. The timeout assignment module and the proactive eviction module are not independent parts but work collaboratively. The timeout assignment module sets suitable timeouts for rule entries according to flow characteristics, so that entries of short-lived flows are quickly removed while entries of flows with large packet intervals are retained. When the table space is insufficient, the proactive eviction module removes rule entries to protect the flow table from table-overflow. In our design, the eviction thresholds and parameters in both modules can be adaptively adjusted according to the network load. Experimental results show that AFTM can effectively manage the flow table resource and reduce the number of packet drop rates by up to 81% compared with existing schemes.

Yi Shen,Chunming Wu,Dezhang Kong,Qiumei Cheng

DOI: https://doi.org/10.3390/app13127210

2023-01-01

Applied Sciences

Abstract:Software-defined networking (SDN) enables dynamic management and flexible network control by employing reactive rule installation. Due to high power consumption and cost, current OpenFlow switches only support a limited number of flow rules, which is a major limitation for deploying massive fine-grained policies. This bottleneck can be exploited by attackers to launch saturation attacks to overflow the flow table. Moreover, flow table overflow can occur in the absence of malicious attackers. To cope with this, researchers have developed many proposals to relieve the load under benign conditions. Among them, the dynamic timeout mechanism is one of the most effective solutions. We notice that when the SDN controller adopts dynamic timeouts, existing flow table saturation attacks can fail, or even expose the attackers, due to inaccurate inferring results. In this paper, we extract the common features of dynamic timeout strategies and propose an advanced flow table saturation attack. We explore the definition of flow rule lifetime and use a timing-based side-channel to infer the timeout of flow rules. Moreover, we leverage the dynamic timeout mechanisms to proactively interfere with the decision of timeout values and perform an attack. We conduct extensive experiments in various settings to demonstrate its effectiveness. We also notice that some replacement strategies work differently when the controller assigns dynamic timeouts. The experiment results show that the attack can incur significant network performance degradation and carry out the attack in a stealthy manner.

Boyang Zhou,Wen Gao,Chunming Wu,Bin Wang,Ming Jiang,Yansong Wang

DOI: https://doi.org/10.1007/978-3-319-13326-3_39

2014-01-01

Abstract:The Software-Defined Networking (SDN) separates the control plane from the data plane to increase the flexibility. In the data plane, the unavailability of data forwarding is a common problem preventing a switch from configuring a new arrival flow into its flow table. When the burst flows arrived at the switch, the flow table can be consumed, causing the unavailability occurred. However, the problem is more complicated than in Internet due to the limited channel bandwidth for detecting the table usage. Hence, we propose a transparent core layer in the controller. The mechanism of the layer improves the availability in such way, configuring switches adapting to arrival patterns of flows to prevent the resource of switch exceeding its limit. This paper introduces the design and mechanisms of the layer as well as their algorithms. We further use a real flow trace from a Internet core router to evaluate the performance of layer. By emulating on on miniNet-HiFi, the results demonstrate that the layer can smooth the burst flows without making the flow table exceeding its size, without the layer, the switch lost 8% ingress flows. Meanwhile, the control throughput is lowered by 25.8% than before.

Xinyue Jiang,Risheng Deng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00035

2021-01-01

Abstract:The large-scale distributed network has exposed increasing attack surfaces to cyber attackers. In this paper, we present a refined network measurement mechanism, called DDoS Collaborative Mitigation Mechanism (DDoSCCM). Based on former achievements in the programmable network, our work aims at capturing the characters of abnormal traffic and presenting an antedating reaction, constrained by limited resources of the switching ASIC. In-band Network Telemetry (INT) technique achieves real-time monitoring of the network by utilizing the device data acquisition on the data plane. Our work helps the network operator not only to learn the status of the network but also to issue an appropriate mitigation strategy faster and more accurately. DDoSCCM aims at delegating both detection and mitigation processes to the programmable switch. Consequently, the theoretical analysis and experimental results show that DDoSCCM can meet practical requirements and have a certain application value.

Dezhang Kong,Chunming Wu,Yi Shen,Xiang Chen,Hongyan Liu,Dong Zhang

DOI: https://doi.org/10.1109/globecom48099.2022.10001437

2022-01-01

Abstract:One of the most important components of Software-Defined Networking (SDN) is the flow table. It receives flow rules from the controller and uses them to handle network traffic. However, a flow table can only store a few thousand flow rules, which makes it an attractive target for table overflow attacks. These attacks force the controller to populate the flow table with a large number of meaningless flow rules, which prevents normal flows from finding matching rules and therefore having to be reported to the controller. It results in a significant latency overhead, degrading the performance of the whole network. In this paper, we present a key characteristic of table overflow attacks: even though attackers can change some critical attack parameters (e.g., attack speed) to avoid detection, proactive flows from the attacked port always occupy a stable proportion in the flow table regardless of the attack form. In light of this finding, we propose TableGuard, a novel security mechanism that uses the proactive flow rule number as the detection metric and applies a statistical approach to help filter malicious flows. The experiments demonstrate that TableGuard can mitigate both high-rate and low-rate table overflow attacks. Compared with existing defenses, TableGuard has the best mitigation performance and the minimal overhead on normal flows.

Kun Zhao,Qing Li,Yong Jiang

DOI: https://doi.org/10.1109/glocom.2014.7037083

2014-01-01

Abstract:In Software Defined Networks (SDN), the configuration inconsistency during updates is one main source of network instability. Even if the validity of the initial and final configurations is guaranteed, the interim complex and inconstant network states might cause routing conflicts and transmission disruption. Therefore, an efficient updating scheme of configuration consistency is required. Current schemes solve the problem of packet-level configuration consistency very well, but perform poorly for flow-level configuration consistency. In this paper, we provide a new scheme to guarantee flow-level consistency during configuration updates in SDN. In our scheme, the controller 1) collects the existing flow information; 2) computes K optimal prefixes covering the existing flows; 3) installs the new rule and K old sub-rules with lower and higher priorities respectively. We design the K-prefix covering algorithm by dynamic programming, which computes the K optimal prefixes with the minimum covering space. Therefore, the new rules will be activated for the maximum space. We evaluate our scheme and algorithm by comprehensive experiments. The results show that our scheme reduces the transition time to 10% of the current periodical direct division scheme.

Qing Li,Kun Zhao,Yong Jiang,Mingwei Xu,Shu-Tao Xia

DOI: https://doi.org/10.1016/j.comnet.2015.09.025

IF: 5.493

2015-01-01

Computer Networks

Abstract:In Software Defined Networks (SDN), the configuration inconsistency during updates is one main source of network instability. Even if the validity of the initial and final configurations is guaranteed, the interim complex and inconstant network states might cause routing conflicts and transmission disruption. Therefore, an efficient updating scheme with configuration consistency is required. Current schemes well guarantee the packet-level consistent update, but perform poorly for the flow-level case. In this paper, we present a Smart Approach of Rule Division (SARD) for fast flow-level consistent update in SDN. We first provide a simplified mathematical model of the network. Based on this model, we then propose SARD to guarantee the flow-level consistency during configuration updates. In SARD, the controller (1) collects the information of existing flows; (2) computes K optimal prefixes covering these flows, meanwhile with the minimized space; (3) installs the new rule and K old sub-rules with lower and higher priorities respectively. SARD preserves the flow-level consistent property and accelerates the process of configuration update in SDN. We evaluate the performance of SARD by comprehensive experiments. The results show that our scheme reduces the transition time to about 10% of the current method of periodical direct division.

Zhou Ye,Yang Xu,Li Yong,Su Li,Jin De-peng,Zeng Lie-guang

DOI: https://doi.org/10.3724/sp.j.1146.2012.01431

2013-01-01

Abstract:Software Defined Network (SDN) becomes a hot topic in recent years, in which flow update is one of important issues. In this paper, a classification based consistent flow update scheme is proposed, which has the advantage of strong generality and efficiently lightening working load on controller. The logic synthesis is also used to demonstrate how the scheme maintains consistency in the whole updating process. Simulation results in multiple scenarios show that the proposed scheme achieves better generality than existing schemes in related work. In addition, the scheme reduces significantly working load on controller while only costs nearly the same time in the update process as compared schemes.

Yi Wang,Dongzhe Tai,Ting Zhang,Boyang Xu,Linxiao Jin,Huichen Dai,Bin Liu,Xin Wu

DOI: https://doi.org/10.1109/ancs.2015.7110142

2015-01-01

Abstract:Updating rules in the flow tables of SDN switches are complex and time-consuming. Therefore, we propose a cache-based scheme (named FlowShadow) to improve the packet processing performance and keep continuous operating while updating rules in the flow tables. FlowShadow caches the microflows in the hash table to build a fast path for packet processing. By leveraging the Action Table, FlowShadow achieves update consistency and good update performance. In order to examine the reliability, validity, utility and scalability of FlowShadow, we implement FlowShadow on the Open VSwitch and conduct numerous experiments with different settings to measure the performance of FlowShadow. The experimental results demonstrate that FlowShadow achieves a lookup speed of 75 million packets per second on a commodity PC under the real backbone traces; the system with FlowShadow speeds up 3.4× times of the original Open VSwitch.

Zaiyu Pang,Xiao Huang,Zonghui Li,Sukun Zhang,Yanfen Xu,Hai Wan,Xibin Zhao

DOI: https://doi.org/10.1109/tii.2020.2998224

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:The digital transformation of industry requires industrial control networks provide high flexibility and determinacy. Time-sensitive software-defined networking that combines time-sensitive networking and software-defined networking is a new network paradigm which provides both real-time transmission feature and network flexibility. During network updates, the transmission consistency needs to be maintained. However, previous mechanisms mostly target on the proper schedule transition, which cannot guarantee no frame loss and also introduces extra update overhead. The article proposes a novel flow schedule generation model which guarantees no frame loss during network updates even with the basic two-phase update mechanism and introduces no extra update overhead. Two algorithms are designed for the model to adapt to different application scenarios: the offline algorithm poses better schedulability, whereas the online one consumes less time with slightly decreased schedulability. The experiments on two real-world industrial networks demonstrate our mechanism achieves zero frame loss without extra update overhead compared to existing methods, and the online algorithm saves 40% execution time with at most 10% schedulability decrease when the bandwidth utilization is less than 50%.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108099

IF: 5.493

2021-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. We further explore implementation techniques of packet looping and field swapping that can enable a flow table pipeline on a single TCAM and mitigate packet correlation, respectively. FlowCloak imposes only a 0.01 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1109/infocom.2018.8486230

2018-01-01

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. FlowCloak imposes only a 0.3 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

Yi Wang,Dongzhe Tai,Ting Zhang,Bin Liu

DOI: https://doi.org/10.1109/iwqos.2016.7590393

2016-01-01

Abstract:The fast path, as the cache of exact-match rules in the slow path, is applied in software-based OpenFlow switches to improve the forwarding performance. A microflow in the fast path is the specification of its corresponding rules in the slow path, i.e., every field is explicit in a microflow. A rule can generate multiple microflows in the fast path, and a microflow can be generated from multiple rules since there are multiple flow tables in an OpenFlow switch. Due to the many-to-many mapping relationship between the microflows and the rules, the update consistency between the slow path and the fast path becomes a big challenge in software switches, e.g., Open vSwitch (OVS). In this paper, we propose a cache-based scheme (named FlowShadow) to achieve high update performance while keeping update consistency in OVS. In order to examine the reliability, validity, utility and scalability of FlowShadow, we implement FlowShadow on the OVS and conduct numerous experiments with different settings to measure the performance of FlowShadow. The experimental results demonstrate that FlowShadow achieves a lookup speed of 75 million packets per second on a commodity PC under the real backbone traces; the system with FlowShadow speeds up 3.4× times of the original OVS; and FlowShadow also shows high update performance and good scalability at different update speeds and with different numbers of flow tables.

Guanhao Wu,Xiaofeng Gao,Tao Chen,Hao Zhou,Linghe Kong,Guihai Chen

DOI: https://doi.org/10.1109/icnp.2018.00050

2018-01-01

Abstract:Consistent routing update based on Software-Defined Networks (SDN) is a complicated problem due to the asynchronous and distributed data plane. Existing ordered update approaches mostly focus on the consistent routing update problem for unicast other than multicast, which should guarantee two consistencies, drop-freeness and duplicate-freeness. In this paper, we propose Shifter, a novel dynamic ordered update scheme for consistent multicast routing update based on SDN to guarantee both consistencies. Shifter advocates configuring inport match field in the forwarding rules to avoid duplicate. In order to guarantee drop-freeness, Shifter employs a dependency graph to dynamically schedule update operations, and uses a greedy solution to solve a subproblem named Replace Operation Tree Migration Problem (ROTMP). We conduct simulations to evaluate Shifter and find that Shifter can give a near optimal solution of ROTMP with very few rounds and little runtime for multicast routing update scenarios. To the best of our knowledge, Shifter is the first ordered update scheme to guarantee the two consistencies simultaneously.

Xin Jin,Jennifer Rexford,David Walker

DOI: https://doi.org/10.1145/2620728.2620731

2014-01-01

Abstract:To realize the vision of SDN---an ``app store'' for network-management services---we need a way to compose applications developed for different controller platforms. For instance, an enterprise may want to combine a firewall written on OpenDaylight with a load balancer on Ryu and a monitoring application on Floodlight. To make this vision a reality, we propose a new kind of hypervisor that allows multiple applications to collaborate in processing the same traffic. Inspired by past work on Frenetic, our hypervisor supports a flexible configuration language that can combine packet-processing rules from different applications using sequential and parallel composition. A major challenge is efficiently combining updates to each prioritized list of OpenFlow rules, based on the hypervisor policy. Our key insight is that rule priorities form a convenient algebra that allows the hypervisor to compute the correct relative priorities of new rules incrementally , without shifting or rewriting the priorities of existing rules. We prove the correctness of our algorithms and show experimentally that these techniques can reduce computational overhead by 4X and the number of rule updates by 5X, compared to existing techniques.

Moreno Ambrosin,Mauro Conti,Fabio De Gaspari,Radha Poovendran

DOI: https://doi.org/10.48550/arXiv.1502.02234

2015-02-08

Networking and Internet Architecture

Abstract:Software Defined Networking (SDN) is a new networking architecture which aims to provide better decoupling between network control (control plane) and data forwarding functionalities (data plane). This separation introduces several benefits, such as a directly programmable and (virtually) centralized network control. However, researchers showed that the required communication channel between the control and data plane of SDN creates a potential bottleneck in the system, introducing new vulnerabilities. Indeed, this behavior could be exploited to mount powerful attacks, such as the control plane saturation attack, that can severely hinder the performance of the whole network. In this paper we present LineSwitch, an efficient and effective solution against control plane saturation attack. LineSwitch combines SYN proxy techniques and probabilistic blacklisting of network traffic. We implemented LineSwitch as an extension of OpenFlow, the current reference implementation of SDN, and evaluate our solution considering different traffic scenarios (with and without attack). The results of our preliminary experiments confirm that, compared to the state-of-the-art, LineSwitch reduces the time overhead up to 30%, while ensuring the same level of protection.

Jiaqi Zheng,Guihai Chen,Stefan Schmid,Haipeng Dai,Jie Wu

DOI: https://doi.org/10.1109/icdcs.2017.96

2017-01-01

Abstract:Software-Defined Networks (SDNs) introduce interesting new opportunities in how network routes can be defined, verified, and changed over time. Yet despite the logically-centralized perspective offered, an SDN still needs to be considered a distributed system: rule updates communicated from the controller to the individual switches traverse an asynchronous network and may arrive out-of-order, and hence lead to (temporary or permanent) inconsistencies. Accordingly, the consistent network update problem has recently received much attention. Motivated by the advent of tightly synchronized SDNs, we in this paper initiate the study of algorithms for consistent network updates in “timed SDNs”-SDNs in which individual node updates can be scheduled at specific times. This paper presents Chronus, which is based on provably congestion- and loop-free update scheduling algorithms, and avoids the flow table space headroom required by existing two-phase update approaches. We formulate the Minimum Update Time Problem (MUTP) as an optimization program. We propose a tree algorithm to check the feasibility and a greedy algorithm to find a update sequence in polynomial time. Extensive experiments on Mininet and numerical simulations show that Chronus can substantially reduce transient congestion by 75% and save over 60% of the rules compared to the state of the art.

Jiaqiang Liu,Yong Li,Huandong Wang,Depeng Jin,Li Su,Lieguang Zeng,Thanos Vasilakos

DOI: https://doi.org/10.1016/j.ins.2015.08.019

IF: 8.1

2015-01-01

Information Sciences

Abstract:Network operators employ a variety of security policies for protecting the data and services. However, deploying these policies in traditional network is complicated and security vulnerable due to the distributed network control and lack of standard control protocol. Software-defined network provides an ideal paradigm to address these challenges by separating control plane and data plane, and exploiting the logically centralized control. In this paper, we focus on taking the advantage of software-defined networking for security policies enforcement. We propose a two layer OpenFlow switch topology designed to implement security policies, which considers the limitation of flow table size in a single switch, the complexity of configuring security policies to these switches, and load balance among these switches. Furthermore, we introduce a safe way to update the configuration of these switches one by one for better load balance when traffic distribution changes. Specifically, we model the update process as a path in a graph, in which each node represents a security policy satisfied configuration, and each edge represents a single step of safely update. Based on this model, we design a heuristic algorithm to find an optimal update path in real time. Simulations of the update scheme show that our proposed algorithm is effective and robust under an extensive range of conditions.

Ying Zeng,Yong Wang,Yuming Liu

DOI: https://doi.org/10.1109/access.2024.3383877

IF: 3.9

2024-04-09

IEEE Access

Abstract:In Software-Defined Networks (SDN), the ternary content addressable memory (TCAM) capacity in switches is limited, making them vulnerable to low-rate flow table overflow attacks. Most existing research in this field has not focused on the influence of flow entry eviction mechanisms on the effectiveness of such attacks. This paper proposes an adaptive low-rate flow table overflow attack (ALFO), which can adopt corresponding attack modes under different flow entry eviction mechanisms, significantly degrading network service quality. Due to the different features of ALFO under different attack modes, the existing attack detection methods are ineffective in this attack. Therefore, this paper proposes a detection and mitigation framework, which is called adaptive low-rate flow table overflow attack guard framework (ALFO-Guard). It extracts flow features from flow entry information in the switch and aggregates them into a current-time graph model. Then, combining graph neural networks, it performs graph anomaly detection and flow entry classification to identify attack flow entries. Finally, the attack can be eliminated by deleting the identified attack flow entries and blocking the attack flows. The effectiveness of ALFO and ALFO-Guard is validated through extensive experiments, and the experimental results demonstrate that ALFO-Guard can effectively defend against ALFO.

computer science, information systems,telecommunications,engineering, electrical & electronic

Klaus-Tycho Foerster,Stefan Schmid

DOI: https://doi.org/10.48550/arXiv.1908.10086

2019-08-27

Abstract:While SDNs enable more flexible and adaptive network operations, (logically) centralized reconfigurations introduce overheads and delays, which can limit network reactivity. This paper initiates the study of a more distributed approach, in which the consistent network updates are implemented by the switches and routers directly in the data plane. In particular, our approach leverages concepts from local proof labeling systems, which allows the data plane elements to locally check network properties, and we show that this is sufficient to obtain global network guarantees. We demonstrate our approach considering three fundamental use cases, and analyze its benefits in terms of performance and fault-tolerance.

Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture