Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Jin Wang,Liping Wang

DOI: https://doi.org/10.3390/s22218287

IF: 3.9

2022-10-29

Sensors

Abstract:With the development of Software Defined Networking (SDN), its security is becoming increasingly important. Since SDN has the characteristics of centralized management and programmable, attackers can easily take advantage of the security vulnerabilities of SDN to carry out distributed denial of service (DDoS) attacks, which will cause the memory of controllers and switches to be occupied, network bandwidth and server resources to be exhausted, affecting the use of normal users. To solve this problem, this paper designs and implements an online attack detection and mitigation SDN defense system. The SDN defense system consists of two modules: anomaly detection module and mitigation module. The anomaly detection model uses a lightweight hybrid deep learning method—Convolutional Neural Network and Extreme Learning Machine (CNN-ELM) for anomaly detection of traffic. The mitigation model uses IP traceback to locate the attacker and effectively filters out abnormal traffic by sending flow rule commands from the controller. Finally, we evaluate the SDN defense system. The experimental results show that the SDN defense system can accurately identify and effectively mitigate DDoS attack flows in real-time.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Rudong Zhao,Songjie Wei,Milin Ren

DOI: https://doi.org/10.1109/ctceec.2017.8455172

2017-01-01

Abstract:This paper proposes a Distributed Denial of Service (DDoS) attack detection and defense system based on Software Defined Networks (SDN) architecture. The system is composed of a monitoring module, a detection module and a reaction module. The monitoring module is designed to raise alerts by analyzing Packet_In messages. It detects and reports anomalies to the detection module for further evaluation, which overcomes the disadvantages of slow response and large overhead of periodic trigger detection. The reaction module can trace back attack traffic flows to quickly and accurately identify malicious hosts. The use of a SDN controller brings in a global view of the network topology in the monitoring and detection procedures for the access layer switch and reduces the processing range. This paper extends the OpenFlow protocol so that a flow entry can record and track the flow path information, which improves the efficiency and accuracy of attack traffic traceability. Simulation experiments show that the proposed scheme has a relatively faster response to DDoS attack with less processing pressure imposed on the controller.

Xuanbo Huang,Kaiping Xue,Yitao Xing,Dingwen Hu,Ruidong Li,Qibin Sun

DOI: https://doi.org/10.1109/mass50613.2020.00048

2020-01-01

Abstract:The whole Software-Defined Networking (SDN) system might be out of service when the control plane is overloaded by control plane saturation attacks. In this attack, a malicious host can manipulate massive table-miss packets to exhaust the control plane resources. Even though many studies have focused on this problem, systems still suffer from more influenced switches because of centralized mitigation policies, and long recovery delay because of the remaining attack flows. To solve these problems, we propose FSDM, a Fast recovery Saturation attack Detection and Mitigation framework. For detection, FSDM extracts the distribution of Control Channel Occupation Rate (CCOR) to detect the attack and locates the port that attackers come from. For mitigation, with the attacker’s location and distributed Mitigation Agents, FSDM adopts different policies to migrate or block attack flows, which influences fewer switches and protects the control plane from resource exhaustion. Besides, to reduce the system recovery delay, FSDM equips a novel functional module called Force_Checking, which enables the whole system to quickly clean up the remaining attack flows and recovery faster. Finally, we conducted extensive experiments, which show that, with the increasing of attack PPS (Packets Per Second), FSDM only suffers a minor recovery delay increase. Compared with traditional methods without cleaning up remaining flows, FSDM saves more than 81% of ping RTT under attack rate ranged from 1000 to 4000 PPS, and successfully reduced the delay of 87% of HTTP requests time under large attack rate ranged from 5000 to 30000 PPS.

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3390/e25081210

IF: 2.738

2023-08-15

Entropy

Abstract:Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system's timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

physics, multidisciplinary

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Hao Wu,Aiqin Hou,Weike Nie,Chase Wu

DOI: https://doi.org/10.1109/icnc57223.2023.10074226

2023-01-01

Abstract:As a new network paradigm, software-defined networking (SDN) technology has been increasingly adopted. Unfortunately, SDN-enabled networks are more prone to threats from DDoS attacks than traditional networks due to the nature of centralized management. We propose an integrated defense framework to detect and mitigate various types of DDoS attacks in SDN-enabled networks. The proposed framework deploys two technical modules in the control plane of SDN for defending against high-rate and low-rate DDoS attacks, respectively. The former module consists of three components, which watch out for suspicious traffic, detect attacks using ensemble learning, and intercept malicious packets, respectively. The latter module is designed specifically to defend against the Slow Ternary Content Addressable Memory (TCAM) exhaustion attack (Slow-TCAM) using a new Alleviative Threat for TCAM (ATFT) algorithm. The proposed framework is implemented and tested in simulated networks using Mininet and further evaluated on the CICDDoS2019 dataset. Experimental results illustrate the superior performance of the proposed framework in defending against different types of DDoS attacks in comparison with other state-of-the-art algorithms.

Tianfang Yu,Lanlan Rui,Xuesong Qiu

DOI: https://doi.org/10.1155/2021/5097267

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:In traditional networks, DDoS attacks are often launched in the network layer or the transport layer. Researchers had explored this problem in depth and put forward plenty of solutions. However, these solutions are only suitable for scenarios such as a single link or victim side network and could not analyse traffic distribution from the angle of the global network. Also, the TCP/IP network architecture lacks abilities to quickly conduct resource deployment and traffic scheduling. When DDoS attacks occur, victims usually could not respond in time. With the superiorities of centralized control mode and global topological view, Software-Defined Networking (SDN) provides a new way to get over the above issues. In this paper, we adopt a combination of diverse technologies to design SDNDefender, a SDN-based DDoS detection and defense mechanism, which is composed of two core components aiming to counter the most popular DDoS attacks including IP spoofing attack and TCP SYN flood attack. We carry out quantitative simulation experiments for evaluating SDNDefender from many metrics. The experimental results show that in contrast to other DDoS defense algorithms, SDNDefender not only efficiently validates spoofed packets and withstands well-known attacks but also defends unknown attacks according to the target’s available resources. Besides, SDNDefender could significantly reduce TCP half-open connections and improve detection accuracy, alleviating attack influences that exhaust the server’s resources and network bandwidth.

Pengfei Zhai,Yanbo Song,Xiaoming Zhu,Lihui Cao,Jiaming Zhang,Chungang Yang

DOI: https://doi.org/10.1109/iccc49849.2020.9238872

2020-01-01

Abstract:Software Defined Network (SDN) is a new type of network architecture solution, and its innovation lies in decoupling traditional network system into a control plane, a data plane, and an application plane. It logically implements centralized control and management of the network,and SDN is considered to represent the development trend of the network in the future. However, SDN still faces many security challenges. Currently, the number of insecure devices is huge. Distributed Denial of Service (DDoS) attacks are one of the major network security threats.This paper focuses on the detection and mitigation of DDoS attacks in SDN. Firstly, we explore a solution to detect DDoS using Renyi entropy, and we use exponentially weighted moving average algorithm to set a dynamic threshold to adapt to changes of the network. Second, to mitigate this threat,we analyze the historical behavior of each source IP address and score it to determine the malicious source IP address,and use OpenFlow protocol to block attack source.The experimental results show that the scheme studied in this paper can effectively detect and mitigate DDoS attacks.

Dan Tang,Xiyin Wang,Yudong Yan,Dongshuo Zhang,Huan Zhao

DOI: https://doi.org/10.1016/j.comcom.2021.10.007

IF: 5.047

2022-01-01

Computer Communications

Abstract:Low-rate Denial of Service (LDoS) attacks cause severe destructiveness to network security. Consequently, the implementation of detection and defense against them is a concern among the research communities. But it is formidable to deploy extension modules to detect and mitigate attacks online in traditional networks, because devices are deficient of flexibility and scalability. To address the problem, we design and implement an online attack detection and mitigation system (ADMS) framework via the scalable and programmable Software Defined Networking (SDN). ADMS is installed on SDN controllers and conforms to the OpenFlow policy without extra devices. ADMS consists of two modules: the two-phase detection module and the mitigation module. The two-phase detection module combines the new port traffic feature and the Lightgbm classifier based on flow table statistics traffic to precisely detect LDoS attacks. The mitigation module utilizes the novel Sequence Matching based Dynamic Series Analysing (SMDSA) algorithm to locate the attacker, and efficiently mitigates attack traffic by packet filter. The SMDSA algorithm distinguishes the victim port from benign ports by calculating the anomaly score of each port. Our evaluation on a prototype implementation of ADMS shows that the framework is able to precisely identify and efficiently mitigate LDoS attacks in real-time.

computer science, information systems,telecommunications,engineering, electrical & electronic

Pengpeng Wu,Lin Yao,Chi Lin,Guowei Wu,Mohammad S. Obaidat

DOI: https://doi.org/10.1002/dac.3543

2018-01-01

International Journal of Communication Systems

Abstract:Software‐defined networking (SDN) emerges as the next generation of networking architecture, aiming to improve the network manageability and adaptability. However, because of the centralized control policy, SDN is liable to suffering from the denial of service attack in both the data plane and the control plane. To resist the attack and prevent the network from being paralyzed, we propose a novel mitigation scheme named flow migration defense, which uses a slave controller as a substitution to endure flooding requests mitigated from the master controller. Considering the special case that the normal requests may be regarded as the malicious ones, these requests are reforwarded back to the master controller on the basis of the round‐robin scheduling. To prevent the master controller from being flooded by the reforwarded requests, we design the adaptive rate adjustment method to adjust the reforwarding rate. Compared with multilevel feedback queue and FloodDefender, simulations demonstrate that flow migration defense can mitigate the SDN‐aimed denial of service attack efficiently with a better performance in terms of request response time, packet loss rate, and mitigation time.

Yang Xu,Yong Liu

DOI: https://doi.org/10.1109/infocom.2016.7524500

2016-01-01

Abstract:Software Defined Networking (SDN) has recently emerged as a new network management platform. The centralized control architecture presents many new opportunities. Among the network management tasks, measurement is one of the most important and challenging one. Researchers have proposed many solutions to better utilize SDN for network measurement. Among them, how to detect Distributed Denial-of-Services (DDoS) quickly and precisely is a very challenging problem. In this paper, we propose methods to detect DDoS attacks leveraging on SDN's flow monitoring capability. Our methods utilize measurement resources available in the whole SDN network to adaptively balance the coverage and granularity of attack detection. Through simulations we demonstrate that our methods can quickly locate potential DDoS victims and attackers by using a constrained number of flow monitoring rules.

Rui Wang,Zhiyong Zhang,Lei Ju,Zhiping Jia

DOI: https://doi.org/10.4018/ijisp.2015070102

2015-01-01

International Journal of Information Security and Privacy

Abstract:Software-Defined Networking (SDN) and OpenFlow have brought a promising architecture for the future networks. However, there are still a lot of security challenges to SDN. To protect SDN from the Distributed denial-of-service (DDoS) flooding attack, this paper extends the flow entry counters and adds a mark action of OpenFlow, then proposes an entropy-based distributed attack detection model, a novel IP traceback and source filtering response mechanism in SDN with OpenFlow-based Deterministic Packet Marking. It achieves detecting the attack at the destination and filtering the malicious traffic at the source and can be easily implemented in SDN controller program, software or programmable switch, such as Open vSwitch and NetFPGA. The experimental results show that this scheme can detect the attack quickly, achieve a high detection accuracy with a low false positive rate, shield the victim from attack traffic and also avoid the attacker consuming resource and bandwidth on the intermediate links.

Menghao Zhang,Jun Bi,Jiasong Bai,Guanyu Li

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00101

2018-01-01

Abstract:Software-Defined Networking (SDN) has attracted great attention from both academia and industry. However, the deployment of SDN has faced some critical security issues, such as Denial-of-Service (DoS) attacks on the SDN infrastructure. One such DoS attack is the data-to-control plane saturation attack, where an attacker floods a large number of packets to trigger massive table-misses and packet-in messages in the data plane. This attack can exhaust resources of different components of the SDN infrastructure, including TCAM and buffer memory in the data plane, bandwidth of the control channel, and CPU cycles of the controller. In this paper, we analyze the vulnerability of SDN against the data-to-control plane saturation attack extensively and design FloodShield, a comprehensive, deployable and lightweight SDN defense framework to mitigate this dedicated DoS attack. FloodShield combines the following two techniques: 1) source address validation which filters forged packets directly in the data plane, and 2) stateful packet supervision which monitors traffic states of real addresses and performs dynamic countermeasures based on evaluation scores and network resource usages. Implementations and experiments demonstrate that, compared with previous defense frameworks, FloodShield provides effective protection for all three components of the SDN infrastructure - data plane, control channel and control plane - with less resource consumption.

Liang Tan,Yue Pan,Jing Wu,Jianguo Zhou,Hao Jiang,Yuchuan Deng

DOI: https://doi.org/10.1109/access.2020.3021435

IF: 3.9

2020-01-01

IEEE Access

Abstract:While software defined network (SDN) brings more innovation to the development of future networks, it also faces a more severe threat from DDoS attacks. In order to deal with the single point of failure on SDN controller caused by DDoS attacks, we propose a framework for detection and defense of DDoS attacks in the SDN environment. Firstly, we deploy a trigger mechanism of DDoS attack detection on data plane to screen for abnormal flows in the network. Then, we use a combined machine learning algorithm based on K-Means and KNN to exploit the rate characteristics and asymmetry characteristics of the flows and to detect the suspicious flows determined by the detection trigger mechanism. Finally, the controller will take corresponding actions to defense against the attacks. In this paper, we propose a new framework of cooperative detection methods of control plane and data plane, which effectively improve the detection accuracy and efficiency, and prevent DDoS attacks on SDN.

Heyu Wang,Yixuan Li

DOI: https://doi.org/10.1109/access.2024.3375395

IF: 3.9

2024-03-19

IEEE Access

Abstract:Software Defined network (SDN), as a new network architecture, is the direction of future network development. By decoupling the control plane and data plane of the network, the control and management of network resources can be improved. However, SDN centralized controllers become the target of malicious attacks, prone to the risk of single point of failure, of which DDoS attacks are the main attack behavior. Through extensive literature investigation, this paper systematically reviews the latest progress of DDoS attack detection in SDN environment. Firstly, the SDN architecture and corresponding DDoS attacks are described, and the commonly used data sets and evaluation indicators are summarized. Secondly, the data preprocessing technology is summarized, and the data dimensionality reduction technology is introduced in detail. Then, at the level of detection technology, it focuses on the advantages and disadvantages of detection algorithms based on statistical analysis, machine learning and deep learning. Finally, the challenges of current research are analyzed, and the future development direction is forecasted. In order to provide reference for future research and development, at the same time, it is of great significance to improve the safety of SDN products in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yongyi Cao,Jing Wu,Bo Zhu,Hao Jiang,Yuchuan Deng,Wei Luo

DOI: https://doi.org/10.1007/978-3-030-34139-8_23

2019-01-01

Abstract:Distributed Denial of Service (DDoS) has been one of the biggest threats in the field of network security and a big problem to many researchers and large enterprises for years. In SDN, traditional DDoS attack detection mechanisms are mostly based on intermediate plug-ins or SDN controllers, most of which have problems of large southbound communication overhead, detection delay or lacking network-wide monitoring information. In this paper, we propose a cross-plane cooperative DDoS defense system (CPCS) under the architecture of SDN, which filters abnormal traffic through coarse-grained detection on the data plane and fine-grained detection on the control plane. On the data plane, a preliminary screening is performed to reduce the detection range of the control plane, and the K-means clustering algorithm is used to perform fine-grained analysis of traffic on the control plane. In addition, an anti-false positive module is added ingeniously. The proposed method captures the key characteristics of DDoS attack traffic by polling the value of counters in OpenFlow switches which leverages the computational power of OpenFlow switches that currently not fully utilized. We conducted experiments on a campus network center including OpenFlow switches and RYU controllers. The results show that the framework and traffic monitoring algorithms proposed in this paper can greatly improve detection efficiency and accuracy, and reduce detection delay and southbound communication overhead.

Yunhe Cui,Qing Qian,Chun Guo,Guowei Shen,Youliang Tian,Huanlai Xing,Lianshan Yan

DOI: https://doi.org/10.1016/j.jnca.2021.103156

IF: 7.574

2021-01-01

Journal of Network and Computer Applications

Abstract:Software-Defined Networking (SDN) is widely considered as one of the next generation network architecture. However, SDN faces with a series of issues which restraint its development and application, where the security is one of the serious issues. The Distributed Denial of Service (DDoS) is such a devastating security problem. In this work, a comprehensive review of the DDoS detection mechanisms utilized in SDN is presented. DDoS attacks in SDN are classified into two types and five subtypes based on the features of DDoS and SDN. For each kind of DDoS, how the attackers can exploit the vulnerabilities of SDN to launch DDoS attacks is discussed. Subsequently, the DDoS detection mechanisms used in SDN are reviewed and categorized into five types and forty-six subtypes. These kinds of DDoS detection mechanisms are compared and analyzed, where we draw a conclusion that the machine learning-based DDoS detection mechanisms and threshold-based DDoS detection mechanisms are the two most popular technologies utilized to detect DDoS attacks in SDN. More importantly, for each kind of DDoS detection mechanism, the generational process, advantages, and disadvantages are discussed. Additionally, the open problems and future directions of DDoS detection in SDN are discussed. By presenting these review, discussion and analysis, we hope it can facilitate the understanding of DDoS detection in SDN.

Ping Dong,Xiaojiang Du,Hongke Zhang,Tong Xu

DOI: https://doi.org/10.1109/ICC.2016.7510992

2016-01-01

Abstract:A Distributed Denial of Service (DDoS) attack against controllers is one of the key security threats of Software-Defined Networking (SDN). The breakdown of a controller may disrupt a whole SDN network. Nowadays, a novel DDoS means is that the attackers may generate vast new low-traffic flows to trigger malicious flooding requests to overload the controllers. It is difficult to prevent this attack, as the attackers may connect to any interface of any switch in an SDN network. In this paper, we propose an effective detection method, which is designed to detect the DDoS attack and to further locate the compromised interfaces the malicious attackers have connected. We first classify the flow events associated with an interface, then make a decision using Sequential Probability Ratio Test (SPRT), which has bounded false negative and false positive error rates. In addition, we evaluate the performance of the proposed method using DARPA Intrusion Detection Data Sets. We also discuss and compare our method to three other detection methods, which are based on the percentage, count, and entropy of the flows, respectively, and demonstrate the superiority of our method in terms of promptness, versatility and accuracy.