Boyang Zhou,Wen Gao,Chunming Wu,Bin Wang,Ming Jiang,Yansong Wang

DOI: https://doi.org/10.1007/978-3-319-13326-3_39

2014-01-01

Abstract:The Software-Defined Networking (SDN) separates the control plane from the data plane to increase the flexibility. In the data plane, the unavailability of data forwarding is a common problem preventing a switch from configuring a new arrival flow into its flow table. When the burst flows arrived at the switch, the flow table can be consumed, causing the unavailability occurred. However, the problem is more complicated than in Internet due to the limited channel bandwidth for detecting the table usage. Hence, we propose a transparent core layer in the controller. The mechanism of the layer improves the availability in such way, configuring switches adapting to arrival patterns of flows to prevent the resource of switch exceeding its limit. This paper introduces the design and mechanisms of the layer as well as their algorithms. We further use a real flow trace from a Internet core router to evaluate the performance of layer. By emulating on on miniNet-HiFi, the results demonstrate that the layer can smooth the burst flows without making the flow table exceeding its size, without the layer, the switch lost 8% ingress flows. Meanwhile, the control throughput is lowered by 25.8% than before.

Gao Shang,Peng Zhe,Xiao Bin,Hu Aiqun,Ren Kui

DOI: https://doi.org/10.1109/infocom.2017.8057009

2017-01-01

Abstract:The separated control and data planes in software-defined networking (SDN) with high programmability introduce a more flexible way to manage and control network traffic. However, SDN will experience long packet delay and high packet loss rate when the communication link between two planes is jammed by SDN-aimed DoS attacks with massive table-miss packets. In this paper, we propose FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks to mitigate DoS attacks. It stands between the controller platform and other controller apps, and can protect both the data and control plane resources by leveraging three new techniques: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to identify attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. All designs of FloodDefender conform to the OpenFlow policy, requiring no additional devices. We implement a prototype of FloodDefender and evaluate its performance in both software and hardware environments. Experimental results show that FloodDefender can efficiently mitigate the SDN-aimed DoS attacks, incurring less than 0.5% CPU computation to handle attack traffic, only 18ms packet delay and 5% packet loss rate under attacks.

Fuliang Li,Jiannong Cao,Xingwei Wang,Yinchu Sun,Tian Pan,Xuefeng Liu

DOI: https://doi.org/10.1109/tcc.2018.2846620

IF: 5.697

2021-01-01

IEEE Transactions on Cloud Computing

Abstract:Software-Defined-Networking (SDN) is progressively dominating the dynamic management for timely network trouble shooting and fine grained traffic scheduling in data center networks. One critical issue in SDN is to reduce the communication overhead between the switches and the controller. Such overhead is mainly caused by handling miss-match packets, because for each miss-match packet, a switch will send a request to the controller asking for forwarding rule. Existing approaches to address this problem generally need to deploy intermediate proxy or authority switches to hold rule copies, so as to reduce the number of requests sent to the controller. In this paper, we argue that using the intrinsic buffer in a SDN switch can also greatly reduce the communication overhead without using additional devices. If a switch buffers each miss-match packet, only a few header fields instead of the entire packet are required to be sent to the controller. Experiment results show that this can reduce 78.7 percent control traffic and 37 percent controller overhead at the cost of increasing only 5.6 percent switch overhead on average. If the proposed flow-granularity buffer mechanism is adopted, only one request message needs to be sent to the controller for a new flow with many arrival packets. Thus the control traffic and controller overhead can be further reduced by 64 percent and 35.7 percent respectively on average without increasing the switch overhead.

computer science, information systems, theory & methods

Menghao Zhang,Jun Bi,Jiasong Bai,Guanyu Li

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00101

2018-01-01

Abstract:Software-Defined Networking (SDN) has attracted great attention from both academia and industry. However, the deployment of SDN has faced some critical security issues, such as Denial-of-Service (DoS) attacks on the SDN infrastructure. One such DoS attack is the data-to-control plane saturation attack, where an attacker floods a large number of packets to trigger massive table-misses and packet-in messages in the data plane. This attack can exhaust resources of different components of the SDN infrastructure, including TCAM and buffer memory in the data plane, bandwidth of the control channel, and CPU cycles of the controller. In this paper, we analyze the vulnerability of SDN against the data-to-control plane saturation attack extensively and design FloodShield, a comprehensive, deployable and lightweight SDN defense framework to mitigate this dedicated DoS attack. FloodShield combines the following two techniques: 1) source address validation which filters forged packets directly in the data plane, and 2) stateful packet supervision which monitors traffic states of real addresses and performs dynamic countermeasures based on evaluation scores and network resource usages. Implementations and experiments demonstrate that, compared with previous defense frameworks, FloodShield provides effective protection for all three components of the SDN infrastructure - data plane, control channel and control plane - with less resource consumption.

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Menghao Zhang,Jun Bi,Jiasong Bai,Yangyang Wang

DOI: https://doi.org/10.3969/j.issn.1001-0505.2017.S1.001

2017-01-01

Abstract:To further mitigate the dedicated denial-of-service(DoS)attack(data-to-control plane saturation attack)against SDN infrastructure,a controller and switch cooperative defense framework, that is,FloodShield,is presented.In this attack,a large number of packets are flooded by attacker to trigger massive table-misses and packet-in messages in the data plane, which would exhaust re-sources of different components of SDN infrastructure, including TCAM in the data plane, band-width of the control channel, and CPU cycles of the controller.With the extensive analysis of the vulnerability of SDN against the saturation attack,a deployable,comprehensive and lightweight SDN defense framework,FloodShield,is proposed and designed.The following two techniques are com-bined with FloodShield:1)source address validation for filtering forged packets directly in the data plane,and 2)stateful packet supervision for monitoring traffic states of real addresses and perform-ing dynamic countermeasures based on evaluation scores and network resource usage.Experimental results show that, compared with previous defense framework, FloodShield provides an effective protection for data plane,control channel and control plane of SDN infrastructure,meanwhile consu-ming less resource.

Xuan-Bo Huang,Kai-Ping Xue,Yi-Tao Xing,Ding-Wen Hu,Ruidong Li,Qi-Bin Sun

DOI: https://doi.org/10.1007/s11390-022-1495-0

IF: 1.871

2022-01-01

Journal of Computer Science and Technology

Abstract:Software-defined networking (SDN) decouples the data and control planes. However, attackers can lead catastrophic results to the whole network using manipulated flooding packets, called the data-to-control-plane saturation attacks. The existing methods, using centralized mitigation policies and ignoring the buffered attack flows, involve extra network entities and make benign traffic suffer from long network recovery delays. For these purposes, we propose LFSDM, a saturation attack detection and mitigation system, which solves these challenges by leveraging three new techniques: 1) using linear discriminant analysis (LDA) and extracting a novel feature called control channel occupation rate (CCOR) to detect the attacks, 2) adopting the distributed mitigation agents to reduce the number of involved network entities and, 3) cleaning up the buffered attack flows to enable fast recovery. Experiments show that our system can detect the attacks timely and accurately. More importantly, compared with the previous work, we save 81% of the network recovery delay under attacks ranging from 1 000 to 4 000 packets per second (PPS) on average, and 87% of the network recovery delay under higher attack rates with PPS ranging from 5 000 to 30 000.

Maria Apostolaki,Vamsi Addanki,Manya Ghobadi,Laurent Vanbever

DOI: https://doi.org/10.48550/arXiv.2105.10553

2021-05-22

Abstract:Today, network devices share buffer across priority queues to avoid drops during transient congestion. While cost-effective most of the time, this sharing can cause undesired interference among seemingly independent traffic. As a result, low-priority traffic can cause increased packet loss to high-priority traffic. Similarly, long flows can prevent the buffer from absorbing incoming bursts even if they do not share the same queue. The cause of this perhaps unintuitive outcome is that today's buffer sharing techniques are unable to guarantee isolation across (priority) queues without statically allocating buffer space. To address this issue, we designed FB, a novel buffer sharing scheme that offers strict isolation guarantees to high-priority traffic without sacrificing link utilizations. Thus, FB outperforms conventional buffer sharing algorithms in absorbing bursts while achieving on-par throughput. We show that FB is practical and runs at line-rate on existing hardware (Barefoot Tofino). Significantly, FB's operations can be approximated in non-programmable devices.

Networking and Internet Architecture

Chun-Hao Yang,Jhen-Ping Wu,Fang-Yi Lee,Ting-Yu Lin,Meng-Hsun Tsai

DOI: https://doi.org/10.3390/s23083817

2023-04-07

Abstract:Software-defined networking (SDN) is a new network architecture that provides programmable networks, more efficient network management, and centralized control than traditional networks. The TCP SYN flooding attack is one of the most aggressive network attacks that can seriously degrade network performance. This paper proposes detection and mitigation modules against SYN flooding attacks in SDN. We combine those modules, which have evolved from the cuckoo hashing method and innovative whitelist, to get better performance compared to current methods Our approach reduces the traffic through the switch and improves detection accuracy, also the required register size is reduced by half for the same accuracy.

Xuanbo Huang,Kaiping Xue,Yitao Xing,Dingwen Hu,Ruidong Li,Qibin Sun

DOI: https://doi.org/10.1109/mass50613.2020.00048

2020-01-01

Abstract:The whole Software-Defined Networking (SDN) system might be out of service when the control plane is overloaded by control plane saturation attacks. In this attack, a malicious host can manipulate massive table-miss packets to exhaust the control plane resources. Even though many studies have focused on this problem, systems still suffer from more influenced switches because of centralized mitigation policies, and long recovery delay because of the remaining attack flows. To solve these problems, we propose FSDM, a Fast recovery Saturation attack Detection and Mitigation framework. For detection, FSDM extracts the distribution of Control Channel Occupation Rate (CCOR) to detect the attack and locates the port that attackers come from. For mitigation, with the attacker’s location and distributed Mitigation Agents, FSDM adopts different policies to migrate or block attack flows, which influences fewer switches and protects the control plane from resource exhaustion. Besides, to reduce the system recovery delay, FSDM equips a novel functional module called Force_Checking, which enables the whole system to quickly clean up the remaining attack flows and recovery faster. Finally, we conducted extensive experiments, which show that, with the increasing of attack PPS (Packets Per Second), FSDM only suffers a minor recovery delay increase. Compared with traditional methods without cleaning up remaining flows, FSDM saves more than 81% of ping RTT under attack rate ranged from 1000 to 4000 PPS, and successfully reduced the delay of 87% of HTTP requests time under large attack rate ranged from 5000 to 30000 PPS.

Jiahao Cao,Renjie Xie,Kun Sun,Qi Li,Guofei Gu,Mingwei Xu

DOI: https://doi.org/10.14722/ndss.2020.23040

2020-01-01

Abstract:Software-Defined Networking (SDN) greatly meets the need in industry for programmable, agile, and dynamic networks by deploying diversified SDN applications on a centralized controller. However, SDN application ecosystem inevitably introduces new security threats since compromised or malicious applications can significantly disrupt network operations. Thus, a number of effective security enhancement systems have been developed to defend against potential attacks from SDN applications. In this paper, we identify a new vulnerability on flow rule installation in SDN, namely, buffered packet hijacking, which can be exploited by malicious applications to launch effective attacks bypassing all existing defense systems. The root cause of this vulnerability lies in that SDN systems do not check the inconsistency between buffer IDs and match fields when an application attempts to install flow rules. Thus, a malicious application can manipulate buffer IDs to hijack buffered packets even though they do not match any installed flow rules. We design effective attacks exploiting this vulnerability to disrupt all three SDN layers, i.e., application layer, data plane layer, and control layer. First, by modifying buffered packets and resending them to controllers, a malicious application can poison other applications. Second, by manipulating forwarding behaviors of buffered packets, a malicious application can not only disrupt TCP connections of flows but also make flows bypass network security policies. Third, by copying massive buffered packets to controllers, a malicious application can saturate the bandwidth of SDN control channels and their computing resources. We demonstrate the feasibility and effectiveness of these attacks with both theoretical analysis and experiments in a real SDN testbed. Finally, we develop a lightweight defense system that can be readily deployed in existing SDN controllers as a patch.

HU Hui,CHEN Ming,LIU Bo,XU Bo,XING Chang-you,HU Chao

DOI: https://doi.org/10.11959/j.issn.1000-436x.2017190

2017-01-01

Abstract:Large numbers of redundant control packets produced by connectionless UDP flows may engender serious in-fluence over the performance of the SDN controllers and networks. The endangerment of the redundant control packets for the performance of SDN controllers by testing and modeling was firstly analyzed, and then a basic solution to solve the problem was formed. Therefore, a preinstalling flow-tables & filtering redundant packets (PFFR) mechanism was proposed. By preinstalling flow tables, PFFR limited the initial rate of control packets in UDP flows, and through instal-ling flow tables according to paths and utilizing the redundant packets filtering algorithm, PFFR eliminated redundant packets rapidly. A prototype system based on PFFR was implemented and tested. The experimental results prove that the PFFR mechanism can effectively improve the performance of the controller.

Peng Zhang,Huanzhao Wang,Chengchen Hu,Chuang Lin

DOI: https://doi.org/10.1109/mnet.2016.1600109nm

IF: 10.294

2016-01-01

IEEE Network

Abstract:Software defined networking greatly simplifies network management by decoupling control functions from the network data plane. However, such a decoupling also opens SDN to various denial of service attacks: an adversary can easily exhaust network resources by flooding short-lived spoofed flows. Toward this issue, we present a comprehensive study of DoS attacks in SDN, and propose multi-layer fair queueing (MLFQ), a simple but effective DoS mitigation method. MLFQ enforces fair sharing of an SDN controller's resources with multiple layers of queues, which can dynamically expand and aggregate according to controller load. Both testbed-based and emulation-based experiments demonstrate the effectiveness of MLFQ in mitigating DoS attacks targeted at SDN controllers.

Hanlin Huang,Xinle Du,Tong Li,Haiyang Wang,Ke Xu,Mowei Wang,Huichen Dai

DOI: https://doi.org/10.1109/tnet.2024.3430989

2024-01-01

Abstract:Converged Ethernet employs Priority-based Flow Control (PFC) to provide a lossless network. However, issues caused by PFC, including victim flow, congestion spreading, and deadlock, impede its large-scale deployment in production systems. The fine-grained experimental observations on switch buffer occupancy find that the root cause of these performance problems is a mismatch of sending rates between end-to-end congestion control and hop-by-hop flow control. Resolving this mismatch requires the switch to provide an additional buffer, which is not supported by the classic dynamic threshold (DT) policy in current shared-buffer commercial switches. In this paper, we propose Selective-PFC (SPFC), a practical buffer management scheme that handles such mismatch. Specifically, SPFC incrementally modifies DT by proactively detecting port traffic and adjusting buffer allocation accordingly to trigger PFC PAUSE frames selectively. Extensive case studies demonstrate that SPFC can reduce the number of PFC PAUSEs on non-bursty ports by up to 69.0%, and reduce the average flow completion time by up to 83.5% for large victim flows.

Sijiang Huang,Mowei Wang,Yong Cui

DOI: https://doi.org/10.1109/tnet.2022.3173930

2021-01-01

Abstract:Switch buffer serves an important role in the modern internet. To achieve efficiency, today's switches often use on-chip shared memory. Shared memory switches rely on buffer management policies to allocate buffer among ports. To avoid waste of buffer resources or excessive buffer occupation by a few ports, existing policies tend to maximize overall buffer utilization and pursue queue length fairness. However, blind pursuit of utilization and misleading fairness definition based on queue length lead to buffer occupation with no benefit to throughput but extends queuing delay and undermines burst absorption of other ports. With analysis of current dynamic threshold policies, we demonstrate that meaningless buffer occupation can potentially impair the absorption capability of shared buffer, whereas none of the existing policies have addressed this problem. We contend that a buffer management policy should proactively detect port traffic and adjust buffer allocation accordingly. In this paper, we propose Traffic-aware Dynamic Threshold (TDT) policy. On the basis of the classic dynamic threshold policy, TDT proactively raises or lowers port threshold to absorb burst traffic or evacuate meaningless buffer occupation. We present detailed designs of port control state transition and state decision module that detect real-time traffic and change port thresholds accordingly. Simulation and DPDK-based real testbed demonstrate that TDT simultaneously optimizes for throughput, loss and delay, and reduces up to 50% flow completion time.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1109/infocom.2018.8486230

2018-01-01

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. FlowCloak imposes only a 0.3 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

Sun Hancun,Chen Xu,Luo Yantian,Ge Ning

DOI: https://doi.org/10.23919/jcc.fa.2024-0209.202411

2024-12-04

China Communications

Abstract:Link flooding attack (LFA) is a type of covert distributed denial of service (DDoS) attack. The attack mechanism of LFAs is to flood critical links within the network to cut off the target area from the Internet. Recently, the proliferation of Internet of Things (IoT) has increased the quantity of vulnerable devices connected to the network and has intensified the threat of LFAs. In LFAs, attackers typically utilize low-speed flows that do not reach the victims, making the attack difficult to detect. Traditional LFA defense methods mainly reroute the attack traffic around the congested link, which encounters high complexity and high computational overhead due to the aggregation of massive attack traffic. To address these challenges, we present an LFA defense framework which can mitigate the attack flows at the border switches when they are small in scale. This framework is lightweight and can be deployed at border switches of the network in a distributed manner, which ensures the scalability of our defense system. The performance of our framework is assessed in an experimental environment. The simulation results indicate that our method is effective in detecting and mitigating LFAs with low time complexity.

telecommunications

Danfeng Shan,Yuqi Liu,Tong Zhang,Yifan Liu,Yazhe Tang,Hao Li,Peng Zhang

DOI: https://doi.org/10.1109/icdcs57875.2023.00019

2023-01-01

Abstract:In datacenters, lossless network is very attractive as it can achieve ultra-low latency. In commodity Ethernet, lossless forwarding is achieved by hop-by-hop Priority-based Flow Control (PFC). To avoid buffer overflow, PFC-enabled switches need to reserve some buffer as headroom, which is for absorbing in-flight packets during the delay for backpressure messages to take effect. However, with the growing link speed in production networks, the buffer becomes increasingly insufficient, and the headroom can occupy a considerable fraction of buffer. As a result, the remaining buffer for absorbing normal traffic bursts is significantly squeezed, leading to frequent PFC messages that degrade the network performance. However, the current static and queue-independent headroom allocation scheme is inherently inefficient in solving this problem. In light of this, we propose Dynamic and Shared Headroom allocation scheme (DSH), which dynamically allocates headroom to congested queues and enables the allocated headroom to be shared among different queues. By statistical multiplexing, DSH needs much less headroom to ensure lossless forwarding. Furthermore, DSH can be implemented on switching chips with moderate modifications. Extensive simulations show that DSH can absorb 4× more bursts without triggering PFC messages and reduce the flow completion time by up to ~31%.

Moreno Ambrosin,Mauro Conti,Fabio De Gaspari,Radha Poovendran

DOI: https://doi.org/10.48550/arXiv.1502.02234

2015-02-08

Networking and Internet Architecture

Abstract:Software Defined Networking (SDN) is a new networking architecture which aims to provide better decoupling between network control (control plane) and data forwarding functionalities (data plane). This separation introduces several benefits, such as a directly programmable and (virtually) centralized network control. However, researchers showed that the required communication channel between the control and data plane of SDN creates a potential bottleneck in the system, introducing new vulnerabilities. Indeed, this behavior could be exploited to mount powerful attacks, such as the control plane saturation attack, that can severely hinder the performance of the whole network. In this paper we present LineSwitch, an efficient and effective solution against control plane saturation attack. LineSwitch combines SYN proxy techniques and probabilistic blacklisting of network traffic. We implemented LineSwitch as an extension of OpenFlow, the current reference implementation of SDN, and evaluate our solution considering different traffic scenarios (with and without attack). The results of our preliminary experiments confirm that, compared to the state-of-the-art, LineSwitch reduces the time overhead up to 30%, while ensuring the same level of protection.

Tao Wang,Hongchang Chen

DOI: https://doi.org/10.1587/transinf.2017edp7419

2018-01-01

IEICE Transactions on Information and Systems

Abstract:Software-defined networking (SDN) has rapidly emerged as a promising new technology for future networks and gained considerable attention from both academia and industry. However, due to the separation between the control plane and the data plane, the SDN controller can easily become the target of denial-of service (DoS) attacks. To mitigate DoS attacks in OpenFlow networks, our solution, MinDoS, contains two key techniques/modules: the simplified DoS detection module and the priority manager. The proposed architecture sends requests into multiple buffer queues with different priorities and then schedules the processing of these flow requests to ensure better controller protection. The results show that MinDoS is effective and adds only minor overhead to the entire SDN/OpenFlow infrastructure.