Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Dezhang Kong,Chunming Wu,Yi Shen,Xiang Chen,Hongyan Liu,Dong Zhang

DOI: https://doi.org/10.1109/globecom48099.2022.10001437

2022-01-01

Abstract:One of the most important components of Software-Defined Networking (SDN) is the flow table. It receives flow rules from the controller and uses them to handle network traffic. However, a flow table can only store a few thousand flow rules, which makes it an attractive target for table overflow attacks. These attacks force the controller to populate the flow table with a large number of meaningless flow rules, which prevents normal flows from finding matching rules and therefore having to be reported to the controller. It results in a significant latency overhead, degrading the performance of the whole network. In this paper, we present a key characteristic of table overflow attacks: even though attackers can change some critical attack parameters (e.g., attack speed) to avoid detection, proactive flows from the attacked port always occupy a stable proportion in the flow table regardless of the attack form. In light of this finding, we propose TableGuard, a novel security mechanism that uses the proactive flow rule number as the detection metric and applies a statistical approach to help filter malicious flows. The experiments demonstrate that TableGuard can mitigate both high-rate and low-rate table overflow attacks. Compared with existing defenses, TableGuard has the best mitigation performance and the minimal overhead on normal flows.

Jishuai Li,Tengfei Tu,Yongsheng Li,Sujuan Qin,Yijie Shi,Qiaoyan Wen

DOI: https://doi.org/10.3390/s22031061

IF: 3.9

2022-01-29

Sensors

Abstract:Software-defined networking (SDN) is a new networking paradigm that realizes the fast management and optimal configuration of network resources by decoupling control logic and forwarding functions. However, centralized network architecture brings new security problems, and denial-of-service (DoS) attacks are among the most critical threats. Due to the lack of an effective message-verification mechanism in SDN, attackers can easily launch a DoS attack by faking the source address information. This paper presents DoSGuard, an efficient and protocol-independent defense framework for SDN networks to detect and mitigate such attacks. DoSGuard is a lightweight extension module on SDN controllers that mainly consists of three key components: a monitor, a detector, and a mitigator. The monitor maintains the information between the switches and the hosts for anomaly detection. The detector utilizes OpenFlow message and flow features to detect the attack. The mitigator protects networks by filtering malicious packets. We implement a prototype of DoSGuard in the floodlight controller and evaluate its effectiveness in a simulation environment. Experimental results show the DoSGuard achieves 98.72% detecion precision, and the average CPU utilization of the controller is only around 8%. The results demonstrate that DoSGuard can effectively mitigate DoS attacks against SDN with limited overhead.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Menghao Zhang,Jun Bi,Jiasong Bai,Guanyu Li

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00101

2018-01-01

Abstract:Software-Defined Networking (SDN) has attracted great attention from both academia and industry. However, the deployment of SDN has faced some critical security issues, such as Denial-of-Service (DoS) attacks on the SDN infrastructure. One such DoS attack is the data-to-control plane saturation attack, where an attacker floods a large number of packets to trigger massive table-misses and packet-in messages in the data plane. This attack can exhaust resources of different components of the SDN infrastructure, including TCAM and buffer memory in the data plane, bandwidth of the control channel, and CPU cycles of the controller. In this paper, we analyze the vulnerability of SDN against the data-to-control plane saturation attack extensively and design FloodShield, a comprehensive, deployable and lightweight SDN defense framework to mitigate this dedicated DoS attack. FloodShield combines the following two techniques: 1) source address validation which filters forged packets directly in the data plane, and 2) stateful packet supervision which monitors traffic states of real addresses and performs dynamic countermeasures based on evaluation scores and network resource usages. Implementations and experiments demonstrate that, compared with previous defense frameworks, FloodShield provides effective protection for all three components of the SDN infrastructure - data plane, control channel and control plane - with less resource consumption.

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3390/e25081210

IF: 2.738

2023-08-15

Entropy

Abstract:Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system's timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

physics, multidisciplinary

Gao Shang,Peng Zhe,Xiao Bin,Hu Aiqun,Ren Kui

DOI: https://doi.org/10.1109/infocom.2017.8057009

2017-01-01

Abstract:The separated control and data planes in software-defined networking (SDN) with high programmability introduce a more flexible way to manage and control network traffic. However, SDN will experience long packet delay and high packet loss rate when the communication link between two planes is jammed by SDN-aimed DoS attacks with massive table-miss packets. In this paper, we propose FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks to mitigate DoS attacks. It stands between the controller platform and other controller apps, and can protect both the data and control plane resources by leveraging three new techniques: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to identify attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. All designs of FloodDefender conform to the OpenFlow policy, requiring no additional devices. We implement a prototype of FloodDefender and evaluate its performance in both software and hardware environments. Experimental results show that FloodDefender can efficiently mitigate the SDN-aimed DoS attacks, incurring less than 0.5% CPU computation to handle attack traffic, only 18ms packet delay and 5% packet loss rate under attacks.

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Menghao Zhang,Jun Bi,Jiasong Bai,Yangyang Wang

DOI: https://doi.org/10.3969/j.issn.1001-0505.2017.S1.001

2017-01-01

Abstract:To further mitigate the dedicated denial-of-service(DoS)attack(data-to-control plane saturation attack)against SDN infrastructure,a controller and switch cooperative defense framework, that is,FloodShield,is presented.In this attack,a large number of packets are flooded by attacker to trigger massive table-misses and packet-in messages in the data plane, which would exhaust re-sources of different components of SDN infrastructure, including TCAM in the data plane, band-width of the control channel, and CPU cycles of the controller.With the extensive analysis of the vulnerability of SDN against the saturation attack,a deployable,comprehensive and lightweight SDN defense framework,FloodShield,is proposed and designed.The following two techniques are com-bined with FloodShield:1)source address validation for filtering forged packets directly in the data plane,and 2)stateful packet supervision for monitoring traffic states of real addresses and perform-ing dynamic countermeasures based on evaluation scores and network resource usage.Experimental results show that, compared with previous defense framework, FloodShield provides an effective protection for data plane,control channel and control plane of SDN infrastructure,meanwhile consu-ming less resource.

Dongbin Wang,Yu Zhao,Hui Zhi,Dongzhe Wu,Weihan Zhuo,Yueming Lu,Xu Zhang

DOI: https://doi.org/10.3390/s23125426

IF: 3.9

2023-06-08

Sensors

Abstract:The limited computation resource of the centralized controller and communication bandwidth between the control and data planes become the bottleneck in forwarding the packets in Software-Defined Networking (SDN). Denial of Service (DoS) attacks based on Transmission Control Protocol (TCP) can exhaust the resources of the control plane and overload the infrastructure of SDN networks. To mitigate TCP DoS attacks, DoSDefender is proposed as an efficient kernel-mode TCP DoS prevention framework in the data plane for SDN. It can prevent TCP DoS attacks from entering SDN by verifying the validity of the attempts to establish a TCP connection from the source, migrating the connection, and relaying the packets between the source and the destination in kernel space. DoSDefender conforms to the de facto standard SDN protocol, the OpenFlow policy, which requires no additional devices and no modifications in the control plane. Experimental results show that DoSDefender can effectively prevent TCP DoS attacks in low computing consumption while maintaining low connection delay and high packet forwarding throughput.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yang Wang,Tao Hu,Guangming Tang,Jichao Xie,Jie Lu

DOI: https://doi.org/10.1109/access.2019.2895092

IF: 3.9

2019-01-01

IEEE Access

Abstract:Software-defined networking (SDN) achieves flexible and efficient network management by decoupling control plane from the data plane, where the controller with a global network view is responsible for planning routing for packets. However, the centralized design makes the controller become a potential bottleneck, and adversaries can exploit this vulnerability to launch distributed denial-of-service (DDoS) attacks to the controller. Existing solutions are fundamentally based forged traffic analysis, increasing computational cost and being prone to produce false positives. This paper proposes a safe-guard scheme (SGS) for protecting control plane against DDoS attacks, and the main characteristic of SGS is deploying multi-controller in control plane through the controller's clustering. SGS procedures are organized in two modules: anomaly traffic detection and controller dynamic defense. Anomaly traffic detection focuses on switches in data plane to distinguish forged flows from legitimate ones by innovatively adopting four-tuple feature vector. Controller dynamic defense mitigates DDoS attacks' effects on control plane by remapping controller and sending the access control message to switches. The simulation results demonstrate the efficiency of our proposed SGS with real-time DDoS attack defense and high detection accuracy, as well as high-efficiency network resource utilization.

Xuan-Bo Huang,Kai-Ping Xue,Yi-Tao Xing,Ding-Wen Hu,Ruidong Li,Qi-Bin Sun

DOI: https://doi.org/10.1007/s11390-022-1495-0

IF: 1.871

2022-01-01

Journal of Computer Science and Technology

Abstract:Software-defined networking (SDN) decouples the data and control planes. However, attackers can lead catastrophic results to the whole network using manipulated flooding packets, called the data-to-control-plane saturation attacks. The existing methods, using centralized mitigation policies and ignoring the buffered attack flows, involve extra network entities and make benign traffic suffer from long network recovery delays. For these purposes, we propose LFSDM, a saturation attack detection and mitigation system, which solves these challenges by leveraging three new techniques: 1) using linear discriminant analysis (LDA) and extracting a novel feature called control channel occupation rate (CCOR) to detect the attacks, 2) adopting the distributed mitigation agents to reduce the number of involved network entities and, 3) cleaning up the buffered attack flows to enable fast recovery. Experiments show that our system can detect the attacks timely and accurately. More importantly, compared with the previous work, we save 81% of the network recovery delay under attacks ranging from 1 000 to 4 000 packets per second (PPS) on average, and 87% of the network recovery delay under higher attack rates with PPS ranging from 5 000 to 30 000.

Ping Dong,Xiaojiang Du,Hongke Zhang,Tong Xu

DOI: https://doi.org/10.1109/ICC.2016.7510992

2016-01-01

Abstract:A Distributed Denial of Service (DDoS) attack against controllers is one of the key security threats of Software-Defined Networking (SDN). The breakdown of a controller may disrupt a whole SDN network. Nowadays, a novel DDoS means is that the attackers may generate vast new low-traffic flows to trigger malicious flooding requests to overload the controllers. It is difficult to prevent this attack, as the attackers may connect to any interface of any switch in an SDN network. In this paper, we propose an effective detection method, which is designed to detect the DDoS attack and to further locate the compromised interfaces the malicious attackers have connected. We first classify the flow events associated with an interface, then make a decision using Sequential Probability Ratio Test (SPRT), which has bounded false negative and false positive error rates. In addition, we evaluate the performance of the proposed method using DARPA Intrusion Detection Data Sets. We also discuss and compare our method to three other detection methods, which are based on the percentage, count, and entropy of the flows, respectively, and demonstrate the superiority of our method in terms of promptness, versatility and accuracy.

Tao Wang,Hongchang Chen

DOI: https://doi.org/10.1109/cc.2017.7961368

2017-01-01

China Communications

Abstract:Software Defined Networking（SDN） is a revolutionary networking paradigm towards the future network,experiencing rapid development nowadays.However,its main characteristic,the separation of control plane and data plane,also brings about new security challenges,i.e.,Denial-of-Service（DoS） attacks specific to Open Flow SDN networks to exhaust the control plane bandwidth and overload the buffer memory of Open Flow switch.To mitigate the DoS attacks in the Open Flow networks,we design and implement SGuard,a security application on top of the NOX controller that mainly contains two modules:Access control module and Classification module.We employ novel six-tuple as feature vector to classify traffic flows,meanwhile optimizing classification by feature ranking and selecting algorithms.All the modules will cooperate with each other to complete a series of tasks such as authorization,classification and so on.At the end of this paper,we experimentally use Mininet to evaluate SGuard in a software environment.The results show that SGuard works efficiently and accurately without adding more overhead to the SDN networks.

Kuan-yin Chen,Anudeep Reddy Junuthula,Ishant Kumar Siddhrau,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/cns.2016.7860467

2016-01-01

Abstract:While the software-defined networking (SDN) paradigm is gaining much popularity, current SDN infrastructure has potential bottlenecks in the control plane, hindering the network's capability of handling on-demand, fine-grained flow level visibility and controllability. Adversaries can exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks against the SDN infrastructure. Recently proposed solutions either scale up the SDN control plane or filter out forged traffic, but not both. We propose SDNShield, a combined solution towards more comprehensive defense against DDoS attacks on SDN control plane. SDNShield deploys specialized software boxes to improve the scalability of ingress SDN switches to accommodate control plane workload surges. It further incorporates a two-stage filtering scheme to protect the centralized controller. The first stage statistically distinguishes legitimate flows from forged ones, and the second stage recovers the false positives of the first stage with in-depth TCP handshake verification. Prototype tests and dataset-driven evaluation results show that SDNShield maintains higher resilience than existing solutions under varying attack intensity.

Tao Wang,Hongchang Chen

DOI: https://doi.org/10.1587/transinf.2017edp7419

2018-01-01

IEICE Transactions on Information and Systems

Abstract:Software-defined networking (SDN) has rapidly emerged as a promising new technology for future networks and gained considerable attention from both academia and industry. However, due to the separation between the control plane and the data plane, the SDN controller can easily become the target of denial-of service (DoS) attacks. To mitigate DoS attacks in OpenFlow networks, our solution, MinDoS, contains two key techniques/modules: the simplified DoS detection module and the priority manager. The proposed architecture sends requests into multiple buffer queues with different priorities and then schedules the processing of these flow requests to ensure better controller protection. The results show that MinDoS is effective and adds only minor overhead to the entire SDN/OpenFlow infrastructure.

Tianfang Yu,Lanlan Rui,Xuesong Qiu

DOI: https://doi.org/10.1155/2021/5097267

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:In traditional networks, DDoS attacks are often launched in the network layer or the transport layer. Researchers had explored this problem in depth and put forward plenty of solutions. However, these solutions are only suitable for scenarios such as a single link or victim side network and could not analyse traffic distribution from the angle of the global network. Also, the TCP/IP network architecture lacks abilities to quickly conduct resource deployment and traffic scheduling. When DDoS attacks occur, victims usually could not respond in time. With the superiorities of centralized control mode and global topological view, Software-Defined Networking (SDN) provides a new way to get over the above issues. In this paper, we adopt a combination of diverse technologies to design SDNDefender, a SDN-based DDoS detection and defense mechanism, which is composed of two core components aiming to counter the most popular DDoS attacks including IP spoofing attack and TCP SYN flood attack. We carry out quantitative simulation experiments for evaluating SDNDefender from many metrics. The experimental results show that in contrast to other DDoS defense algorithms, SDNDefender not only efficiently validates spoofed packets and withstands well-known attacks but also defends unknown attacks according to the target’s available resources. Besides, SDNDefender could significantly reduce TCP half-open connections and improve detection accuracy, alleviating attack influences that exhaust the server’s resources and network bandwidth.

Shang Gao,Zecheng Li,Yuan Yao,Bin Xiao

DOI: https://doi.org/10.2139/ssrn.4068465

2022-01-01

Abstract:In software-defined networks, data-to-control plane saturation attacks can jam switchcontroller links and overload the control plane. Previous studies show that saturation attacks can successfully dysfunction edge switches, but can hardly affect proactive networks and internal switches. In this paper, we introduce new SDN-aimed DDoS attacks that can penetrate into SDN to dysfunction internal switches in both reactive and proactive networks. Moreover, the new attacks can be distributed, which conceals the identity of attackers and makes attack detection difficult. To address the challenge of SDN-aimed DDoS attacks, we propose FloodBarrier, which can reduce the communication between the controller and switches, and efficiently handle attack traffic. We implement a prototype of FloodBarrier against the new SDN-aimed DDoS attacks.

Kuan-Yin Chen,Sen Liu,Yang Xu,Ishant Kumar Siddhrau,Siyu Zhou,Zehua Guo,H. Jonathan Chao

DOI: https://doi.org/10.1109/tnet.2021.3105187

2021-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) is increasingly popular in today's information technology industry, but existing SDN control plane is insufficiently scalable to support on-demand, high-frequency flow requests. Weaknesses along SDN control paths can be exploited by malicious third parties to launch distributed denial-of-service (DDoS) attacks against the SDN control plane. Recently proposed solutions only partially solve the problem, by protecting either the SDN network edges or the centralized controller. We propose SDNShield, a solution based on emerging network function virtualization (NFV) technologies, which enforces more comprehensive defense against potential DDoS attacks on SDN control plane. SDNShield incorporates a three-stage overload control scheme. The first stage statistically identifies legitimate flows with low complexity and performance overhead. The second stage further performs in-depth TCP handshake verification to ensure good flows are eventually served. The third stage intellectually salvages the misclassified legitimate flows that are falsely dropped from the first two stages. Prototype tests and real data-driven simulation results show that SDNShield can achieve high resilience against brute-force attacks, and maintain good flow-level service quality at the same time.

Xueli Huang,Xiaojiang Du,Bin Song

DOI: https://doi.org/10.1109/icc.2017.7997187

2017-01-01

Abstract:In this paper, we propose a scheme to protect the Software Defined Network(SDN) controller from Distributed Denial-of-Service(DDoS) attacks. We first predict the amount of new requests for each openflow switch periodically based on Taylor series, and the requests will then be directed to the security gateway if the prediction value is beyond the threshold. The requests that caused the dramatic decrease of entropy will be filtered out and rules will be made in security gateway by our algorithm; the rules of these requests will be sent to the controller. The controller will send the rules to each switch to make them direct the flows matching with the rules to the honey pot. The simulation shows the averages of both false positive and false negative are less than 2%.

Guowei Wu,Zhaoxin Li,Lin Yao

DOI: https://doi.org/10.1109/PADSW.2018.8644627

2018-01-01

Abstract:Software defined network (SDN)can manage the whole network flexibly because of its programmability and logically centralized architecture. However, the centralized architecture of SDN makes it more vulnerable to Denial of Service (DoS)attack which is launched by sending a large number of malicious packet_in packets to consume the resources of the controller and data planes. In order to protect the normal operation of the network from DoS, we propose an effective DoS mitigation framework based on non-cooperative repeated game called PrioGuard. DoS can be detected based on the information entropy, packet_in rate and packet_in response rate. Furthermore, the penalty-incentive mechanism of repeated game is adopted to punish these attackers by lowering their priority in order to postpone their requests. The requests from attackers will be migrated to data plane cache, which can mitigate the interface cache of control plane and make the controller process the normal requests effectively. We have implemented a prototype system of PrioGuard. Simulation evaluations demonstrate that our scheme is very effective with less response time, less packet loss rate and lower controller load.