Dezhang Kong,Chunming Wu,Yi Shen,Xiang Chen,Hongyan Liu,Dong Zhang

DOI: https://doi.org/10.1109/globecom48099.2022.10001437

2022-01-01

Abstract:One of the most important components of Software-Defined Networking (SDN) is the flow table. It receives flow rules from the controller and uses them to handle network traffic. However, a flow table can only store a few thousand flow rules, which makes it an attractive target for table overflow attacks. These attacks force the controller to populate the flow table with a large number of meaningless flow rules, which prevents normal flows from finding matching rules and therefore having to be reported to the controller. It results in a significant latency overhead, degrading the performance of the whole network. In this paper, we present a key characteristic of table overflow attacks: even though attackers can change some critical attack parameters (e.g., attack speed) to avoid detection, proactive flows from the attacked port always occupy a stable proportion in the flow table regardless of the attack form. In light of this finding, we propose TableGuard, a novel security mechanism that uses the proactive flow rule number as the detection metric and applies a statistical approach to help filter malicious flows. The experiments demonstrate that TableGuard can mitigate both high-rate and low-rate table overflow attacks. Compared with existing defenses, TableGuard has the best mitigation performance and the minimal overhead on normal flows.

Yi Shen,Chunming Wu,Dezhang Kong,Qiumei Cheng

DOI: https://doi.org/10.3390/app13127210

2023-01-01

Applied Sciences

Abstract:Software-defined networking (SDN) enables dynamic management and flexible network control by employing reactive rule installation. Due to high power consumption and cost, current OpenFlow switches only support a limited number of flow rules, which is a major limitation for deploying massive fine-grained policies. This bottleneck can be exploited by attackers to launch saturation attacks to overflow the flow table. Moreover, flow table overflow can occur in the absence of malicious attackers. To cope with this, researchers have developed many proposals to relieve the load under benign conditions. Among them, the dynamic timeout mechanism is one of the most effective solutions. We notice that when the SDN controller adopts dynamic timeouts, existing flow table saturation attacks can fail, or even expose the attackers, due to inaccurate inferring results. In this paper, we extract the common features of dynamic timeout strategies and propose an advanced flow table saturation attack. We explore the definition of flow rule lifetime and use a timing-based side-channel to infer the timeout of flow rules. Moreover, we leverage the dynamic timeout mechanisms to proactively interfere with the decision of timeout values and perform an attack. We conduct extensive experiments in various settings to demonstrate its effectiveness. We also notice that some replacement strategies work differently when the controller assigns dynamic timeouts. The experiment results show that the attack can incur significant network performance degradation and carry out the attack in a stealthy manner.

Bin Yuan,Deqing Zou,Shui Yu,Hai Jin,Weizhong Qiang,Jinan Shen

DOI: https://doi.org/10.1109/tsc.2016.2602861

IF: 11.019

2019-01-01

IEEE Transactions on Services Computing

Abstract:The Software-Defined Network (SDN) is a new and promising network architecture. At the same time, SDN will surely become a new target of cyber attackers. In this paper, we point out one critical vulnerability in SDNs, the size of flow table, which is most likely to be attacked. Due to the expensive and power-hungry features of Ternary Content Addressable Memory (TCAM), a flow table usually has a limited size, which can be easily disabled by a flow table overloading attack (a transformed DDoS attack). To provide a security service in SDN, we proposed a QoS-aware mitigation strategy, namely, peer support strategy, which integrates the available idle flow table resource of the whole SDN system to mitigate such an attack on a single switch of the system. We established a practical mathematical model to represent the studied system, and conducted a thorough analysis for the system in various circumstances. Based on our analysis, we found that the proposed strategy can effectively defeat the flow table overloading attacks. Extensive simulations and testbed-based experiments solidly support our claims. Moreover, our work also shed light on the implementation of SDN networks against possible brute-force attacks.

Boyang Zhou,Wen Gao,Chunming Wu,Bin Wang,Ming Jiang,Yansong Wang

DOI: https://doi.org/10.1007/978-3-319-13326-3_39

2014-01-01

Abstract:The Software-Defined Networking (SDN) separates the control plane from the data plane to increase the flexibility. In the data plane, the unavailability of data forwarding is a common problem preventing a switch from configuring a new arrival flow into its flow table. When the burst flows arrived at the switch, the flow table can be consumed, causing the unavailability occurred. However, the problem is more complicated than in Internet due to the limited channel bandwidth for detecting the table usage. Hence, we propose a transparent core layer in the controller. The mechanism of the layer improves the availability in such way, configuring switches adapting to arrival patterns of flows to prevent the resource of switch exceeding its limit. This paper introduces the design and mechanisms of the layer as well as their algorithms. We further use a real flow trace from a Internet core router to evaluate the performance of layer. By emulating on on miniNet-HiFi, the results demonstrate that the layer can smooth the burst flows without making the flow table exceeding its size, without the layer, the switch lost 8% ingress flows. Meanwhile, the control throughput is lowered by 25.8% than before.

Yadong Zhou,Kaiyue Chen,Junjie Zhang,Junyuan Leng,Yazhe Tang

DOI: https://doi.org/10.1155/2018/4760632

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:As the most competitive solution for next-generation network, SDN and its dominant implementation OpenFlow are attracting more and more interests. But besides convenience and flexibility, SDN/OpenFlow also introduces new kinds of limitations and security issues. Of these limitations, the most obvious and maybe the most neglected one is the flow table capacity of SDN/OpenFlow switches. In this paper, we proposed a novel inference attack targeting at SDN/OpenFlow network, which is motivated by the limited flow table capacities of SDN/OpenFlow switches and the following measurable network performance decrease resulting from frequent interactions between data and control plane when the flow table is full. To the best of our knowledge, this is the first proposed inference attack model of this kind for SDN/OpenFlow. We implemented an inference attack framework according to our model and examined its efficiency and accuracy. The evaluation results demonstrate that our framework can infer the network parameters (flow table capacity and usage) with an accuracy of 80% or higher. We also proposed two possible defense strategies for the discovered vulnerability, including routing aggregation algorithm and multilevel flow table architecture. These findings give us a deeper understanding of SDN/OpenFlow limitations and serve as guidelines to future improvements of SDN/OpenFlow.

Yi Shen,Chunming Wu,Dezhang Kong,Qiumei Cheng

DOI: https://doi.org/10.2139/ssrn.4129904

2022-01-01

Abstract:Download This Paper Open PDF in Browser Add Paper to My Library Share: Permalink Using these links will ensure access to this page indefinitely Copy URL Copy DOI

Yi Shen,Chunming Wu,Qiumei Cheng,Dezhang Kong

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00122

2020-01-01

Abstract:Software-Defined Networking (SDN) is an emerging network platform, which decouples the control and data planes. As the most popular southbound protocol and standard, OpenFlow converts network forwarding policies to rule entries and stores them in the flow table. However, the capacity of the flow table is restricted, which can lead to table-overflow if the space is inefficiently used. In this paper, we propose an adaptive flow table management scheme (AFTM) on the control plane, which combines assigning dynamic timeout and proactive eviction to manage the limited flow table resources. The timeout assignment module and the proactive eviction module are not independent parts but work collaboratively. The timeout assignment module sets suitable timeouts for rule entries according to flow characteristics, so that entries of short-lived flows are quickly removed while entries of flows with large packet intervals are retained. When the table space is insufficient, the proactive eviction module removes rule entries to protect the flow table from table-overflow. In our design, the eviction thresholds and parameters in both modules can be adaptively adjusted according to the network load. Experimental results show that AFTM can effectively manage the flow table resource and reduce the number of packet drop rates by up to 81% compared with existing schemes.

Dezhang Kong,Xiang Chen,Chunming Wu,Yi Shen,Zhengyan Zhou,Qiumei Cheng,Xuan Liu,Mingliang Yang,Yubing Qiu,Dong Zhang,Muhammad Khurram Khan

DOI: https://doi.org/10.1109/tifs.2024.3472477

IF: 7.231

2024-10-15

IEEE Transactions on Information Forensics and Security

Abstract:The flow table is a critical component of Software-Defined Networking (SDN). However, flow tables' limited capacity makes them highly vulnerable to flow table overflow attacks (FTOAs). Due to the low attack cost and highly flexible attack forms, it is hard to eradicate FTOAs. This paper addresses three unsolved problems for table security and proposes a robust defense accordingly. First, we reveal that the existing defenses with fixed defense speeds will cause severe packet loss when handling diverse traffic. We prove that deleting multiple rules can efficiently solve this problem and give a rigorous derivation to calculate the suitable deletion number according to the environment. Second, we illustrate that abnormal table occupancy squeezing is a constant characteristic of FTOAs regardless of attack forms. It can be used to identify attacked ports accurately in different scenarios. Third, we mathematically prove that random deletion can guarantee the continuous decrease of malicious flow rules after confirming attacked ports. It achieves fast speed and robust effectiveness in different environments. Based on these findings, we design rDefender, a robust and lightweight defense prototype. We evaluate its effect by designing diverse, powerful attacks and using real-world datasets and topology. The results demonstrate that it achieves the best overall performance compared to six existing mainstream defenses, providing stable security for switch flow tables.

computer science, theory & methods,engineering, electrical & electronic

Ying Zeng,Yong Wang,Yuming Liu

DOI: https://doi.org/10.1109/access.2024.3383877

IF: 3.9

2024-04-09

IEEE Access

Abstract:In Software-Defined Networks (SDN), the ternary content addressable memory (TCAM) capacity in switches is limited, making them vulnerable to low-rate flow table overflow attacks. Most existing research in this field has not focused on the influence of flow entry eviction mechanisms on the effectiveness of such attacks. This paper proposes an adaptive low-rate flow table overflow attack (ALFO), which can adopt corresponding attack modes under different flow entry eviction mechanisms, significantly degrading network service quality. Due to the different features of ALFO under different attack modes, the existing attack detection methods are ineffective in this attack. Therefore, this paper proposes a detection and mitigation framework, which is called adaptive low-rate flow table overflow attack guard framework (ALFO-Guard). It extracts flow features from flow entry information in the switch and aggregates them into a current-time graph model. Then, combining graph neural networks, it performs graph anomaly detection and flow entry classification to identify attack flow entries. Finally, the attack can be eliminated by deleting the identified attack flow entries and blocking the attack flows. The effectiveness of ALFO and ALFO-Guard is validated through extensive experiments, and the experimental results demonstrate that ALFO-Guard can effectively defend against ALFO.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xinyue Jiang,Risheng Deng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00035

2021-01-01

Abstract:The large-scale distributed network has exposed increasing attack surfaces to cyber attackers. In this paper, we present a refined network measurement mechanism, called DDoS Collaborative Mitigation Mechanism (DDoSCCM). Based on former achievements in the programmable network, our work aims at capturing the characters of abnormal traffic and presenting an antedating reaction, constrained by limited resources of the switching ASIC. In-band Network Telemetry (INT) technique achieves real-time monitoring of the network by utilizing the device data acquisition on the data plane. Our work helps the network operator not only to learn the status of the network but also to issue an appropriate mitigation strategy faster and more accurately. DDoSCCM aims at delegating both detection and mitigation processes to the programmable switch. Consequently, the theoretical analysis and experimental results show that DDoSCCM can meet practical requirements and have a certain application value.

Zehua Guo,Ruoyan Liu,Yang Xu,Andrey Gushchin,Anwar Walid,H. Jonathan Chao

DOI: https://doi.org/10.1016/j.comnet.2017.04.046

IF: 5.493

2017-01-01

Computer Networks

Abstract:The emerging Software-Defined Networking (SDN) enables network innovation and flexible control for network operations. A key component of SDN is the flow table at each switch, which stores flow entries that define how to process the received flows. In a network that has a large number of active flows, flow tables at switches can be easily overflowed, which could cause blocking of new flows or eviction of entries of some active flows. The eviction of active flow entries, however, can severely degrade the network performance and overload the SDN controller. In this paper, we propose SofTware-defined Adaptive Routing (STAR), an online routing scheme that efficiently utilizes limited flow-table resources to maximize network performance. In particular, STAR detects real-time flow-table utilization of each switch, intelligently evicts expired flow entries when needed to accommodate new flows, and selects routing paths for new flows based on flow-table utilizations of switches across the network. Simulation results based on the Spanish backbone network show that, STAR outperforms existing schemes by decreasing the controller’s workload for routing new flows by about 87%, reducing packet delay by 49%, and increasing average throughput by 123% on average when the flow-table resource is scarce.

Yazhe TANG,Yongqi ZHANG,Zijian YAN,Guiying ZHU

DOI: https://doi.org/10.7652/xjtuxb201802002

2018-01-01

Abstract:A new multilevel flow table architecture based on Bloom Filter is proposed to solve the problem of the explosive growth of the flow table's space occupation and look-up overhead due to the fine grained flow matching mechanism in SDN networks.This architecture follows the hybrid flow table paradigm and uses a Bloom Filter pipeline to store flow entries.The motivation is to construct secondary flow tables with very high capacity and to speed up the matching speed of flow table items.An intermediate adaptation layer between controllers and OpenFlow switches is designed to transform the corresponding messages and to avoid possible semantic conflicts.Experiments results show that when the flow table becomes more fine-grained,the space occupation of the proposed scheme is more effectively reduced,up to 90.7％,and when the number of the flow entries increases,the packet matching time is greatly reduced and the maximum reduction of matching time is 99.4％.The solution of the problem is expected to lay a solid foundation in data plane for the large-scale practical deployment of SDN networks.

Xiang-yang ZHU,Bing CHEN

DOI: https://doi.org/10.3969/j.issn.1673-629X.2016.12.003

2017-01-01

Abstract:The timeout mechanism and capacity limitation of flow table in OpenFlow switches,together with the traffic characteristics in data centers,have brought scalability problems in the application of Software-Defined Network ( SDN) . Due to the frequent and repeat-able routing request invocations by mice flows and flow table timeouts,the SDN control plane and OpenFlow secure channel will become the performance bottleneck of whole SDN architecture,and thus cannot provide QoS guaranteed services according to network resources and business requests. Two improvement measures are put forward from two aspects. The switches are configured with destination address oriented wildcard flow table entries for mice flows,making that most of mice flows are handled by forwarding plane directly without ask-ing control plane. A dynamic-index hash cache layer is added between the control plane and the forwarding plane,and flow table entries will be put into the cache layer when they are evicted from flow table because of timeout or other reasons,which can avoid repeatable rou-ting calculations. Experimental results show that wildcard flow table entries can effectively reduce the network delay and the number of flow table entries,and the cache strategy proposed has higher hit rate and looking up speed.

Xuya Jia,Qing Li,Yong Jiang,Zehua Guo,Jie Sun

DOI: https://doi.org/10.1016/j.comnet.2017.06.009

IF: 5.493

2017-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) allows flexible and efficient management of networks. However, the limited capacity of flow tables in SDN switches hinders the deployment of SDN. In this paper, we propose a novel routing scheme to improve the efficiency of flow tables in SDNs. To efficiently use the routing scheme, we formulate an optimization problem with the objective to maximize the number of flows in the network, constrained by the limited flow table space in SDN switches. The problem is NP-hard, and we propose the K Similar Greedy Tree (KSGT) algorithm to solve it. We evaluate the performance of KSGT against traditional SDN solutions with real-world topologies and traffic. The results show that, compared to the existing solutions, KSGT can reduce about 60% of flow entries when processing the same amount of flows, and improve about 25% of the successful installation and forwarding flows under the same flow table space.

Siyi Qiao,Chengchen Hu,Xiaohong Guan,Jianhua Zou

DOI: https://doi.org/10.1145/2934872.2959063

2018-01-01

Abstract:SDN has become the wide area network technology, which the academic and industry most concerned about.The limited table sizes of today’s SDN switches has turned to the most prominent short planks in the network design implementation. TCAM based flow table can provide an excellent matching performance while it really costs much. Even the flow table overflow cannot be prevented by a fixed-capacity flow table. In this paper, we design FTS(Flow Table Sharing) mechanism that can improve the performance disaster caused by overflow. We demonstrate that FTS reduces both control messages quantity and RTT time by two orders of magnitude compared to current state-of-the-art OpenFlow table-miss handler.

Xuya Jia,Yong Jiang,Zehua Guo,Zhenwei Wu

DOI: https://doi.org/10.1109/lcn.2016.96

2016-01-01

Abstract:Software-Defined Networking (SDN) allows flexible and efficient management of networks. However, the limited capacity of flow tables in SDN switches hinders the deployment of SDN. In this paper, we propose a novel routing scheme to improve the efficiency of flow tables in SDNs. To efficiently use the routing scheme, we formulate an optimization problem with the objective to maximize the number of flows in the network, constrained by the limited flow table space in SDN switches. The problem is NP-hard, and we propose the K Similar Greedy Tree (KSGT) algorithm to solve it. We evaluate the performance of KSGT against "traditional" SDN solutions with real-world topologies and traffic. The results show that, compared to the existing solutions, KSGT can reduce about 60% of flow entries when processing the same amount of flows, and improve about 25% of the successful installation and forwarding flows under the same flow table space.

zehua guo,yang xu,marco cello,junjie zhang,zicheng wang,mingjian liu,h jonathan chao

DOI: https://doi.org/10.1016/j.comnet.2015.09.030

IF: 5.493

2015-01-01

Computer Networks

Abstract:The forwarding scheme in Software-Defined Networking (SDN) is usually coupled with flow table management. To reduce the redundancy in the flow tables of OpenFlow switches, some recent studies propose forwarding flows using stacked MPLS labels, in which each label in the stack indicates the forwarding decision at one hop of the forwarding route. However, using multiple MPLS labels in each packet introduces significant transmission overhead, especially in networks with large diameters.

Jiahao Cao,Mingwei Xu,Li Q.,Kun Sun,Yuan Yang,Jing Zheng

DOI: https://doi.org/10.1007/978-3-319-78813-5_18

2017-01-01

Abstract:The emerging Software-Defined Networking (SDN) is being adopted by data centers and cloud service providers to enable flexible control. Meanwhile, the current SDN design brings new vulnerabilities. In this paper, we explore a stealthy data plane based attack that uses a minimum rate of attack packet to disrupt SDN. To achieve this, we propose the LOFT attack that computes the lower bound of attack rate to overflow flow tables based on the inferred network configurations. Particularly, each attack packet always triggers or maintains consumption of one flow rule. LOFT can ensure the attack effect with various network configurations while reducing the possibility of being captured. We demonstrate its feasibility and effectiveness in a real SDN testbed consisting of commercial hardware switches. The experiment results show that LOFT can incur significant network performance degradation and potential network DoS at an attack rate of only tens of Kbps.

Zehua Guo,Yang Xu,Ruoyan Liu,Andrey Gushchin,Kuan-yin Chen,Anwar Walid,H. Jonathan Chao

DOI: https://doi.org/10.1016/j.future.2018.06.011

2018-01-01

Abstract:Software-Defined Networking (SDN) employs a centralized control with a global network view and provides great opportunities to improve network performance. However, due to the limitation of flow-table space at the switches and unbalanced traffic allocation on links, an SDN may suffer from flow-table overflow and inefficient bandwidth allocation among flows, increasing the controller’s burden and degrading network performance. In this paper, we present a dynamic routing scheme named DIFF that differentiates flows based on their impact on network resource and adaptively selects routing paths for them to mitigate the problems of flow-table overflow and inefficient bandwidth allocation. DIFF pre-generates a set of paths for each pair of source–destination edge switches and intelligently selects the paths from the pre-generated path-sets for new flows with an objective to balance flow-table utilizations. It adaptively reroutes some elephant flows to achieve maximum throughput under the rule of max–min fair bandwidth allocation. Simulation results show that DIFF simultaneously balances the flow-table and link utilizations, reduces the controller’s workload and packet delay, while increasing network throughput, compared with baseline schemes.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1109/infocom.2018.8486230

2018-01-01

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. FlowCloak imposes only a 0.3 ms packet processing delay on middleboxes and no obvious delay on the egress switch.