Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Heyu Wang,Yixuan Li

DOI: https://doi.org/10.1109/access.2024.3375395

IF: 3.9

2024-03-19

IEEE Access

Abstract:Software Defined network (SDN), as a new network architecture, is the direction of future network development. By decoupling the control plane and data plane of the network, the control and management of network resources can be improved. However, SDN centralized controllers become the target of malicious attacks, prone to the risk of single point of failure, of which DDoS attacks are the main attack behavior. Through extensive literature investigation, this paper systematically reviews the latest progress of DDoS attack detection in SDN environment. Firstly, the SDN architecture and corresponding DDoS attacks are described, and the commonly used data sets and evaluation indicators are summarized. Secondly, the data preprocessing technology is summarized, and the data dimensionality reduction technology is introduced in detail. Then, at the level of detection technology, it focuses on the advantages and disadvantages of detection algorithms based on statistical analysis, machine learning and deep learning. Finally, the challenges of current research are analyzed, and the future development direction is forecasted. In order to provide reference for future research and development, at the same time, it is of great significance to improve the safety of SDN products in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yinghao Su,Dapeng Xiong,Kechang Qian,Yu Wang

DOI: https://doi.org/10.3390/electronics13040807

IF: 2.9

2024-02-20

Electronics

Abstract:The widespread adoption of software-defined networking (SDN) technology has brought revolutionary changes to network control and management. Compared to traditional networks, SDN enhances security by separating the control plane from the data plane and replacing the traditional network architecture with a more flexible one. However, due to its inherent architectural flaws, SDN still faces new security threats. This paper expounds on the architecture and security of SDN, analyzes the vulnerabilities of SDN architecture, and introduces common distributed denial of service (DDoS) attacks within the SDN architecture. This article also provides a review of the relevant literature on DDoS attack detection and mitigation in the current SDN environment based on the technologies used, including statistical analysis, machine learning, policy-based, and moving target defense techniques. The advantages and disadvantages of these technologies, in terms of deployment difficulty, accuracy, and other factors, are analyzed. Finally, this study summarizes the SDN experimental environment and DDoS attack traffic generators and datasets of the reviewed literature and the limitations of current defense methods and suggests potential future research directions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Lei Guo,Shan Jing,Chuan Zhao

DOI: https://doi.org/10.1007/978-3-031-20099-1_4

2022-01-01

Abstract:Software Defined Network (SDN) has been developed and applied gradually in recent years. SDN decouples the data plane from the control plane to implement centralized control, improving network operation efficiency and simplifying network management. However, SDN is vulnerable to Distributed Denial of Service (DDoS) attacks, especially on the control plane, which affects the whole network. In this paper, DDoS attack detection and defense under SDN are comprehensively reviewed, mainly classified according to different detection methods. On this basis, different methods are analyzed and compared in detail, which involves the advantages and disadvantages of different methods, application scenarios and specific DDoS attack types targeted by the methods. After analyzing and comparing different kinds of methods, this paper also points out the current difficulties in the field of DDoS detection and defense under the SDN architecture, and provides ideas for future research.

XU Xiaoqiong,YU Hongfang,YANG Kun

DOI: https://doi.org/10.3969/j.issn.1673-5188.2017.03.003

2019-01-01

Abstract:Distributed Denial of Service（DDoS） attacks have been one of the most destructive threats to Internet security. By decoupling the network control and data plane, software defined networking（SDN） offers a flexible network management paradigm to solve DDoS attack in traditional networks. However, the centralized nature of SDN is also a potential vulnerability for DDo S attack. In this paper, we first provide some SDN-supported mechanisms against DDoS attack in traditional networks. A systematic review of various SDN-self DDo S threats are then presented as well as the existing literatures on quickly DDoS detection and defense in SDN. Finally, some promising research directions in this field are introduced.

Shibo Luo,Jun Wu,Jianhua Li,Bei Pei

DOI: https://doi.org/10.1109/FCST.2015.11

2015-01-01

Abstract:Distributed Denial of Service (DDoS) attack is a major threat to Internet based killer applications, such as independent news web sites, e-business and online games. Detecting and blocking such clever attacks has become difficult. Software-Defined Networks (SDN) has emerged as a future communication network architecture which decouples network control and forwarding. It has some particular features such as central control and programmability to combat against DDoS attack. In this paper, we survey DDoS attacks and existing defense mechanisms, and draw a conclusion of the needs of defense mechanism for successful combating against DDoS. Then, we analyze the particular features of SDN and conclude it is conducive to countermeasure DDoS attack. According the analysis, we construct a defense mechanism for DDoS in SDN. At last, we illustrate how this mechanism could combat against DDoS attacks through a working example.

Weidong Zhu,Xiujuan Yi

DOI: https://doi.org/10.2991/msmi-17.2017.33

2017-01-01

Abstract:Software definition network (SDN) is a new network architecture, which can realize centralized control of the network by separating the control plane and the data plane. With the introduction of the control plane as a manager of the network, a single point of failure is introduced too. When the network device cannot get access to the SDN controller, the entire network will breakdown. The controller is vulnerable to distributed denial of service (DDOS) attacks, resulting in resource exhaustion, so that the switch cannot get the services of controller. In this paper, different DDOS attack methods are classified according to the different levels of attack and detection positions, and the methods are analyzed and compared. Finally, the problems of DDOS attack detection in SDN are discussed and the potentials for further research are presented.

Pengfei Zhai,Yanbo Song,Xiaoming Zhu,Lihui Cao,Jiaming Zhang,Chungang Yang

DOI: https://doi.org/10.1109/iccc49849.2020.9238872

2020-01-01

Abstract:Software Defined Network (SDN) is a new type of network architecture solution, and its innovation lies in decoupling traditional network system into a control plane, a data plane, and an application plane. It logically implements centralized control and management of the network,and SDN is considered to represent the development trend of the network in the future. However, SDN still faces many security challenges. Currently, the number of insecure devices is huge. Distributed Denial of Service (DDoS) attacks are one of the major network security threats.This paper focuses on the detection and mitigation of DDoS attacks in SDN. Firstly, we explore a solution to detect DDoS using Renyi entropy, and we use exponentially weighted moving average algorithm to set a dynamic threshold to adapt to changes of the network. Second, to mitigate this threat,we analyze the historical behavior of each source IP address and score it to determine the malicious source IP address,and use OpenFlow protocol to block attack source.The experimental results show that the scheme studied in this paper can effectively detect and mitigate DDoS attacks.

Ankit Kumar Jain,Hariom Shukla,Diksha Goel

DOI: https://doi.org/10.1007/s10586-024-04596-z

2024-06-23

Cluster Computing

Abstract:Software Defined Networking (SDN) has become increasingly prevalent in cloud computing, Internet of Things (IoT), and various environments to optimize network efficiency. While it provides a flexible network infrastructure, it also faces security threats, particularly from Distributed Denial of Service (DDoS) attacks due to its centralized design. This survey comprehensively reviews the efforts of various researchers in safeguarding SDN against DDoS attacks and analyzes different detection and mitigation strategies employed in SDN environments. Furthermore, the survey explores various types of DDoS attacks that can occur across different planes and communication links in SDN. Additionally, emerging security measures for preventing DDoS attacks in SDN are examined. The survey also reviews the datasets, tools, and simulators used for detecting DDoS attacks in SDN. Moreover, the survey identifies various open challenges in detecting and mitigating DDoS attacks in SDN and outlines potential future research directions. Lastly, the survey provides a comprehensive comparative analysis of various DDoS detection techniques based on various essential parameters.

computer science, information systems, theory & methods

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Yajie Jiang,Xiaoning Zhang,Quan Zhou,Zijing Cheng

DOI: https://doi.org/10.1007/978-3-319-66625-9_17

2017-01-01

Abstract:The issue on defensing against Distributed Denial of Service (DDoS) attacks in Software Defined Networks (SDN) has been highly concerned by academe and industry. The existing studies cannot eliminate the false positives by using the simple classification algorithms. In this paper, we analyze the essential difference between DDoS attacks and flash crowds which causes some similar consequences to DDoS. Accordingly we design a novel effective Entropy-based DDoS Defense Mechanism (EDDM) running on the SDN controller, which including a two-stage DDoS detection method. Compared with the existing works, the EDDM avoids the dropping of legitimate packets and minimizes the losses of legitimate users. Simulations demonstrate that the EDDM can distinguish the DDoS attacks from flash crowds, find the locations of bots, and block attack packets at source effectively.

Di Wu,Jie Li,Sajal K. Das,Jinsong Wu,Yusheng Ji,Zhetao Li

DOI: https://doi.org/10.1109/icc.2018.8422448

2018-01-01

Abstract:Software-Defined networking (SDN), as a new paradigm, fixes the shortage that traditional network does not support the dynamic, scalable computing and storage needs of more computing environments. SDN, however, also faces security problems such as vulnerable to DDoS attacks. DDoS attacks are well-known and powerful attacks. DDoS detection and DDoS traffic separation for SDN environments are still an open research issue. DDoS attacks in SDN environments will not only bring damage to target server, but also takes exact impact on SDN system. In this paper, we identify a new type DDoS attack, specifically aiming SDN environment, which is harder to be detected. We propose a novel real-time DDoS detection scheme for SDN environment, by using Principal Component Analysis (PCA) scheme to analyze the network status on traffic packets data. We separate the network into different parts, to reduce the total calculation burden. We compare our scheme with sample entropy, showed our scheme achieves better detecting ability for DDoS attacks.

Quamar Niyaz,Weiqing Sun,Ahmad Y Javaid

DOI: https://doi.org/10.4108/eai.28-12-2017.153515

2016-11-23

Abstract:Distributed Denial of Service (DDoS) is one of the most prevalent attacks that an organizational network infrastructure comes across nowadays. We propose a deep learning based multi-vector DDoS detection system in a software-defined network (SDN) environment. SDN provides flexibility to program network devices for different objectives and eliminates the need for third-party vendor-specific hardware. We implement our system as a network application on top of an SDN controller. We use deep learning for feature reduction of a large set of features derived from network traffic headers. We evaluate our system based on different performance metrics by applying it on traffic traces collected from different scenarios. We observe high accuracy with a low false-positive for attack detection in our proposed system.

Networking and Internet Architecture

Jie Cui,Mingjun Wang,Yonglong Luo,Hong Zhong

DOI: https://doi.org/10.1016/j.future.2019.02.037

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:Software-defined networking (SDN) provides a promising architecture for future networks, and can provide advantages as central control programmability and global view. However, it faces numerous security challenges. Distributed denial of service (DDoS) is a security threat to SDN. Most existing schemes only perform DDoS attack detection and do not address how to defend and recover after detecting DDoS. In this paper, a DDoS attack detection and defense mechanism based on cognitive-inspired computing with dual address entropy is proposed. The flow table characteristics of the switch are extracted, and a DDoS attack model is built by incorporating the support vector machine classification algorithm. This mechanism can realize real-time detection and defense at the preliminary stage of the DDoS attack and can restore normal communication in time. The experiment shows that our mechanism not only detects attacks quickly but also has a high detection rate and low false positive rate. More importantly, it can take appropriate defense and recovery measures in the time after the attack has been identified.

Rudong Zhao,Songjie Wei,Milin Ren

DOI: https://doi.org/10.1109/ctceec.2017.8455172

2017-01-01

Abstract:This paper proposes a Distributed Denial of Service (DDoS) attack detection and defense system based on Software Defined Networks (SDN) architecture. The system is composed of a monitoring module, a detection module and a reaction module. The monitoring module is designed to raise alerts by analyzing Packet_In messages. It detects and reports anomalies to the detection module for further evaluation, which overcomes the disadvantages of slow response and large overhead of periodic trigger detection. The reaction module can trace back attack traffic flows to quickly and accurately identify malicious hosts. The use of a SDN controller brings in a global view of the network topology in the monitoring and detection procedures for the access layer switch and reduces the processing range. This paper extends the OpenFlow protocol so that a flow entry can record and track the flow path information, which improves the efficiency and accuracy of attack traffic traceability. Simulation experiments show that the proposed scheme has a relatively faster response to DDoS attack with less processing pressure imposed on the controller.

Jie Cui,Jing Zhang,Jiantao He,Hong Zhong,Yao Lu

DOI: https://doi.org/10.1109/ucc48980.2020.00062

2020-01-01

Abstract:Software-defined networks (SDNs) are key parts of the next generation networks owing to their high programmability and agility that traditional networks lack. However, the SDN controller is vulnerable to Distributed Denial-of-Service (DDoS) attacks. Once the SDN controller was unavailable due to the DDoS attack, all real-time services will be down immediately. Since the advantage of SDN is to process massive network data much faster, we need a real-time detecting algorithm to reduce the impact caused by the attack. To ensure the security of both the users and the SDN, we proposed a detection and defense mechanism against DDoS attacks in Software-defined networking (SDN) environments. The implementation of detection was based on the unbalance in the traffic distribution. The traffic unbalance can be detected by a clustering algorithm such as the K-Means algorithm. Furthermore, we used a Packet IN message register to filter malicious packets and experimentally evaluated the performance of our scheme in terms of detection accuracy, defense effect, communication delay, and packet loss rate. The results show that our detection method is adaptable to defend against attacks of different scales and types and ensures the least possible decline in the quality of services.

Ma Zhao-hui,Zhao Gan-sen,Li Wei-wen,Mo Ze-feng,Wang Xin-ming,Chen Bing-chuan,Lin Cheng-chuang

DOI: https://doi.org/10.1109/iccbb.2018.8756439

2018-01-01

Abstract:Software Defined Network (SDN) is a new network construction. But due to its construction, SDN is vulnerable to be attacked by Distributed Denial of Service (DDoS) attack. So it is important to detect DDoS attack in SDN network. This paper presents a DDoS detection scheme based on k-means algorithm in SDN environment. The establishment of this scheme is based on the two hypotheses that the daily network works normally most of the time, and there is a significant difference between the data characteristics of normal situation and abnormal situation. At the same time, these two hypotheses are also true to the daily network condition. After demonstrating the validity of k-means clustering algorithm, the paper proposes 5 flow table features that can be used to detect DDoS attacks. Finally, the DDoS detection scheme was tested by simulation experiment. The test results showed that the method proposed by the author could effectively detect DDoS, with an average success rate of 97.78%.

Tianfang Yu,Lanlan Rui,Xuesong Qiu

DOI: https://doi.org/10.1155/2021/5097267

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:In traditional networks, DDoS attacks are often launched in the network layer or the transport layer. Researchers had explored this problem in depth and put forward plenty of solutions. However, these solutions are only suitable for scenarios such as a single link or victim side network and could not analyse traffic distribution from the angle of the global network. Also, the TCP/IP network architecture lacks abilities to quickly conduct resource deployment and traffic scheduling. When DDoS attacks occur, victims usually could not respond in time. With the superiorities of centralized control mode and global topological view, Software-Defined Networking (SDN) provides a new way to get over the above issues. In this paper, we adopt a combination of diverse technologies to design SDNDefender, a SDN-based DDoS detection and defense mechanism, which is composed of two core components aiming to counter the most popular DDoS attacks including IP spoofing attack and TCP SYN flood attack. We carry out quantitative simulation experiments for evaluating SDNDefender from many metrics. The experimental results show that in contrast to other DDoS defense algorithms, SDNDefender not only efficiently validates spoofed packets and withstands well-known attacks but also defends unknown attacks according to the target’s available resources. Besides, SDNDefender could significantly reduce TCP half-open connections and improve detection accuracy, alleviating attack influences that exhaust the server’s resources and network bandwidth.

Dingwen Hu,Peilin Hong,Yixin Chen

DOI: https://doi.org/10.1109/glocom.2017.8254023

2017-01-01

Abstract:Distributed Denial-of-Service (DDoS) flooding attack is one of the most serious threats to network security. Software-Defined Networking (SDN) has recently emerged as a new network management platform, and its centralized control architecture brings many new opportunities for defending against network attacks. In this paper, we propose FADM, an efficient and lightweight framework to detect and mitigate DDoS attacks in SDN. Firstly, the network traffic information is collected through the SDN controller and sFlow agents. Then an entropy-based method is used to measure network features, and the SVM classifier is applied to identify network anomalies. By adopting these methods together, the timeliness and accuracy of attack detection are effectively improved. To keep the major network functionality working, we propose an efficient attack mitigation mechanism based on the white-list and traffic migration. By introducing the mitigation agent to the network, attack traffic can be timely blocked while benign traffic can be forwarded as usual, which prevents the controller resources from being exhausted and ensures that legitimate users can access the network normally. The experimental results show that multiple DDoS attacks can be accurately detected and effectively mitigated by FADM, which enables the network to recover in a short time.