Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Yuwen Xiong,Cong Wang,Chuang Chen,Jiawen Xu,Maode Ma,Tong Zhou

DOI: https://doi.org/10.1007/978-981-97-5609-4_42

2024-01-01

Abstract:Cache Poisoning Attack is a major threat in NDN, impacting network performance. Current solutions are costly and don't fully address router single point failures or repeated router evaluations with producer mobility. To tackle these, we introduce CPA-BT, a Blockchain-based Trust Model. It integrates blockchain, enabling edge routers connected to data producers to operate under a consensus mechanism, treating their evaluation as blockchain transactions. With 2/3 consensus, a leader edge router records the transactions, addressing the mentioned challenges. Simulations show CPA-BT effectively isolates malicious and faulty producers, reducing cache poisoning risks and outperforming other trust models in task failure rate reduction.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Zheng,Xu Mingwei,Li Qi,Zhang Yun

DOI: https://doi.org/10.7544/issn1000-1239.2018.20160740

2018-01-01

Journal of Computer Research and Development

Abstract:Software-defined networking (SDN) is a new network paradigm.Unlike the conventional network,SDN separates the control plane from the data plane.The function of the data plane is enabled in switches while only the controller provides the functions of the control plane.The controller learns topologies of the whole networks and makes the traffic forwarding decisions.However,recent studies show that there exist some serious vulnerabilities in topology management services of the current SDN controller designs,which mainly exists in host tracking service and link discovery service.Attackers can exploit these vulnerabilities to poison the network topology information in the SDN controllers.What's more,attackers can even make the whole network down.Fortunately,researchers have paid some attention to this serious problem and proposed their defense solution.However,the existing countermeasures can be easily evaded by the attackers.In this paper,we propose an effective approach called SecTopo,to defend against the network topology poisoning attacks.Our evaluation on SecTopo in the Floodlight controller shows that the defense solution can effectively secure network topology with a minor impact on normal operations of OpenFlow controllers.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Xin Wang,Neng Gao,Lingchen Zhang,Zongbin Liu,Lei Wang

DOI: https://doi.org/10.1007/978-3-319-50011-9_35

2016-01-01

Abstract:Software-Defined Networking (SDN) is a new paradigm that offers services and applications great power to manage network. Based on the consideration that the entire network visibility is the foundation of SDN, many attacks emerge in poisoning the network visibility, which lead to severe damage. Meanwhile, many defense approaches are proposed to patch the controller. It is noticed that powerful adversaries can bypass existing approaches to poison topology information and attack security protocols. In this paper, we present a method that the adversary can attack security protocols under existing approaches (e.g. TopoGuard, SPHINX). We also investigate a number of security protocols that may be compromised by our MITM attacks and propose an approach to detect the existence of the adversary. Our evaluation shows that the defense solution can effectively detect the fake link in normal environment. We hope our research can attract more attention on SDN security.

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3390/e25081210

IF: 2.738

2023-08-15

Entropy

Abstract:Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system's timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

physics, multidisciplinary

Kuan-yin Chen,Anudeep Reddy Junuthula,Ishant Kumar Siddhrau,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/cns.2016.7860467

2016-01-01

Abstract:While the software-defined networking (SDN) paradigm is gaining much popularity, current SDN infrastructure has potential bottlenecks in the control plane, hindering the network's capability of handling on-demand, fine-grained flow level visibility and controllability. Adversaries can exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks against the SDN infrastructure. Recently proposed solutions either scale up the SDN control plane or filter out forged traffic, but not both. We propose SDNShield, a combined solution towards more comprehensive defense against DDoS attacks on SDN control plane. SDNShield deploys specialized software boxes to improve the scalability of ingress SDN switches to accommodate control plane workload surges. It further incorporates a two-stage filtering scheme to protect the centralized controller. The first stage statistically distinguishes legitimate flows from forged ones, and the second stage recovers the false positives of the first stage with in-depth TCP handshake verification. Prototype tests and dataset-driven evaluation results show that SDNShield maintains higher resilience than existing solutions under varying attack intensity.

Kuan-Yin Chen,Sen Liu,Yang Xu,Ishant Kumar Siddhrau,Siyu Zhou,Zehua Guo,H. Jonathan Chao

DOI: https://doi.org/10.1109/tnet.2021.3105187

2021-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) is increasingly popular in today's information technology industry, but existing SDN control plane is insufficiently scalable to support on-demand, high-frequency flow requests. Weaknesses along SDN control paths can be exploited by malicious third parties to launch distributed denial-of-service (DDoS) attacks against the SDN control plane. Recently proposed solutions only partially solve the problem, by protecting either the SDN network edges or the centralized controller. We propose SDNShield, a solution based on emerging network function virtualization (NFV) technologies, which enforces more comprehensive defense against potential DDoS attacks on SDN control plane. SDNShield incorporates a three-stage overload control scheme. The first stage statistically identifies legitimate flows with low complexity and performance overhead. The second stage further performs in-depth TCP handshake verification to ensure good flows are eventually served. The third stage intellectually salvages the misclassified legitimate flows that are falsely dropped from the first two stages. Prototype tests and real data-driven simulation results show that SDNShield can achieve high resilience against brute-force attacks, and maintain good flow-level service quality at the same time.

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Mingming Chen,Thomas La Porta,Teryl Taylor,Frederico Araujo,Trent Jaeger

DOI: https://doi.org/10.1145/3658644.3690345

2024-10-13

Abstract:Software-defined networking (SDN) is a centralized, dynamic, and programmable network management technology that enables flexible traffic control and scalability. SDN facilitates network administration through a centralized view of the underlying physical topology; tampering with this topology view can result in catastrophic damage to network management and security. To underscore this issue, we introduce Marionette, a new topology poisoning technique that manipulates OpenFlow link discovery packet forwarding to alter topology information. Our approach exposes an overlooked yet widespread attack vector, distinguishing itself from traditional link fabrication attacks that tamper, spoof, or relay discovery packets at the data plane. Unlike localized attacks observed in existing methods, our technique introduces a globalized topology poisoning attack that leverages control privileges. Marionette implements a reinforcement learning algorithm to compute a poisoned topology target, and injects flow entries to achieve a long-lived stealthy attack. Our evaluation shows that Marionette successfully attacks five open-source controllers and nine OpenFlow-based discovery protocols. Marionette overcomes the state-of-the-art topology poisoning defenses, showcasing a new class of topology poisoning that initiates on the control plane. This security vulnerability was ethically disclosed to OpenDaylight, and CVE-2024-37018 has been assigned.

Cryptography and Security,Networking and Internet Architecture

Jiahao Cao,Renjie Xie,Kun Sun,Qi Li,Guofei Gu,Mingwei Xu

DOI: https://doi.org/10.14722/ndss.2020.23040

2020-01-01

Abstract:Software-Defined Networking (SDN) greatly meets the need in industry for programmable, agile, and dynamic networks by deploying diversified SDN applications on a centralized controller. However, SDN application ecosystem inevitably introduces new security threats since compromised or malicious applications can significantly disrupt network operations. Thus, a number of effective security enhancement systems have been developed to defend against potential attacks from SDN applications. In this paper, we identify a new vulnerability on flow rule installation in SDN, namely, buffered packet hijacking, which can be exploited by malicious applications to launch effective attacks bypassing all existing defense systems. The root cause of this vulnerability lies in that SDN systems do not check the inconsistency between buffer IDs and match fields when an application attempts to install flow rules. Thus, a malicious application can manipulate buffer IDs to hijack buffered packets even though they do not match any installed flow rules. We design effective attacks exploiting this vulnerability to disrupt all three SDN layers, i.e., application layer, data plane layer, and control layer. First, by modifying buffered packets and resending them to controllers, a malicious application can poison other applications. Second, by manipulating forwarding behaviors of buffered packets, a malicious application can not only disrupt TCP connections of flows but also make flows bypass network security policies. Third, by copying massive buffered packets to controllers, a malicious application can saturate the bandwidth of SDN control channels and their computing resources. We demonstrate the feasibility and effectiveness of these attacks with both theoretical analysis and experiments in a real SDN testbed. Finally, we develop a lightweight defense system that can be readily deployed in existing SDN controllers as a patch.

Jin Wang,Liping Wang

DOI: https://doi.org/10.3390/s22218287

IF: 3.9

2022-10-29

Sensors

Abstract:With the development of Software Defined Networking (SDN), its security is becoming increasingly important. Since SDN has the characteristics of centralized management and programmable, attackers can easily take advantage of the security vulnerabilities of SDN to carry out distributed denial of service (DDoS) attacks, which will cause the memory of controllers and switches to be occupied, network bandwidth and server resources to be exhausted, affecting the use of normal users. To solve this problem, this paper designs and implements an online attack detection and mitigation SDN defense system. The SDN defense system consists of two modules: anomaly detection module and mitigation module. The anomaly detection model uses a lightweight hybrid deep learning method—Convolutional Neural Network and Extreme Learning Machine (CNN-ELM) for anomaly detection of traffic. The mitigation model uses IP traceback to locate the attacker and effectively filters out abnormal traffic by sending flow rule commands from the controller. Finally, we evaluate the SDN defense system. The experimental results show that the SDN defense system can accurately identify and effectively mitigate DDoS attack flows in real-time.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Najmun Nisa,Adnan Shahid Khan,Zeeshan Ahmad,Johari Abdullah

DOI: https://doi.org/10.1002/nem.2258

2024-01-14

International Journal of Network Management

Abstract:This research article proposes a novel system called Two‐Phase Authentication for Attack Detection (TPAAD) that aims to enhance the security of software‐defined networking by mitigating denial‐of‐service attacks. The methodology utilized in our study involves the implementation of packet filtration and ML classification techniques, which are subsequently followed by the targeted restriction of malevolent network traffic. Software‐defined networking (SDN) has received considerable attention and adoption owing to its inherent advantages, such as enhanced scalability, increased adaptability, and the ability to exercise centralized control. However, the control plane of the system is vulnerable to denial‐of‐service (DoS) attacks, which are a primary focus for attackers. These attacks have the potential to result in substantial delays and packet loss. In this study, we present a novel system called Two‐Phase Authentication for Attack Detection that aims to enhance the security of SDN by mitigating DoS attacks. The methodology utilized in our study involves the implementation of packet filtration and machine learning classification techniques, which are subsequently followed by the targeted restriction of malevolent network traffic. Instead of completely deactivating the host, the emphasis lies on preventing harmful communication. Support vector machine and K‐nearest neighbours algorithms were utilized for efficient detection on the CICDoS 2017 dataset. The deployed model was utilized within an environment designed for the identification of threats in SDN. Based on the observations of the banned queue, our system allows a host to reconnect when it is no longer contributing to malicious traffic. The experiments were run on a VMware Ubuntu, and an SDN environment was created using Mininet and the RYU controller. The results of the tests demonstrated enhanced performance in various aspects, including the reduction of false positives, the minimization of central processing unit utilization and control channel bandwidth consumption, the improvement of packet delivery ratio, and the decrease in the number of flow requests submitted to the controller. These results confirm that our Two‐Phase Authentication for Attack Detection architecture identifies and mitigates SDN DoS attacks with low overhead.

computer science, information systems,telecommunications

Abrar Alkhamisi,Iyad Katib,Seyed M. Buhari

DOI: https://doi.org/10.3390/electronics13122279

IF: 2.9

2024-06-12

Electronics

Abstract:A Multi-Controller Software-Defined Network (MC-SDN) is a revolutionary concept comprising multiple controllers and switches separated using programmable features, enhancing network availability, management, scalability, and performance. The MC-SDN is a potential choice for managing large, heterogeneous, complex industrial networks. Despite the rich operational flexibility of MC-SDN, it is imperative to protect the network deployment with proper protection against potential vulnerabilities that lead to misuse and malicious activities on the MC-SDN structure. The security holes in the MC-SDN structure significantly impact network survivability and performance efficiency. Hence, detecting MC-SDN security attacks is crucial to improving network performance. Accordingly, this work intended to design blockchain-based controller security (BCS) that exploits the advantages of immutable and distributed ledger technology among multiple controllers and securely manages the controller communications against various attacks. Thereby, it enables the controllers to maintain consistent network view and accurate flow tables among themselves and also neglects the controller failure issues. Finally, the experimental results of the proposed BCS approach demonstrated superior performance under various scenarios, such as attack detection, number of attackers, number of controllers, and number of compromised controllers, by applying different performance metrics.

engineering, electrical & electronic,computer science, information systems,physics, applied

Qian Wang,Zhifeng Zhao,Honggang Zhang

DOI: https://doi.org/10.1109/iccsn.2017.8230285

2017-01-01

Abstract:In this paper, we introduce a SDN(Software Defined Network) based DDoS(Distributed Denial of Service) Defense mechanism. Our mechanism employs SDN's flexibility to redirect packets. The traffic between clients and servers is relayed by a group of dynamic proxy node switches. After several shuffles, our mechanism can mitigate DDoS attack as well as quarantine attackers. The simulation results confirm the effectiveness of our mechanism. In order to accelerate the process of segregating, we propose a efficient algorithm replacing enumerative algorithm. Numerical results verify that the performance of efficient algorithm is closed to enumerative one.

Ihsan H. Abdulqadder,Deqing Zou,Israa T. Aziz

DOI: https://doi.org/10.1016/j.future.2022.11.008

IF: 7.307

2022-11-19

Future Generation Computer Systems

Abstract:Software-defined networking (SDN) has increased the need for security due to the participation of illegitimate packets resulting from poor processing times and inadequate resource utilizations. In recent days, wireless 5G users, e.g., Internet of Things (IoT) users, have accessed networks from great distances due to their mobility, which requires multiple handovers between communication technologies. However, the process generates illegitimate packets due to connectivity changes. This paper addresses the security issue by using a modified blockchain and handover authentication. The access points (APs) in the infrastructure plane authenticate the 5G users with a hash generation using their identities and pseudo IDs with a lightweight QUARK algorithm. If an excessive number of users are connected with the same AP, then the users' handover is performed by edge servers based on probabilities. In the data plane, OpenFlow switches perform a flow rule validation and a honeypot implementation for performing the packet validation. Classification of packets into normal, malicious and suspicious packets is also performed at the edge server using a capsule neural network (CapsNet). Deployment of NFV-enabled virtual switches (vSwitch) reduces switch overloading based on the load threshold. For faster validation, a directed acyclic graph (DAG) is implemented at the control plane to store the hashed credentials of the users for authentication and the hashed flow rules for flow rule validation. Suspicious packet validation is performed at the control plane by the controller using the Soft Actor-Critic (SAC) algorithm, and the Honey Badger Optimization algorithm (HBO) is used to select an optimal underloaded controller for efficient load balancing. This model is developed in NS-3, and the results show that our model outperforms the existing approaches in terms of QoS metrics such as bandwidth, response time, delay and packet loss, and security metrics such as detection accuracy and authentication time.

Renjie Xie,Jiahao Cao,Qi Li,Kun Sun,Guofei Gu,Mingwei Xu,Yuan Yang

DOI: https://doi.org/10.1109/tnet.2022.3169136

2022-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-Defined Networking (SDN) enables network innovations with a centralized controller controlling the whole network through the control channel. Because the control channel delivers all network control traffic, its security and reliability are of great importance. For the first time in the literature, we propose the CrossPath attack that disrupts the SDN control channel by exploiting the shared links in paths of control traffic and data traffic. In this attack, crafted data traffic can implicitly disrupt the forwarding of control traffic in the shared links. As the data traffic does not enter the control channel, the attack is stealthy and cannot be easily perceived by the controller. In order to identify the target paths containing the shared links to attack, we develop a novel technique called adversarial path reconnaissance. Both theoretic analysis and experimental results demonstrate its feasibility and efficiency of identifying the target paths. We systematically study the impacts of the attack on various network applications in a real SDN testbed. Experiments show the attack significantly degrades the performance of existing network applications and causes serious network anomalies, e.g., routing blackhole, flow table resetting, and even network-wide DoS.

Liming Fang,Yang Li,Xinyu Yun,Zhenyu Wen,Shouling Ji,Weizhi Meng,Zehong Cao,M. Tanveer

DOI: https://doi.org/10.1109/jiot.2019.2944301

IF: 10.6

2020-01-01

IEEE Internet of Things Journal

Abstract:SDN has provided significant convenience for network providers and operators in cloud computing. Such a great advantage is extending to the Internet of Things network. However, it also increases the risk if the security of an SDN network is compromised. For example, if the network operator’s permission is illegally obtained by a hacker, he/she can control the entry of the SDN network. Therefore, an effective authentication scheme is needed to fit various application scenarios with high-security requirements. In this article, we design, implement, and evaluate a new authentication scheme called the hidden pattern (THP), which combines graphics password and digital challenge value to prevent multiple types of authentication attacks at the same time. We examined THP in the perspectives of both security and usability, with a total number of 694 participants in 63 days. Our evaluation shows that THP can provide better performance than the existing schemes in terms of security and usability.

Dongbin Wang,Yu Zhao,Hui Zhi,Dongzhe Wu,Weihan Zhuo,Yueming Lu,Xu Zhang

DOI: https://doi.org/10.3390/s23125426

IF: 3.9

2023-06-08

Sensors

Abstract:The limited computation resource of the centralized controller and communication bandwidth between the control and data planes become the bottleneck in forwarding the packets in Software-Defined Networking (SDN). Denial of Service (DoS) attacks based on Transmission Control Protocol (TCP) can exhaust the resources of the control plane and overload the infrastructure of SDN networks. To mitigate TCP DoS attacks, DoSDefender is proposed as an efficient kernel-mode TCP DoS prevention framework in the data plane for SDN. It can prevent TCP DoS attacks from entering SDN by verifying the validity of the attempts to establish a TCP connection from the source, migrating the connection, and relaying the packets between the source and the destination in kernel space. DoSDefender conforms to the de facto standard SDN protocol, the OpenFlow policy, which requires no additional devices and no modifications in the control plane. Experimental results show that DoSDefender can effectively prevent TCP DoS attacks in low computing consumption while maintaining low connection delay and high packet forwarding throughput.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation