Abstract
Software-defined networking (SDN) is an emerging network architecture in which a programmable network control plane is decoupled from the forwarding plane. Greater control of a network through programming, abstraction of the complexity of the underlying physical infrastructure, and the emergence of new applications are some of the benefits of SDN. Unfortunately, the idea of centralized control raises new security concerns that have become a research topic in both academia and industry. An attacker can exploit the extensive communication required between the control and data planes to launch a network-wide type of denial-of-service attack, known as the data-to-control plane saturation attack. Such an attack can have a devastating effect on a large part of the network. This paper introduces a new method for detecting data-to-control plane saturation attacks that is based on dynamically estimating and monitoring the rate of Packet-In messages arriving at the controller. The proposed detection method uses an adaptive threshold that varies with the rate of the received Packet-In messages. By design, the detection technique allows discovering the protocol exploited to launch the attack. We utilize this feature to present a simple attack mitigation method that is protocol independent and targets attacking traffic that belongs to the identified attacking protocol. Moreover, being protocol independent, the proposed method can protect against flooding attacks based on self-defined protocols, recently made possible by the emerging SDN technology. Attack mitigation utilizes only the available OpenFlow commands, without any change to the OpenFlow protocol. The results of experiments conducted under different scenarios show that the presented method is capable of effectively protecting against the control plane saturation attack with an average detection time of \(\approx 0.1\) s, which is comparable to the state of the art with a similar experimental setup. In addition, the method imposes almost 0% overhead on legitimate traffic once the attack is mitigated.
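The abstract describes the detection idea (an adaptive threshold on the Packet-In arrival rate, with the offending protocol identified from the Packet-Ins that caused the alarm) but not its exact formulas. The following is an added, self-contained Python illustration written for this page; it is not the paper's code. It assumes a fixed 100 ms measurement window, a threshold equal to the running mean plus three standard deviations of the rates observed while no alarm is active (Welford's online update), and a constructed trace of benign windows followed by a UDP-based Packet-In flood. The `drop_rule_for` helper only builds a plain-dict description of an OpenFlow 1.0 style drop match for the identified protocol; the real FlowMod object is controller-specific.

```python
"""Adaptive-threshold Packet-In saturation detector (illustrative; assumptions noted inline)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from math import sqrt

WINDOW_S = 0.1          # measurement window length in seconds (assumed)
K_SIGMA = 3.0           # threshold = mean + K_SIGMA * std (assumed)
MIN_RATE_FLOOR = 50.0   # pkt/s below which no alarm can fire (assumed)
WARMUP_WINDOWS = 5      # windows observed before alarms are enabled (assumed)


@dataclass
class RunningStats:
    """Welford's online mean/variance over per-window Packet-In rates."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self) -> float:
        return sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    @property
    def threshold(self) -> float:
        # Adaptive threshold: tracks the benign Packet-In rate seen so far.
        return max(MIN_RATE_FLOOR, self.mean + K_SIGMA * self.std)


@dataclass
class SaturationDetector:
    stats: RunningStats = field(default_factory=RunningStats)
    alarms: list = field(default_factory=list)  # (window_idx, rate, threshold, protocol)

    def process_window(self, idx: int, packet_ins: list[tuple[float, str]]) -> None:
        """packet_ins: (timestamp, protocol) for every Packet-In received in this window."""
        rate = len(packet_ins) / WINDOW_S
        if self.stats.n >= WARMUP_WINDOWS and rate > self.stats.threshold:
            # Attribute the burst to the protocol with the largest share of Packet-Ins.
            proto, _ = Counter(p for _, p in packet_ins).most_common(1)[0]
            self.alarms.append((idx, rate, self.stats.threshold, proto))
            return  # attack windows must not raise the baseline
        self.stats.update(rate)


def synthetic_trace() -> list[list[tuple[float, str]]]:
    """Constructed sample: 8 benign windows (180-200 pkt/s), then 2 windows with a UDP flood."""
    protos = ["tcp", "udp", "icmp"]
    windows = []
    for w in range(8):
        n = 18 + (w % 3)
        windows.append([(w * WINDOW_S + i * 0.005, protos[i % 3]) for i in range(n)])
    for w in range(8, 10):
        benign = [(w * WINDOW_S + i * 0.005, protos[i % 3]) for i in range(19)]
        flood = [(w * WINDOW_S + i * 0.0002, "udp") for i in range(400)]
        windows.append(benign + flood)
    return windows


def run_detector(trace: list[list[tuple[float, str]]]) -> SaturationDetector:
    det = SaturationDetector()
    for idx, win in enumerate(trace):
        det.process_window(idx, win)
    return det


def drop_rule_for(protocol: str, priority: int = 1000, hard_timeout: int = 30) -> dict:
    """Protocol-independent mitigation expressed as an OpenFlow 1.0 style match (constructed
    plain dict, not a controller API). An empty action list means the switch drops the packet
    instead of sending a Packet-In, which is what relieves the controller."""
    templates = {
        "tcp": {"dl_type": 0x0800, "nw_proto": 6},
        "udp": {"dl_type": 0x0800, "nw_proto": 17},
        "icmp": {"dl_type": 0x0800, "nw_proto": 1},
        "arp": {"dl_type": 0x0806},
    }
    if protocol not in templates:
        raise ValueError(f"no match template for protocol {protocol!r}")
    return {"match": templates[protocol], "actions": [],
            "priority": priority, "hard_timeout": hard_timeout}


if __name__ == "__main__":
    detector = run_detector(synthetic_trace())
    for idx, rate, thr, proto in detector.alarms:
        print(f"window {idx}: {rate:.0f} pkt/s > threshold {thr:.1f}, protocol {proto}")
        print("  mitigation:", drop_rule_for(proto))
```

Two design points matter for a deployment: alarm windows are excluded from the baseline update so the flood cannot inflate its own threshold, and the drop rule carries a hard timeout so mitigation expires on its own once the attack stops, leaving no permanent rule against legitimate traffic of that protocol.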
Cite this article
Khellah, F. Control Plane Packet-In Arrival Rate Analysis for Denial-of-Service Saturation Attacks Detection and Mitigation in Software-Defined Networks. Arab J Sci Eng 44, 9349–9362 (2019). https://doi.org/10.1007/s13369-019-04059-3