
Control Plane Packet-In Arrival Rate Analysis for Denial-of-Service Saturation Attacks Detection and Mitigation in Software-Defined Networks

  • Research Article - Computer Engineering and Computer Science
  • Arabian Journal for Science and Engineering

Abstract

Software-defined networking (SDN) is an emerging network architecture in which a programmable control plane is decoupled from the forwarding plane. Greater control of the network through programming, abstraction of the complexity of the underlying physical infrastructure, and the emergence of new applications are some of the benefits of SDN. Unfortunately, centralized control raises new security concerns that have become a research topic in both academia and industry. An attacker can exploit the extensive communication required between the control and data planes to launch a network-wide denial-of-service attack known as the data-to-control plane saturation attack, which can have a devastating effect on a large part of the network. This paper introduces a new method for detecting data-to-control plane saturation attacks that is based on dynamically estimating and monitoring the rate of Packet-In messages arriving at the controller. The detection method uses an adaptive threshold that varies with the rate of received Packet-In messages. By design, the detection technique also identifies the protocol exploited to launch the attack. We use this feature to present a simple, protocol-independent mitigation method that targets only the attack traffic belonging to the identified protocol. Being protocol independent, the proposed method can also protect against flooding attacks that use self-defined protocols, which the emerging SDN technology has recently made possible. Mitigation relies only on the available OpenFlow commands, without any change to the OpenFlow protocol. The results of experiments conducted under different scenarios show that the presented method effectively protects against the control plane saturation attack, with an average detection time of approximately 0.1 s, which is comparable to the state of the art under a similar experimental setup. In addition, the method imposes almost no (≈0%) overhead on legitimate traffic once the attack is mitigated.
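The detection and mitigation loop sketched in the abstract, as an added Python example that is not the paper's code: Packet-In events are bucketed into fixed windows, the per-window arrival rate is tracked with an online mean/variance estimate so the alarm threshold adapts to the observed baseline, the dominant protocol in an offending window is attributed, and a drop rule built from standard OpenFlow match fields is produced for it. The window length, the threshold formula (mean plus three standard deviations, with a relative margin and an absolute floor), the warm-up count, the dict form of the flow-mod and the trace are all assumptions of the example; the paper's actual estimator and parameters are not given on this page.

```python
import math
from collections import Counter

WINDOW_US = 100_000   # measurement window in microseconds (assumed 0.1 s)
K_SIGMA = 3.0         # alarm at mean + K_SIGMA * std of the window rate (assumption)
MARGIN = 0.5          # but never below mean * (1 + MARGIN) (assumption)
MIN_RATE = 50.0       # absolute floor in Packet-In/s for quiet networks (assumption)
WARMUP = 5            # windows observed before any alarm is raised (assumption)


class RateEstimator:
    """Welford's online mean/variance of the per-window Packet-In rate:
    O(1) per update and no history to keep on the controller."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    @property
    def threshold(self):
        """Adaptive threshold: scales with the observed baseline but keeps a
        margin so a flat baseline (std == 0) does not alarm on every blip."""
        return max(self.mean + K_SIGMA * self.std,
                   self.mean * (1 + MARGIN), MIN_RATE)


def drop_rule(proto):
    """Drop flow entry for the identified protocol using only standard
    OpenFlow match fields (the dict stands in for the controller's flow-mod
    message). proto is (eth_type, ip_proto or None), e.g. (0x0800, 17) for
    UDP over IPv4, (0x88B5, None) for a self-defined Ethernet protocol."""
    eth_type, ip_proto = proto
    match = {"eth_type": eth_type}
    if ip_proto is not None:
        match["ip_proto"] = ip_proto
    # An empty action list drops the packet in the switch, so it never
    # becomes a Packet-In; idle_timeout ages the rule out once the flood
    # stops, so legitimate traffic of that protocol is not blocked for good.
    return {"priority": 60000, "match": match, "actions": [],
            "idle_timeout": 30}


def detect(events):
    """events: iterable of (timestamp_us, proto), one per Packet-In.
    Returns alerts as (window_index, rate_per_s, proto, flow_mod)."""
    events = sorted(events, key=lambda e: e[0])
    est, alerts = RateEstimator(), []
    if not events:
        return alerts
    t0 = events[0][0]

    def close_window(idx, counts):
        rate = sum(counts.values()) * (1_000_000 / WINDOW_US)
        if est.n >= WARMUP and rate > est.threshold:
            proto, _ = counts.most_common(1)[0]   # dominant protocol
            alerts.append((idx, rate, proto, drop_rule(proto)))
            return          # an attack window must not move the baseline
        est.update(rate)

    win_idx, counts = 0, Counter()
    for ts, proto in events:
        idx = (ts - t0) // WINDOW_US
        while win_idx < idx:                      # close elapsed windows
            close_window(win_idx, counts)
            win_idx, counts = win_idx + 1, Counter()
        counts[proto] += 1
    close_window(win_idx, counts)
    return alerts


def sample_trace():
    """Constructed trace, not captured data: ten windows of mixed
    background Packet-Ins, then three windows with a UDP flood on top."""
    TCP, UDP, ARP = (0x0800, 6), (0x0800, 17), (0x0806, None)
    background = [TCP, UDP, ARP, TCP]
    events = []
    for w, n in enumerate([18, 22, 20, 19, 21, 20, 18, 22, 21, 19]):
        events += [(w * WINDOW_US + i * WINDOW_US // n, background[i % 4])
                   for i in range(n)]
    for w in range(10, 13):
        events += [(w * WINDOW_US + i * WINDOW_US // 20, background[i % 4])
                   for i in range(20)]
        events += [(w * WINDOW_US + i * WINDOW_US // 300, UDP)
                   for i in range(300)]
    return events


if __name__ == "__main__":
    for idx, rate, proto, rule in detect(sample_trace()):
        print(f"window {idx}: {rate:.0f} Packet-In/s, proto={proto}, rule={rule}")
```

Two choices matter in practice. Windows that trip the alarm are excluded from the baseline update, otherwise a sustained flood gradually raises the threshold until it stops alarming; and the drop rule carries an idle timeout so that, once the flood subsides, traffic of the blocked protocol recovers without operator action. Attribution by the single most frequent protocol is the example's simplification: a flood spread evenly across several protocols would be detected by the rate check but would need a rule per offending protocol.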





Author information

Corresponding author

Correspondence to Fakhry Khellah.


About this article


Cite this article

Khellah, F. Control Plane Packet-In Arrival Rate Analysis for Denial-of-Service Saturation Attacks Detection and Mitigation in Software-Defined Networks. Arab J Sci Eng 44, 9349–9362 (2019). https://doi.org/10.1007/s13369-019-04059-3



  • DOI: https://doi.org/10.1007/s13369-019-04059-3
