Abstract
Software Defined Networking (SDN)-based cloud has many advantages over traditional network infrastructure, such as improved network flexibility, programmability, and scalability. However, new security concerns, and in particular new trends in Distributed Denial of Service (DDoS) attacks, have emerged with the integration of SDN and cloud computing. The capabilities of SDN, such as software-based traffic analysis, centralized control and dynamic network reconfiguration, can significantly improve DDoS attack detection and mitigation in a cloud environment. However, SDN itself may be targeted by attackers, which raises the risk of DDoS attacks in an SDN-based cloud environment. In this context, this paper addresses DDoS attacks that are intended to harm the scalability and availability of an SDN-based cloud environment. We propose an efficient and secure SDN-based cloud architecture based on the OpenStack cloud platform, the Open Network Operating System (ONOS) controller, and Open vSwitch (OvS). To protect the proposed SDN-based cloud system, we incorporate the lightweight and convenient mitigation mechanism ‘DDoS flooding attack mitigation in Software Defined Networks’ into a reconfigurable data path. Our proposal leverages switch programmability, distributed packet processing, and centralized SDN control to offer a secure and resilient SDN-based cloud system that can resist DDoS flooding attacks.
© 2021 Springer Nature Switzerland AG
Mahrach, S., Haqiq, A. (2021). DDoS Attack and Defense in SDN-Based Cloud. In: Elbiaze, H., Sabir, E., Falcone, F., Sadik, M., Lasaulce, S., Ben Othman, J. (eds) Ubiquitous Networking. UNet 2021. Lecture Notes in Computer Science(), vol 12845. Springer, Cham. https://doi.org/10.1007/978-3-030-86356-2_13
DOI: https://doi.org/10.1007/978-3-030-86356-2_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-86355-5
Online ISBN: 978-3-030-86356-2
eBook Packages: Computer Science (R0)