Abstract
Software-defined networking (SDN) is the key outcome of extensive research efforts over the past few decades toward transforming the Internet into a more programmable, configurable, and manageable infrastructure. At the same time, SDN will surely become a new target for cyber attackers. In this paper, we point out one of the critical vulnerabilities in SDNs, the capacity of the controller, which is the component most likely to be attacked. Because management is logically centralized, the breakdown of a controller may disrupt an entire SDN network, and such a breakdown can easily be caused by a Packet-In messages flooding attack (a network-level DDoS attack). To provide a robust environment in SDN, we propose an effective detection method with low overhead and high accuracy. We first classify the potentially compromised switches using a Bayesian network, a supervised learning algorithm. Then we deploy anomaly detection on the vulnerable switches to detect the Packet-In messages flooding attack based on fuzzy c-means. Extensive simulations and testbed-based experiments show that the proposed solution can defeat the Packet-In messages flooding attack with low overhead and high accuracy.
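The following is an added example, not code from the paper, showing the second stage the abstract describes: fuzzy c-means (FCM) anomaly detection over per-window Packet-In statistics of a switch that the first (Bayesian network) stage has already flagged as vulnerable. The two features (Packet-In messages per second and distinct source addresses per window), the constructed sample windows, the deterministic center initialisation and the 0.5 membership threshold are all assumptions made for illustration; the paper's actual features and parameters are not given on this page.

```python
"""Fuzzy c-means (FCM) anomaly detection over per-window Packet-In statistics.

Added example, not code from the paper. Feature choice, sample data and
thresholds are assumptions made for illustration.
"""
import math

# Constructed sample: one-second windows observed for a single OpenFlow switch.
# Each tuple is (Packet-In messages per second, distinct source addresses seen).
# Windows 0-9 model normal traffic; windows 10-13 model a Packet-In flood, in
# which many new flows miss the flow table and are all forwarded to the controller.
SAMPLE_WINDOWS = [
    (22, 12), (25, 14), (31, 15), (28, 13), (35, 17),
    (24, 11), (29, 16), (33, 15), (27, 12), (30, 14),
    (640, 520), (710, 590), (680, 560), (750, 610),
]


def _dist(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _memberships(points, centers, m):
    """Standard FCM membership update: u_ij = 1 / sum_k (d_ij / d_ik)^(2/(m-1))."""
    u = []
    for p in points:
        dists = [_dist(p, ctr) for ctr in centers]
        zeros = [d == 0.0 for d in dists]
        if any(zeros):
            # Point coincides with a center: full membership there, zero elsewhere.
            share = 1.0 / sum(zeros)
            u.append([share if z else 0.0 for z in zeros])
            continue
        expo = 2.0 / (m - 1.0)
        u.append([1.0 / sum((dists[j] / dists[k]) ** expo for k in range(len(centers)))
                  for j in range(len(centers))])
    return u


def fuzzy_c_means(points, c=2, m=2.0, eps=1e-6, max_iter=100):
    """Cluster feature vectors into c fuzzy clusters.

    Returns (centers, memberships); memberships[i][j] is the degree to which
    window i belongs to cluster j. Centers are initialised deterministically by
    spreading them over the points sorted by the first feature (an assumption of
    this example), so the run is reproducible and initial centers always differ.
    """
    if c < 2:
        raise ValueError("need at least two clusters to separate normal from flood")
    ordered = sorted(points, key=lambda p: p[0])
    n = len(ordered)
    centers = [ordered[round(j * (n - 1) / (c - 1))] for j in range(c)]
    dim = len(points[0])
    for _ in range(max_iter):
        u = _memberships(points, centers, m)
        new_centers = []
        for j in range(c):
            # Center update: membership-weighted mean of all points.
            weights = [row[j] ** m for row in u]
            total = sum(weights)
            new_centers.append(tuple(
                sum(w * p[d] for w, p in zip(weights, points)) / total
                for d in range(dim)))
        shift = max(_dist(a, b) for a, b in zip(centers, new_centers))
        centers = new_centers
        if shift < eps:
            break
    return centers, _memberships(points, centers, m)


def detect_flood_windows(windows, threshold=0.5):
    """Return indices of windows whose membership in the high-rate cluster
    is at least `threshold`. The cluster whose center has the largest Packet-In
    rate is treated as the anomalous (flood) cluster."""
    centers, u = fuzzy_c_means(windows)
    flood = max(range(len(centers)), key=lambda j: centers[j][0])
    return [i for i, row in enumerate(u) if row[flood] >= threshold]


if __name__ == "__main__":
    print("suspected flood windows:", detect_flood_windows(SAMPLE_WINDOWS))
```

In a deployment the windows would be built from Packet-In counters collected at the controller for each flagged switch; the fuzzy membership, rather than a hard label, lets an operator raise the threshold to trade missed detections for fewer false alarms on bursty but legitimate traffic.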
Acknowledgements
This work was funded by 973 Program under Grant No. 2013CB329100 and the Fundamental Research Funds for the Central Universities under Grant No. 2015JBM008.
Ethics declarations
Conflict of interest
The authors declared that they have no conflicts of interest to this work.
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Additional information
Communicated by G. Yi.
Cite this article
Gao, D., Liu, Z., Liu, Y. et al. Defending against Packet-In messages flooding attack under SDN context. Soft Comput 22, 6797–6809 (2018). https://doi.org/10.1007/s00500-018-3407-3