Defending against Packet-In messages flooding attack under SDN context

Soft Computing

Abstract

Software-defined networking (SDN) is the key outcome of extensive research efforts over the past few decades toward transforming the Internet into a more programmable, configurable, and manageable infrastructure. At the same time, SDN will surely become a new target of cyber attackers. In this paper, we point out one of the critical vulnerabilities in SDNs, the capacity of the controller, which is most likely to be attacked. Because management is logically centralized, the breakdown of a controller may disrupt a whole SDN network, and such a breakdown can easily be caused by a Packet-In messages flooding attack (a network-level DDoS attack). To provide a robust environment in SDN, we propose an effective detection method that has low overhead and high accuracy. We first classify the switches that are potentially compromised using a Bayesian Network, which is a supervised learning algorithm. Then, we deploy anomaly detection based on fuzzy c-means on the vulnerable switches to detect the Packet-In messages flooding attack. Extensive simulations and testbed-based experiments show that the proposed solution can defeat the Packet-In messages flooding attack with low overhead and high accuracy.
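The fuzzy c-means stage named in the abstract can be sketched as follows. This is an added example, not the paper's implementation: the two per-window features, their 0..1 scaling, the sample windows, and the choices c = 2 and m = 2 are assumptions, and the Bayesian Network switch-selection stage is not covered.

```python
import math

# Constructed sample windows for one switch, both features pre-scaled to 0..1
# (assumed features): (Packet-In rate / controller capacity, share of new flows).
WINDOWS = [(0.05, 0.10), (0.08, 0.12), (0.06, 0.08), (0.10, 0.15), (0.07, 0.11),
           (0.09, 0.09), (0.85, 0.90), (0.92, 0.95), (0.88, 0.93)]

def memberships(x, centers, m=2.0):
    """Fuzzy membership of window x in each cluster; the values sum to 1."""
    d = [math.dist(x, c) for c in centers]
    hits = d.count(0.0)
    if hits:  # x lies exactly on a center: avoid dividing by zero
        return [1.0 / hits if di == 0.0 else 0.0 for di in d]
    p = 2.0 / (m - 1.0)
    return [1.0 / sum((di / dj) ** p for dj in d) for di in d]

def fcm(points, c=2, m=2.0, tol=1e-6, max_iter=100):
    """Fuzzy c-means: alternate membership and center updates until stable."""
    pts = sorted(points)  # deterministic start: spread centers over sorted data
    centers = [pts[i * (len(pts) - 1) // (c - 1)] for i in range(c)]
    for _ in range(max_iter):
        u = [memberships(x, centers, m) for x in points]
        new = []
        for i in range(c):
            w = [row[i] ** m for row in u]  # fuzzified weights for cluster i
            new.append(tuple(sum(wk * x[j] for wk, x in zip(w, points)) / sum(w)
                             for j in range(len(points[0]))))
        shift = max(math.dist(a, b) for a, b in zip(centers, new))
        centers = new
        if shift < tol:
            break
    return centers

def flood_score(window, centers):
    """Membership in the cluster whose center has the highest Packet-In rate."""
    flood = max(range(len(centers)), key=lambda i: centers[i][0])
    return memberships(window, centers)[flood]

CENTERS = fcm(WINDOWS)

if __name__ == "__main__":
    for w in [(0.07, 0.10), (0.60, 0.70), (0.90, 0.92)]:
        print(w, round(flood_score(w, CENTERS), 3))
```

Because memberships are graded rather than hard labels, a window between the two clusters gets an intermediate score, so the alerting threshold can be tuned per switch.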

Acknowledgements

This work was funded by 973 Program under Grant No. 2013CB329100 and the Fundamental Research Funds for the Central Universities under Grant No. 2015JBM008.

Author information

Corresponding author

Correspondence to Deyun Gao.

Ethics declarations

Conflict of interest

The authors declared that they have no conflicts of interest to this work.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Communicated by G. Yi.

About this article

Cite this article

Gao, D., Liu, Z., Liu, Y. et al. Defending against Packet-In messages flooding attack under SDN context. Soft Comput 22, 6797–6809 (2018). https://doi.org/10.1007/s00500-018-3407-3
