Abstract
Software Defined Network (SDN) is a new network architecture that has an operating system. Unlike conventional production networks, SDN allows more flexibility in network management through that operating system, which is called the controller. The main advantage of having a controller in the network is the separation of the forwarding and control planes, which provides central control over the network. Although central control is the major advantage of SDN, it is also a single point of failure if it is made unreachable by a Distributed Denial of Service (DDoS) attack. In this paper, that single point of failure is addressed by using the controller to detect such attacks in their early stages and protect the SDN architecture of the network. The two main objectives of this paper are to (1) make use of the controller’s broad view of the network to detect DDoS attacks and (2) propose a solution that is effective and lightweight in terms of the resources that it uses. To accomplish these objectives, this paper examines the effect of DDoS attacks on the SDN controller and the ways they can exhaust controller resources. The proposed solution to detect such attacks is based on the entropy variation of the destination IP address. Based on our experimental setup, the proposed method can detect DDoS within the first 250 packets of the attack traffic.
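The entropy-variation idea described above, sketched as an added example; it is not the authors' code. The window size, threshold, consecutive-window count, host addresses and traffic mix are assumptions, chosen so that an alarm requires a sustained entropy drop across 250 packets of constructed attack traffic.

```python
import math
from collections import Counter

WINDOW = 50       # assumed: packet-in events per entropy window
THRESHOLD = 0.5   # assumed: alarm floor for normalized entropy
CONSECUTIVE = 5   # assumed: low windows in a row before alarming

def window_entropy(dst_ips):
    """Shannon entropy of the destination-IP distribution, scaled to [0, 1]."""
    n = len(dst_ips)
    if n < 2:
        return 0.0
    counts = Counter(dst_ips)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)  # log2(n) is the maximum: every destination distinct

class EntropyDetector:
    """Tracks entropy over fixed, non-overlapping windows of destinations."""
    def __init__(self, window=WINDOW, threshold=THRESHOLD, consecutive=CONSECUTIVE):
        self.window, self.threshold, self.consecutive = window, threshold, consecutive
        self.buf, self.low, self.seen = [], 0, 0

    def observe(self, dst_ip):
        """Feed one destination; return the packet count at alarm, else None."""
        self.seen += 1
        self.buf.append(dst_ip)
        if len(self.buf) < self.window:
            return None
        h = window_entropy(self.buf)
        self.buf = []
        # A single low window may be a burst; require a sustained drop.
        self.low = self.low + 1 if h < self.threshold else 0
        return self.seen if self.low >= self.consecutive else None

def first_alarm(stream):
    det = EntropyDetector()
    for ip in stream:
        hit = det.observe(ip)
        if hit is not None:
            return hit
    return None

# Constructed traffic: 64 hosts visited round-robin, then a flood in which
# three of every four new-flow packets target one victim address.
HOSTS = [f"10.0.0.{i}" for i in range(1, 65)]
VICTIM = "10.0.0.200"
def normal(n):
    return [HOSTS[i % 64] for i in range(n)]
def attack(n):
    return [HOSTS[i % 64] if i % 4 == 0 else VICTIM for i in range(n)]

if __name__ == "__main__":
    print(first_alarm(normal(200) + attack(500)))
```

Normal windows here have normalized entropy near 1.0, while flood windows fall to roughly 0.3, so the alarm fires once five flood windows have been seen.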

Notes
A new packet in the sense that there is no flow for it in the switch table and it must be sent to the controller to be validated for a new flow.
It is important to note that starting with OpenFlow v1.4.0, an eviction mechanism exists.
Cite this article
Mousavi, S.M., St-Hilaire, M. Early Detection of DDoS Attacks Against Software Defined Network Controllers. J Netw Syst Manage 26, 573–591 (2018). https://doi.org/10.1007/s10922-017-9432-1
DOI: https://doi.org/10.1007/s10922-017-9432-1