
Lightweight solutions to counter DDoS attacks in software defined networking

Published in Wireless Networks

Abstract

A distributed denial of service (DDoS) attack on any of the major components (e.g., controller, switches, and southbound channel) of the software defined networking (SDN) architecture is a critical security threat. For example, the breakdown of the controller could disrupt data communication across the whole SDN network. One way to perform a DoS attack is to generate a large number of new but short traffic flows. These flows trigger a flood of malicious requests that overload the controller and cause the flow tables at the SDN switches to overflow. In this paper, we propose two lightweight and practically feasible countermeasures against two different types of DDoS attacks in SDN networks, called Route Spoofing and Resource Exhaustion. For the Route Spoofing attack, we introduce a technique called “selective blocking”, which stops an adversary node from maliciously using other users' active communication routes. To counter the Resource Exhaustion attack, we propose a solution called “periodic monitoring”, which detects adversary nodes based on traffic analysis statistics gathered within a time window. We implement the attacks and their proposed countermeasures and analyse the results. When our countermeasures are used in the target SDN scenarios, the simulation results indicate an adequate reduction in bandwidth consumption and in the processing delay of new requests, and they also show a substantial gain in packet delivery rate. Additionally, we present the receiver operating characteristic curve, which shows the sensitivity and specificity of our countermeasures along with their detection accuracy.


Notes

  1. We use the term “new message” for the packets for which the OF-switch does not find a matching rule in its forwarding table.

  2. Use of lower values for n might increase the number of false positives, and use of higher values will increase the detection time for the attack.

  3. A mice flow is a data flow that contains less than 3 packets.
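As an added illustration of the periodic-monitoring idea from the abstract and the definitions in the notes (this is not the paper's own code), the following Python sketch groups constructed flow-statistics records into fixed time windows, counts each source's mice flows using note 3's definition, and flags a source once that count exceeds n. The record format, the 10-second window, and the "more than n mice flows" rule are assumptions; the paper does not state which statistics it gathers or how n is applied.

```python
import re
from collections import defaultdict

# Constructed flow-statistics records (one per flow that expired at a switch),
# in the assumed form "t=<seconds> src=<host> flow=<id> pkts=<packet count>".
SAMPLE_STATS = """\
t=0.5 src=10.0.0.1 flow=1 pkts=40
t=1.0 src=10.0.0.2 flow=2 pkts=1
t=1.2 src=10.0.0.2 flow=3 pkts=1
t=1.4 src=10.0.0.2 flow=4 pkts=2
t=1.6 src=10.0.0.2 flow=5 pkts=1
t=1.8 src=10.0.0.2 flow=6 pkts=1
t=2.0 src=10.0.0.2 flow=7 pkts=2
t=3.0 src=10.0.0.3 flow=8 pkts=2
t=12.0 src=10.0.0.2 flow=9 pkts=30
t=13.0 src=10.0.0.3 flow=10 pkts=1
"""

MICE_FLOW_MAX_PACKETS = 3  # note 3: a mice flow carries fewer than 3 packets

RECORD_RE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>\S+) flow=(?P<flow>\d+) pkts=(?P<pkts>\d+)")

def parse_records(text):
    """Parse the constructed record format into (time, src, packet_count) tuples."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.fullmatch(line.strip())
        if m:
            out.append((float(m["t"]), m["src"], int(m["pkts"])))
    return out

def mice_flows_per_window(records, window):
    """Count mice flows per source inside each monitoring window of `window` seconds."""
    counts = defaultdict(lambda: defaultdict(int))
    for t, src, pkts in records:
        idx = int(t // window)
        counts[idx][src] += 0  # list the source even if it has no mice flows
        if pkts < MICE_FLOW_MAX_PACKETS:
            counts[idx][src] += 1
    return counts

def periodic_monitoring(records, window, n):
    """Flag a source in a window when its mice-flow count exceeds n (assumed rule)."""
    counts = mice_flows_per_window(records, window)
    flagged = {}
    for idx in sorted(counts):
        suspects = {src for src, c in counts[idx].items() if c > n}
        if suspects:
            flagged[idx] = suspects
    return flagged

if __name__ == "__main__":
    recs = parse_records(SAMPLE_STATS)
    for n in (5, 0):  # note 2: a lower n raises false positives, a higher n delays detection
        print(f"n={n}:", periodic_monitoring(recs, 10.0, n))
```

Running with n=5 flags only 10.0.0.2 in the first window, while n=0 also flags 10.0.0.3, which sent a single short flow in each window, showing the false-positive side of the trade-off described in note 2.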


Acknowledgements

Chhagan Lal and Mauro Conti are supported in part by EU LOCARD Project under Grant H2020-SU-SEC-2018-832735, and in part by Huawei Project “Secure Remote OTA Updates for In-Vehicle Software Systems” under Grant HIRPO 2018040400359-2018. The work of M. Conti was supported by the Marie Curie Fellowship through European Commission under Agreement PCIG11-GA-2012-321980.


Corresponding author

Correspondence to Chhagan Lal.


Cite this article

Conti, M., Lal, C., Mohammadi, R. et al. Lightweight solutions to counter DDoS attacks in software defined networking. Wireless Netw 25, 2751–2768 (2019). https://doi.org/10.1007/s11276-019-01991-y
