Abstract
A distributed denial of service (DDoS) attack on any of the major components of a software defined networking (SDN) architecture (e.g., the controller, the switches, or the southbound channel) is a critical security threat. For example, a breakdown of the controller could disrupt data communication in the whole SDN network. One way to mount such an attack is to generate a large number of new but short traffic flows. Each of these flows has no matching rule at the switch and therefore triggers a request to the controller; in bulk, these requests overload the controller and overflow the flow tables of the SDN switches. In this paper, we propose two lightweight and practically feasible countermeasures against two types of DDoS attacks in SDN networks, which we call Route Spoofing and Resource Exhaustion. For the Route Spoofing attack, we introduce a technique called "selective blocking", which stops an adversary node from maliciously using other users' active communication routes. To counter the Resource Exhaustion attack, we propose a solution called "periodic monitoring", which detects adversary nodes from the traffic statistics gathered within a time window. We implement the attacks and the proposed countermeasures and analyse the results. With the proposed countermeasures deployed in the target SDN scenarios, the simulation results indicate an adequate reduction in bandwidth consumption and in the processing delay of new requests, and a substantial gain in packet delivery rate. Additionally, we present the receiver operating characteristic (ROC) curve, which shows the sensitivity and specificity of our countermeasures together with their detection accuracy.
Notes
We use the term "new message" for a packet for which the OF-switch finds no matching rule in its forwarding table.
Lower values of n increase the number of false positives, while higher values increase the time needed to detect the attack.
A mice flow is a data flow that contains fewer than 3 packets.
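The following Python is an added illustration of the periodic-monitoring idea from the abstract and of the threshold trade-off stated in the note on n above; it is not the paper's code. It assumes that the per-window statistic is the number of new mice flows (fewer than 3 packets) attributed to each source host, that the monitor runs once per window and flags a host whose count reaches n, and it uses a constructed 20-second trace with two benign hosts (h1, h2) and one attacker (h_adv) whose rate of single-packet flows ramps up. Host names, window length and the trace are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One flow as the controller learns of it (constructed records).

    t_start: time (s) of the packet_in for this flow, i.e. the switch had no
             matching rule and asked the controller (a "new message").
    src:     source host the flow is attributed to.
    packets: packets the installed rule matched before it expired.
    """
    t_start: float
    src: str
    packets: int


MICE_MAX_PACKETS = 3  # paper's note: a mice flow carries fewer than 3 packets


def is_mice(flow: FlowRecord) -> bool:
    return flow.packets < MICE_MAX_PACKETS


def window_stats(flows, window, t_end):
    """Number of new mice flows per source host that started in (t_end - window, t_end]."""
    counts = defaultdict(int)
    for f in flows:
        if t_end - window < f.t_start <= t_end and is_mice(f):
            counts[f.src] += 1
    return dict(counts)


def periodic_monitor(flows, window, n, horizon):
    """Run the check at every window boundary up to `horizon`.

    A host whose mice-flow count in a single window reaches the threshold n is
    flagged; the result maps each flagged host to the time it was first flagged.
    (Assumption: this is how the threshold n from the paper's note is applied.)
    """
    flagged = {}
    t = window
    while t <= horizon + 1e-9:
        for src, count in window_stats(flows, window, t).items():
            if count >= n and src not in flagged:
                flagged[src] = t
        t += window
    return flagged


def constructed_trace():
    """Constructed 20 s trace: two benign hosts and one attacker that ramps up."""
    flows = []
    # h1: a new flow every 0.5 s; one in five is a short mice flow.
    for k in range(40):
        flows.append(FlowRecord(k * 0.5, "h1", 2 if k % 5 == 0 else 50))
    # h2: same rate, offset by 0.25 s, with two short flows every 2 s (e.g. lookups).
    for k in range(40):
        flows.append(FlowRecord(k * 0.5 + 0.25, "h2", 1 if k % 4 < 2 else 40))
    # h_adv: from t = 5 s, single-packet flows whose rate grows by 5/s each second,
    # so the window ending at second W (6..20) holds 5 * (W - 5) attacker flows.
    for s in range(5, 20):
        rate = 5 * (s - 4)
        for i in range(rate):
            flows.append(FlowRecord(s + (i + 1) / rate, "h_adv", 1))
    return flows


def evaluate(flows, window, n, horizon, attacker):
    """Detection time for the attacker and the benign hosts wrongly flagged at threshold n."""
    benign = sorted({f.src for f in flows} - {attacker})
    flagged = periodic_monitor(flows, window, n, horizon)
    false_positives = [h for h in benign if h in flagged]
    return {
        "n": n,
        "detection_time": flagged.get(attacker),  # None: the attack was missed
        "false_positives": false_positives,
        "specificity": 1 - len(false_positives) / len(benign),
    }


def sweep(flows, window, horizon, attacker, thresholds):
    """One operating point per threshold: the raw material of a ROC curve."""
    return [evaluate(flows, window, n, horizon, attacker) for n in thresholds]


if __name__ == "__main__":
    for point in sweep(constructed_trace(), 1.0, 20.0, "h_adv", [1, 2, 3, 10, 50, 80]):
        print(point)
```

Running the sweep with a 1 s window shows the trade-off from the note: at n = 1 both benign hosts are flagged, at n = 2 only h2 (which bursts two short flows per window), and from n = 3 upward there are no false positives; the attacker is caught at 6 s for small n, at 7 s for n = 10, at 15 s for n = 50, and not at all for n = 80, because its per-window count never reaches that value within the trace.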
Acknowledgements
Chhagan Lal and Mauro Conti are supported in part by EU LOCARD Project under Grant H2020-SU-SEC-2018-832735, and in part by Huawei Project “Secure Remote OTA Updates for In-Vehicle Software Systems” under Grant HIRPO 2018040400359-2018. The work of M. Conti was supported by the Marie Curie Fellowship through European Commission under Agreement PCIG11-GA-2012-321980.
Cite this article
Conti, M., Lal, C., Mohammadi, R. et al. Lightweight solutions to counter DDoS attacks in software defined networking. Wireless Netw 25, 2751–2768 (2019). https://doi.org/10.1007/s11276-019-01991-y