DHCP DoS and starvation attacks on SDN controllers and their mitigation

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

Software Defined Networking (SDN) technology offers possibilities to improve network administration through a separate central controller for network switching devices. However, security in SDN is a critical issue, and SDN faces new challenges due to shared protocols, flaws inherited from traditional networks, and control flexibility. Dynamic Host Configuration Protocol (DHCP) is a crucial protocol for SDN, but DHCP itself poses a security risk to SDN. In our study we performed a security analysis of DHCP attacks on RYU, OpenDaylight and Floodlight, three popular SDN controllers. Our research demonstrates that they are vulnerable to starvation attacks and to denial of service attacks that flood DHCP discovery messages, slowing down networks and overloading controllers. To address these problems, we looked at state-of-the-art DHCP security approaches and evaluated their performance on these SDN controllers. Based on our analysis, we proposed and implemented a DHCP security algorithm on the RYU controller. Our solution utilizes the flexibility of the SDN controller to identify discovery flood packets and verify authentic hosts, mitigating the effects of DHCP attacks. Furthermore, the proposed solution transfers the authentic flows to the switch to reduce controller load. We demonstrate that, without significant computational load, the suggested method successfully rejects malicious DHCP packets, restores the IP address pool, and mitigates the harmful network consequences of DHCP-related attacks. The proposed solution improves the throughput by 3.6 times, transferred data by 66.8%, CPU usage by 93.9% and packet loss by 95% compared to the conventional RYU controller.
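The abstract does not give the algorithm itself, so the following is an added example, not the authors' code: a minimal per-port DHCPDISCOVER filter of the kind a controller packet-in handler could call to tell a discovery flood from a normal host. The class name, the thresholds, the frame-source/`chaddr` consistency check and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 5.0       # assumed sliding-window length in seconds
MAX_DISCOVERS = 10   # assumed DISCOVER budget per switch port per window
MAX_CLIENT_MACS = 3  # assumed distinct client MACs per port per window


class DiscoverGuard:
    """Per-port DHCPDISCOVER filter for a controller packet-in handler (hypothetical)."""

    def __init__(self):
        self.recent = defaultdict(deque)  # (dpid, port) -> (ts, chaddr) per DISCOVER
        self.blocked = set()              # ports already judged to be flooding

    def on_discover(self, ts, dpid, port, eth_src, chaddr):
        """Return 'forward' or 'drop' for one DISCOVER seen at time ts."""
        key = (dpid, port)
        if key in self.blocked:
            return "drop"
        if eth_src != chaddr:  # frame source disagrees with DHCP client MAC
            return "drop"
        window = self.recent[key]
        window.append((ts, chaddr))
        while ts - window[0][0] > WINDOW_S:  # expire entries older than the window
            window.popleft()
        macs = {mac for _, mac in window}
        if len(window) > MAX_DISCOVERS or len(macs) > MAX_CLIENT_MACS:
            self.blocked.add(key)  # a real controller would install a drop flow here
            return "drop"
        return "forward"


def replay(events):
    """Run (ts, dpid, port, eth_src, chaddr) tuples through a fresh guard."""
    guard = DiscoverGuard()
    return [(e[2], guard.on_discover(*e)) for e in events]


# Constructed sample: one normal host on port 1, a frame/chaddr mismatch on
# port 3, and a burst of 20 DISCOVERs with changing MACs on port 2.
SAMPLE = [(0.5, 1, 1, "02:aa:00:00:00:01", "02:aa:00:00:00:01"),
          (0.7, 1, 3, "02:bb:00:00:00:01", "02:bb:00:00:00:02")]
SAMPLE += [(1.0 + 0.1 * i, 1, 2, f"02:00:00:00:00:{i:02x}", f"02:00:00:00:00:{i:02x}")
           for i in range(20)]
SAMPLE.append((20.0, 1, 1, "02:aa:00:00:00:01", "02:aa:00:00:00:01"))

if __name__ == "__main__":
    for port, verdict in replay(SAMPLE):
        print(port, verdict)
```

Timestamps are assumed to arrive in non-decreasing order; the port-2 burst is cut off at its fourth distinct client MAC while the port-1 host is unaffected.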

Data availability

Data will be made available upon reasonable request to the authors.

Funding

The authors did not receive support from any organization for the submitted work.

Author information

Corresponding author

Correspondence to Adnan Noor Mian.

Ethics declarations

Conflict of interest

The authors have no competing interests to declare that are relevant to the content of this article.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Ishtiaq, H.U., Bhutta, A.A. & Mian, A.N. DHCP DoS and starvation attacks on SDN controllers and their mitigation. J Comput Virol Hack Tech 20, 15–25 (2024). https://doi.org/10.1007/s11416-023-00483-0

  • DOI: https://doi.org/10.1007/s11416-023-00483-0
