Elsevier

Computers & Security

Volume 110, November 2021, 102423
A comprehensive survey of DDoS defense solutions in SDN: Taxonomy, research challenges, and future directions

https://doi.org/10.1016/j.cose.2021.102423

Highlights

  • Identified high quality research articles in the field of SDN-aimed DDoS attacks using a systematic literature review protocol.

  • Revealed vulnerable points exploited by the attacker to launch DDoS attacks on SDN architecture so that root cause of the problem can be identified.

  • Presented the taxonomy of DDoS defense solutions that classified the reviewed articles based on the attack targets, DDoS defense approaches, testing environment, and traffic generation mechanism.

  • Performed critical analysis of existing literature based on attack targets and highlighted key research challenges in the SDN paradigm.

Abstract

The recent emergence of technologies such as Network Functions Virtualization (NFV), Intent based Networking, Internet of Things (IoT), 5G, and Cloud Computing have led to the rapid growth of networks. The inflexibility and vendor-specific nature of traditional network devices are unable to fulfill the requirements of modern data centers. Software-Defined Networking (SDN) has captured data center space due to its innovative features viz. vendor neutrality, programmability, and centralized management. However, SDN is also facing various security threats due to weaknesses in its inherent architecture. This article has attempted to identify various vulnerable points in the SDN framework and has classified the SDN-aimed DDoS attacks based on their impacts. This article presents a systematic literature review on various DDoS defense mechanisms to protect the control plane, data plane, and data-control plane communication channel. In this study, a well-defined methodology is used to select the high-quality research articles of DDoS defense mechanisms in the SDN framework. Among numerous articles published in the last few years, the authors have selected 75 articles with the highest impact factor and citation. Moreover, we present the taxonomy of DDoS defense solutions that classify the reviewed articles based on the attack targets, DDoS defense approaches, testing environment, and traffic generation mechanism. Finally, we identified the research gaps and highlighted various research challenges for future research. This study is intended to serve as a ready reference for the research community to develop more efficient and reliable DDoS defense solutions in the SDN networks.

Introduction

The rapid development of next-generation technologies makes explicit the need to reconfigure network policies and upgrade devices. Conventional networks cannot fulfill these requirements because of their static architecture. In a conventional network there is tight coupling between the control plane (network operating system), the forwarding plane (hardware), and the application plane in network devices such as load balancers, firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS), as shown in Fig. 1. This coupling makes dynamic management of the network difficult, because introducing new features or upgrading existing ones requires manual reconfiguration of every network device (Kreutz et al., 2015), which is a tedious and costly process. Moreover, these devices are vendor specific, and the network administrator has to configure each device separately. In addition, the cost of these network devices is very high; the major part of that cost is not the hardware but the software, which is called the network operating system.

SDN solves the above-mentioned problems of conventional networks by simplifying and logically centralizing network management (Braun, Menth, 2014, Nunes, Mendonca, Nguyen, Obraczka, Turletti, 2014). The most promising advantages of SDN are programmability, vendor neutrality, greater agility, centralized network supervision, and network automation. These produce many positive outcomes. Firstly, administrators can manage multiple network devices from a logically centralized controller instead of configuring each device individually. Secondly, it allows easy separation between experimental and production network traffic, ensuring that neither affects the other; researchers can therefore experiment with new ideas on a production network and achieve accurate results. Finally, SDN is inexpensive compared to a traditional network, for several reasons. In SDN a single centralized controller can manage all network devices, whereas in a traditional network the administrator must configure each device individually; this reduces deployment time and management expenses. It also eases the shortage of human resources, because one person can manage all network devices through the centralized controller. Moreover, SDN devices are cheaper than proprietary, vendor-specific devices because SDN uses an open-source network operating system. SDN is the revolutionary technology that makes the network dynamic and programmable to meet the requirements of modern data centers. SDN came into existence at Stanford University in the early 2000s. Due to its programmable and flexible nature, it is one of the most widely adopted technologies in both academia and industry.

According to a MarketsandMarkets analysis, the SDN market could grow from USD 8.8 billion in 2018 to USD 28.9 billion in 2023, a Compound Annual Growth Rate (CAGR) of 26.8% over the forecast period (MARKETSANDMARKETS, 2019). The major growth factor for the market is the requirement for an advanced network management system to handle increasing network traffic and complexity. Moreover, rising demand for cloud solutions and intent-based networking has a positive impact on the overall market growth of SDN (RESEARCHANDMARKES, 2019). However, with the rapid adoption of the SDN architecture, several security threats have also been introduced that can interrupt its regular operation. SDN is vulnerable to Distributed Denial of Service (DDoS) attacks, as it is easily targeted by attackers due to its centralized control plane and the dumb forwarding devices in the data plane (ROCHAK SWAMI, MAYANK DAVE, 2019). The main purpose of a DDoS attack is to consume the memory, processing, and bandwidth resources of the SDN components, which ultimately leads to network performance degradation.

With the rapid growth in internet traffic, there has been a significant increase in both the quality and quantity of DDoS attacks. For the last few months, the personal and professional lives of people have become more dependent on the internet due to COVID-19. Now almost everybody is using the internet for studying, shopping, working from home, entertainment, etc. This is a unique phenomenon since the inception of the internet. As per Kaspersky's report (Oleg Kupreev, 2020), DDoS attacks in Q1 2020 doubled compared to Q4 2019 and increased by 80% compared to Q1 2019. Since most of the telecommunication companies (AT&T, Verizon Communications, Deutsche Telekom), cloud providers (Google, Amazon AWS, Microsoft Azure), and social media platforms (Facebook, Twitter) have started using SDN technology in their data centers, its security has become a key area of research.

After an extensive review of the existing literature, only a few studies have been found that focus on DDoS defense mechanisms in SDN. Bawany et al. (2017) exploited the characteristics of SDN to defend against DDoS attacks in a conventional network. Another related study, Neelam Dayal, Prasenjit Maity, Shashank Srivastava (0000), identified various security threats at different layers of the SDN framework. Joëlle and Park (2018) highlighted various DDoS defense solutions in the SDN framework. Imran et al. (2019c) classified DDoS defense mechanisms based on the attack detection methodology. Swami and Dave (ROCHAK SWAMI, MAYANK DAVE, 2019) presented a detailed study of DDoS attacks in SDN and analysed the conflicting relationship between DDoS attacks and SDN. On the one hand, SDN is used to defend against DDoS attacks in traditional networks thanks to its centralized traffic monitoring, dynamic updating of flow rules, and network programmability. The centralized controller holds complete information about the network, so it can monitor network traffic more efficiently than a conventional network can. In addition, when the controller identifies abnormal traffic, the defense algorithm configured on the control plane inserts rules into the SDN switches to drop the attack traffic. On the other hand, SDN itself suffers from DDoS attacks because of its centralized controller and the dumb switches in the data plane. The centralized SDN controller becomes the primary target of attackers because they can degrade the whole network by overloading the control plane. Besides, because the forwarding devices lack intelligence, they must send each new packet to the controller for a decision, which exhausts the memory, processing, and network resources of the controller. To make matters worse, the limited memory available in the forwarding devices makes them vulnerable to DDoS attacks as well.
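The two sides of the relationship described above (table-miss packets flooding the controller, and the controller pushing drop rules back to the switch) can be shown with a small simulation. The code below is an added illustration, not code from this survey or from any real controller: it models a controller-side monitor that counts packet-in (table-miss) events per switch port in a sliding window and, once a port exceeds a new-flow threshold, emits a drop rule for that port so further misses never reach the controller or fill the flow table. The `PacketIn`/`DropRule` types, the threshold heuristic, and the replayed trace are all constructed assumptions.

```python
"""Illustrative packet-in (table-miss) rate monitor for an SDN controller.
Constructed example: not code from the surveyed paper or any real controller."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketIn:
    ts: float       # arrival time at the controller, seconds
    dpid: int       # datapath (switch) id
    in_port: int    # switch port the table-miss packet arrived on
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class DropRule:
    """Stand-in for an OpenFlow flow-mod: match on in_port, empty action list = drop."""
    dpid: int
    in_port: int
    priority: int = 100
    actions: tuple = ()


class NewFlowRateMonitor:
    """Counts table-miss events per (dpid, in_port) in a sliding window.

    A port whose new-flow rate exceeds `threshold` within `window_s` seconds
    gets a drop rule, so the switch stops sending its table-misses to the
    controller (protecting controller CPU/memory and the switch's flow table).
    """

    def __init__(self, window_s: float, threshold: int, table_capacity: int):
        self.window_s = window_s
        self.threshold = threshold
        self.table_capacity = table_capacity
        self._events = defaultdict(deque)   # (dpid, in_port) -> timestamps
        self._flows = defaultdict(set)      # dpid -> installed (src, dst) flows
        self.blocked = set()                # (dpid, in_port) already dropped

    def observe(self, pkt: PacketIn):
        key = (pkt.dpid, pkt.in_port)
        if key in self.blocked:
            return None                     # drop rule already installed
        window = self._events[key]
        window.append(pkt.ts)
        while window and pkt.ts - window[0] > self.window_s:
            window.popleft()                # expire events outside the window
        if len(window) > self.threshold:
            self.blocked.add(key)
            return DropRule(pkt.dpid, pkt.in_port)
        # normal reactive behaviour: one forwarding rule per new flow
        self._flows[pkt.dpid].add((pkt.src_ip, pkt.dst_ip))
        return None

    def table_utilisation(self, dpid: int) -> float:
        """Fraction of the switch's (assumed) flow-table capacity in use."""
        return len(self._flows[dpid]) / self.table_capacity


def replay_constructed_trace(threshold: int = 20):
    """Constructed trace: a benign host on port 1, a spoofed-source flood on port 2."""
    mon = NewFlowRateMonitor(window_s=1.0, threshold=threshold, table_capacity=1000)
    events = [PacketIn(0.1 * i, 1, 1, "10.0.0.2", f"10.0.1.{i}") for i in range(5)]
    events += [PacketIn(0.5 + 0.001 * i, 1, 2, f"192.0.2.{i % 254 + 1}", "10.0.0.9")
               for i in range(100)]
    events.sort(key=lambda p: p.ts)
    rules = [r for r in map(mon.observe, events) if r is not None]
    return rules, mon.table_utilisation(1)
```

Replaying the trace yields a single drop rule for port 2 and leaves only 25 of the 1000 flow-table entries occupied (5 benign flows plus the 20 flood flows admitted before the threshold tripped), instead of the 105 a purely reactive controller would have installed.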

Dong et al. (2019) presented DDoS attacks in SDN and cloud environments. Singh and Bhandari (2020) presented a taxonomy of new-flow-based SDN-aimed DDoS attacks and explored various defense solutions to mitigate them. The latest survey paper (Singh and Behal, 2020) classified DDoS defense solutions based on the type of detection mechanism. However, the existing survey papers do not follow a systematic review process; therefore, such studies fail to provide in-depth coverage of the available literature. Table 1 compares the proposed study with the existing survey papers of recent years.

The proposed study differs from other related studies in that it follows a well-defined methodology and is more focused. An attempt is made to follow a comprehensive approach in the field of DDoS defense in the SDN framework. The traditional review process considers only part of the available literature, with the possibility of omitting some high-quality research articles. In contrast, a Systematic Literature Review (SLR) provides extensive coverage of the work related to a specific problem statement. A well-defined search strategy in the SLR helps to reduce bias in the final selection of research articles. The first step of an SLR is to define the search strategy so as to increase the probability of finding related research studies. This is followed by a study selection process in which only those research articles that can answer the defined research questions are selected. At this stage, irrelevant studies are eliminated based on analysis of the title, abstract, and full text. Furthermore, a quality assessment check is performed to extract high-quality research articles. The final list of research articles represents the current state-of-the-art research in the specified area. Moreover, in-depth analysis of these articles helps us to identify the research gaps that provide directions for future research. Below are some of the key benefits of an SLR over the traditional review process:

  • Well-defined methodology eliminates bias against selection of research articles.

  • Comprehensive search strategy.

  • Extensive coverage of the literature available on a specific problem statement.

  • Digital libraries, websites, and other sources of included research articles are listed.

  • Well-defined inclusion and exclusion criteria.

The systematic review process is quite popular in medicine, educational research, sociology, etc. In computer science, it is widely used in software engineering (Kitchenham, Pretorius, Budgen, Brereton, Turner, Niazi, Linkman, 2010, Tahir, MacDonell, 2012). A limited number of such studies exist in the areas of cloud computing (Patel et al., 2013) and traditional networking (Singh et al., 2016). As far as we know, this survey is the first of its kind in the context of SDN security. The main contributions of the paper are:

  • Identified high quality research articles in the field of SDN-aimed DDoS attacks using a systematic literature review protocol.

  • Revealed vulnerable points exploited by the attacker to launch DDoS attacks on SDN architecture so that root cause of the problem can be identified.

  • Presented the taxonomy of DDoS defense solutions that classified the reviewed articles based on the attack targets, DDoS defense approaches, testing environment, and traffic generation mechanism.

  • Performed critical analysis of existing literature based on attack targets and highlighted key research challenges in the SDN paradigm.

The paper is organized as follows: Section 2 explains the steps involved in the systematic review process. Section 3 provides a brief overview of the SDN framework and discusses the various points in the SDN framework that are vulnerable to DDoS attacks. Section 4 critically analyzes the various DDoS defense mechanisms that protect the components of the SDN framework. Section 5 identifies various research gaps in the reviewed research studies. Section 6 discusses different research challenges in the SDN environment, and Section 7 concludes the paper.

Survey protocol

The purpose of a Systematic Literature Review (SLR) is to identify and critically review existing studies related to a particular research problem using a well-defined search strategy. This work focuses on the various DDoS defense solutions in SDN published from 2015 to June 2021. The result of the SLR is a set of research articles categorized based on the attack targets, DDoS defense approaches, testing environment, and traffic generation mechanism. The outcome of this

SDN architecture

SDN is a promising architecture that separates the control functionality from the forwarding hardware and provides flexibility and programmability in today's data centers (Jarraya et al., 2014). SDN is a three-layer architecture consisting of the control plane (controller), data plane (forwarding plane), and application plane (management plane), as shown in Fig. 4. The data plane contains one or more switches that forward packets. Most of the switches available in the market are based on

DDoS defense solutions in SDN

In this section, the authors critically review the final set of 75 studies obtained from Section 2. The taxonomy of DDoS defense solutions is shown in Fig. 9. In the taxonomy, the reviewed articles are classified based on the attack targets, DDoS defense approaches, testing environments, and traffic generation mechanism. Here, the research articles are classified based on the attack targets in SDN. In the final set of articles, 44 studies provide DDoS defense solutions for

Analysis of literature and research gaps

After in-depth analysis of DDoS defense solutions, the authors have classified the reviewed articles based on the DDoS defense taxonomy. Tables 9–12 show the classification of reviewed articles based on the attack targets, DDoS defense approaches, testing environment, and traffic generation respectively. Based on the outcomes of these tables, the following research gaps have been identified.

  • After the in-depth analysis of DDoS defense solutions, it has been found out that, majority of the

Integration of SDN with traditional network

The centralized and programmable architecture of SDN makes network management and traffic monitoring more reliable and efficient. In spite of these benefits, organizations are afraid to deploy pure SDN due to its financial, technical, and business challenges (Sinha et al., 2017). Deploying a pure SDN network requires replacing all traditional switches with SDN-enabled switches, which incurs a cost. Therefore, partial deployment of SDN saves cost by placing SDN switches along with

Conclusion

SDN separates the control logic from the forwarding hardware, which makes the network more reliable and flexible. The use of open-source network operating systems has reduced the cost of network devices. Moreover, traffic monitoring and network management have become easier due to its logically centralized architecture. In spite of the immense advantages of SDN over the conventional network, organizations are afraid to deploy a pure SDN network due to various security issues and

Declaration of Competing Interest

None.

Sukhveer Kaur received the B.Tech degree from Punjabi University Patiala and M.Tech degree from Punjab Technical University Jalandhar in Computer Science Engineering. She is currently pursuing her PH.D in Information Technology from UIET, Panjab University Chandigarh. Her research interest is on Software-Defined Networking and Cloud Computing. She has published 20 papers in International & National Conferences. She has got 4 years teaching experience. She is UGC-JRF qualified.

References (174)

  • R.F. Fouladi et al. A DDoS attack detection and defense scheme using time-series analysis for SDN. J. Inf. Secur. Appl. (2020)
  • M. Imran et al. Toward an optimal solution against denial of service attacks in software defined networks. Future Gener. Comput. Syst. (2019)
  • M. Jammal et al. Software defined networking: State of the art and research challenges. Comput. Netw. (2014)
  • M. Karakus et al. A survey: control plane scalability issues and approaches in software-defined networking (SDN). Comput. Netw. (2017)
  • B. Kitchenham et al. Systematic literature reviews in software engineering: a tertiary study. Inf. Softw. Technol. (2010)
  • P. Krishnan et al. Varman: Multi-plane security framework for software defined networks. Comput. Commun. (2019)
  • W. Li et al. A survey on OpenFlow-based software defined networks: Security challenges and countermeasures. J. Netw. Comput. Appl. (2016)
  • AWS, 2020. Shield: threat landscape report-Q1 2020....
  • I.H. Abdulqadder et al. Validating user flows to protect software defined network environments. Secur. Commun. Netw. (2018)
  • B. Agborubere et al. OpenFlow communications and TLS security in software-defined networks. Proceedings of the 2017 IEEE International Conference on Internet of Things, IEEE Green Computing and Communications, IEEE Cyber, Physical and Social Computing, IEEE Smart Data (iThings-GreenCom-CPSCom-SmartData 2017) (2018)
  • S. Ahmad et al. Scalability, consistency, reliability and security in SDN controllers: a survey of diverse SDN controllers. J. Netw. Syst. Manag. (2021)
  • M. Ambrosin et al. LineSwitch: tackling control plane saturation attacks in software-defined networking. IEEE/ACM Trans. Netw. (2017)
  • R. Amin et al. Hybrid SDN networks: a survey of existing approaches. IEEE Commun. Surv. Tutor. (2018)
  • M. Antikainen et al. Spook in your network: attacking an SDN with a compromised OpenFlow switch. Proceedings of the Nordic Conference on Secure IT Systems (2014)
  • Badotra, S., Panda, S. N., 2019. Snort based early DDoS detection system using opendaylight and open networking...
  • C. Banse et al. A secure northbound interface for SDN applications. Proceedings of the IEEE Trustcom/BigDataSE/ISPA (2015)
  • Barbaschow, A.,. Melbourne IT confirms DDoS attack behind DNS outage....
  • N.Z. Bawany et al. DDoS attack detection and mitigation using SDN: methods, practices, and solutions. Arab. J. Sci. Eng. (2017)
  • P. Berde et al. ONOS: towards an open, distributed SDN OS. Proceedings of the ACM SIGCOMM 2014 Workshop on Hot Topics in Software Defined Networking (HotSDN 2014) (2014)
  • P. Berde et al. ONOS: towards an open, distributed SDN OS. Proceedings of the Third Workshop on Hot Topics in Software Defined Networking (2014)
  • A.N. Bessani. From Byzantine fault tolerance to intrusion tolerance (a position paper). Proceedings of the IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops (DSN-W) (2011)
  • S. Bhatia et al. Distributed denial of service attacks and defense mechanisms: current landscape and future directions. Versatile Cybersecurity (2018)
  • P.D. Bhole et al. Distributed hierarchical control plane of software defined networking. Proceedings of the 2015 International Conference on Computational Intelligence and Communication Networks (CICN 2015) (2016)
  • I.Z. Bholebawa et al. Performance analysis of SDN/OpenFlow controllers: POX versus Floodlight. Wirel. Pers. Commun. (2018)
  • J. Boite et al. StateSec: stateful monitoring for DDoS protection in software defined networks. Proceedings of the IEEE Conference on Network Softwarization (NetSoft) (2017)
  • W. Braun et al. Software-defined networking using OpenFlow: protocols, applications and architectural design choices. Future Internet (2014)
  • Calyptix,. DDOS attack on US-based wired telecommunication carrier....
  • X. Chen et al. A collaborative intrusion detection system against DDoS for SDN. IEICE Trans. Inf. Syst. (2016)
  • J.C.C. Chica et al. Security in SDN: a comprehensive survey. J. Netw. Comput. Appl. (2020)
  • Cluley, G.,. UK national lottery knocked offline by DDoS attack....
  • M. Conti et al. Lightweight solutions to counter DDoS attacks in software defined networking. Wirel. Netw. (2019)
  • DDoS attack on BBC websites, 2019. https://www.bbc.com/news/technology-35204915. Accessed:...
  • V.T. Dang et al. SDN-based SYN proxy: a solution to enhance performance of attack mitigation under TCP SYN flood. Comput. J. (2019)
  • A. Danping et al. Threat analysis for the SDN architecture. Tech. Recomm. (2016)
  • A.B. Dehkordi et al. The DDoS attacks detection through machine learning and statistical methods in SDN. J. Supercomput. (2020)
  • Denazis, S., Haleplidis, E., Salim, J. H., Koufopavlou, O., Meyer, D., Pentikousis, K., 2015. Software-defined...
  • S. Dong et al. A survey on Distributed Denial of Service (DDoS) attacks in SDN and cloud computing environments. IEEE Access (2019)
  • S. Dong et al. DDoS attack detection method based on improved KNN with the degree of DDoS attack in software-defined networks. IEEE Access (2019)
  • R. Durner et al. Detecting and mitigating denial of service attacks against the data plane in software defined networks. Proceedings of the IEEE Conference on Network Softwarization: Softwarization Sustaining a Hyper-Connected World: en Route to 5G (NetSoft 2017) (2017)
  • D. Erickson. The Beacon OpenFlow controller. Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (2013)
    Dr. Krishan Kumar is currently Professor in Department of Information Technology, University Institute of Engineering and Technology, Panjab University, Chandigarh. He has done B. Tech. Computer Science & Engineering from National Institute of Technology, Hamirpur in 1995. He completed his Master of Software Systems from Birla Institute of Technology & Sciences, Pilani in 2001. He finished his regular Ph.D. from Indian Institute of Technology, Roorkee in February, 2008. He has more than 20 years of teaching, research and administrative experience. His general research interests are in the areas of Network Security and Computer Networks. Specific research interests include Intrusion Detection, Protection from Internet Attacks, Web performance, Network architecture/protocols, and Network measurement/ modelling. He has published 2 national and 2 International Books in the field of Computer Science & Network security. He has published more than 120 papers in national / International peer reviewed / Indexed / impact factor Journals and IEEE, ACM and Springer proceedings. His publications are well cited by eminent researchers in the field.

    Naveen Aggarwal is actively working in the area of Computer Vision and Data Mining. He did his PhD from GGSIPU, Delhi in year 2011 and M.Tech. in Computer Science and Engineering from IIT, Kharagpur. Dr. Aggarwal has been awarded with Faculty Innovation award from the Infosys foundations. Different Effort Estimation Model developed by Dr. Aggarwal are appreciated and being used by Axede Corporation, USA and Birlasoft Corp. India. He has over 18 publications in International journals and 55 publications in international and national conferences. He has joined PU as Asstt. professor in Computer Science and Engineering at UIET in February 2005. Earlier, he has worked for three years from 2002 to 2005 in Punjab Engineering College, Chandigarh.

    Dr Gurdeep Singh is currently working in UIET, Panjab University Chandigarh, as Professor in Management. He did his BE in Mechanical Engineering from Govt Engineering College Jabalpur and his MBA and Ph.D from Punjabi University Patiala. Dr Gurdeep has worked in the Corporate sector for seven years and has 23 years of teaching experience. He has also taught in IIM Shillong. He has published various papers in the field of Management and has won first prize in International conference in IIM Raipur and IIM Shillong. Dr Gurdeep is an Oracle Certified Associate (Oracle 9i). His interest areas are Data Warehousing, Data Mining and Business Games.
