ABSTRACT
Software Defined Networking (SDN) is a new networking architecture that decouples network control (the control plane) from data forwarding (the data plane). This separation brings several benefits, such as directly programmable and (virtually) centralized network control. However, researchers have shown that the communication channel required between the control and data planes of SDN is a potential bottleneck in the system and introduces new vulnerabilities. Indeed, this behaviour can be exploited to mount powerful attacks, such as the control plane saturation attack, that can severely degrade the performance of the whole network.
In this paper we present LineSwitch, an efficient and effective solution against the control plane saturation attack. LineSwitch combines SYN proxy techniques with probabilistic blacklisting of network traffic. We implemented LineSwitch as an extension of OpenFlow, the current reference implementation of SDN, and evaluated our solution under different traffic scenarios (with and without attack). The results of our preliminary experiments confirm that, compared to the state of the art, LineSwitch reduces the time overhead by up to 30% while ensuring the same level of protection.
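The following toy simulation is an added illustration of the two mechanisms the abstract names, a switch-side SYN proxy and probabilistic blacklisting, and of why they relieve the control channel. It is not LineSwitch's code and does not reproduce the paper's algorithm: the flow key, the failure threshold, the blacklisting probability, the timer model and all addresses are constructed assumptions. A baseline switch forwards every unmatched SYN to the controller as a PACKET_IN, so a SYN flood from a pool of bot addresses costs one controller message per SYN. The proxy switch completes the handshake itself, involves the controller only once the client answers, and blacklists sources whose handshakes keep expiring, so the controller sees only legitimate flows and the switch's own SYN-ACK work shrinks once offenders are blacklisted.

```python
"""Toy model of a switch-side SYN proxy plus probabilistic blacklisting.

Added illustration, not LineSwitch's implementation. Every parameter below
(flow key, threshold, p_black, addresses, traffic pattern) is an assumption.
"""
import random
from collections import defaultdict

SERVER = "10.0.0.1"  # constructed address of the protected host


class Controller:
    """Counts PACKET_IN messages; that count is the control-channel load a
    control plane saturation attack tries to inflate."""

    def __init__(self):
        self.packet_in = 0

    def packet_in_event(self, src, sport, dst):
        self.packet_in += 1
        return ("FLOW_MOD", src, sport, dst)  # rule the controller would install


class PlainSwitch:
    """Baseline reactive OpenFlow behaviour: a SYN with no matching flow entry
    is sent to the controller, so every SYN from a fresh 5-tuple costs one
    PACKET_IN. The baseline never answers SYNs itself."""

    def __init__(self, controller, **_):
        self.ctrl = controller
        self.flows = set()
        self.syn_acks = 0

    def handle(self, src, sport, dst, flags):
        key = (src, sport, dst)  # assumed exact-match flow key
        if key in self.flows:
            return "FORWARD"
        if flags == "SYN":
            self.ctrl.packet_in_event(src, sport, dst)
            self.flows.add(key)
            return "FORWARD"
        return "DROP"

    def timeout_half_open(self):
        pass  # no proxy state to expire


class ProxySwitch:
    """SYN proxy: the switch answers SYNs on the server's behalf and contacts
    the controller only when the handshake completes. A source whose
    handshakes keep expiring is blacklisted with probability p_black once it
    reaches fail_threshold failures (both values are assumptions)."""

    def __init__(self, controller, fail_threshold=3, p_black=0.8, rng=None):
        self.ctrl = controller
        self.fail_threshold = fail_threshold
        self.p_black = p_black
        self.rng = rng or random.Random(0)
        self.flows = set()
        self.pending = set()              # half-open handshakes held at the switch
        self.failures = defaultdict(int)  # expired handshakes per source address
        self.blacklist = set()
        self.syn_acks = 0

    def handle(self, src, sport, dst, flags):
        key = (src, sport, dst)
        if src in self.blacklist:
            return "DROP"
        if key in self.flows:
            return "FORWARD"
        if flags == "SYN":
            self.pending.add(key)
            self.syn_acks += 1            # SYN-ACK sent by the proxy, not the server
            return "SYN-ACK"
        if flags == "ACK" and key in self.pending:
            self.pending.discard(key)
            self.ctrl.packet_in_event(src, sport, dst)  # the only controller round trip
            self.flows.add(key)
            return "FORWARD"
        return "DROP"

    def timeout_half_open(self):
        """Handshake timer expiry: each still-pending handshake counts as one
        failure for its source; past the threshold the source is blacklisted
        only with probability p_black, so a few timeouts of a legitimate but
        slow client do not guarantee a ban."""
        for src, _sport, _dst in self.pending:
            self.failures[src] += 1
            if (self.failures[src] >= self.fail_threshold
                    and self.rng.random() < self.p_black):
                self.blacklist.add(src)
        self.pending.clear()


def simulate(switch_cls, n_legit=20, pool=50, rounds=5, p_black=0.8, seed=1):
    """Constructed traffic: n_legit clients each complete one handshake, then
    `pool` bot addresses send one SYN per timer period, from a fresh port each
    time, for `rounds` periods and never answer. Returns (packet_ins, syn_acks)."""
    rng = random.Random(seed)
    ctrl = Controller()
    sw = switch_cls(ctrl, p_black=p_black, rng=rng)
    for i in range(n_legit):
        client = f"192.0.2.{i + 1}"      # constructed client addresses
        sw.handle(client, 40000 + i, SERVER, "SYN")
        sw.handle(client, 40000 + i, SERVER, "ACK")
    bots = [f"198.51.100.{i + 1}" for i in range(pool)]  # constructed bot pool
    for r in range(rounds):
        for src in bots:
            sw.handle(src, 50000 + r, SERVER, "SYN")
        sw.timeout_half_open()
    return ctrl.packet_in, sw.syn_acks


if __name__ == "__main__":
    print("plain switch  (packet_ins, syn_acks):", simulate(PlainSwitch))
    print("proxy, p=0.0  (packet_ins, syn_acks):", simulate(ProxySwitch, p_black=0.0))
    print("proxy, p=0.8  (packet_ins, syn_acks):", simulate(ProxySwitch, p_black=0.8))
    print("proxy, p=1.0  (packet_ins, syn_acks):", simulate(ProxySwitch, p_black=1.0))
```

With the constructed traffic the baseline switch emits 270 PACKET_INs (20 legitimate flows plus 250 bot SYNs), while the proxy emits 20 whatever the blacklisting probability, because a spoofed or abandoned SYN never reaches the controller. Blacklisting instead reduces the switch's own work: with p_black set to 1.0 every bot is banned after the third expired handshake and the last two rounds cost no SYN-ACKs at all, and with 0.8 the outcome lies between the no-blacklist and always-blacklist cases. The probability is the knob that trades faster suppression of offenders against the risk of banning a slow legitimate client.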
LineSwitch: Efficiently Managing Switch Flow in Software-Defined Networking while Effectively Tackling DoS Attacks