research-article

In-design Resilient SDN Control Plane and Elastic Forwarding Against Aggressive DDoS Attacks

Authors:
Fida Gillani

University of North Carolina at Charlotte, Charlotte, NC, USA

University of North Carolina at Charlotte, Charlotte, NC, USA
View Profile

,
Ehab Al-Shaer

University of North Carolina at Charlotte, Charlotte, NC, USA

University of North Carolina at Charlotte, Charlotte, NC, USA
View Profile

,
Qi Duan

University of North Carolina at Charlotte, Charlotte, NC, USA

University of North Carolina at Charlotte, Charlotte, NC, USA
View Profile

MTD '18: Proceedings of the 5th ACM Workshop on Moving Target DefenseOctober 2018Pages 80–89https://doi.org/10.1145/3268966.3268968

Published:15 January 2018Publication History

MTD '18: Proceedings of the 5th ACM Workshop on Moving Target Defense

Pages 80–89

ABSTRACT

Using Software-defined Networks in wide area (SDN-WAN) has been strongly emerging in the past years. Due to scalability and economical reasons, SDN-WAN mostly uses an in-band control mechanism, which implies that control and data sharing the same critical physical links. However, the in-band control and centralized control architecture can be exploited by attackers to launch distributed denial of service (DDoS) on SDN control plane by flooding the shared links and/or the Open flow agents. Therefore, constructing a resilient software designed network requires dynamic isolation and distribution of the control flow to minimize damage and significantly increase attack cost. Existing solutions fall short to address this challenge because they require expensive extra dedicated resources or changes in OpenFlow protocol. In this paper, we propose a moving target technique called REsilient COntrol Network architecture (ReCON) that uses the same SDN network resources to defend SDN control plane dynamically against the DDoS attacks. ReCON essentially, (1) minimizes the sharing of critical resources among data and control traffic, and (2) elastically increases the limited capacity of the software control agents on-demand by dynamically using the under-utilized resources from within the same SDN network. To implement a practical solution, we formalize ReCON as a constraints satisfaction problem using Satisfiability Modulo Theory (SMT) to guarantee a correct-by-construction control plan placement that can handle dynamic network conditions.

References

Brite topology generator. http://cs.bu.edu/brite/.Google Scholar
Global onos and sdn-ip deployment. http://onosproject.org/wpcontent/ uploads/2015/06/PoC_global-deploy.pdf.Google Scholar
Mininet: An instant virtual network on your laptop (or other pc). http://mininet.org/.Google Scholar
Pox controller. http://openflow.stanford.edu/display/ONL/POX+Wiki.Google Scholar
Rocketfuel. http://research.cs.washington.edu/networking/rocketfuel/.Google Scholar
Scapy. http://secdev.org/projects/scapy/.Google Scholar
Software-defined networking (sdn). http://sdxcentral.com/resources/sdn/whatthedefinition- of-software-defined-networking-sdn/.Google Scholar
Technical details behind a 400gbps ntp amplification ddos attack. http://blog.cloudflare.com/technical-details-behind-a- 400gbps-ntp-amplification-ddos-attack.Google Scholar
Z3 theorm prover. http://research.microsoft.com/enus/ um/redmond/projects/z3/.Google Scholar
Kanak Agarwal, Eric Rozner, Colin Dixon, and John Carter. Sdn traceroute: Tracing sdn forwarding without changing network behavior. In Proceedings of the third workshop on Hot topics in software defined networking, pages 145--150. ACM, 2014. Google ScholarDigital Library
Andrew R Curtis and et.al. Devoflow: Scaling flow management for highperformance networks. In ACM SIGCOMM Computer Communication Review, 2011. Google ScholarDigital Library
Mohan Dhawan and et.al. Sphinx: Detecting security attacks in software-defined networks. In Proceedings of NDSS, 2015.Google Scholar
Fida Gillani, Ehab Al-Shaer, and Basil AsSadhan. Economic metric to improve spam detectors. In Journal of Network and Computer Application, 2016. Google ScholarDigital Library
Jie Hu and et.al. Scalability of control planes for software defined networks: Modeling and evaluation. In IEEE Symposium on Quality of Service (IWQoS), 2014.Google Scholar
Sushant Jain, Alok Kumar, Subhasree Mandal, Joon Ong, Leon Poutievski, Arjun Singh, Subbaiah Venkata, Jim Wanderer, Junlan Zhou, Min Zhu, et al. B4: Experience with a globally-deployed software defined wan. ACM SIGCOMM Computer Communication Review, 43(4):3--14, 2013. Google ScholarDigital Library
Min Suk Kang, Soo Bum Lee, and Virgil D. Gilgor. The crossfire attack. In Proceedings of IEEE Symposium on Security and Privacy, 2013. Google ScholarDigital Library
Leonardo De Moura and Nikolaj Bjorner. Satisfiability Modulo Theories: Introduction and Applications. CACM, 2011. Google ScholarDigital Library
Bo Peng and et.al. Qos routing with bandwidth and hop-count consideration: A performance perspective. Journal of Communications, 2006.Google Scholar
Sterling Perrin and Stan Hubbard. Practical implementation of sdn & nfv in the wan. White paper, Heavy Reading, October, 2013.Google Scholar
Mahajan Ratul and et.al. Achieving high utilization using software-driven wan (extended version). Technical report, June 2013.Google Scholar
Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In ACM CCS, 2013. Google ScholarDigital Library
AnWant and et.al. Scotch: Elastically scaling up sdn control-plane using vswitch based overlay. In Proceedings of the 10th ACM CoNEXT, 2014. Google ScholarDigital Library
Minlan Yu, Jennifer Rexford, Michael J Freedman, and Jia Wang. Scalable flowbased networking with difane. ACM SIGCOMM Computer Communication Review, 40(4):351--362, 2010. Google ScholarDigital Library
Yong Zhu and Mostafa Ammar. Algorithms for assigning substrate network resources to virtual network components. In INFOCOM, 2006.Google ScholarCross Ref

Index Terms

In-design Resilient SDN Control Plane and Elastic Forwarding Against Aggressive DDoS Attacks
1. Security and privacy
  1. Network security
    1. Denial-of-service attacks

Recommendations

Mitigation of DDoS Attack Using Moving Target Defense in SDN
Abstract
Software-defined networking (SDN) is a trending networking paradigm that focuses on decoupling of the control logic from the data plane. This decoupling brings programmability and flexibility for the network management by introducing centralized ...
Read More
On Profiling, Benchmarking and Behavioral Analysis of SDN Architecture Under DDoS Attacks
Abstract
Software-Defined Networking (SDN) has attracted much attention from research and industrial communities recently as it is more agile and flexible compared to conventional networking technology in offering new network functions and services. By ...
Read More
Adversarial Deep Learning approach detection and defense against DDoS attacks in SDN environments
Abstract
Over the last few years, Software Defined Networking (SDN) paradigm has become an emerging architecture to design future networks and to meet new application demands. SDN provides resources for improving network control and management ...
Highlights
- This work proposes a detection and defense system against adversarial DDoS attacks through an Adversarial Deep Learning approach.
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
MTD '18: Proceedings of the 5th ACM Workshop on Moving Target Defense
October 2018
96 pages
ISBN:9781450360036
DOI:10.1145/3268966
Program Chairs:
Massimiliano Albanese
George Mason University, USA
,
Dijiang Huang
Arizona State University, USA
Copyright © 2018 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 15 January 2018
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
ddos
sdn
Qualifiers
- research-article
Conference

Acceptance Rates
MTD '18 Paper Acceptance Rate5of5submissions,100%Overall Acceptance Rate40of92submissions,43%
More

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 8
  Total Citations
  View Citations
- 487
  Total Downloads
- Downloads (Last 12 months)25
- Downloads (Last 6 weeks)11
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

In-design Resilient SDN Control Plane and Elastic Forwarding Against Aggressive DDoS Attacks

MTD '18: Proceedings of the 5th ACM Workshop on Moving Target Defense

ABSTRACT

References

Cited By

Index Terms

Recommendations

Mitigation of DDoS Attack Using Moving Target Defense in SDN

On Profiling, Benchmarking and Behavioral Analysis of SDN Architecture Under DDoS Attacks

Adversarial Deep Learning approach detection and defense against DDoS attacks in SDN environments

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

In-design Resilient SDN Control Plane and Elastic Forwarding Against Aggressive DDoS Attacks

MTD '18: Proceedings of the 5th ACM Workshop on Moving Target Defense

ABSTRACT

References

Cited By

Index Terms

Recommendations

Mitigation of DDoS Attack Using Moving Target Defense in SDN

On Profiling, Benchmarking and Behavioral Analysis of SDN Architecture Under DDoS Attacks

Adversarial Deep Learning approach detection and defense against DDoS attacks in SDN environments

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media