ABSTRACT
The use of software-defined networking in wide-area networks (SDN-WAN) has grown rapidly in recent years. For scalability and economic reasons, SDN-WAN deployments mostly use in-band control, which means that control and data traffic share the same critical physical links. However, in-band control combined with a centralized control architecture can be exploited by attackers to launch distributed denial of service (DDoS) attacks on the SDN control plane by flooding the shared links and/or the OpenFlow agents. Building a resilient software-defined network therefore requires dynamic isolation and distribution of the control flow to minimize damage and significantly increase the attacker's cost. Existing solutions fall short of addressing this challenge because they require expensive extra dedicated resources or changes to the OpenFlow protocol. In this paper, we propose a moving target technique called REsilient COntrol Network architecture (ReCON) that uses the SDN network's own resources to defend the SDN control plane dynamically against DDoS attacks. ReCON essentially (1) minimizes the sharing of critical resources between data and control traffic, and (2) elastically increases the limited capacity of the software control agents on demand by dynamically drawing on under-utilized resources from within the same SDN network. To implement a practical solution, we formalize ReCON as a constraint satisfaction problem using Satisfiability Modulo Theories (SMT), which guarantees a correct-by-construction control plane placement that can handle dynamic network conditions.
Index Terms
- In-design Resilient SDN Control Plane and Elastic Forwarding Against Aggressive DDoS Attacks