Published in: Arabian Journal for Science and Engineering 11/2019

31.07.2019 | Research Article - Computer Engineering and Computer Science

Control Plane Packet-In Arrival Rate Analysis for Denial-of-Service Saturation Attacks Detection and Mitigation in Software-Defined Networks

Written by: Fakhry Khellah



Abstract

Software-defined networking (SDN) is an emerging network architecture in which programmable network control is decoupled from forwarding. Greater control of the network through programming, abstraction of the complexity of the underlying physical infrastructure, and the emergence of new applications are some of the benefits of SDN. Unfortunately, centralized control raises new security concerns that have become a research topic in both academia and industry. An attacker can exploit the extensive communication required between the control and data planes to launch a network-wide denial-of-service attack known as the data-to-control plane saturation attack, which can have a devastating effect on a large part of the network. This paper introduces a new method for detecting data-to-control plane saturation attacks that is based on dynamically estimating and monitoring the rate of Packet-In messages arriving at the controller. Detection uses an adaptive threshold that varies with the received Packet-In rate, and by design it identifies the protocol exploited to launch the attack. We use this feature to present a simple, protocol-independent mitigation method that targets only the attack traffic belonging to the identified protocol; being protocol independent, it can also protect against flooding attacks that use self-defined protocols, which the emerging SDN technology has recently made possible. Mitigation uses only the available OpenFlow commands, without any change to the OpenFlow protocol. Experiments under different scenarios show that the presented method effectively protects against the control plane saturation attack, with an average detection time of \(\approx 0.1\) s, which is comparable to the state of the art under a similar experimental setup. In addition, the method imposes almost no (0%) overhead on legitimate traffic once the attack is mitigated.
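The detection-and-mitigation idea the abstract describes, as an added example that is not the paper's code: a controller-side monitor counts Packet-In messages per fixed window, keeps an online estimate of the mean and standard deviation of the per-window rate (Welford's update), and raises an alert for any window whose rate exceeds mean + k·σ; the protocol that dominates the offending window is attributed as the attack protocol, and a drop entry for it is expressed with ordinary OpenFlow 1.3 flow-mod fields. The estimator, the window length, the constants, the attribution by dominant protocol count, and the traffic stream are all assumptions made for this example; the paper's actual threshold rule and experimental traffic are not given on this page.

```python
"""Packet-In arrival-rate monitor with an adaptive threshold.

Added example, not the paper's code. The estimator (running mean plus k
standard deviations of the per-window rate, kept with Welford's online update),
the window size, the constants and the traffic stream are all assumptions.
"""
from collections import Counter
import math

# OpenFlow 1.3 OXM match fields for each protocol the monitor can attribute.
PROTO_MATCH = {
    "tcp": {"eth_type": 0x0800, "ip_proto": 6},
    "udp": {"eth_type": 0x0800, "ip_proto": 17},
    "icmp": {"eth_type": 0x0800, "ip_proto": 1},
    "arp": {"eth_type": 0x0806},
}


class PacketInRateMonitor:
    """Counts Packet-In messages per fixed window and tracks an adaptive threshold."""

    def __init__(self, window_us=50_000, k=3.0, warmup_windows=10):
        self.window_us = window_us    # window length in microseconds
        self.k = k                    # standard deviations above the mean
        self.warmup = warmup_windows  # windows seen before an alert is possible
        self.n = 0                    # windows folded into the baseline
        self.mean = 0.0               # running mean of the per-window rate (msg/s)
        self.m2 = 0.0                 # running sum of squared deviations (Welford)
        self.cur_window = 0
        self.protos = Counter()       # Packet-In count per protocol, current window

    def threshold(self):
        """Current alert threshold in msg/s; infinite until the baseline is warm."""
        if self.n < max(self.warmup, 2):
            return math.inf
        return self.mean + self.k * math.sqrt(self.m2 / (self.n - 1))

    def _update_baseline(self, rate):
        self.n += 1
        delta = rate - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (rate - self.mean)

    def _close_window(self):
        """Evaluate the finished window; return the offending protocol or None."""
        rate = sum(self.protos.values()) * 1_000_000 / self.window_us
        alert = None
        if rate > self.threshold():
            alert = self.protos.most_common(1)[0][0]  # dominant protocol in the burst
        else:
            self._update_baseline(rate)  # attack windows must not inflate the baseline
        self.protos = Counter()
        return alert

    def observe(self, t_us, proto):
        """Feed one Packet-In (arrival time in us, parsed protocol); return alerts."""
        alerts = []
        while self.cur_window < t_us // self.window_us:  # close windows that ended before t_us
            alert = self._close_window()
            if alert:
                alerts.append((self.cur_window, alert))
            self.cur_window += 1
        self.protos[proto] += 1
        return alerts


def drop_flow_mod(proto, priority=1000, idle_timeout=30):
    """Fields of an OFPT_FLOW_MOD that drops `proto` at the switch. An entry with
    no instructions has an empty action set, which OpenFlow 1.3 defines as drop."""
    if proto not in PROTO_MATCH:
        raise ValueError(f"no match template for protocol {proto!r}")
    return {"type": "OFPT_FLOW_MOD", "command": "OFPFC_ADD", "priority": priority,
            "idle_timeout": idle_timeout, "match": dict(PROTO_MATCH[proto]),
            "instructions": []}


def constructed_stream(window_us=50_000):
    """Constructed input: 2 s of mixed legitimate traffic (4..7 Packet-In per
    window) followed by a 0.2 s UDP flood at 2000 Packet-In/s."""
    pattern, protos, stream = [5, 6, 4, 5, 5, 7, 4, 6, 5, 5], ["tcp", "udp", "icmp"], []
    for w in range(40):
        c = pattern[w % len(pattern)]
        stream += [(w * window_us + j * (window_us // c), protos[(w + j) % 3]) for j in range(c)]
    stream += [(40 * window_us + i * 500, "udp") for i in range(400)]
    stream.append((44 * window_us, "tcp"))  # first message after the flood closes window 43
    return stream


def simulate(stream):
    """Run the monitor over a stream; return alerts and one drop rule per flagged protocol."""
    mon, alerts, rules = PacketInRateMonitor(), [], {}
    for t_us, proto in stream:
        for window, hit in mon.observe(t_us, proto):
            alerts.append((window, hit))
            rules.setdefault(hit, drop_flow_mod(hit))
    return alerts, rules
```

Calling `simulate(constructed_stream())` yields one alert per flood window, all attributed to UDP, and a single drop rule. Windows that trigger an alert are deliberately kept out of the baseline so the threshold does not creep up during the flood; the same mechanism means a long quiet gap before the first message (many empty windows) lowers the baseline, which a deployment would want to guard against. This example matches on the protocol alone; narrowing the match further (for instance to the ingress port the flood arrives on) is what keeps the overhead on legitimate traffic of that protocol low.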


Metadata
Title
Control Plane Packet-In Arrival Rate Analysis for Denial-of-Service Saturation Attacks Detection and Mitigation in Software-Defined Networks
Written by
Fakhry Khellah
Publication date
31.07.2019
Publisher
Springer Berlin Heidelberg
Published in
Arabian Journal for Science and Engineering / Issue 11/2019
Print ISSN: 2193-567X
Electronic ISSN: 2191-4281
DOI
https://doi.org/10.1007/s13369-019-04059-3
