Published in: Arabian Journal for Science and Engineering 11/2019

31-07-2019 | Research Article - Computer Engineering and Computer Science

Control Plane Packet-In Arrival Rate Analysis for Denial-of-Service Saturation Attacks Detection and Mitigation in Software-Defined Networks

Author: Fakhry Khellah


Abstract

Software-defined networking (SDN) is an emerging network architecture in which programmable network control is decoupled from forwarding. Greater control of a network through programming, abstraction of the complexity of the underlying physical infrastructure, and the emergence of new applications are some of the benefits of SDN, to name a few. Unfortunately, the idea of centralized control raises new security concerns that have become a research topic in both academia and industry. An attacker can exploit the extensive communication required between the control and data planes to launch a network-wide type of denial-of-service attack, known as the data-to-control plane saturation attack. Such an attack can have a devastating effect on a large part of the network. This paper introduces a new method for detecting the data-to-control plane saturation attack that is based on dynamically estimating and monitoring the rate of Packet-In messages arriving at the controller. The proposed detection method uses an adaptive threshold that varies with the rate of the received Packet-In messages. By design, the detection technique makes it possible to discover the protocol exploited to launch the attack. We utilize this feature to present a simple attack mitigation method that is protocol independent and targets the attacking traffic that belongs to the identified attacking protocol. Moreover, being protocol independent, the proposed method can protect against flooding attacks based on self-defined protocols, which the emerging SDN technology has recently made possible. Attack mitigation relies only on the available OpenFlow commands, without any change to the OpenFlow protocol. The results of experiments conducted under different scenarios show that the presented method is capable of effectively protecting against the control plane saturation attack, with an average detection time of (\(\approx 0.1\) s), which is comparable to the state of the art with a similar experimental setup. In addition, the method imposes almost (0%) overhead on legitimate traffic once the attack is mitigated.
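The following Python sketch is an added illustration of the adaptive-threshold idea described in the abstract; it is not the paper's code, and the paper's exact estimator and threshold formula are not given on this page. It assumes per-interval Packet-In counts tracked with Welford's online mean/variance, a threshold of mean + k * std that is learned only from intervals judged benign, and identification of the attacking protocol as the dominant protocol in a flagged interval. Sample Packet-In batches are constructed inline.

```python
import math
from collections import Counter


class PacketInRateMonitor:
    """Adaptive threshold over per-interval Packet-In counts.

    Baseline mean/variance use Welford's online algorithm (an assumption
    of this sketch) and the threshold is mean + k * std, so it moves
    with the observed Packet-In rate instead of being a fixed constant.
    """

    def __init__(self, k=3.0, warmup=5, min_std=1.0):
        self.k, self.warmup, self.min_std = k, warmup, min_std
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def threshold(self):
        std = math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0
        return self.mean + self.k * max(std, self.min_std)

    def _learn(self, count):
        self.n += 1
        delta = count - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (count - self.mean)

    def observe(self, protocols):
        """One interval's Packet-In batch (list of L4 protocol names).

        Returns (alert, dominant_protocol). Flagged intervals are not fed
        back into the baseline, so a flood cannot drag the threshold up.
        """
        count = len(protocols)
        if self.n >= self.warmup and count > self.threshold():
            return True, Counter(protocols).most_common(1)[0][0]
        self._learn(count)
        return False, None


def detect(intervals, **kw):
    """Run the monitor over intervals; return [(interval_index, protocol)]."""
    mon, alerts = PacketInRateMonitor(**kw), []
    for i, batch in enumerate(intervals):
        alert, proto = mon.observe(batch)
        if alert:
            alerts.append((i, proto))
    return alerts


def _batch(tcp, udp, icmp):
    return ["tcp"] * tcp + ["udp"] * udp + ["icmp"] * icmp


# Constructed sample: eight benign intervals of about 10 Packet-Ins each,
# then two intervals where a UDP flood forces many new-flow Packet-Ins.
SAMPLE_INTERVALS = [
    _batch(6, 3, 1), _batch(5, 3, 1), _batch(7, 3, 1), _batch(6, 3, 1),
    _batch(8, 3, 1), _batch(4, 3, 1), _batch(6, 3, 1), _batch(7, 3, 1),
    _batch(6, 190, 1), _batch(6, 140, 1),
]

if __name__ == "__main__":
    print(detect(SAMPLE_INTERVALS))  # [(8, 'udp'), (9, 'udp')]
```

The reported protocol is what a mitigation step would key on; the sketch stops at detection and does not emit OpenFlow rules.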


Metadata
Title
Control Plane Packet-In Arrival Rate Analysis for Denial-of-Service Saturation Attacks Detection and Mitigation in Software-Defined Networks
Author
Fakhry Khellah
Publication date
31-07-2019
Publisher
Springer Berlin Heidelberg
Published in
Arabian Journal for Science and Engineering / Issue 11/2019
Print ISSN: 2193-567X
Electronic ISSN: 2191-4281
DOI
https://doi.org/10.1007/s13369-019-04059-3
