
Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment

  • Original Research
Journal of Ambient Intelligence and Humanized Computing

Abstract

In recent years, software defined networking (SDN) has evolved into a new and promising networking paradigm. In an SDN-based cloud, the essential features of SDN, including a global view of the whole network, software-based traffic analysis, and centralized control over the network, can greatly improve the cloud's DDoS attack detection and mitigation capabilities. However, integrating SDN into the cloud itself introduces new DDoS attack vulnerabilities. Limited flow-table size is one such vulnerability: adversaries can exploit it to perform DDoS attacks on the SDN-based cloud. In this paper, we first discuss the essential features of SDN that make it a suitable networking technology for cloud computing. We then represent the flow-table space of a switch using a queuing-theory-based mathematical model. Further, we propose a novel flow-table sharing approach to protect the SDN-based cloud from flow-table overloading DDoS attacks. This approach uses the idle flow tables of other OpenFlow switches in the network to protect a switch's flow table from overloading. Our approach increases the resistance of the cloud system against DDoS attacks with minimal involvement of the SDN controller, and thus has very low communication overhead. Our claims are well supported by extensive simulation-based experiments.
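The following is an added illustration, not code or equations from the paper: it shows why borrowing idle flow-table space from other switches lowers the chance that a flooded switch rejects new rules. The paper's own queuing model is not reproduced on this page, so the sketch assumes an Erlang-B loss system and idealised complete pooling; all function names and numbers are constructed.

```python
"""Flow-table overflow modelled as an Erlang-B loss system (assumed model).

Assumption: rule installs arrive as a Poisson process, each entry lives for
its timeout on average, and a full table rejects the install.
"""

def erlang_b(slots: int, offered_load: float) -> float:
    """Probability that a new flow rule finds a table of `slots` full.

    offered_load is arrival rate x mean entry lifetime, i.e. the mean number
    of entries the traffic would occupy in an unbounded table.
    """
    if slots < 0 or offered_load < 0:
        raise ValueError("slots and offered_load must be non-negative")
    blocking = 1.0                      # a zero-slot table always rejects
    for k in range(1, slots + 1):       # numerically stable recursion
        blocking = offered_load * blocking / (k + offered_load * blocking)
    return blocking

def overflow_isolated_vs_shared(victim, peers):
    """Return (overflow alone, overflow with sharing) for the victim switch.

    victim and each peer are (slots, offered_load) pairs. Sharing is
    idealised as complete pooling of every idle slot on the peers.
    """
    v_slots, v_load = victim
    pool_slots = v_slots + sum(s for s, _ in peers)
    pool_load = v_load + sum(load for _, load in peers)
    return erlang_b(v_slots, v_load), erlang_b(pool_slots, pool_load)

def peers_needed(victim, peer, target, max_peers=64):
    """Smallest count of identical peers keeping overflow below target."""
    for n in range(max_peers + 1):
        if overflow_isolated_vs_shared(victim, [peer] * n)[1] < target:
            return n
    return None                         # busy peers cannot absorb the flood

if __name__ == "__main__":
    # Constructed numbers: 1000-slot tables, 300 entries of benign load each,
    # plus a flood worth 1500 entries of load on the victim switch.
    victim, peer = (1000, 300 + 1500), (1000, 300)
    alone, shared = overflow_isolated_vs_shared(victim, [peer, peer])
    print(f"victim alone: {alone:.3f}  pooled with 2 peers: {shared:.2e}")
    print("peers for <1% overflow:", peers_needed(victim, peer, 0.01))
```

Sharing only helps while the peers really are idle: when every peer's own load already fills its table, `peers_needed` returns `None`.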



Acknowledgements

This research work is being supported by Project Grant (SB/FTP/ETA-131/2014) from SERB, DST, Government of India.

Author information

Corresponding author

Correspondence to B. B. Gupta.


Cite this article

Bhushan, K., Gupta, B.B. Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment. J Ambient Intell Human Comput 10, 1985–1997 (2019). https://doi.org/10.1007/s12652-018-0800-9


  • DOI: https://doi.org/10.1007/s12652-018-0800-9
