Detection and mitigation of DoS attacks in software defined networks

Shang Gao, Zhe Peng, Bin Xiao*, Aiqun Hu, Yubo Song, Kui Ren

*Corresponding author for this work

Research output: Contribution to journal, Journal article, peer-review

63 Citations (Scopus)

Abstract

The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of the useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Original language: English
Article number: 9068479
Pages (from-to): 1419-1433
Number of pages: 15
Journal: IEEE/ACM Transactions on Networking
Volume: 28
Issue number: 3
Publication status: Published - Jun 2020

Scopus Subject Areas

  • Software
  • Computer Science Applications
  • Computer Networks and Communications
  • Electrical and Electronic Engineering

User-Defined Keywords

  • attack detection
  • flow rule management
  • packet filter
  • SDN
  • SDN-aimed DoS attacks
  • table-miss engineering
