SGuard: A lightweight SDN safe-guard architecture for DoS attacks

Software Defined Networking (SDN) is a revolutionary networking paradigm for the future network and is developing rapidly. However, its defining characteristic, the separation of the control plane from the data plane, also introduces new security challenges, notably Denial-of-Service (DoS) attacks specific to OpenFlow SDN networks that exhaust control-plane bandwidth and overload the buffer memory of OpenFlow switches. To mitigate DoS attacks in OpenFlow networks, we design and implement SGuard, a security application on top of the NOX controller that consists of two main modules: an access control module and a classification module. We employ a novel six-tuple as the feature vector for classifying traffic flows, and optimize the classification with feature-ranking and feature-selection algorithms. The modules cooperate with each other to complete a series of tasks such as authorization and classification. At the end of this paper, we evaluate SGuard experimentally in a Mininet software environment. The results show that SGuard works efficiently and accurately without adding overhead to the SDN network.
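The classification module described above, as an added illustration that is not SGuard's own code: the abstract does not list SGuard's six features, so this example assumes six commonly used per-window flow statistics (average packets, bytes and duration per flow, fraction of bidirectional flows, fraction of one-packet flows, distinct destination ports per flow) computed from a switch's flow-stats entries, and a nearest-centroid classifier (assumed, in place of whatever SGuard uses) trained on constructed benign and spoofed-flood windows.

```python
import random
from collections import namedtuple
from statistics import mean

Flow = namedtuple("Flow", "src dst dport pkts nbytes dur")  # one flow-stats entry from a switch

def six_tuple(flows):
    """Assumed six features per stats window (the abstract does not list SGuard's)."""
    n = len(flows)
    pairs = {(f.src, f.dst) for f in flows}
    return (mean(f.pkts for f in flows),                       # avg packets per flow
            mean(f.nbytes for f in flows),                     # avg bytes per flow
            mean(f.dur for f in flows),                        # avg flow duration (s)
            sum((f.dst, f.src) in pairs for f in flows) / n,   # fraction of bidirectional flows
            sum(f.pkts == 1 for f in flows) / n,               # fraction of one-packet flows
            len({f.dport for f in flows}) / n)                 # distinct dst ports per flow

def normal_window(seed, n=40):
    """Constructed benign window: a few long flows, each with its reverse direction present."""
    rng, flows = random.Random(seed), []
    for i in range(n // 2):
        a, b, p = f"10.0.0.{i % 5 + 1}", f"10.0.1.{i % 3 + 1}", rng.choice([22, 80, 443])
        for s, d in ((a, b), (b, a)):
            flows.append(Flow(s, d, p, rng.randint(20, 200), rng.randint(2000, 90000), rng.uniform(2, 30)))
    return flows

def flood_window(seed, n=400):
    """Constructed spoofed-source flood: many one-packet flows to random ports, no replies."""
    rng = random.Random(seed)
    return [Flow(f"{rng.randint(1, 254)}.{rng.randint(1, 254)}.0.1", "10.0.1.1",
                 rng.randint(1024, 65535), 1, rng.randint(40, 64), rng.uniform(0.001, 0.05))
            for _ in range(n)]

def train(labelled_windows):
    """Nearest-centroid model: one centroid per class in the six-feature space."""
    return {label: tuple(mean(col) for col in zip(*(six_tuple(w) for w in ws)))
            for label, ws in labelled_windows.items()}

def classify(model, flows):
    """Label a new stats window by its per-feature-scaled distance to each class centroid."""
    v, cents = six_tuple(flows), list(model.values())
    spans = [(max(c[i] for c in cents) - min(c[i] for c in cents)) or 1.0 for i in range(6)]
    return min(model, key=lambda lbl: sum(((v[i] - model[lbl][i]) / spans[i]) ** 2 for i in range(6)))

def build_model():
    """Train on five constructed windows of each class (seeds 0-4)."""
    return train({"normal": [normal_window(s) for s in range(5)],
                  "attack": [flood_window(s) for s in range(5)]})
```

In a controller application the windows would come from periodic flow-stats replies, and an "attack" label would feed the access control module rather than a printout.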
