StateSec: Stateful monitoring for DDoS protection in software defined networks

Software-Defined Networking (SDN) allows for fast reactions to security threats by dynamically enforcing simple forwarding rules as counter-measures. However, in classic SDN all the intelligence resides at the controller, with the switches only capable of performing stateless forwarding as ruled by the controller. It follows that the controller, in addition to its network management and control duties, must collect and process every piece of information required to make advanced (stateful) forwarding decisions. This threatens both to overload the controller and to congest the control channel. Stateful SDN, on the other hand, is a newer concept developed both to improve reactivity and to offload the controller and the control channel by delegating local processing to the switches. In this paper, we adopt this stateful paradigm to protect end-hosts from Distributed Denial of Service (DDoS). We propose StateSec, a novel approach based on in-switch processing capabilities to detect and mitigate DDoS attacks. StateSec monitors packets matching configurable traffic features (e.g., IP src/dst, port src/dst) without resorting to the controller. By feeding an entropy-based algorithm with these monitoring features, StateSec detects and mitigates several threats such as (D)DoS and port scans with high accuracy. We implemented StateSec and compared it with a state-of-the-art approach for monitoring traffic in SDN. We show that StateSec is more efficient: it achieves very accurate detection while limiting control-plane overhead.
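The abstract describes two ideas together: the switch keeps per-feature packet state itself, and an entropy-based algorithm over that state separates (D)DoS floods from port scans. The following Python is an added illustration of that split and is not StateSec's code; the feature names, the switch/detector classes, the baseline-shift rule and all traffic samples are assumptions constructed for the example. The switch side only maintains a packet counter per observed value of each configured feature, so only the small counter tables (never the packets) reach the detection logic, which computes Shannon entropy per feature and labels a window by how each entropy shifted from a benign baseline.

```python
"""Entropy-based (D)DoS / port-scan detection over per-feature packet counters.

Added example, not StateSec's own code. Feature names, thresholds and the
traffic samples below are constructed assumptions for illustration.
"""
import math
from collections import Counter

FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port")  # assumed configurable set


class SwitchMonitor:
    """Switch-side state: one packet counter per observed value of each feature."""

    def __init__(self, features=FEATURES):
        self.features = features
        self.counts = {f: Counter() for f in features}

    def observe(self, pkt):
        # In-switch update: nothing crosses the control channel per packet.
        for f in self.features:
            self.counts[f][pkt[f]] += 1

    def export(self):
        # Hand the counter tables to the detector and start a fresh window.
        tables, self.counts = self.counts, {f: Counter() for f in self.features}
        return tables


def entropy(counter):
    """Shannon entropy (bits) of the value distribution in one counter table."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def feature_entropies(tables):
    return {f: entropy(tables[f]) for f in tables}


def baseline_from(windows):
    """Mean per-feature entropy over exported tables of windows known to be benign."""
    ents = [feature_entropies(w) for w in windows]
    return {f: sum(e[f] for e in ents) / len(ents) for f in FEATURES}


def classify(baseline, tables, delta=1.0):
    """Label a window by how its feature entropies shifted from the baseline.

    DDoS: destinations collapse onto a victim (dst_ip entropy falls) while
    sources spread out (src_ip entropy rises).  Port scan: one source
    (src_ip entropy falls) probes many ports (dst_port entropy rises).
    delta is the shift, in bits, treated as significant (assumed value).
    """
    shift = {f: h - baseline[f] for f, h in feature_entropies(tables).items()}
    if shift["dst_ip"] < -delta and shift["src_ip"] > delta:
        return "ddos", shift
    if shift["dst_port"] > delta and shift["src_ip"] < -delta:
        return "port_scan", shift
    if any(abs(s) > delta for s in shift.values()):
        return "anomaly", shift
    return "normal", shift


def window_tables(packets):
    """Run a packet list through a switch monitor and export its tables."""
    sw = SwitchMonitor()
    for p in packets:
        sw.observe(p)
    return sw.export()


# --- Constructed sample traffic (not captured data) --------------------------

def normal_window(n=16):
    """Four hosts talk to four servers on four services; evenly balanced."""
    hosts = [f"10.0.0.{i}" for i in range(1, 5)]
    servers = [f"10.0.1.{i}" for i in range(1, 5)]
    services = [80, 443, 22, 53]
    return [{"src_ip": hosts[i % 4], "dst_ip": servers[(i // 4) % 4],
             "src_port": 40000 + i, "dst_port": services[i % 4]}
            for i in range(n)]


def ddos_window():
    """200 distinct sources flood one server's port 80 on top of normal traffic."""
    flood = [{"src_ip": f"198.51.100.{i}", "dst_ip": "10.0.1.1",
              "src_port": 1024 + i, "dst_port": 80} for i in range(200)]
    return normal_window() + flood


def port_scan_window():
    """One source probes 200 ports of one server on top of normal traffic."""
    scan = [{"src_ip": "192.0.2.10", "dst_ip": "10.0.1.2",
             "src_port": 54321, "dst_port": p} for p in range(1000, 1200)]
    return normal_window() + scan


if __name__ == "__main__":
    base = baseline_from([window_tables(normal_window()) for _ in range(3)])
    for name, pkts in (("normal", normal_window()), ("ddos", ddos_window()),
                       ("port_scan", port_scan_window())):
        label, shift = classify(base, window_tables(pkts))
        print(f"{name:10s} -> {label:10s}", {f: round(s, 2) for f, s in shift.items()})
```

The baseline here is the mean entropy of a few benign windows, so the rule reacts to shifts rather than to absolute values; in deployment the baseline would be learned per switch and the shift threshold tuned against observed variance, since a window dominated by an attack also drags the other features (the flood lowers dst_port entropy, the scan lowers dst_ip entropy), which is why the labels are decided by the pair of features that move in opposite directions.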
