LineSwitch: Tackling Control Plane Saturation Attacks in Software-Defined Networking

Software defined networking (SDN) is a new networking paradigm that in recent years has revolutionized network architectures. At its core, SDN separates the data plane, which provides data forwarding functionalities, and the control plane, which implements the network control logic. The separation of these two components provides a virtually centralized point of control in the network, and at the same time abstracts the complexity of the underlying physical infrastructure. Unfortunately, while promising, the SDN approach also introduces new attacks and vulnerabilities. Indeed, previous research shows that, under certain traffic conditions, the required communication between the control and data plane can result in a bottleneck. An attacker can exploit this limitation to mount a new, network-wide, type of denial of service attack, known as the control plane saturation attack. This paper presents LineSwitch, an efficient and effective data plane solution to tackle the control plane saturation attack. LineSwitch employs probabilistic proxying and blacklisting of network traffic to prevent the attack from reaching the control plane, and thus preserve network functionality. We implemented LineSwitch as an extension of the reference SDN implementation, OpenFlow, and run a thorough set of experiments under different traffic and attack scenarios. We compared LineSwitch to the state of the art, and we show that it provides at the same time, the same level of protection against the control plane saturation attack, and a reduced time overhead by up to 30%.

[1]  Fang Hao,et al.  Application-aware data plane processing in SDN , 2014, HotSDN.

[2]  Andreas Terzis,et al.  My Botnet Is Bigger Than Yours (Maybe, Better Than Yours): Why Size Estimates Remain Challenging , 2007, HotBots.

[3]  S. Bellovin Defending Against Sequence Number Attacks , 1996 .

[4]  Van Jacobson,et al.  Congestion avoidance and control , 1988, SIGCOMM '88.

[5]  Lei Xu,et al.  FloodGuard: A DoS Attack Prevention Extension in Software-Defined Networks , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[6]  Peter Reiher,et al.  Drawbridge: software-defined DDoS-resistant traffic engineering , 2015, SIGCOMM 2015.

[7]  Rodrigo Braga,et al.  Lightweight DDoS flooding attack detection using NOX/OpenFlow , 2010, IEEE Local Computer Network Conference.

[8]  Kevin Benton,et al.  OpenFlow vulnerability assessment , 2013, HotSDN '13.

[9]  Nick McKeown,et al.  OpenFlow: enabling innovation in campus networks , 2008, CCRV.

[10]  Mauro Conti,et al.  LineSwitch: Efficiently Managing Switch Flow in Software-Defined Networking while Effectively Tackling DoS Attacks , 2015, AsiaCCS.

[11]  Yasuo Okabe,et al.  A packet-in message filtering mechanism for protection of control plane in openflow networks , 2014, 2014 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS).

[12]  Vinod Yegneswaran,et al.  AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks , 2013, CCS.

[13]  Robert Morris A Weakness in the 4.2BSD Unix† TCP/IP Software , 1999 .

[14]  Syed Ali Khayam,et al.  Revisiting Traffic Anomaly Detection Using Software Defined Networking , 2011, RAID.

[15]  Vitaly Shmatikov,et al.  dFence: Transparent Network-based Denial of Service Mitigation , 2007, NSDI.

[16]  Fang Hao,et al.  Scotch: Elastically Scaling up SDN Control-Plane using vSwitch based Overlay , 2014, CoNEXT.

[17]  Fernando M. V. Ramos,et al.  Towards secure and dependable software-defined networks , 2013, HotSDN '13.

[18]  Sally Floyd,et al.  TCP Selective Acknowledgment Options , 1996, RFC.

[19]  Kotagiri Ramamohanarao,et al.  Survey of network-based defense mechanisms countering the DoS and DDoS problems , 2007, CSUR.

[20]  Jun Li,et al.  Drawbridge: software-defined DDoS-resistant traffic engineering , 2014, SIGCOMM.

[21]  Paul Smith,et al.  OpenFlow: A security analysis , 2013, 2013 21st IEEE International Conference on Network Protocols (ICNP).

[22]  Yin Zhang,et al.  On the characteristics and origins of internet flow rates , 2002, SIGCOMM '02.

[23]  Bogdan M. Wilamowski,et al.  The Transmission Control Protocol , 2005, The Industrial Information Technology Handbook.