Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges

Distributed Denial of Service (DDoS) attacks in cloud computing environments are growing due to the essential characteristics of cloud computing. With recent advances in software-defined networking (SDN), SDN-based cloud brings new opportunities to defeat DDoS attacks in cloud computing environments. Nevertheless, there is a contradictory relationship between SDN and DDoS attacks. On one hand, the capabilities of SDN, including software-based traffic analysis, centralized control, a global view of the network, and dynamic updating of forwarding rules, make it easier to detect and react to DDoS attacks. On the other hand, the security of SDN itself remains to be addressed, and potential DDoS vulnerabilities exist across SDN platforms. In this paper, we discuss the new trends and characteristics of DDoS attacks in cloud computing and provide a comprehensive survey of defense mechanisms against DDoS attacks using SDN. In addition, we review studies on launching DDoS attacks on SDN, as well as methods for defending against DDoS attacks in SDN. To the best of our knowledge, the contradictory relationship between SDN and DDoS attacks has not been well addressed in previous works. This work can help to understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks, both of which are important for the smooth evolution of SDN-based cloud without the distraction of DDoS attacks.
