DDoS attacks on data plane of software-defined network: are they possible?

With software-defined networking (SDN) becoming the leading technology for large-scale networks, it is definitely expected that SDN will suffer various types of distributed denial-of-service (DDoS) attacks because of its centralized control logic. However, almost all of existing works concentrate on the controller overloading DDoS attacks, while vulnerabilities exposed by data plane of SDN for DDoS attacks are largely ignored. In this paper, we firstly investigate a flow rule flooding DDoS attack. By thoroughly analyzing the flow table size and miss rate, we find that attackers are able to inflict significant performance degradation over the system with limited volume of attack resource. We then prove that it is possible for attackers to maximize the performance degradation and minimize the attack rate at the same time. Besides the flooding DDoS attack, we also study a novel DDoS attack targeting data plane of SDN. By utilizing the entry lifetime management mechanism of flow tables, this attack almost never exhibits an intensive controller access behavior. It flies under the radar by inflicting non-notable performance impact on the system, while it creates heavy long-term financial burden on the target application. Finally, we present a potential countermeasure for this stealthy DDoS attack. Through extensive experiments, we conclude that DDoS attacks targeting data plane are possible. Copyright © 2016 John Wiley & Sons, Ltd.

[1]  Nevil Brownlee Some Observations of Internet Stream Lifetimes , 2005, PAM.

[2]  Martín Casado,et al.  NOX: towards an operating system for networks , 2008, CCRV.

[3]  Saman Taghavi Zargar,et al.  A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks , 2013, IEEE Communications Surveys & Tutorials.

[4]  Andrei V. Gurtov,et al.  Security in Software Defined Networks: A Survey , 2015, IEEE Communications Surveys & Tutorials.

[5]  Guofei Gu,et al.  CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?) , 2012, 2012 20th IEEE International Conference on Network Protocols (ICNP).

[6]  Alan L. Cox,et al.  PAST: scalable ethernet for data centers , 2012, CoNEXT '12.

[7]  Song Guo,et al.  Can we beat legitimate cyber behavior mimicking attacks from botnets? , 2012, 2012 Proceedings IEEE INFOCOM.

[8]  Ulas C. Kozat,et al.  On diagnosis of forwarding plane via static forwarding rules in Software Defined Networks , 2013, IEEE INFOCOM 2014 - IEEE Conference on Computer Communications.

[9]  Isaac Keslassy,et al.  Palette: Distributing tables in software-defined networks , 2013, 2013 Proceedings IEEE INFOCOM.

[10]  Zhifeng Xiao,et al.  Security and Privacy in Cloud Computing , 2013, IEEE Communications Surveys & Tutorials.

[11]  Fang Hao,et al.  Scotch: Elastically Scaling up SDN Control-Plane using vSwitch based Overlay , 2014, CoNEXT.

[12]  Sakir Sezer,et al.  Sdn Security: A Survey , 2013, 2013 IEEE SDN for Future Networks and Services (SDN4FNS).

[13]  Fernando M. V. Ramos,et al.  Towards secure and dependable software-defined networks , 2013, HotSDN '13.

[14]  Song Guo,et al.  Can We Beat DDoS Attacks in Clouds? , 2014, IEEE Transactions on Parallel and Distributed Systems.

[15]  Xing Pu,et al.  Performance Analysis of Network I/O Workloads in Virtualized Data Centers , 2013, IEEE Transactions on Services Computing.

[16]  Joseph Idziorek,et al.  Exploiting Cloud Utility Models for Profit and Ruin , 2011, 2011 IEEE 4th International Conference on Cloud Computing.

[17]  Jia Wang,et al.  Scalable flow-based networking with DIFANE , 2010, SIGCOMM '10.

[18]  Song Guo,et al.  Discriminating DDoS Attacks from Flash Crowds Using Flow Correlation Coefficient , 2012, IEEE Transactions on Parallel and Distributed Systems.

[19]  Andreas Terzis,et al.  My Botnet Is Bigger Than Yours (Maybe, Better Than Yours): Why Size Estimates Remain Challenging , 2007, HotBots.

[20]  Richard Wang,et al.  OpenFlow-Based Server Load Balancing Gone Wild , 2011, Hot-ICE.

[21]  Albert G. Greenberg,et al.  The nature of data center traffic: measurements & analysis , 2009, IMC '09.

[22]  Min Zhu,et al.  B4: experience with a globally-deployed software defined wan , 2013, SIGCOMM.

[23]  Sujata Banerjee,et al.  DevoFlow: scaling flow management for high-performance networks , 2011, SIGCOMM 2011.

[24]  Kim-Kwang Raymond Choo,et al.  Security, Privacy, and Anonymity in Computation, Communication, and Storage , 2017, Lecture Notes in Computer Science.

[25]  Mourad Debbabi,et al.  A Survey and a Layered Taxonomy of Software-Defined Networking , 2014, IEEE Communications Surveys & Tutorials.

[26]  Massimiliano Rak,et al.  Stealthy Denial of Service Strategy in Cloud Computing , 2015, IEEE Transactions on Cloud Computing.

[27]  Raouf Boutaba,et al.  FireCol: A Collaborative Protection Network for the Detection of Flooding DDoS Attacks , 2012, IEEE/ACM Transactions on Networking.

[28]  Albert Y. Zomaya,et al.  Customer-Satisfaction-Aware Optimal Multiserver Configuration for Profit Maximization in Cloud Computing , 2019 .

[29]  Rodrigo Braga,et al.  Lightweight DDoS flooding attack detection using NOX/OpenFlow , 2010, IEEE Local Computer Network Conference.

[30]  Pascal Frossard,et al.  A Poisson Hidden Markov Model for Multiview Video Traffic , 2013, IEEE/ACM Transactions on Networking.

[31]  Thierry Turletti,et al.  A Survey of Software-Defined Networking: Past, Present, and Future of Programmable Networks , 2014, IEEE Communications Surveys & Tutorials.

[32]  Xin Yuan,et al.  Controlling IP Spoofing through Interdomain Packet Filters , 2008, IEEE Transactions on Dependable and Secure Computing.

[33]  M. Uysal,et al.  DDoS-Shield: DDoS-Resilient Scheduling to Counter Application Layer Attacks , 2009, IEEE/ACM Transactions on Networking.

[34]  A. Murat Tekalp,et al.  An Optimization Framework for QoS-Enabled Adaptive Video Streaming Over OpenFlow Networks , 2013, IEEE Transactions on Multimedia.

[35]  Dijiang Huang,et al.  NICE: Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems , 2013, IEEE Transactions on Dependable and Secure Computing.

[36]  Qi Hao,et al.  A Survey on Software-Defined Network and OpenFlow: From Concept to Implementation , 2014, IEEE Communications Surveys & Tutorials.

[37]  Balachander Krishnamurthy,et al.  Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites , 2002, WWW.

[38]  Amin Vahdat,et al.  A scalable, commodity data center network architecture , 2008, SIGCOMM '08.

[39]  Basil S. Maglaris,et al.  Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments , 2014, Comput. Networks.

[40]  Vinod Yegneswaran,et al.  AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks , 2013, CCS.

[41]  Douglas Jacobson,et al.  Detecting fraudulent use of cloud resources , 2011, CCSW '11.

[42]  Raouf Boutaba,et al.  Performance Modeling and Analysis of Network Firewalls , 2012, IEEE Transactions on Network and Service Management.

[43]  Joseph Naor,et al.  On the effect of forwarding table size on SDN network utilization , 2014, IEEE INFOCOM 2014 - IEEE Conference on Computer Communications.