BWManager: Mitigating Denial of Service Attacks in Software-Defined Networks Through Bandwidth Prediction

Software-defined networking (SDN) has emerged as a new networking paradigm that can provide fine-grained network management service. Since the SDN controller makes control decisions for the network, it becomes the main target of denial of service (DoS) attacks. In this paper, we propose to mitigate DoS attacks on the SDN controller with BWManager, which mainly consists of four key components: 1) simplified DoS detection module; 2) forecasting engine; 3) priority manager; and 4) scheduler. The simplified DoS detection module calculates a comprehensive judgment score for each switch, which indicates the attack severity of each switch and is used to decide the time slice allocation of the controller. The forecasting engine is the basis of the controller scheduling method and forecasts the bandwidth consumption of users to determine the users' trust values. The trust values are used by the priority manager to manage multiple buffer queues with different priorities for the users. The scheduler protects the controller and the normal users under DoS attacks by running a weighted Round-Robin algorithm to process flow requests in different priority queues. We evaluate the performance and overhead of BWManager in both hardware and software OpenFlow environments. The results demonstrate that BWManager is effective with a limited overhead.
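An added illustration (not code from the paper) of the scheduling idea the abstract describes: flow requests are placed in priority queues by trust value and served by weighted round-robin, with a single FIFO queue as a baseline. The trust thresholds, queue weights, function names and sample traffic are assumptions constructed for this example.

```python
from collections import deque

# Assumed weights: requests served per round for each priority queue
# (illustrative values; the abstract does not give BWManager's weights).
WEIGHTS = {"high": 4, "medium": 2, "low": 1}

def queue_for(trust):
    """Map a trust value in [0, 1] to a priority queue (assumed thresholds)."""
    if trust >= 0.7:
        return "high"
    if trust >= 0.4:
        return "medium"
    return "low"

def schedule(requests, budget):
    """Weighted round-robin over the priority queues.

    requests: iterable of (user, trust) flow requests in arrival order.
    budget:   number of requests the controller can process.
    Returns the list of users in the order they were served.
    """
    queues = {name: deque() for name in WEIGHTS}
    for user, trust in requests:
        queues[queue_for(trust)].append(user)
    served = []
    while len(served) < budget and any(queues.values()):
        for name, weight in WEIGHTS.items():
            for _ in range(weight):
                if not queues[name] or len(served) >= budget:
                    break
                served.append(queues[name].popleft())
    return served

def fifo(requests, budget):
    """Baseline: a single FIFO queue, as a controller without priorities."""
    return [user for user, _ in requests][:budget]

# Constructed sample: 200 flood requests from a low-trust source arrive
# ahead of 8 requests from well-behaved users.
FLOOD = [("attacker", 0.1)] * 200
NORMAL = [("alice", 0.9)] * 5 + [("bob", 0.5)] * 3
ARRIVALS = FLOOD + NORMAL

if __name__ == "__main__":
    for name, fn in (("fifo", fifo), ("wrr", schedule)):
        out = fn(ARRIVALS, budget=20)
        print(name, {u: out.count(u) for u in ("alice", "bob", "attacker")})
```

With the same processing budget, the FIFO baseline spends every slot on the flood, while the weighted round-robin serves all requests from the higher-trust users and caps the low-trust queue at one request per round.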
