SDNManager: A Safeguard Architecture for SDN DoS Attacks Based on Bandwidth Prediction

Software-Defined Networking (SDN) has quickly emerged as a promising technology for future networks and gained much attention. However, the centralized nature of SDN makes the system vulnerable to denial-of-service (DoS) attacks, especially in the currently widely deployed multicontroller systems. Under DoS attacks, the SDN multicontroller model may additionally face the risk of cascading controller failures. In this paper, we propose SDNManager, a lightweight and fast denial-of-service detection and mitigation system for SDN. It has five components: monitor, forecast engine, checker, updater, and storage service. It typically follows a control loop of reading flow statistics, forecasting flow bandwidth changes based on the statistics, and updating the network accordingly. It is worth noting that the forecast engine employs a novel dynamic time-series (DTS) model which greatly improves bandwidth prediction accuracy. To further optimize the defense effect, we also propose a dynamic controller scheduling strategy to ensure global network state optimization and improve defense efficiency. We evaluate SDNManager through a prototype implementation tested in a real SDN network environment. The results show that SDNManager is effective while adding only a minor overhead to the entire SDN/OpenFlow infrastructure.
