INFAS: In-Network Flow mAnagement Scheme for SDN Control Plane Protection

The work that we present in this paper is motivated by a systematic vulnerability of SDN, a current technology that is expected to dominate the Internet. In particular, we focus on the Control Plane Saturation (CPS) attack, a very harmful, yet easy to implement, DoS attack. In CPS, the adversary generates a massive amount of flow packets that will not match the switches' flow rules. As a result, the switches flood the control channels and the controller with malicious control packets. Previously proposed solutions mainly rely on controller-side detection and filtering; they therefore still consume control plane bandwidth and cannot respond quickly because of the switch-controller delay. We present INFAS, a system that runs on commodity servers installed near network devices, for protecting SDN against CPS. The switches send flow packets that do not match concrete flow rules in their flow tables to INFAS, which analyzes the packets and subsequently decides whether or not to send them back to the switches. This reduces the number of generated control packets by up to 80%, which we show through extensive evaluations.
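To make the control-plane-saturation mechanism concrete, the following added example (not code from the INFAS paper or its authors) simulates an OpenFlow-style switch whose table misses either go straight to the controller or pass through an in-network pre-filter first. The filter's decision rule, a per-source budget of new flows per time window, is an assumption chosen for illustration; the paper does not describe INFAS's actual analysis logic. The traffic trace is constructed inline: one host that reuses two flows and one host that opens a new flow with every packet.

```python
"""Simulation of table-miss handling with and without an in-network pre-filter.

Added illustration, not the INFAS implementation. The per-source new-flow
budget used by PreFilter is an assumed heuristic, not the paper's method.
Timestamps are integer milliseconds to keep window arithmetic exact.
"""
from collections import defaultdict


def build_sample_traffic():
    """Constructed trace of (ts_ms, src, dst, dport) tuples.

    10.0.0.2 alternates between two flows, so only its first two packets miss.
    10.0.0.66 targets a new (dst, dport) pair on every packet, so every one
    of its packets misses the flow table: the CPS traffic pattern.
    """
    packets = []
    for i in range(40):
        packets.append((i * 50, "10.0.0.2", "10.0.0.10", 80 if i % 2 else 443))
    for i in range(200):
        packets.append((i * 10, "10.0.0.66", f"10.0.0.{i}", 1000 + i))
    packets.sort()
    return packets


class Switch:
    """Minimal switch: exact-match flow table; a table miss raises packet_in."""

    def __init__(self, miss_handler):
        self.flow_table = set()
        self.miss_handler = miss_handler  # decides whether the controller sees the miss
        self.packet_in_count = 0          # control packets that reach the controller

    def process(self, pkt):
        key = pkt[1:]  # (src, dst, dport)
        if key in self.flow_table:
            return "forwarded"
        if self.miss_handler(pkt):
            self.packet_in_count += 1
            self.flow_table.add(key)      # controller installs a matching rule
            return "packet_in"
        return "held"                     # never reaches the control channel


def controller_direct(pkt):
    """Baseline behaviour: every table miss becomes a packet_in."""
    return True


class PreFilter:
    """Assumed in-network filter placed between switch and controller.

    Each source may introduce at most `budget` new flows per `window_ms`;
    further misses from that source are held back.
    """

    def __init__(self, budget=5, window_ms=1000):
        self.budget = budget
        self.window_ms = window_ms
        self.admitted = defaultdict(list)  # src -> timestamps of admitted new flows

    def __call__(self, pkt):
        ts, src = pkt[0], pkt[1]
        recent = [t for t in self.admitted[src] if ts - t < self.window_ms]
        self.admitted[src] = recent
        if len(recent) < self.budget:
            recent.append(ts)
            return True
        return False


def run(miss_handler, packets=None):
    """Replay the trace through a switch and return the packet_in count."""
    sw = Switch(miss_handler)
    for pkt in packets or build_sample_traffic():
        sw.process(pkt)
    return sw.packet_in_count


def control_packet_reduction():
    """Return (baseline, filtered, fraction of control packets avoided)."""
    base = run(controller_direct)
    filtered = run(PreFilter())
    return base, filtered, 1 - filtered / base


if __name__ == "__main__":
    base, filtered, frac = control_packet_reduction()
    print(f"packet_in without filter: {base}, with filter: {filtered}, "
          f"reduction: {frac:.1%}")
```

On this trace the baseline forwards 202 misses to the controller (2 benign, 200 from the spraying host), while the filtered run forwards 12 (the benign pair plus five attacker flows per one-second window). The benign host is unaffected because its flow count stays under the budget, which is the property any in-network pre-filter must preserve.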
