论文信息 - A detection method for a novel DDoS attack against SDN controllers by vast new low-traffic flows

A detection method for a novel DDoS attack against SDN controllers by vast new low-traffic flows

A Distributed Denial of Service (DDoS) attack against controllers is one of the key security threats of Software-Defined Networking (SDN). The breakdown of a controller may disrupt a whole SDN network. Nowadays, a novel DDoS means is that the attackers may generate vast new low-traffic flows to trigger malicious flooding requests to overload the controllers. It is difficult to prevent this attack, as the attackers may connect to any interface of any switch in an SDN network. In this paper, we propose an effective detection method, which is designed to detect the DDoS attack and to further locate the compromised interfaces the malicious attackers have connected. We first classify the flow events associated with an interface, then make a decision using Sequential Probability Ratio Test (SPRT), which has bounded false negative and false positive error rates. In addition, we evaluate the performance of the proposed method using DARPA Intrusion Detection Data Sets. We also discuss and compare our method to three other detection methods, which are based on the percentage, count, and entropy of the flows, respectively, and demonstrate the superiority of our method in terms of promptness, versatility and accuracy.

[1] Yasuo Okabe,et al. A packet-in message filtering mechanism for protection of control plane in openflow networks , 2014, 2014 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS).

[2] Benoit Claise,et al. Cisco Systems NetFlow Services Export Version 9 , 2004, RFC.

[3] Ejaz Ahmed,et al. Securing software defined networks: taxonomy, requirements, and open issues , 2015, IEEE Communications Magazine.

[4] Saman Taghavi Zargar,et al. A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks , 2013, IEEE Communications Surveys & Tutorials.

[5] Guofei Gu,et al. Attacking software-defined networks: a first feasibility study , 2013, HotSDN '13.

[6] Fernando M. V. Ramos,et al. Towards secure and dependable software-defined networks , 2013, HotSDN '13.

[7] Kevin Benton,et al. OpenFlow vulnerability assessment , 2013, HotSDN '13.

[8] Wesley M. Eddy,et al. TCP SYN Flooding Attacks and Common Mitigations , 2007, RFC.

[9] F. Richard Yu,et al. Distributed denial of service attacks in software-defined networking with cloud computing , 2015, IEEE Communications Magazine.