A holistic approach to mitigating DoS attacks in SDN networks

Summary

Software-defined networking (SDN) has recently emerged as a new networking technology offering an unprecedented programmability that allows network operators to dynamically manage their infrastructures. However, despite these benefits, denial-of-service (DoS) attacks are considered a major threat to such networks, as they can easily overload the SDN controller and flood switch forwarding tables, resulting in a critical degradation of network performance. To address this issue, we propose SDN-Guard, a novel holistic approach to protect SDN networks against DoS attacks. SDN-Guard leverages an intrusion detection system (IDS) to detect potential DoS attacks and then efficiently mitigates their impact by dynamically (1) rerouting malicious traffic, (2) adjusting flow time-outs, and (3) aggregating flow rules. This paper extends our previous work by proposing solutions to minimize the switch-to-IDS traffic without impacting the IDS accuracy. We hence propose to use sampling techniques and devise an integer linear program to find the optimal placement for the IDS and to determine the switches that should mirror the flows towards it, so as to minimize network bandwidth consumption. Extensive experiments using Mininet show that SDN-Guard maintains network performance during DoS attacks and succeeds in reducing by up to 32% their impact on controller performance, usage of switch forwarding tables, and control plane bandwidth. Furthermore, our results show that carefully placing the IDS and selecting the switches mirroring the traffic can reduce by up to 90% the switch-to-IDS traffic. They also show that the IDS accuracy remains at 100% while analyzing only 11% of the network traffic.
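The placement problem the summary describes (where to attach the IDS, and which switch mirrors each flow to it, so that mirrored traffic consumes as little bandwidth as possible) is a small facility-location instance. The following is an added illustration, not the paper's own formulation or code: it assumes unit-cost links, measures mirroring cost as flow rate multiplied by the hop distance the mirrored copy travels, and solves the resulting instance exactly by enumeration. The topology, flow paths and rates are constructed sample data; the paper's integer linear program may carry constraints (IDS capacity, sampling ratios) that this toy model omits.

```python
"""Toy IDS placement and mirroring-switch selection.

Added example, not the paper's code. Models the switch-to-IDS traffic
minimization described in the abstract as a facility-location problem:
pick one switch to attach the IDS to, and for every flow pick one switch
on its path that mirrors the flow towards the IDS. Cost of a mirrored
flow = rate * hop distance from mirroring switch to IDS switch (0 when
the IDS sits on the flow's own path). Topology and flows are constructed.
"""
from collections import deque

# Constructed sample topology: switch -> neighbouring switches (unit-cost links).
TOPOLOGY = {
    "s1": ["s2", "s3"],
    "s2": ["s1", "s4"],
    "s3": ["s1", "s4"],
    "s4": ["s2", "s3", "s5"],
    "s5": ["s4"],
}

# Constructed sample flows: (ordered list of switches traversed, rate in Mbit/s).
FLOWS = [
    (["s1", "s2", "s4", "s5"], 40),
    (["s3", "s4", "s5"], 25),
    (["s1", "s3"], 10),
    (["s2", "s4"], 15),
]


def hop_distances(topology, source):
    """Breadth-first search: hop count from `source` to every reachable switch."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in topology[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def mirroring_cost(topology, flows, ids_switch):
    """For a fixed IDS attachment point, choose per flow the on-path switch
    closest to the IDS. Returns (total mirroring cost, {flow index: switch}).
    Each flow is mirrored exactly once, so the IDS still sees every flow."""
    dist = hop_distances(topology, ids_switch)
    total = 0
    choice = {}
    for i, (path, rate) in enumerate(flows):
        best = min(path, key=lambda sw: dist[sw])
        choice[i] = best
        total += rate * dist[best]
    return total, choice


def ingress_mirroring_cost(topology, flows, ids_switch):
    """Baseline for comparison: every flow is mirrored at its ingress switch
    (first hop of its path) towards a fixed IDS location."""
    dist = hop_distances(topology, ids_switch)
    return sum(rate * dist[path[0]] for path, rate in flows)


def optimal_placement(topology, flows):
    """Enumerate every candidate IDS attachment point and return the cheapest
    as (cost, ids_switch, {flow index: mirroring switch})."""
    best = None
    for sw in sorted(topology):
        cost, choice = mirroring_cost(topology, flows, sw)
        if best is None or cost < best[0]:
            best = (cost, sw, choice)
    return best


if __name__ == "__main__":
    cost, ids_switch, choice = optimal_placement(TOPOLOGY, FLOWS)
    print(f"IDS at {ids_switch}, mirroring cost {cost} Mbit/s*hop")
    for i, sw in choice.items():
        print(f"  flow {i} (path {'->'.join(FLOWS[i][0])}) mirrored at {sw}")
    print("ingress-mirroring baseline with IDS at s5:",
          ingress_mirroring_cost(TOPOLOGY, FLOWS, "s5"))
```

On the sample data the enumeration places the IDS at s4, through which three of the four flows already pass, so only the s1-s3 flow has to be copied over one extra hop. Attaching the IDS at a leaf (s5) and mirroring at ingress instead costs several times more for the same detection coverage, which is the effect the summary's bandwidth reduction figures refer to.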
