Defending Against New-Flow Attack in SDN-Based Internet of Things

The Internet of Things (IoT) has recently been attracting significant attention from both academia and industry. To connect the huge number of IoT devices effectively, software-defined networking (SDN) is considered a promising approach because of its centralized network management and programmable routing logic. However, because resources are limited in both the data plane and the control plane, SDN is vulnerable to the new-flow attack, which can disable an SDN-based IoT by exhausting the switches or the controller. Therefore, in this paper, we propose a smart security mechanism (SSM) to defend against the new-flow attack. The SSM uses the standard southbound and northbound interfaces of SDN, and it includes a low-cost method that monitors for the new-flow attack by reusing the asynchronous messages already sent on the control link. The monitoring method differentiates the new-flow attack from a normal flow burst by checking the hit rate of the flow entries. Based on the monitoring result, the SSM uses a dynamic access control method to mitigate the new-flow attack by perceiving the behavior of the security middleware in the IoT. The dynamic access control method intercepts the attack flows at their access switch. Extensive simulations and testbed-based experiments are conducted, and the corresponding results verify the feasibility of our claims.
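As an added illustration of the monitoring idea described above (this is not the paper's own code or algorithm): a controller-side monitor that consumes only the PACKET_IN and FLOW_REMOVED asynchronous messages that OpenFlow switches already send, counts new flows per switch, and, for a switch that is in a burst, checks the hit rate of its expired flow entries to tell a new-flow attack from a normal burst. The message tuples, the sample stream and both thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of asynchronous control-link messages as tuples of
# (type, switch, flow id, packets). `packets` is the entry's packet counter
# carried by FLOW_REMOVED when the entry expires; it is 0 for PACKET_IN.
SAMPLE = (
    # s1: many new flows, each entry matches only a single packet
    [("PACKET_IN", "s1", f"a{i}", 0) for i in range(40)]
    + [("FLOW_REMOVED", "s1", f"a{i}", 1) for i in range(40)]
    # s2: just as many new flows, but the entries keep being hit afterwards
    + [("PACKET_IN", "s2", f"b{i}", 0) for i in range(40)]
    + [("FLOW_REMOVED", "s2", f"b{i}", 25) for i in range(40)]
    # s3: a handful of short flows, well below any burst level
    + [("PACKET_IN", "s3", f"c{i}", 0) for i in range(3)]
    + [("FLOW_REMOVED", "s3", f"c{i}", 1) for i in range(3)]
)

BURST_THRESHOLD = 20  # packet-ins per window that count as a flow burst (assumed)
HIT_THRESHOLD = 0.5   # fraction of entries that must match >1 packet (assumed)

def summarize(messages):
    """Per switch: (number of packet-ins, hit rate of expired entries or None)."""
    new_flows = defaultdict(int)
    removed = defaultdict(list)
    for kind, sw, _flow, packets in messages:
        if kind == "PACKET_IN":
            new_flows[sw] += 1
        elif kind == "FLOW_REMOVED":
            removed[sw].append(packets)
    stats = {}
    for sw in set(new_flows) | set(removed):
        entries = removed[sw]
        # An entry is "hit" if it matched more than the packet that created it.
        rate = sum(1 for p in entries if p > 1) / len(entries) if entries else None
        stats[sw] = (new_flows[sw], rate)
    return stats

def classify(messages, burst=BURST_THRESHOLD, hit=HIT_THRESHOLD):
    """Label each switch: a burst with a low hit rate is a new-flow attack."""
    verdicts = {}
    for sw, (count, rate) in summarize(messages).items():
        if count < burst:
            verdicts[sw] = "normal"
        elif rate is not None and rate < hit:
            verdicts[sw] = "new-flow attack"
        else:
            verdicts[sw] = "flow burst"
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE))
```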
