Control Plane Packet-In Arrival Rate Analysis for Denial-of-Service Saturation Attacks Detection and Mitigation in Software-Defined Networks

Abstract

Software-defined networking (SDN) is an emerging network architecture where a programmable network control is decoupled from forwarding. Greater control of a network through programming, abstraction of the complexity of the underlying physical infrastructure, and emergence of new applications are some benefits of SDN, to name a few. Unfortunately, the idea of centralized control raises new security concerns that have become a research topic among both academia and industry. An attacker can exploit the required extensive communication between the control and data plane to launch a network-wide, type of denial-of-service attack, known as the data-to-control plane saturation attack. Such an attack can have devastating effect on a large part of the network. This paper introduces a new method for data-to-control plane saturation attack detection that is based on dynamically estimating and monitoring the rate of the Packet-In messages arriving to the controller. The proposed detection method is based on adaptive threshold that varies based on the rate of the received Packet-In messages. The detection technique by design allows discovering the protocol exploited to launch the attack. We utilize this feature, to present a simple attack mitigation method that is protocol independent and targets attacking traffic that belong to the identified attacking protocol. Moreover, being protocol independent, the proposed method can protect against flooding attacks based on self-defined protocols recently made possible with the emerging SDN technology. Attack mitigation is based on utilizing only the available OpenFlow commands without any change to the OpenFlow protocol. The results of the conducted experiments under different scenarios show that the presented method is capable of effectively protecting against the control plane saturation attack with an average detection time of ( $$\approx 0.1$$ s) which is comparable to state of the art with similar experimental setup. In addition, the method imposes almost (0%) overhead on legitimate traffic once the attack is mitigated.