Counteracting Attacks From Malicious End Hosts in Software Defined Networks

Abstract

This paper proposes security techniques for counteracting attacks from malicious end hosts in a software defined networking (SDN) environment. This paper describes the design of a security architecture, which comprises a security management application running in the SDN controller for specifying and evaluating security policies, and security components in the switches for enforcing these security policies on network flows. Our proposed security solution helps to detect the attacking end hosts even before the flow requests from the malicious end hosts are forwarded to the SDN controller. Furthermore, if the end hosts become malicious after the interactions with the SDN controller and generate attacks in the data plane, then our architecture has mechanisms to address these attacks that occur after the establishment of routes by the SDN controller. The domain wide network visibility of the SDN controller enables our security architecture to achieve dynamic management of the security policies. The enforcement of security policies in the data plane is tailored to the functionality available in the network switches, making the proposed security solution practical. We describe the implementation of the proposed security architecture and analyze its security and performance characteristics. We also discuss the advantages of the proposed security architecture over existing solutions.