Abstract
With software‐defined networking (SDN) becoming the leading technology for large‐scale networks, it is expected that SDN will suffer various types of distributed denial‐of‐service (DDoS) attacks because of its centralized control logic. However, almost all existing works concentrate on controller-overloading DDoS attacks, while the vulnerabilities that the data plane of SDN exposes to DDoS attacks are largely ignored. In this paper, we first investigate a flow rule flooding DDoS attack. By thoroughly analyzing the flow table size and miss rate, we find that attackers are able to inflict significant performance degradation on the system with a limited volume of attack resources. We then prove that it is possible for attackers to maximize the performance degradation and minimize the attack rate at the same time. Besides the flooding DDoS attack, we also study a novel DDoS attack targeting the data plane of SDN. By utilizing the entry lifetime management mechanism of flow tables, this attack almost never exhibits intensive controller access behavior. It flies under the radar by inflicting non‐notable performance impact on the system, while it creates a heavy long‐term financial burden on the target application. Finally, we present a potential countermeasure for this stealthy DDoS attack. Through extensive experiments, we conclude that DDoS attacks targeting the data plane are possible. Copyright © 2016 John Wiley & Sons, Ltd.