DHCP DoS and starvation attacks on SDN controllers and their mitigation

Abstract

Software Defined Networking (SDN) technology offers possibilities to improve network administration through a separate central controller for network switching devices. However, security in SDN is a critical issue and SDN faces new challenges due to shared protocols, inherits flaws from traditional networks and control flexibility. Dynamic Host Configuration Protocol (DHCP) is a crucial protocol for SDN, but DHCP itself poses a security risk to SDN. In our study we performed security analysis for DHCP attacks on RYU, OpenDaylight and Floodlight, three popular SDN controllers. Our research demonstrates that they are vulnerable to starvation attacks and denial of service attacks by flooding DHCP discovery messages, slowing down networks and overloading controllers. In order to address these problems, we looked at state-of-the-art DHCP security approaches and evaluated their performance on these SDN controllers. We proposed and implemented a DHCP security algorithm on the RYU controller based on our analysis. Our solution utilize flexibility of SDN controller to identify discovery flood packets and verify authentic hosts to mitigate effects of DHCP attacks. Furthermore, the proposed solution transfers the authentic flows to switch for reduction in controller load. We demonstrate that without significant computational load the suggested method successfully rejects malicious DHCP packets, restores the IP address pool, and mitigates the harmful network consequences of DHCP-related attacks. The proposed solution improves the throughput by 3.6 times, transferred data by 66.8%, CPU usage by 93.9% and packet loss by 95% compared to the conventional RYU controller.