Abstract

In recent years, SDN has evolved as a promising alternative to the traditional networking paradigm, because the traditional network is decentralized, which makes it difficult to manage and troubleshoot. SDN is an approach to network management whereby the forwarding process of the data plane (DP) is disassociated from the control plane (CP), which is responsible for decision-making. SDN centrally controls the network infrastructure and makes it programmable. Communication between the two planes (data and control) is carried out by the OpenFlow (OF) protocol. The deployment of SDN was initiated by Martin Casado and his research team in 2008. The original projects developed at Stanford University were SANE and ETHANE. Security reports and web articles suggest that SDN (Software Defined Network) has the caliber to defend against DDoS attacks. The year 2017 has been declared the year of SDN adoption and DDoS mitigation. The initial effort to compile the detection and mitigation approaches was made in (Dayal et al., 2016); recently a similar effort was made in (Rochak et al., 2019). The CP of SDN has complete visibility of the network, which makes traffic monitoring feasible. Moreover, SDN OpenFlow switches contain forwarding logic only; decision-making capability is softwarized at the controller. This lets the controller instruct and configure the switches with new flow rules, which the switches follow, and so facilitates network admins in detecting and mitigating these attacks. SDN has gained momentum among the possible solutions to DDoS attacks due to its decentralized nature of network management, but the solution comes with its repercussions: the centralization and open architecture framework make SDN difficult to adopt widely. The chapter begins with an introduction to DDoS attacks and their classification into volumetric attacks, protocol exploitation attacks and application attacks.
In the next section, we discuss the possible DDoS attacks over the SDN framework. We categorize the vulnerabilities into three classes: DDoS attacks on the data, control, and application planes (APs). DDoS attacks on the DP can further be classified into TCAM exhaustion, switch DDoS, ICMP flood, TCP flood, TCP SYN flood, etc. Under DDoS attacks over the CP we discuss resource depletion, OF bandwidth exhaustion and amplification attacks. HTTP flooding and the Slowloris attack are discussed under DDoS attacks over the AP. The next section highlights the working of attack tools used in performing DDoS attacks; various DDoS tools have been widely exploited to launch dangerous attacks on a target, where the target may be network resources, server resources, or applications. The fourth section focuses on the state of the art in detection and mitigation approaches for DDoS attacks. Detection approaches are classified into statistical, policy-based, and machine learning-based approaches. DDoS-mitigating OF switches available in the market, including Alcatel-Lucent's OmniSwitch and Brocade's MLXe series routers, and applications such as DefensePro by Radware, also depend on a statistical threshold to detect DDoS attacks. In addition, this section incorporates a brief analysis of the defense mechanisms of the last 10 years and analyzes and compares the products of different security vendors such as Cloudflare, Radware, Akamai, Arbor, Nexusguard, etc.
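As an added illustration of the statistical-threshold detection the abstract refers to, the following Python is not from the chapter or any vendor product: it evaluates one monitoring window of constructed OpenFlow packet-in events at the controller (destination-address entropy, SYN ratio, packet-in rate) and builds a simplified drop rule for the most-targeted destination. The event tuple layout, thresholds and rule dictionary are assumptions for the example, not a specific controller's API.

```python
import math
from collections import Counter

# Constructed sample windows of packet-in events as seen by the controller:
# each tuple is (src_ip, dst_ip, tcp_syn_only). Not real captures.
NORMAL_WINDOW = [(f"10.0.0.{i}", f"10.0.1.{i % 5 + 1}", False) for i in range(1, 21)]
SYN_FLOOD_WINDOW = [(f"10.0.0.{i}", "10.0.1.1", True) for i in range(1, 21)]


def entropy_bits(values):
    """Shannon entropy of a sequence in bits; 0 when every value is identical."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse_window(events, window_seconds=1.0, entropy_min=1.0,
                   syn_ratio_max=0.8, packet_in_max=1000):
    """Apply statistical thresholds to one window of packet-in events.

    Returns the computed statistics plus a list of alarm names. Thresholds are
    illustrative (assumed); a deployment tunes them from a baseline of normal traffic.
    """
    n = len(events)
    dst_entropy = entropy_bits([e[1] for e in events]) if n else 0.0
    syn_ratio = sum(1 for e in events if e[2]) / n if n else 0.0
    packet_in_rate = n / window_seconds
    alarms = []
    if n and dst_entropy < entropy_min:
        alarms.append("low_dst_entropy")   # traffic converging on a single victim
    if syn_ratio > syn_ratio_max:
        alarms.append("syn_ratio")         # SYN-flood signature
    if packet_in_rate > packet_in_max:
        alarms.append("packet_in_rate")    # table misses stressing TCAM / OF channel
    return {"dst_entropy": dst_entropy, "syn_ratio": syn_ratio,
            "packet_in_rate": packet_in_rate, "alarms": alarms}


def drop_rule_for_victim(events, priority=100, idle_timeout=30):
    """Simplified OpenFlow-style flow entry dropping SYN-only packets to the
    most-targeted destination; an empty action list means drop.
    The dict layout is our own (assumed), not a particular controller's API."""
    victim, _ = Counter(e[1] for e in events).most_common(1)[0]
    return {"priority": priority, "idle_timeout": idle_timeout,
            "match": {"eth_type": 0x0800, "ip_proto": 6,
                      "ipv4_dst": victim, "tcp_flags": "SYN"},
            "actions": []}
```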
