Abstract
Software-defined networking (SDN) is a new networking paradigm that realizes fast management and optimal configuration of network resources by decoupling control logic from forwarding functions. However, this centralized architecture brings new security problems, and denial-of-service (DoS) attacks are among the most critical threats. Because SDN lacks an effective message-verification mechanism, attackers can easily launch a DoS attack by faking source address information. This paper presents DoSGuard, an efficient and protocol-independent defense framework for SDN networks that detects and mitigates such attacks. DoSGuard is a lightweight extension module on SDN controllers that consists of three key components: a monitor, a detector, and a mitigator. The monitor maintains the information between the switches and the hosts for anomaly detection. The detector uses OpenFlow message and flow features to detect the attack. The mitigator protects the network by filtering malicious packets. We implement a prototype of DoSGuard in the Floodlight controller and evaluate its effectiveness in a simulation environment. Experimental results show that DoSGuard achieves 98.72% detection precision, and the average CPU utilization of the controller is only around 8%. The results demonstrate that DoSGuard can effectively mitigate DoS attacks against SDN with limited overhead.
Highlights
Software-defined networking (SDN) is a new network technology and architecture
This paper focuses on the detection and defense methods of DoS attacks implemented by forging source address information in SDN
We propose an attack-detection mechanism that consists of anomaly detection by maintaining information between the switches and the hosts, and attack detection based on OpenFlow message and flow features, effectively reducing false alerts in the SDN environment.
Sensors 2022, 22, 1061
Summary
Software-defined networking (SDN) is a new network technology and architecture. It has been widely recognized by academia and industry and has been successfully applied to various fields, such as enterprise networks and data centers [1]. The controller processes Packet-In messages from the switch and sends flow rules to the switch in the form of Flow-Mod messages [4]. Since an SDN switch sends all packets of unknown flows to the controller [5], a DoS attacker can exploit this fact by sending a stream of unmatched flows. The flow table of a resource-constrained switch can overflow, and the unmatched flows consume the controller's CPU, the bandwidth between the data plane and the control plane, and the switch's CPU resources.
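As an added illustration (not DoSGuard's own code, which is a Floodlight module), the following Python sketch mirrors the three components on constructed Packet-In events: the monitor learns which (MAC, IP) host sits behind which switch port, the detector alarms when a window of Packet-Ins from one ingress port consists mostly of never-seen or mis-bound source addresses, and the mitigator records a drop rule for that port. The window size, the ratio threshold and the flow-mod dictionary layout are assumptions, not values from the paper.

```python
from collections import defaultdict, namedtuple

PacketIn = namedtuple("PacketIn", "dpid in_port src_mac src_ip")  # one Packet-In: switch id, ingress port, source addresses

class DoSGuardLite:
    """Simplified monitor/detector/mitigator; window and ratio thresholds are assumptions."""
    def __init__(self, window=20, forged_ratio=0.8):
        self.host_table = {}                       # monitor: (mac, ip) -> (dpid, in_port)
        self.stats = defaultdict(lambda: [0, 0])   # detector: port -> [packet_ins, suspicious]
        self.blocked = set()                       # mitigator: ports with a drop rule installed
        self.window, self.forged_ratio = window, forged_ratio

    def monitor(self, pkt):
        """Learn host-to-port bindings; count Packet-Ins and suspicious sources per port."""
        port, host = (pkt.dpid, pkt.in_port), (pkt.src_mac, pkt.src_ip)
        st = self.stats[port]
        st[0] += 1
        bound = self.host_table.get(host)
        if bound is None:              # never-seen source address: count it, then learn it
            st[1] += 1
            self.host_table[host] = port
        elif bound != port:            # source already bound to another port: likely forged
            st[1] += 1

    def detect(self, port):
        """Alarm once a full window of Packet-Ins from this port is mostly suspicious sources."""
        n, suspicious = self.stats[port]
        return n >= self.window and suspicious / n >= self.forged_ratio

    def mitigate(self, port):
        """Record a drop rule for the ingress port (placeholder flow-mod dict, empty actions = drop)."""
        self.blocked.add(port)
        return {"dpid": port[0], "match": {"in_port": port[1]}, "actions": []}

    def handle(self, pkt):
        port = (pkt.dpid, pkt.in_port)
        if port in self.blocked:
            return "dropped"
        self.monitor(pkt)
        if self.detect(port):
            self.mitigate(port)
            return "blocked"
        return "forwarded"

def run_demo():
    """Constructed traffic: one legitimate host on port 1, 30 spoofed source addresses on port 2."""
    guard = DoSGuardLite()
    benign = [PacketIn(1, 1, "00:00:00:00:00:01", "10.0.0.1") for _ in range(30)]
    spoofed = [PacketIn(1, 2, f"00:00:00:00:10:{i:02x}", f"10.0.1.{i}") for i in range(30)]
    return guard, [guard.handle(p) for p in benign + spoofed]
```

The legitimate host keeps being forwarded because its single learned address dominates its window, while port 2 is blocked at its twentieth Packet-In and everything after that is dropped.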