Abstract

Software-Defined Networks (SDNs) are increasingly gaining prominence in the networking domain, enabling programmable control and management of network infrastructure within data centers. This programmability offers the advantage of dynamically adjusting routing paths depending on the network's requirements and capabilities. Computer networks have long been vulnerable to denial-of-service attacks, particularly link flooding attacks, which have gained notoriety for their ability to isolate network segments precisely without affecting the rest of the network while evading detection. In this work, we introduce a security framework designed to prevent and mitigate link flooding attacks in Software-Defined Networks. Our approach involves limiting the network reconnaissance probes used by attackers to gather knowledge about the network topology. We prevent attackers from obtaining an accurate network topology, limiting their ability to launch an attack. Our framework utilizes alternate paths and hop count manipulation to hinder the reconnaissance process. To further strengthen our claims, we evaluate our framework on real-world topologies from the Topology Zoo dataset. Our analysis demonstrates that the majority of real-world topologies already exhibit network path diversity, and combined with TTL manipulation we can hinder the mapping process, causing the attacker to infer an incorrect network topology.
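The following toy simulation, added here as an illustration and not the authors' framework or code, shows the mechanism the abstract describes: a hypothetical controller rotates reconnaissance probes over alternate loop-free paths and inflates the hop count they observe, so an attacker who maps the network from hop-count (TTL-style) measurements reconstructs a wrong distance map. The topology, the constant TTL offset and the attacker's inference rule (minimum observed hop count per target) are all constructed assumptions.

```python
"""Toy simulation of hop-count based topology mapping and its mitigation.

Added illustration, not the paper's framework: a controller that rotates
probes over alternate paths and adds a constant TTL offset, so an attacker
mapping the network from observed hop counts infers a wrong topology.
"""
from typing import Dict, List, Set

# Constructed example topology: switch -> set of adjacent switches.
TOPOLOGY: Dict[str, Set[str]] = {
    "A": {"B", "C"}, "B": {"A", "E"}, "C": {"A", "D"},
    "D": {"C", "E"}, "E": {"B", "D"},
}

def simple_paths(graph, src, dst, path=None) -> List[List[str]]:
    """Enumerate all loop-free paths from src to dst (DFS, deterministic order)."""
    path = (path or []) + [src]
    if src == dst:
        return [path]
    found = []
    for nxt in sorted(graph[src]):
        if nxt not in path:
            found.extend(simple_paths(graph, nxt, dst, path))
    return found

def true_hop_map(graph, src, dsts) -> Dict[str, int]:
    """Ground truth the attacker is after: shortest hop distance to each target."""
    return {d: min(len(p) - 1 for p in simple_paths(graph, src, d)) for d in dsts}

class MitigatingController:
    """Hypothetical SDN controller: alternate-path rotation plus TTL offset."""
    def __init__(self, graph, ttl_offset: int):
        self.graph, self.ttl_offset, self.sent = graph, ttl_offset, 0

    def forward_probe(self, src, dst) -> int:
        """Return the hop count the prober observes for one probe."""
        paths = simple_paths(self.graph, src, dst)
        path = paths[self.sent % len(paths)]    # round-robin over alternate paths
        self.sent += 1
        return len(path) - 1 + self.ttl_offset  # TTL rewrite inflates apparent distance

def infer_hop_map(controller, src, dsts, probes_per_dst=4) -> Dict[str, int]:
    """Attacker-side reconnaissance: keep the minimum observed hops per target."""
    return {d: min(controller.forward_probe(src, d) for _ in range(probes_per_dst))
            for d in dsts}

if __name__ == "__main__":
    targets = ["B", "C", "D", "E"]
    print("true    :", true_hop_map(TOPOLOGY, "A", targets))
    print("inferred:", infer_hop_map(MitigatingController(TOPOLOGY, 2), "A", targets))
```

Path rotation alone makes successive probes to the same target report different hop counts, and the TTL offset shifts even the minimum the attacker settles on, so the inferred map no longer matches the real one.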
