Abstract

Software-Defined Networking (SDN) systems are sensitive to the lifespans of flow entries in flow tables, because these lifespans affect the overall network-forwarding latency and the flow table space usage, particularly when the systems are under cyber attack. Instead of developing extra approaches to reactively detect attacks and mitigate their impact, this paper views the lifespans of flow entries as the privacy of the SDN systems and proposes a Flow-Entry Aging RandOmization Layer (FEAROL), which applies the staircase randomized response mechanism in the flow-entry-aging process at switches. FEAROL locally perturbs the lifespan of each flow entry in the flow table. Because the true lifespan of each flow entry is dynamically perturbed by FEAROL and so differs from the lifespan set in the entry by the controller, Low-rate Denial-of-Service (LDoS) attacks based on sniffed flow-entry timeouts cannot be effectively organized. By breaking the synchronization between attack flows and the network settings, FEAROL proactively prevents LDoS attacks from overflowing the flow tables and prevents legitimate flow packets from being dropped. FEAROL can adjust its aging policies and privacy budget based on the real-time monitored network performance. FEAROL is prototyped in an open-source soft switch (OpenVSwitch) and evaluated through simulations on real network traces. The results show that FEAROL increases the overhead of aging a flow entry. However, this overhead can be significantly reduced by adjusting the interval at which the aging process is triggered. FEAROL also effectively defends against flow table overflow LDoS attacks by significantly reducing the table usage of LDoS attack flows. When the aging strategy is carefully chosen, the table space used by attack flow entries can be reduced to 0.
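The sketch below is an added illustration, not code from the paper or from the FEAROL prototype. It shows how a privacy budget controls how often a switch enforces a lifespan other than the one the controller configured. It substitutes plain k-ary randomized response for the staircase mechanism, whose details this page does not give; the candidate timeouts, budgets and function names are assumptions.

```python
import math
import random


def rr_keep_probability(epsilon, k):
    """Probability that k-ary randomized response keeps the true value."""
    return math.exp(epsilon) / (math.exp(epsilon) + k - 1)


def perturb_timeout(configured, candidates, epsilon, rng):
    """Return the lifespan the switch enforces for one flow entry.

    With probability e^eps / (e^eps + k - 1) the configured timeout is kept;
    otherwise one of the other candidate values is chosen uniformly.
    """
    if configured not in candidates:
        raise ValueError("configured timeout must be one of the candidates")
    if rng.random() < rr_keep_probability(epsilon, len(candidates)):
        return configured
    return rng.choice([c for c in candidates if c != configured])


def early_expiry_rate(configured, candidates, epsilon, trials=20000, seed=1):
    """Fraction of entries aged out before the configured timeout elapses.

    A sender that paces packets just under the configured (sniffed) timeout
    finds these entries already removed, so its entries stop holding space.
    """
    rng = random.Random(seed)
    early = sum(
        perturb_timeout(configured, candidates, epsilon, rng) < configured
        for _ in range(trials)
    )
    return early / trials


if __name__ == "__main__":
    # Constructed sample values: timeouts in seconds, controller sets 10 s.
    candidates = [2, 4, 6, 8, 10]
    for eps in (0.5, 1.0, 3.0, 20.0):
        rate = early_expiry_rate(10, candidates, eps)
        print(f"epsilon={eps:>4}: {rate:.1%} of entries expire early")
```

A smaller budget means more perturbation and more entries expiring ahead of the configured value, at the cost of more table misses for legitimate flows.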
