Abstract

SDN (Software-Defined Networking) is a new technology that separates the data and control planes; the main components of SDN are OFSwitches and the Controller. The SDN controller monitors the traffic flow. Initially, OFSwitches lack security rules for packet handling. An OFSwitch sends the packet to the controller for examination, which results in control messages that favor the packet and in the necessary flow entry being established. Host packets are then sent to their destination on the basis of the destination host address alone; the source host address is not examined. An attacker takes advantage of this and generates packets with forged source addresses in order to conceal their identity and carry out source-address-spoofed attacks such as Denial of Service (DoS), man in the middle (MiM), Distributed DoS (DDoS), and so on. This paper proposes a design for discovering hosts proactively, preparing a HostTable, configuring flow entries during handshaking, and detecting and preventing source-forged attacks in Hybrid SDN. We call it HyPASS: Design of Hybrid-SDN Prevention of Source Spoofing Attacks with Host Discovery and Address Validation. We used Python for the Mininet implementation and tested it on the RYU and POX controllers. During the experiment, it identified and dropped 99.99% of packets with a forged source address.
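The source-address check that a HostTable makes possible can be shown in a few lines of Python. This is an added example, not code from the HyPASS paper: the binding fields (MAC, switch id, port), the trunk-port exemption and the verdict strings are assumptions, and the topology and packets are constructed.

```python
# Added example; field names and verdict strings are assumptions, not HyPASS's own.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    dpid: int   # switch (datapath) id the host is attached to
    port: int   # access port on that switch

class HostTable:
    """IP -> (MAC, switch, port) bindings filled in during host discovery."""
    def __init__(self, trunk_ports=()):
        self._by_ip = {}
        # Switch-to-switch ports: traffic here was already checked at its edge port.
        self._trunks = set(trunk_ports)

    def learn(self, ip, mac, dpid, port):
        # First binding wins, so a later packet cannot overwrite a discovered host.
        self._by_ip.setdefault(ip, Binding(mac.lower(), dpid, port))

    def validate(self, src_ip, src_mac, dpid, in_port):
        if (dpid, in_port) in self._trunks:
            return "forward"
        b = self._by_ip.get(src_ip)
        if b is None:
            return "drop:unknown-source"
        if b.mac != src_mac.lower():
            return "drop:mac-mismatch"
        if (b.dpid, b.port) != (dpid, in_port):
            return "drop:wrong-port"
        return "forward"

def build_demo_table():
    # Constructed topology: two switches joined on port 3, one host on each.
    table = HostTable(trunk_ports={(1, 3), (2, 3)})
    table.learn("10.0.0.1", "00:00:00:00:00:01", dpid=1, port=1)
    table.learn("10.0.0.2", "00:00:00:00:00:02", dpid=2, port=1)
    return table

# Constructed packet-in samples: (src_ip, src_mac, dpid, in_port)
SAMPLES = [
    ("10.0.0.1", "00:00:00:00:00:01", 1, 1),  # genuine host
    ("10.0.0.2", "00:00:00:00:00:01", 1, 1),  # source IP does not match bound MAC
    ("10.0.0.9", "00:00:00:00:00:09", 1, 2),  # source never discovered
    ("10.0.0.2", "00:00:00:00:00:02", 1, 2),  # IP and MAC match, wrong ingress port
    ("10.0.0.2", "00:00:00:00:00:02", 1, 3),  # host 2 traffic transiting the trunk
]

def run_demo():
    table = build_demo_table()
    return [table.validate(*pkt) for pkt in SAMPLES]
```

The fourth sample is the case an IP-to-MAC check alone misses: both addresses belong to a real host, and only the switch and port recorded in the binding expose the mismatch.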
