Abstract

Software-defined Networking (SDN) is an emerging technology built on the fundamental notion of setting up a network with a decoupled control plane and data plane. It brings numerous benefits, such as improved network manageability, flexibility, and programmability, to measure up to the enormous demands of future networking. However, it also comes with security concerns that are intrinsic to SDN’s architecture. In classic SDN, a switch acts as a forwarding device that has to forward a packet to the centralized controller for every new flow that comes into the network. This design philosophy gives rise to the new-flow based distributed denial-of-service (DDoS) attack, which turns this internal flow-based policy into a critical security vulnerability that can be used to exhaust the scarce resources of the control plane and data plane in an SDN network. In this paper, we propose a classification of the security vulnerabilities exposed by the SDN architecture and leveraged by a new-flow based DDoS attack. We also analyze the latest developments in recent years of research on DDoS detection and mitigation aimed at overcoming these security vulnerabilities. Finally, we discuss SDN security-related research challenges that can be valuable to the research community and academics for carrying out further research and investigation.
