Abstract

Software-defined networking (SDN) decouples the control plane and data plane through OpenFlow technology and allows flexible network control. It has been widely applied in different areas and has become a focus of attention for future networks. As SDN has developed, its security has become a research problem that urgently needs to be solved. In this paper, we propose a novel attack, namely, the packet-injection exploiting attack. By maliciously injecting false hosts into the SDN network topology, attackers can further use them to launch a denial of service (DoS) attack. The consequences affect the throughput and processing capabilities of the controller, severely consume data plane resources, and ultimately affect the entire network. To prevent the packet-injection exploiting attack, we designed PIEDefender, an efficient, protocol-independent component built on SDN controllers to detect and mitigate attacks effectively. We implement the PIEDefender prototype on the Floodlight controller and assess its effectiveness in a software environment. Experimental results show that PIEDefender achieves a 97.8% injection detection precision and a 97.96% DoS detection precision, incurring an average CPU consumption of 10%. The evaluation demonstrates that PIEDefender can effectively mitigate the attack against SDN with limited overhead.

Highlights

  • Software-defined networking (SDN) has arisen as a revolutionary networking paradigm that can meet escalating demands of future networking [1]

  • We evaluate PIEDefender in terms of injection detection precision, denial of service (DoS) detection precision, and defense overhead

  • We evaluate the effectiveness and performance of PIEDefender from the following aspects: (1) injection detection effect, (2) DoS detection effect, (3) defense effect on the SDN controller, (4) defense effect on the OpenFlow switch, and (5) defense overhead


Summary

Introduction

Software-defined networking (SDN) has arisen as a revolutionary networking paradigm that can meet escalating demands of future networking [1]. It separates the network’s control plane from the embedded nodes and replaces the classical control plane based on system embedding with an open and programmable soft control plane [2,3]. The idea of separation of logical control and forwarding function expands the attack surface [4], and the control plane, data plane, and application plane will face security challenges. The application plane interacts with the controller through the northbound application programming interface (API), facilitating the rapid advancement of services, such as network configuration and application deployment
