Abstract

The simplified data plane of a Software-Defined Network (SDN) must be able to process packets from the entire network. However, the limited size of the flow table constrains the forwarding capacity of the data plane and exposes it to attack. In this paper, we study the slow-rate flow table overflow (SFTO) attack, in which an attacker sends unmatched packets at a slow rate so that each packet triggers the installation of a new flow entry; the entries accumulate and occupy the flow table until it overflows. To protect the availability of flow tables and the forwarding efficiency of normal flows, we propose SFTO-Guard, a real-time SFTO attack detection and mitigation system based on rule number prediction and an adaptive eviction proportion. SFTO-Guard consists of three modules: a rule prediction module, an attack detection module and an attack mitigation module. The rule prediction module monitors the number of rules in the flow tables and predicts it in real time. When the predicted value reaches the attack threshold, the module collects the rules in the flow tables, extracts features from them and starts the attack detection module. When an SFTO attack is detected, the attack mitigation module adaptively calculates the rule eviction proportion from the predicted rule number and the detection results, and evicts suspected flow entries to prevent flow table overflow. Experiments on SFTO-Guard show that the proposed system mitigates SFTO attacks effectively with low system overhead and short response time, limits malicious rules in flow tables to less than 10%, and is practicable in SDN deployments.
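The three-module pipeline described above, as an added toy simulation written for this page (it is not the SFTO-Guard implementation, and the abstract gives none of the paper's formulas): a reactive flow table is filled by an attacker that sends a few never-repeated unmatched packets per step alongside benign flows that keep hitting their rules. The least-squares rule-count extrapolation, the packets-per-step feature with a 0.5 rate floor, the "half the table is idle" detection rule, and the eviction proportion (evict just enough suspects to bring the predicted occupancy back to 80% of capacity) are all assumptions chosen for illustration; the benign/attacker traffic and the capacity of 100 rules are constructed inputs.

```python
"""Toy SFTO attack plus a predict -> detect -> adaptively-evict guard.
Editor's example; the prediction, feature and proportion formulas are
assumptions, not the mechanisms of the SFTO-Guard paper."""
from __future__ import annotations
from dataclasses import dataclass
from math import ceil


@dataclass
class FlowEntry:
    installed_at: int   # step at which the table-miss installed the rule
    packets: int = 1    # the packet that triggered installation counts


class FlowTable:
    """Minimal reactive flow table: a miss installs a rule, a hit bumps its counter."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries: dict[str, FlowEntry] = {}
        self.drops = 0  # installs refused because the table was full

    def process(self, match: str, now: int) -> bool:
        entry = self.entries.get(match)
        if entry is not None:
            entry.packets += 1
            return True
        if len(self.entries) >= self.capacity:
            self.drops += 1          # overflow: the new flow cannot be forwarded
            return False
        self.entries[match] = FlowEntry(installed_at=now)
        return True

    def evict(self, match: str) -> None:
        del self.entries[match]


def predict_rule_count(history: list[int], horizon: int = 1) -> float:
    """Rule prediction (assumed): least-squares line through the recent
    rule counts, extrapolated `horizon` steps ahead."""
    n = len(history)
    if n < 2:
        return float(history[-1])
    mean_x, mean_y = (n - 1) / 2, sum(history) / n
    num = sum((i - mean_x) * (y - mean_y) for i, y in enumerate(history))
    den = sum((i - mean_x) ** 2 for i in range(n))
    return history[-1] + (num / den) * horizon


def packet_rate(entry: FlowEntry, now: int) -> float:
    """Feature (assumed): packets matched per step since installation."""
    return entry.packets / (now - entry.installed_at + 1)


def detect_attack(table: FlowTable, now: int, rate_floor: float = 0.5,
                  suspect_fraction: float = 0.5) -> tuple[bool, list[str]]:
    """Attack detection (assumed rule): flag an SFTO attack when at least
    `suspect_fraction` of the table is held by near-idle entries.
    Returns the verdict and the suspects, lowest packet rate first."""
    rates = {m: packet_rate(e, now) for m, e in table.entries.items()}
    suspects = sorted((m for m, r in rates.items() if r <= rate_floor),
                      key=lambda m: rates[m])
    attacked = bool(rates) and len(suspects) / len(rates) >= suspect_fraction
    return attacked, suspects


def eviction_proportion(predicted: float, capacity: int, attacked: bool,
                        headroom: float = 0.2) -> float:
    """Adaptive eviction proportion (assumed formula): share of the table that
    must go for the predicted occupancy to fall back to (1-headroom)*capacity."""
    if not attacked or predicted <= 0:
        return 0.0
    target = (1 - headroom) * capacity
    return max(0.0, min(1.0, (predicted - target) / predicted))


def mitigate(table: FlowTable, suspects: list[str], proportion: float) -> list[str]:
    """Attack mitigation: evict only the least active suspects."""
    victims = suspects[:ceil(proportion * len(table.entries))]
    for match in victims:
        table.evict(match)
    return victims


def guard_step(table: FlowTable, history: list[int], now: int,
               attack_threshold: float = 0.9) -> list[str]:
    """Predict every step; detect and mitigate only once the prediction
    reaches attack_threshold * capacity, as the abstract describes."""
    predicted = predict_rule_count(history[-5:])
    if predicted < attack_threshold * table.capacity:
        return []
    attacked, suspects = detect_attack(table, now)
    return mitigate(table, suspects, eviction_proportion(predicted, table.capacity, attacked))


def simulate(steps: int = 60, capacity: int = 100, n_benign: int = 20,
             attack_per_step: int = 3, guard: bool = True) -> dict:
    """Constructed scenario: benign flows hit their rule every step; the attacker
    sends a few never-repeated unmatched packets per step, each costing one rule.
    Idle timeouts are omitted: a real SFTO attacker paces packets to stay under them."""
    table, history, peak, next_attack_id = FlowTable(capacity), [], 0, 0
    for now in range(steps):
        for i in range(n_benign):
            table.process(f"benign-{i}", now)
        for _ in range(attack_per_step):
            table.process(f"attack-{next_attack_id}", now)
            next_attack_id += 1
        history.append(len(table.entries))
        peak = max(peak, len(table.entries))
        if guard:
            guard_step(table, history, now)
    malicious = sum(m.startswith("attack-") for m in table.entries)
    return {"rules": len(table.entries), "peak_rules": peak,
            "benign_kept": sum(m.startswith("benign-") for m in table.entries),
            "malicious_fraction": malicious / max(1, len(table.entries)),
            "drops": table.drops}


if __name__ == "__main__":
    print("unguarded:", simulate(guard=False))
    print("guarded:  ", simulate(guard=True))
```

Running the two scenarios shows the availability point the abstract makes: without the guard the table fills after a few dozen steps and every later new flow is refused, while with the guard the table never reaches capacity, no install is dropped, and the benign rules (packet rate 1.0, never suspects) survive every eviction round. Because this toy's proportion only removes the overflow excess, the malicious share between trigger points stays well above the paper's reported 10%; the paper's own proportion formula and feature set are not given in the abstract, so this is where a real deployment would plug them in.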
