SAHAR: An Architecture to Strengthen the Control Plane of the Software-Defined Network Against Denial of Service Attacks
Subject Areas: Electrical and Computer Engineering
Mehran Shetabi 1, Ahmad Akbari 2 *
1 - University of Science and Technology
2 -
Keywords: OpenFlow protocol, Software-defined network (SDN), denial of service (DoS) attack
Abstract:
Software-defined networking (SDN) is the next generation of network architecture: by separating the data plane from the control plane, it enables centralized control with the aim of improving network management and compatibility. However, because control is centralized, this type of network is prone to losing its control plane under a denial of service (DoS) attack. In reactive mode, a sharp increase in events caused by new flows entering the network puts heavy pressure on the control plane. In addition, recurring events such as the collection of statistical information from the network interfere severely with the basic functionality of the control plane and can greatly reduce its efficiency. To resist such attacks and prevent network paralysis, this paper introduces a new architecture called SAHAR, which consists of a control box made up of a coordinator controller, a primary flow setup controller, and one or more (as needed) secondary flow setup controller(s). Assigning monitoring and management tasks to the coordinator controller reduces the load on the flow setup controllers. In addition, the coordinator controller divides the incoming traffic between the flow setup controllers, which distributes the load across the control plane. Thus, by directing the traffic load resulting from a denial-of-service attack to one or more secondary flow setup controller(s), the SAHAR architecture keeps the primary flow setup controller from being impaired and resists DoS attacks. Tests show that SAHAR performs better in the face of a DoS attack than existing solutions.
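The abstract describes the control box only at the architectural level. The following is an added illustrative model, not the paper's code and not a Ryu or OpenFlow implementation: it simulates one scheduling window of packet-in events, first handed to a single flow setup controller and then routed through a coordinator that splits them between a primary and two secondary flow setup controllers. The per-source new-flow-count heuristic used to mark a source as suspicious, the controller capacities, the round-robin assignment to secondaries, the IP addresses and the traffic mix are all assumptions of this example; the paper's own classification method is not given in the abstract.

```python
"""Illustrative model of the SAHAR control box (added example, not the paper's code)."""
from collections import Counter
from dataclasses import dataclass

ATTACK_SRC = "10.0.0.99"  # constructed attacker address (assumption)


@dataclass(frozen=True)
class PacketIn:
    """A packet-in event: the switch had no flow entry for this header."""
    src: str
    dst: str
    dport: int


class FlowSetupController:
    """A controller that installs flow rules. It can serve at most `capacity`
    packet-ins per scheduling window; the rest are lost (the saturation effect
    a control-plane DoS relies on)."""

    def __init__(self, name: str, capacity: int):
        self.name = name
        self.capacity = capacity
        self.served: list[PacketIn] = []
        self.dropped: list[PacketIn] = []

    def process(self, batch: list[PacketIn]) -> None:
        self.served.extend(batch[:self.capacity])
        self.dropped.extend(batch[self.capacity:])


class Coordinator:
    """Front-end that splits a window of packet-ins between the primary and the
    secondary flow setup controllers. Marking a source as suspicious when it
    generates more than `per_src_threshold` new flows in one window is an
    assumption of this example, not the paper's classifier."""

    def __init__(self, primary, secondaries, per_src_threshold: int):
        self.primary = primary
        self.secondaries = secondaries
        self.per_src_threshold = per_src_threshold
        self._rr = 0  # round-robin pointer over the secondaries

    def dispatch(self, window: list[PacketIn]) -> set[str]:
        counts = Counter(e.src for e in window)
        suspicious = {s for s, c in counts.items() if c > self.per_src_threshold}
        batches = {c: [] for c in [self.primary, *self.secondaries]}
        for e in window:
            if e.src in suspicious:
                target = self.secondaries[self._rr % len(self.secondaries)]
                self._rr += 1
            else:
                target = self.primary
            batches[target].append(e)
        for ctrl, batch in batches.items():
            ctrl.process(batch)
        return suspicious


def constructed_window(benign_sources=10, benign_per_src=5, attack_flows=2000):
    """Constructed traffic: a few new flows from each benign host, interleaved
    with a flood of never-before-seen flows from one attacking host."""
    benign = [PacketIn(f"10.0.0.{i}", "10.0.1.1", 80 + j)
              for i in range(1, benign_sources + 1) for j in range(benign_per_src)]
    attack = [PacketIn(ATTACK_SRC, "10.0.1.1", 1024 + k) for k in range(attack_flows)]
    window = list(attack)
    stride = max(1, len(attack) // len(benign))
    for i, b in enumerate(benign):      # spread benign events through the flood
        window.insert(i * stride, b)
    return window


def benign_dropped(controllers) -> int:
    return sum(1 for c in controllers for e in c.dropped if e.src != ATTACK_SRC)


def run_single_controller() -> int:
    """Baseline: one controller takes the whole window; returns benign events lost."""
    primary = FlowSetupController("primary", capacity=100)
    primary.process(constructed_window())
    return benign_dropped([primary])


def run_sahar() -> dict:
    """Coordinator in front of a primary and two secondaries (capacities assumed)."""
    primary = FlowSetupController("primary", capacity=100)
    secondaries = [FlowSetupController("secondary-1", 500),
                   FlowSetupController("secondary-2", 500)]
    coord = Coordinator(primary, secondaries, per_src_threshold=20)
    suspicious = coord.dispatch(constructed_window())
    return {"suspicious": suspicious,
            "benign_dropped": benign_dropped([primary, *secondaries]),
            "primary_load": len(primary.served) + len(primary.dropped)}


if __name__ == "__main__":
    print("single controller, benign packet-ins lost:", run_single_controller())
    print("with coordinator:", run_sahar())
```

In the baseline the first hundred events are almost all attack flows, so most benign hosts never get their rules installed; with the coordinator the primary sees only the fifty benign events and the flood is absorbed (and partly dropped) by the secondaries. The threshold heuristic is deliberately crude: a distributed attack spread thinly across many sources would stay under it, which is why the paper separates monitoring into the coordinator rather than relying on a single per-source count.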