
A Novel OpenFlow-Based DDoS Flooding Attack Detection and Response Mechanism in Software-Defined Networking

Published: 01 July 2015

Abstract

Software-Defined Networking (SDN) and OpenFlow have brought a promising architecture for future networks. However, SDN still faces many security challenges. To protect SDN from Distributed Denial-of-Service (DDoS) flooding attacks, this paper extends the flow entry counters and adds a mark action to OpenFlow, then proposes an entropy-based distributed attack detection model and a novel IP traceback and source filtering response mechanism in SDN using OpenFlow-based Deterministic Packet Marking. The scheme detects the attack at the destination and filters the malicious traffic at the source, and it can be easily implemented in an SDN controller program, or in a software or programmable switch, such as Open vSwitch and NetFPGA. The experimental results show that this scheme can detect the attack quickly, achieve high detection accuracy with a low false positive rate, shield the victim from attack traffic, and also prevent the attacker from consuming resources and bandwidth on the intermediate links.



Published In

International Journal of Information Security and Privacy, Volume 9, Issue 3
July 2015
99 pages
ISSN: 1930-1650
EISSN: 1930-1669

Publisher

IGI Global

United States

Publication History

Published: 01 July 2015

Author Tags

  1. Anomaly Detection and Response
  2. DDoS Flooding Attack
  3. DPM
  4. Entropy
  5. IP Traceback
  6. OpenFlow
  7. SDN
  8. Source Filtering

Qualifiers

  • Article
