An Evaluation of Systems for Detection and Prevention of DoS Attacks in SDN Networks

Pages: 31-49

Author(s)

Maurizio D’Arienzo 1,*

1. Dipartimento di Scienze Politiche, Università della Campania “L. Vanvitelli”, Caserta, Italy

* Corresponding author.

DOI: https://doi.org/10.5815/ijwmt.2024.03.03

Received: 11 Jan. 2024 / Revised: 12 Feb. 2024 / Accepted: 14 Mar. 2024 / Published: 8 Jun. 2024

Index Terms

software defined network, security, denial of service

Abstract

This paper proposes a study on systems for the detection and prevention of Denial-of-Service (DoS) attacks in Software-Defined Network (SDN) architectures. After a survey of the characteristics of SDN and DoS attacks, we introduce a system based on several components and the sFlow protocol to detect and react to different types of attacks, from both single and distributed sources. The attacks considered include all the main flooding techniques, as well as the Slowloris approach. Finally, an experimental example of an attack on an SDN controller is presented to highlight the interaction between the components and evaluate their timely mitigation effects against the threat.

Cite This Paper

Maurizio D’Arienzo, "An Evaluation of Systems for Detection and Prevention of DoS Attacks in SDN Networks", International Journal of Wireless and Microwave Technologies (IJWMT), Vol. 14, No. 3, pp. 31-49, 2024. DOI: 10.5815/ijwmt.2024.03.03
