1. Introduction

Software-defined networking (SDN) is an evolving technology that fundamentally alters the architecture and operation of legacy networks. Its defining property is the physical separation of the network control plane from the forwarding plane, with one control plane managing several devices. SDN is an emerging architecture that is dynamic, manageable, cost effective and adaptable, making it well suited to the high-bandwidth, dynamic nature of today's applications; it decouples the network control and forwarding functions [1]. Networking designers have been pushing to define a new set of devices that support SDN and to implement services in SDN that improve on those of legacy networks. In the course of this work, the security of packets in SDN networks has become a point of debate. SDN splits a network device's control logic from its forwarding logic: the forwarding logic stays in the device, while the control logic is implemented as software on a central controller.

In SDN, switches do not process incoming traffic themselves. They look for a match in the switch's flow table and forward the traffic accordingly. If there is no match, the traffic is forwarded to the controller, which is the entity that decides whether to drop or forward the packet [2]. Communication between the controller and the forwarding devices is carried out through a southbound application programming interface; one such API is the OpenFlow protocol. Being centrally located, the controller has a complete view of the network, which improves its policy decisions.
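The table-miss path just described (and the seven-step flow sequence given under "Working of SDN" below) is easiest to follow as a small simulation. The following is an added example, not code from the original paper or from any real controller: one switch and one controller modelled in plain Python, where a miss raises a PacketIn, the controller learns the source MAC's port, answers with a FlowMod plus a PacketOut, and idle entries are evicted after a timeout. The class and field names, the timeout value and the sample frames are assumptions made for illustration.

```python
"""Toy model of the OpenFlow learning-switch loop (added example, not the paper's code)."""
from dataclasses import dataclass, field

IDLE_TIMEOUT = 10.0  # assumed: seconds of inactivity before a flow entry is removed
FLOOD = "flood"      # pseudo-port: send out every port except the ingress port


@dataclass
class FlowEntry:
    out_port: object          # an int port number or FLOOD
    last_used: float
    packets: int = 0


@dataclass
class Switch:
    """Forwarding element: matches on (src, dst) MAC; misses go to the controller."""
    ports: list
    table: dict = field(default_factory=dict)    # (src, dst) -> FlowEntry
    packet_ins: list = field(default_factory=list)

    def process(self, src, dst, in_port, now, controller):
        key = (src, dst)
        entry = self.table.get(key)
        if entry is None:                        # step 4: table miss -> PacketIn (step 5)
            self.packet_ins.append(key)
            return controller.packet_in(self, src, dst, in_port, now)
        entry.last_used = now                    # step 3: switch forwards on its own
        entry.packets += 1
        return self.emit(entry.out_port, in_port)

    def emit(self, out_port, in_port):
        """Ports the frame leaves on; FLOOD means every port but the ingress one."""
        if out_port == FLOOD:
            return [p for p in self.ports if p != in_port]
        return [out_port]

    def expire_idle(self, now):
        """Step 7: remove entries idle longer than IDLE_TIMEOUT; return how many."""
        stale = [k for k, e in self.table.items() if now - e.last_used > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]
        return len(stale)


class Controller:
    """Control logic: learns where MACs live and pushes FlowMods to the switch."""
    def __init__(self):
        self.mac_to_port = {}   # one switch here; keyed per switch in a real controller
        self.flow_mods = 0

    def packet_in(self, sw, src, dst, in_port, now):
        self.mac_to_port[src] = in_port                      # step 1: learn src location
        out_port = self.mac_to_port.get(dst, FLOOD)
        if out_port != FLOOD:                                # step 2: install a flow (FlowMod)
            sw.table[(src, dst)] = FlowEntry(out_port, now, 1)
            self.flow_mods += 1
        return sw.emit(out_port, in_port)                    # step 6: PacketOut


def demo():
    """Constructed exchange: A talks to B before B is known, then B answers."""
    sw, ctl = Switch(ports=[1, 2, 3]), Controller()
    out1 = sw.process("A", "B", 1, now=0.0, controller=ctl)   # B unknown -> flood
    out2 = sw.process("B", "A", 2, now=1.0, controller=ctl)   # A known -> flow installed
    out3 = sw.process("B", "A", 2, now=2.0, controller=ctl)   # table hit, no PacketIn
    evicted = sw.expire_idle(now=20.0)                        # idle > 10 s -> removed
    return out1, out2, out3, len(sw.packet_ins), ctl.flow_mods, evicted


if __name__ == "__main__":
    print(demo())
```

Two PacketIns are enough for the controller to install one flow; every later frame in that direction is switched locally until the entry idles out. The same model shows why a flood of frames with spoofed, never-repeated addresses is dangerous: every one of them misses the table and reaches the controller.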
It allows network administrators to program the whole network easily. Problems such as configuration errors, detection and mitigation of attacks, and deployment of new protocols on legacy network devices, which used to take a long time to detect and resolve, can now be handled within hours with SDN [3]. With all these benefits, SDN has attracted the attention of most networking researchers and of industry. Although SDN brings several advantages, certain tasks must be undertaken to deploy it properly. The task that most troubles everyone adopting SDN is security, which has received growing attention from academia and industry alike [4].

Working of SDN and the OpenFlow protocol

SDN flows:
1. The first frame and the initial learning are handled by the controller.
2. Once the controller knows where the devices are, it can update the flow tables on the switches.
3. The switches can then switch traffic independently of the controller.
4. Switches only send traffic to the controller if it does not match any of their flow table entries.
5. Switches send packets to the controller as PacketIn messages.
6. The controller sends packets to the switches as PacketOut messages.
7. The controller observes the current flows, and if a flow is inactive for a period of time it removes that flow.

Figure 1. SDN Flows

Security issues of SDN
There are various attacks possible on SDN, such as man-in-the-middle attacks, DoS attacks, DDoS attacks and unauthorized access [5]. DDoS attacks are distributed denial-of-service attacks and are among the most threatening problems for Internet security today. The DDoS attacker relies on sending an overwhelming number of bogus packets to consume server resources such as CPU, memory and network bandwidth [6] (Xu, Yu, Kun). As a result, requests from legitimate users cannot be processed. These attacks are very difficult to detect. In recent years, legacy networks have been regularly troubled by DDoS attacks, which has drawn researchers' attention to the issue. Because SDN is centrally organised, DDoS in SDN becomes a much larger problem than in a legacy network: the loss of the single controller can interrupt management of the entire network [4].

Some of the attack points in SDN are:
1. Control plane
2. Southbound API
3. Data plane
4. Application plane
5. Northbound API
6. Eastbound API
7. Westbound API

Attack points in SDN (reference: Qiao Yan, F. Richard Yu)

The various kinds of DDoS attacks are:
Distributed denial-of-service attacks differ significantly, and there are thousands of different ways an attack can be carried out, but an attack will generally fall into one of three broad categories (Arbor Networks):

1. Volumetric attacks: Volumetric attacks attempt to consume the bandwidth either within the target network or service, or between the target network or service and the rest of the Internet. These attacks are simply about causing congestion. They include flooding attacks such as User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) floods.

2. TCP state-exhaustion attacks: TCP state-exhaustion attacks attempt to consume the connection state tables present in many infrastructure components such as load balancers, firewalls and the application servers themselves. Even high-capacity devices capable of maintaining state on millions of connections can be taken down by these attacks. The SYN flood is the canonical example. Ping of Death and smurf attacks are often listed alongside it, but strictly they are a malformed-packet attack and an ICMP amplification attack respectively, and fit the volumetric category better.

3. Application layer attacks: Application layer attacks target some aspect of an application or service at layer 7. These are the most insidious kind of attack, as they can be very effective with as few as one attacking machine generating a low traffic rate, which makes them very difficult to proactively detect and mitigate. Application layer attacks have come to prominence over the past three or four years, and simple application layer flood attacks (HTTP GET floods etc.) have been some of the most common denial-of-service attacks seen in the world.
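The state-exhaustion category is the one most often misunderstood, because the link is not saturated at all: the scarce resource is a table of half-open connections. The following added example (not code from the original paper or from any product) models a stateful device with a fixed-capacity half-open table under a SYN flood from spoofed sources that never complete the handshake, and shows legitimate SYNs being refused until the entries time out. Table size, timeout and the traffic mix are constructed assumptions.

```python
"""Model of a TCP state-exhaustion (SYN flood) attack (added example, not the paper's code)."""
from dataclasses import dataclass, field

HALF_OPEN_TIMEOUT = 30.0   # assumed: seconds a SYN_RECV entry lives without the final ACK


@dataclass
class StateTable:
    """Half-open connection table of a firewall / load balancer / server."""
    capacity: int
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> expiry time
    accepted: int = 0
    dropped: int = 0

    def on_syn(self, src, now):
        """Incoming SYN: allocate a slot, or drop when the table is full."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1
            return False
        self.half_open[src] = now + HALF_OPEN_TIMEOUT
        return True

    def on_ack(self, src, now):
        """Third handshake step: the entry leaves the half-open table."""
        if self.half_open.pop(src, None) is not None:
            self.accepted += 1
            return True
        return False

    def _expire(self, now):
        for k in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[k]


def simulate(capacity=1000, attack_syns=1500, attack_pps=500):
    """Constructed scenario: a 3 s spoofed SYN burst, then one legitimate client."""
    tbl = StateTable(capacity)
    t = 0.0
    # Attacker: spoofed, never-repeated sources; no ACK ever arrives.
    for i in range(attack_syns):
        tbl.on_syn((f"203.0.113.{i % 250}", 1024 + i), t)
        t += 1.0 / attack_pps
    # Legitimate client tries right after the burst ...
    client = ("198.51.100.10", 50000)
    ok_during = tbl.on_syn(client, t) and tbl.on_ack(client, t + 0.05)
    # ... and again once the half-open entries have timed out.
    t += HALF_OPEN_TIMEOUT + 1
    client = ("198.51.100.10", 50001)
    ok_after = tbl.on_syn(client, t) and tbl.on_ack(client, t + 0.05)
    return ok_during, ok_after, tbl.dropped


if __name__ == "__main__":
    print(simulate())
```

At 500 packets per second of 60-byte SYNs the attacker sends well under 1 Mbit/s, yet the 1000-entry table fills in two seconds and every later SYN, including the real client's, is dropped until the 30 s timeout clears the table. Defences such as SYN cookies work by not allocating table state until the handshake completes, which this model does not include.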
2. Literature Review

With the increasing adoption of SDN technology, a growing body of work is addressing its security issues and investigating how they can be mitigated. A survey of these issues is provided in [4].

Shin et al. [8] and Kandoi et al. [9] examined the influence of DoS attacks on network performance and showed how such attacks impact parameters like bandwidth, control plane latency, controller efficiency and switch tables. They do not provide any solution to address these problems.

Dao et al. present a solution to guard SDN networks against DDoS attacks based on IP filtering. The scheme examines user behaviour and uses it to assign the timeout of flow entries: short timeouts are assigned to flows from illegitimate users and long timeouts to flows from legitimate users. This forces malicious entries to be evicted quickly from the switches' CAM tables. The solution deletes all traffic judged malicious, which is harmful for false-positive flows.

Dridi et al. present SDN Guard, a scheme able to efficiently protect SDN networks against DoS attacks by rerouting malicious traffic, adjusting flow timeouts and aggregating flow rules. It does not address DDoS attacks, and its detection relies on a pre-built IDS whose accuracy is doubtful.

Mousavi et al. proposed calculating entropy over the events occurring in the network. Entropy samples of the traffic approaching the controller are calculated, and a threshold is decided that serves as the reference point. If the entropy of the traffic approaching the controller crosses the agreed threshold, an attack is declared. This is a simple method for recognizing volumetric attacks, but it is not suitable for detecting slow-rate or protocol-exploitation DDoS attacks.

Dayal et al. [10] tried to classify the possible DDoS attacks in SDN environments with an attack tree and an attack model, and analysed the impact of various traditional DDoS attacks on SDN.
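The entropy scheme of Mousavi et al. described above can be made concrete in a few lines. The following is an added example, not the authors' code: the destination IPs of consecutive PacketIn messages are grouped into windows of WINDOW packets, the Shannon entropy of each window is computed, and an alarm is raised when entropy stays below THRESHOLD for CONSECUTIVE windows, since a flood aimed at one target makes that address dominate the new flows and drives the entropy towards zero. Window size, threshold, the consecutive-window rule and the sample traffic are constructed assumptions.

```python
"""Entropy-based volumetric DDoS detector over PacketIn destinations (added example)."""
import math
from collections import Counter

WINDOW = 50        # assumed: PacketIn messages per entropy sample
THRESHOLD = 1.0    # assumed: bits; in practice tuned on baseline traffic
CONSECUTIVE = 3    # assumed: low-entropy windows in a row before alarming (suppresses blips)


def entropy(dst_ips):
    """Shannon entropy in bits of the destination-IP distribution of one window."""
    counts = Counter(dst_ips)
    n = len(dst_ips)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect(packet_in_dsts):
    """Return (index of the window that raised the alarm or None, entropy per window)."""
    ents, low = [], 0
    for i in range(0, len(packet_in_dsts) - WINDOW + 1, WINDOW):
        h = entropy(packet_in_dsts[i:i + WINDOW])
        ents.append(h)
        low = low + 1 if h < THRESHOLD else 0
        if low >= CONSECUTIVE:
            return len(ents) - 1, ents
    return None, ents


# Constructed sample traffic: four windows of normal traffic spread evenly over
# ten hosts, then four windows in which 48 of every 50 new flows target 10.0.0.7.
NORMAL = [f"10.0.0.{1 + (k % 10)}" for k in range(4 * WINDOW)]
ATTACK = []
for _ in range(4):
    ATTACK += ["10.0.0.7"] * 48 + ["10.0.0.1", "10.0.0.2"]


if __name__ == "__main__":
    print(detect(NORMAL + ATTACK))
```

The normal windows sit at log2(10), about 3.32 bits, and the attack windows at roughly 0.28 bits, so the alarm fires on the third attack window. As the text notes, the method only sees floods that change the address distribution: a slow-rate attack that keeps entropy near the baseline passes through it.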
Dayal et al. intend to find exact parameters for accurately identifying a DDoS attack in future work.

The technique in [26] consists of three modules: flow collector, feature extractor and classifier. The flow collector periodically requests the flow entries from all flow tables of the OpenFlow switches. The feature extractor receives the collected flows and extracts the features that matter for DDoS attack detection. Finally, the classifier examines the features and decides whether they correspond to attack or legitimate traffic.

In [105] the authors recommend two different methods: a performance-model-based approach that uses OpenFlow-based SDN, and one built from commercial off-the-shelf Juniper components for controller communication. They work alike except for the communication protocol and the service chaining mechanism. The use of a shark tank lets real users continue their service while any false-positive case is classified, and a malicious user can easily be followed with this approach.

In [27], the authors reduced flow data gathering by sampling and reduced the communication required between the OpenFlow switches and the controller by combining it with the sampled flow (sFlow) protocol.
The authors designed a global anomaly mitigation using OpenFlow, but did not study the accuracy of the anomaly detection.

In [69], a monitoring plane is added alongside the OpenFlow devices. A flow statistics collector module in the monitoring plane collects flow information from the OpenFlow switches and forwards it to a detection engine, which takes the statistics as input and generates security alerts when anomalous flows are identified. The framework also allows further security functions to be incorporated, and middleboxes are used to enforce security policies on the switches in order to mitigate attacks. The framework monitors and is capable of mitigating DDoS attacks from the data plane as well, but it needs to be implemented as part of the network itself.

The authors of "Enabling security functions with SDN" implement security in a Floodlight application (inline-mode security functions, passive-mode security functions and network anomaly detection functions) to compare SDN with traditional networks. On the security side, more work remains to be done.

Kreutz et al. examined and identified several threat vectors that could enable exploitation of SDN weaknesses. They also outlined security-kernel work for SDN that is capable of safeguarding prioritized switch flow rules for security applications.

In [12] a technique is suggested to carefully remove entries from full flow tables. The ratio of PacketIns to FlowMods is monitored, and if the table is about to become full, rules are removed using a least-frequently-used scheme. This approach causes a potentially high load on the switches because of its heavy use of OpenFlow's statistics features.

In 2017 the authors proposed a statistical detection approach for DoS attacks, which detects and mitigates attacks against the data plane in a lightweight and dependable way. After identifying the attack, they install an OpenFlow rule that drops further attack packets.

Further, [5] proposes FloodGuard, a method that attempts to anticipate the behaviour of the controller and its applications and install rules in the switches proactively. These rules reduce the number of PacketIn messages and therefore limit the attacker's success, but the approach causes noticeable delays due to the buffering of packets.

Braga et al. [55] used self-organizing maps, a neural network model, for DDoS attack detection. This work presents SDN-centred DDoS detection based on six traffic flow features: average of packets per flow (APf), average of bytes per flow (ABf), average of duration per flow (ADf), percentage of pair-flows (PPf), growth of single-flows (GSf) and growth of different ports (GDP). The features are collected by a flow collector module in a NOX-based network and delivered to a classifier module for detection of illegitimate flows.
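The flow collector / feature extractor pipeline of [26] and the six Braga et al. features above share one building block: turning a batch of flow records from a switch's statistics reply into a feature vector. The following added example (not code from either paper) implements that extractor for one collection interval. The flow record fields, the pair-flow rule (a flow counts as paired when a flow in the opposite direction exists in the same interval), the port counting rule (distinct source and destination ports in the interval) and the sample records are assumptions made for illustration; the paper's exact definitions may differ in detail.

```python
"""Extractor for the six Braga et al. flow features (added example, not the paper's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow-table entry as a collector would see it in a stats reply (assumed fields)."""
    src: str
    dst: str
    sport: int
    dport: int
    packets: int
    bytes: int
    duration: float   # seconds the entry has been active


def features(flows):
    """Return the six features for one collection interval as a dict."""
    n = len(flows)
    if n == 0:                      # empty interval: nothing collected, all features zero
        return dict(APf=0.0, ABf=0.0, ADf=0.0, PPf=0.0, GSf=0, GDP=0)
    keys = {(f.src, f.dst, f.sport, f.dport) for f in flows}
    # A flow is "paired" when its reverse 4-tuple is also present (a real conversation).
    paired = sum(1 for f in flows if (f.dst, f.src, f.dport, f.sport) in keys)
    ports = {f.sport for f in flows} | {f.dport for f in flows}
    return dict(
        APf=sum(f.packets for f in flows) / n,     # average packets per flow
        ABf=sum(f.bytes for f in flows) / n,       # average bytes per flow
        ADf=sum(f.duration for f in flows) / n,    # average duration per flow
        PPf=paired / n,                            # share of pair-flows
        GSf=n - paired,                            # single (unanswered) flows this interval
        GDP=len(ports),                            # distinct ports seen this interval
    )


# Constructed sample: a normal interval of three HTTP conversations (both directions
# present) and an attack interval of 20 spoofed single-packet flows at one server.
NORMAL = []
for i, sport in enumerate((40001, 40002, 40003)):
    NORMAL.append(Flow(f"10.0.0.{i + 1}", "10.0.0.9", sport, 80, 20, 15000, 2.0))
    NORMAL.append(Flow("10.0.0.9", f"10.0.0.{i + 1}", 80, sport, 18, 40000, 2.0))

ATTACK = [Flow(f"198.51.100.{i}", "10.0.0.9", 1024 + 37 * i, 80, 1, 60, 0.0)
          for i in range(20)]


if __name__ == "__main__":
    print("normal:", features(NORMAL))
    print("attack:", features(ATTACK))
```

The two vectors show why these features separate the classes well: the flood interval has tiny packet and byte averages, zero duration, no pair-flows and a distinct port per flow, while the normal interval is fully paired with a handful of ports. In the pipeline of [26] or Braga et al. the returned dict is what the classifier (a self-organizing map in Braga's case) is trained and evaluated on.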
The AntiDDoS paper proposes an AntiDDoS mechanism consisting of four modules: attack detection trigger, attack detection, attack traceback and attack mitigation. The mechanism was evaluated on an SDN testbed.

FloodDefender is proposed as an efficient and protocol-independent defence framework for SDN/OpenFlow networks to mitigate DoS attacks. It sits between the controller platform and the other controller apps and protects both data-plane and control-plane resources through three techniques: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filtering to identify attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of the useless flow entries in the switch flow table.