Software defined networking (SDN) is an evolving technology that completely alters the architecture and operation of legacy networks. It is the physical separation of the network control plane from the forwarding plane, where one control plane controls several devices.
Software Defined Networking (SDN) is an emerging architecture that is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications. This architecture decouples the network control and forwarding functions [1]. There has been growing interest among network designers in developing a new set of devices to support Software Defined Networks and in implementing better services in SDN than in legacy networks. In the course of these developments, the security of packets in SDN networks comes into question.
Software Defined Networking (SDN) splits a network device's control logic from its forwarding logic. The forwarding logic stays on the device, whereas the control logic is implemented as a piece of software at a central controller.
In SDN, switches do not process the incoming traffic themselves: they look for a match in the switch's flow table and forward the traffic accordingly. If there is no match in the flow table, the traffic is forwarded to the controller. The controller is the main entity and decides whether to drop the packet or to forward it [2]. Communication between the controller and the forwarding devices is carried out through a southbound application programming interface; one such API is the OpenFlow protocol.
Being located centrally, the controller has a complete view of the network, which improves its policy decisions. It makes it easy for network administrators to program the whole network. Problems such as configuration issues, detection and mitigation of attacks, and the deployment of new protocols on legacy network devices, which used to take a long time to detect and resolve, can now be solved within hours with SDN [3]. Because of all these benefits, SDN has attracted the attention of most networking researchers and of industry. Although SDN brings several benefits to the networking era, there are certain tasks that need to be undertaken to deploy it appropriately. One of the issues that troubles everyone adopting SDN technology is security. It has received much attention from academia as well as industry [4].
In the OpenFlow protocol of SDN, flows are handled as follows. The first frame of a flow is sent to the controller, which performs the initial learning. Once the controller knows where the devices are, it can update the flow tables on the switches, which can subsequently switch traffic independently of the controller. Switches only send traffic to the controller if it does not match an entry in their flow table. Switches send such packets to the controller as Packet-In messages, and the controller sends packets to the switches as Packet-Out messages. The controller observes the current flows and, if a flow is inactive for a period of time, removes that flow (in OpenFlow this is normally done by setting an idle timeout on the flow entry, after which the switch itself removes it).
Figure 1. SDN Flows
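The flow set-up cycle shown in Figure 1 (table miss, Packet-In, controller learning, Packet-Out and Flow-Mod, local switching, idle expiry) is easy to misread from prose alone, so here is an added example that models it in pure Python. It is not code from the page or from any controller project: no OpenFlow library is used, the message names only mirror OpenFlow's, and the MAC addresses, ports and timeout value are constructed for the illustration.

```python
"""Added example: a pure-Python model of the OpenFlow flow set-up cycle
(table-miss -> Packet-In -> controller learns -> Packet-Out and Flow-Mod ->
later packets switched locally -> idle entries expire). No controller
framework is used; the classes, MACs, ports and timeout are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Match = Tuple[str, str]   # (src_mac, dst_mac); real OpenFlow matches carry more fields
FLOOD = -1                # stands in for the OFPP_FLOOD output port


@dataclass
class FlowEntry:
    out_port: int
    idle_timeout: float   # seconds of inactivity after which the switch drops the entry
    last_used: float


class Switch:
    """Forwarding plane: matches on its own table, escalates misses to the controller."""

    def __init__(self, dpid: int):
        self.dpid = dpid
        self.table: Dict[Match, FlowEntry] = {}
        self.packet_ins = 0          # table misses sent to the controller
        self.forwarded_locally = 0   # packets handled without the controller

    def handle_packet(self, pkt: dict, in_port: int, now: float, controller) -> int:
        key = (pkt["src"], pkt["dst"])
        entry = self.table.get(key)
        if entry is not None:
            entry.last_used = now
            self.forwarded_locally += 1
            return entry.out_port
        # Table miss: hand the packet to the controller as a Packet-In message.
        self.packet_ins += 1
        return controller.packet_in(self, pkt, in_port, now)

    def flow_mod(self, key: Match, out_port: int, idle_timeout: float, now: float) -> None:
        """Flow-Mod from the controller: install (or overwrite) a table entry."""
        self.table[key] = FlowEntry(out_port, idle_timeout, now)

    def expire_idle(self, now: float) -> List[Match]:
        """Remove entries idle for at least idle_timeout; returns the removed matches."""
        dead = [k for k, e in self.table.items() if now - e.last_used >= e.idle_timeout]
        for k in dead:
            del self.table[k]
        return dead


class Controller:
    """Control plane: a learning-switch application with a per-switch MAC table."""

    def __init__(self, idle_timeout: float = 10.0):
        self.mac_to_port: Dict[Tuple[int, str], int] = {}
        self.idle_timeout = idle_timeout

    def packet_in(self, sw: Switch, pkt: dict, in_port: int, now: float) -> int:
        # Initial learning: remember on which port the source MAC was seen.
        self.mac_to_port[(sw.dpid, pkt["src"])] = in_port
        out_port = self.mac_to_port.get((sw.dpid, pkt["dst"]), FLOOD)
        if out_port != FLOOD:
            # Destination known: install a flow so the switch handles this
            # conversation on its own from now on.
            sw.flow_mod((pkt["src"], pkt["dst"]), out_port, self.idle_timeout, now)
        # Packet-Out: tell the switch where to send this particular packet.
        return out_port


def demo() -> dict:
    """Two hosts (constructed MACs) exchange frames through one switch."""
    ctl, sw = Controller(idle_timeout=10.0), Switch(dpid=1)
    a_to_b = {"src": "aa:aa:aa:aa:aa:aa", "dst": "bb:bb:bb:bb:bb:bb"}
    b_to_a = {"src": "bb:bb:bb:bb:bb:bb", "dst": "aa:aa:aa:aa:aa:aa"}
    outs = [
        sw.handle_packet(a_to_b, in_port=1, now=0.0, controller=ctl),  # miss, B unknown: FLOOD
        sw.handle_packet(b_to_a, in_port=2, now=1.0, controller=ctl),  # miss, A known: flow B->A
        sw.handle_packet(a_to_b, in_port=1, now=2.0, controller=ctl),  # miss, B known: flow A->B
        sw.handle_packet(a_to_b, in_port=1, now=3.0, controller=ctl),  # hit: controller not involved
    ]
    expired = sw.expire_idle(now=20.0)  # both flows idle for more than 10 s: aged out
    return {
        "outs": outs,
        "packet_ins": sw.packet_ins,
        "forwarded_locally": sw.forwarded_locally,
        "expired": sorted(expired),
        "table_size": len(sw.table),
    }


if __name__ == "__main__":
    print(demo())
```

Only three of the four frames reach the controller; once both directions are installed the switch forwards on its own, and after the idle timeout the table is empty again. This is exactly the behaviour a Packet-In flood exploits: every spoofed source produces a table miss and a trip to the controller.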
Security issues of SDN.
Various attacks such as Man-in-the-Middle attacks, DoS attacks, DDoS attacks, illegal access, etc. are possible on SDN [5]. DDoS attacks are distributed denial of service attacks. They are among the most threatening problems for internet security today. The DDoS attacker relies on sending an overwhelming number of bogus packets to consume the resources of the servers, such as CPU, memory, and network bandwidth [6]. Because of this, requests from legitimate users cannot be processed. These attacks are very difficult to
In the last years, legacy networks have been regularly troubled by Distributed Denial of Service (DDoS) attacks, which has drawn the attention of researchers to this issue.
Being centrally organised, DDoS in SDN becomes a much larger problem than in legacy networks, as the loss of the single controller might simply disrupt management of the complete network [4].
Some of the attack points in SDN are shown in the following figure.
Attack points in SDN (Reference: Qiao Yan, F. Richard Yu)
The various kinds of DDoS attacks are as follows. Denial of Service attacks differ significantly, and there are thousands of different ways an attack can be carried out, but an attack will generally fall into one of three broad categories (Arbor Networks):
Volumetric Attacks: These attacks attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet. These attacks are simply about causing congestion. They include flooding attacks such as User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) floods.
TCP State-Exhaustion Attacks: State-exhaustion attacks attempt to consume the connection state tables present in many infrastructure components such as load balancers, firewalls and the application servers themselves. Even high-capacity devices capable of maintaining state on millions of connections can be taken down by these attacks. SYN flood, Ping of Death, and smurf attacks are the examples given of such attacks (strictly, only the SYN flood exhausts connection state; smurf is an ICMP amplification flood and Ping of Death a malformed-packet attack).
Application Layer Attacks: Application layer attacks target some aspect of an application or service at Layer 7. These are the most dangerous kind of attack, as they can be very effective with as few as one attacking machine generating a low traffic rate (this makes them very difficult to proactively detect and mitigate). Application layer attacks have come to prominence over the past three or four years, and simple application layer flood attacks (HTTP GET floods etc.) have been some of the most common denial of service attacks seen in the world.
With the increasing adoption of SDN technology, a growing body of work is addressing its security issues and investigating how they can be mitigated. A survey of these issues is provided in [4].
In this situation, Shin et al. [8] and Kandoi et al. [9] have examined the influence of DoS attacks on network performance and shown how such attacks may impact numerous parameters such as bandwidth, control plane latency, controller efficiency and switch tables. They do not deliver any solution to address these problems.
Another work presents a solution to protect SDN networks against DDoS attacks based on IP filtering techniques. The proposed scheme examines user behaviour and uses it to allocate the timeout for the flow entries: short timeouts are allocated to the flows of illegitimate users and long timeouts to those of legitimate users. This scheme forces entries for malicious traffic to be quickly removed from the switches' CAM tables. The solution deletes all malicious traffic, which is not good in the case of false positives.
The authors of SDN Guard present a novel scheme able to efficiently protect SDN networks against DoS attacks by rerouting malicious traffic, adjusting flow timeouts and aggregating flow rules. However, it does not give a solution to DDoS attacks. Moreover, detection is based on a pre-built IDS, and the accuracy of the IDS is doubtful.
Mousavi et al. proposed calculating the entropy of the events occurring in the network. Samples of the entropy of the traffic arriving at the controller are calculated, and a threshold for the traffic is decided. This threshold is used as the reference point for the traffic. If the entropy of the traffic arriving at the controller crosses the agreed threshold, an attack is declared. This technique gives a simple method for recognising volumetric traffic but is not suitable for detecting slow-rate or protocol-exploitation DDoS attacks.
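To make the entropy approach and its stated limitation concrete, the following is an added example (not the code of Mousavi et al. or of any controller): it takes the destination IP of every Packet-In, computes the normalised Shannon entropy per window of fifty events, and alerts after three consecutive low-entropy windows. The window size, the threshold and the three traffic traces are assumptions constructed for the illustration; the slow-rate trace shows why such an attack passes undetected.

```python
"""Added example: entropy-based Packet-In monitoring. The controller collects
the destination IP of every Packet-In; for each window of WINDOW events the
normalised Shannon entropy of that distribution is computed. A flood that
concentrates Packet-Ins on one victim drives the entropy down, and CONSECUTIVE
windows below THRESHOLD raise an alert. Window size, threshold and the three
traces are constructed for this illustration, not taken from real traffic."""
import math
from collections import Counter
from typing import List, Optional

WINDOW = 50          # Packet-In events per sample
THRESHOLD = 0.8      # assumed; in practice tuned from a benign baseline
CONSECUTIVE = 3      # consecutive low-entropy windows before alerting


def normalised_entropy(values: List[str]) -> float:
    """Shannon entropy divided by its maximum for the window (all values
    distinct), so the result lies in [0, 1] regardless of window size."""
    n = len(values)
    if n <= 1:
        return 0.0
    counts = Counter(values)
    if len(counts) == 1:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def window_entropies(dsts: List[str], window: int = WINDOW) -> List[float]:
    """Entropy of each complete, non-overlapping window of Packet-In destinations."""
    return [normalised_entropy(dsts[i:i + window])
            for i in range(0, len(dsts) - window + 1, window)]


def detect(dsts: List[str], threshold: float = THRESHOLD,
           consecutive: int = CONSECUTIVE) -> Optional[int]:
    """Index of the window at which the alert fires, or None if it never does."""
    low = 0
    for idx, h in enumerate(window_entropies(dsts)):
        low = low + 1 if h < threshold else 0
        if low >= consecutive:
            return idx
    return None


def constructed_traces() -> dict:
    """Three synthetic Packet-In destination sequences (constructed, not captured)."""
    # Benign: 200 Packet-Ins spread over 40 internal hosts.
    benign = [f"10.0.1.{i % 40 + 1}" for i in range(200)]
    # Volumetric flood: 250 Packet-Ins, 90 % of them aimed at a single victim.
    flood = ["10.0.0.1" if i % 10 else f"10.0.2.{i % 50 + 1}" for i in range(250)]
    # Slow-rate attack: one extra packet per window towards the victim.
    slow = ["10.0.0.1" if i % 50 == 0 else f"10.0.1.{i % 40 + 1}" for i in range(200)]
    return {"benign": benign, "flood": benign + flood, "slow": slow}


def run() -> dict:
    """Which window (if any) triggers the alert for each trace."""
    return {name: detect(dsts) for name, dsts in constructed_traces().items()}


if __name__ == "__main__":
    print(run())  # the slow-rate case is NOT detected: entropy barely moves
```

The flood is caught at the third low window after the benign prefix, while the slow-rate trace keeps its entropy near the benign value because one extra Packet-In per window hardly changes the distribution. That is the limitation the text notes: the detector measures concentration of Packet-Ins, not their rate or their protocol semantics.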
Dayal et al. [10] tried to classify the various possibilities of DDoS attacks in SDN environments with an attack tree and an attack model. They analysed the impact of various traditional DDoS attacks on SDN. The authors intend to find exact parameters for accurately identifying a DDoS attack in their future work.
In [26], the technique contains three modules: Flow Collector, Feature Extractor and Classifier. The Flow Collector module periodically requests the flow entries from all flow tables of the OpenFlow switches. The Feature Extractor module then receives the collected flows and extracts features that are important to DDoS attack detection. Finally, the Classifier module examines the features to decide whether they correspond to an attack or to normal traffic.
The authors of [105] have recommended using two different methods: one is a performance-model-based approach that uses OpenFlow-based SDN, and the other uses commercial off-the-shelf components, namely Juniper components, for controller communication. They work similarly except for the communication protocol and the service chaining mechanism. The use of a 'shark tank' allows the actual users to carry on with their service and, in case of a false positive, to be reclassified. A malicious user can easily be traced with such an approach.
In [27], the authors reduced flow data gathering by sampling and reduced the required communication between the OpenFlow switches and the controller by combining OpenFlow with the sampled flow (sFlow) protocol. The authors designed a global anomaly mitigation using OpenFlow, but they did not study the accuracy of
In [69], in addition to the OpenFlow devices, a monitoring plane is added to the proposal. A flow statistics collector module in the monitoring plane collects flow information from the OpenFlow switches and forwards it to a detection engine. The detection engine takes these flow statistics from the collector as input and generates security alerts when anomalous flows are identified. The framework also allows further security functions to be incorporated. Further, middleboxes are used in this framework to enforce security policies on the switches in order to mitigate attacks. This framework monitors and is capable of mitigating DDoS attacks from the data plane as well. It needs to be implemented as part of the network itself.
The authors of 'Enabling security functions with SDN' implement security in the Floodlight controller as inline-mode security functions, passive-mode security functions and network anomaly detection functions, in order to compare SDN with traditional networks. On the security side, more work remains to be done.
Kreutz et al. examined and identified some threat vectors that could enable the exploitation of SDN weaknesses. They briefly describe SDN security kernel work that is capable of safeguarding prioritized switch flow rules for
Finally, in [12] a technique is suggested to carefully eliminate entries from full flow tables. The proportion of Packet-Ins to Flow-Mods is monitored and, if the table is about to become full, entries are removed using a least-frequently-used scheme. However, this approach causes a potentially high load on the switches due to heavier use of OpenFlow's statistics features.
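The following added example models the least-frequently-used eviction just described; it is not the code of [12]. OpenFlow exposes a per-entry packet counter through flow statistics, and here the controller reads it (one stats round trip per eviction round) whenever table occupancy reaches a high-water mark and evicts the least-used entries down to a low-water mark. Only the eviction part is modelled, not the Packet-In/Flow-Mod ratio monitoring. The table size, water marks and workload (a few heavy legitimate flows plus a burst of one-packet spoofed flows) are constructed for the illustration, and the stats-query counter shows where the extra switch load comes from.

```python
"""Added example: flow-table eviction under table pressure using a
least-frequently-used (LFU) policy driven by OpenFlow flow-stats packet
counters. Capacity, water marks and the workload are constructed; this is
a model for illustration, not the cited work's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Match = Tuple[str, str]   # (src_ip, dst_ip)


@dataclass
class Entry:
    packets: int = 0      # mirrors the flow-stats packet_count of this entry


class FlowTable:
    def __init__(self, capacity: int, high: float = 0.9, low: float = 0.7):
        self.capacity = capacity
        self.high_mark = int(capacity * high)   # start evicting at this occupancy
        self.low_mark = int(capacity * low)     # evict down to this occupancy
        self.entries: Dict[Match, Entry] = {}
        self.packet_ins = 0        # table misses seen
        self.flow_mods = 0         # entries installed
        self.stats_queries = 0     # flow-stats requests needed for LFU decisions
        self.evicted: List[Match] = []

    def packet(self, match: Match) -> None:
        """Forward one packet: a hit bumps the counter, a miss installs an entry."""
        entry = self.entries.get(match)
        if entry is None:
            self.packet_ins += 1
            entry = self.install(match)
        entry.packets += 1

    def install(self, match: Match) -> Entry:
        if len(self.entries) >= self.high_mark:
            self.evict_lfu()
        entry = self.entries[match] = Entry()
        self.flow_mods += 1
        return entry

    def evict_lfu(self) -> None:
        """Read the counters (one stats request) and drop the least-used entries.
        sorted() is stable, so among equal counts the oldest entries go first."""
        self.stats_queries += 1
        by_use = sorted(self.entries, key=lambda m: self.entries[m].packets)
        for match in by_use[:len(self.entries) - self.low_mark]:
            del self.entries[match]
            self.evicted.append(match)


def demo() -> dict:
    """Five long-lived legitimate flows, then 300 one-packet spoofed flows."""
    ft = FlowTable(capacity=100)
    victim = "10.0.0.5"
    legit = [(f"192.168.1.{i}", victim) for i in range(1, 6)]
    for match in legit:              # 200 packets each
        for _ in range(200):
            ft.packet(match)
    for i in range(300):             # distinct spoofed sources, one packet each
        ft.packet((f"203.0.{i // 256}.{i % 256}", victim))
    return {
        "table_size": len(ft.entries),
        "legit_survived": all(m in ft.entries for m in legit),
        "evicted": len(ft.evicted),
        "stats_queries": ft.stats_queries,
        "packet_ins": ft.packet_ins,
    }


if __name__ == "__main__":
    print(demo())
```

The legitimate entries survive because their counters are high, while the spoofed one-packet entries are cycled out; the cost is one flow-stats request per eviction round (eleven here for three hundred attack flows), which on a real switch is the load the text warns about.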
In 2017 the authors proposed a statistical detection approach for DoS attacks. The technique detects and mitigates attacks against the data plane in a lightweight and dependable way. After identifying the attack, they propose to use an OpenFlow rule which drops further attack
Another work proposes FloodGuard, a method that attempts to anticipate the behaviour of the controller as well as of the applications and to set up rules in the switches proactively. These rules try to reduce the number of Packet-In messages and therefore prevent the attacker from being successful. However, this approach causes poor delays due to the buffering of packets.
The authors of [55] used Self-Organizing Maps, a neural network model, for the detection of DDoS attacks. This work presents SDN-centred DDoS attack detection based on six traffic flow features: Average of Packets per flow (APf), Average of Bytes per flow (ABf), Average of Duration per flow (ADf), Percentage of Pair-flows (PPf), Growth of Single-flows (GSf) and Growth of Different Ports (GDP). The features are collected by a flow collector module in a NOX-based network and delivered to the classifier module for detection of illegitimate flows.
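The Flow Collector / Feature Extractor / Classifier pipeline of [26] and the six features of [55] are the same shape of system, so one added example serves both passages. It is not the code of either work: it computes APf, ABf, ADf, PPf, GSf and GDP from flow entries as a controller would collect them via OpenFlow flow-stats, and a simple threshold rule stands in for the SOM classifier. The exact formulas (a pair-flow is a flow whose reverse direction appears in the same collection; growth is the change since the previous collection divided by the interval length), the collection interval, the thresholds and the flow records are this example's assumptions.

```python
"""Added example: Flow Collector -> Feature Extractor -> Classifier, computing
the six per-interval features APf, ABf, ADf, PPf, GSf, GDP from collected flow
entries. Formulas, interval, thresholds and flow records are assumptions made
for this illustration; the rule-based classify() stands in for the SOM."""
from dataclasses import dataclass
from typing import Dict, List, Optional

INTERVAL = 3.0   # seconds between flow-stats collections (assumed)


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    packets: int
    bytes: int
    duration: float   # seconds since the entry was installed


class FeatureExtractor:
    """Keeps the previous collection's counts so the two growth features can be derived."""

    def __init__(self, interval: float = INTERVAL):
        self.interval = interval
        self.prev_singles: Optional[int] = None
        self.prev_ports: Optional[int] = None

    def extract(self, flows: List[Flow]) -> Dict[str, float]:
        n = len(flows)
        keys = {(f.src, f.dst, f.sport, f.dport) for f in flows}
        # A flow is "paired" if its reverse direction was collected as well.
        paired = sum(1 for f in flows if (f.dst, f.src, f.dport, f.sport) in keys)
        singles = n - paired
        ports = len({f.dport for f in flows})
        # First collection has no predecessor: growth is defined as zero.
        prev_singles = singles if self.prev_singles is None else self.prev_singles
        prev_ports = ports if self.prev_ports is None else self.prev_ports
        self.prev_singles, self.prev_ports = singles, ports
        return {
            "APf": sum(f.packets for f in flows) / n,
            "ABf": sum(f.bytes for f in flows) / n,
            "ADf": sum(f.duration for f in flows) / n,
            "PPf": paired / n,
            "GSf": (singles - prev_singles) / self.interval,
            "GDP": (ports - prev_ports) / self.interval,
        }


def classify(feats: Dict[str, float]) -> str:
    """Stand-in for the SOM: spoofed floods show few pair-flows, tiny flows and a
    jump in single flows. Thresholds are assumed, not taken from the cited work."""
    if feats["PPf"] < 0.5 and feats["APf"] < 5 and feats["GSf"] > 0:
        return "attack"
    return "normal"


def benign_interval() -> List[Flow]:
    """Constructed: ten clients talking to a web server, both directions present."""
    flows = []
    for i in range(1, 11):
        client, server = f"10.0.1.{i}", "10.0.0.80"
        flows.append(Flow(client, server, 40000 + i, 80, 20, 15000, 2.5))
        flows.append(Flow(server, client, 80, 40000 + i, 25, 30000, 2.5))
    return flows


def attack_interval() -> List[Flow]:
    """Constructed: the benign traffic plus 200 one-packet spoofed flows, each on a
    new destination port, with no reverse direction."""
    flows = benign_interval()
    for i in range(200):
        flows.append(Flow(f"203.0.113.{i % 256}", "10.0.0.80", 1000 + i, 1000 + i, 1, 60, 0.1))
    return flows


def run() -> dict:
    """Two consecutive collections: benign, then benign plus flood."""
    fx = FeatureExtractor()
    first = fx.extract(benign_interval())
    second = fx.extract(attack_interval())
    return {
        "benign": classify(first), "attack": classify(second),
        "benign_PPf": first["PPf"], "attack_PPf": round(second["PPf"], 3),
        "attack_GSf": round(second["GSf"], 2), "attack_GDP": round(second["GDP"], 2),
    }


if __name__ == "__main__":
    print(run())
```

The benign collection has every flow paired (PPf = 1.0) and zero growth, while the flood drops PPf to about 0.09 and pushes both growth features to roughly 67 per second. Note that GSf and GDP depend on the previous collection, so the extractor must be stateful and the interval length fixed.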
The AntiDDoS paper proposes an AntiDDoS mechanism consisting of four modules: attack detection trigger, attack detection, attack traceback and attack mitigation. The proposed mechanism is evaluated on an SDN testbed.
The authors of FloodDefender propose an efficient and protocol-independent defence framework for SDN/OpenFlow networks to mitigate DoS attacks. It stands between the controller platform and the other controller apps, and can protect both data plane and control plane resources by leveraging three new techniques: table-miss engineering to prevent the communication bandwidth from being exhausted; a packet filter to identify attack traffic and save the computational resources of the control plane; and flow rule management to eliminate most of the useless flow entries in the switch flow table.