Analyzing the Vulnerabilities Introduced by DDoS Mitigation Techniques for Software-Defined Networks

  • Conference paper
National Cyber Summit (NCS) Research Track (NCS 2019)

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 1055)

Abstract

Software-defined networking (SDN) facilitates better network management by decoupling the control and data planes of legacy routers and switches, and it is widely adopted in data center and production networks. This decoupling enables more effective network management and the deployment of elaborate security mechanisms, but it also introduces new vulnerabilities that distributed denial of service (DDoS) attacks can exploit. In this paper, we identify several protocol vulnerabilities and resource limitations that DDoS attacks exploit. We also analyze the vulnerabilities introduced by several DDoS mitigation techniques, discuss attacks that exploit them, and quantify their impact on network performance using experiments on a 5-node testbed. We show an approach to mitigate such vulnerabilities while minimizing the introduction of new exploitable vulnerabilities.
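As an added illustration (not the paper's code, testbed or results, none of which are reproduced on this page), the toy model below shows the two resource limits that a reactive OpenFlow-style deployment exposes and that the abstract alludes to: a bounded switch flow table and a bounded controller packet-in capacity. It then shows how one coarse mitigation, a per-destination wildcard drop rule, relieves both limits while handing the attacker a cheaper denial-of-service primitive against the protected destination. Every size, threshold, address and policy in it is a hypothetical assumption chosen for the demonstration, and the traffic is constructed rather than captured.

```python
"""Toy model of a reactive OpenFlow-style switch and controller.

Added illustration only. Table size, controller budget, threshold and the
coarse per-destination mitigation are hypothetical values, not the paper's
techniques or measurements. The model shows (1) flow-table exhaustion,
(2) controller packet-in saturation, and (3) a mitigation that an attacker
can trigger on purpose to cut legitimate clients off from a destination.
"""
from collections import OrderedDict

VICTIM, OTHER = "10.0.0.5", "10.0.0.6"          # hypothetical server addresses


class Controller:
    """Reactive controller answering packet-in events.

    budget    : hypothetical number of packet-ins it can serve per run; past
                it the controller is saturated and stops answering.
    mitigate  : if True, install a wildcard drop for any destination that
                attracts more than `threshold` new flows (coarse rule).
    """
    def __init__(self, budget, mitigate=False, threshold=50):
        self.budget, self.mitigate, self.threshold = budget, mitigate, threshold
        self.handled = 0
        self.new_flows_per_dst = {}

    def decide(self, switch, flow):
        if self.handled >= self.budget:
            return None                      # control-plane saturation
        self.handled += 1
        dst = flow[1]
        n = self.new_flows_per_dst[dst] = self.new_flows_per_dst.get(dst, 0) + 1
        if self.mitigate and n > self.threshold:
            # Coarse mitigation: one wildcard rule drops everything to dst.
            # It stops table and controller pressure, but legitimate clients
            # of dst are dropped too, so `threshold + 1` spoofed flows are
            # enough to black-hole dst: the mitigation is itself a DoS lever.
            switch.wildcard_drops.add(dst)
            return "drop"
        return "forward"


class Switch:
    """Switch with a fixed-size exact-match flow table. No idle-timeout
    eviction is modelled; a flood that stays above the timeout rate has the
    same effect on a real switch."""
    def __init__(self, table_size):
        self.table_size = table_size
        self.flows = OrderedDict()           # (src, dst, sport) -> action
        self.wildcard_drops = set()          # destinations with a drop rule
        self.packet_in = 0

    def handle(self, flow, controller):
        if flow[1] in self.wildcard_drops:
            return "drop"                    # wildcard rules match first
        if flow in self.flows:
            return self.flows[flow]          # table hit: no controller round trip
        self.packet_in += 1
        action = controller.decide(self, flow)
        if action is None:
            return "controller_saturated"
        if action == "drop":
            return "drop"
        if len(self.flows) >= self.table_size:
            return "table_full"              # entry cannot be installed, packet lost
        self.flows[flow] = action
        return action


def make_traffic(attack_per_legit):
    """Constructed traffic (not captured data): 20 legitimate packets from 10
    clients forming 10 distinct flows (each seen twice, half to VICTIM and
    half to OTHER), with `attack_per_legit` spoofed single-packet flows aimed
    at VICTIM inserted before each legitimate packet."""
    traffic, k = [], 0
    for i in range(20):
        for _ in range(attack_per_legit):
            traffic.append((f"203.0.113.{k % 254}", VICTIM, 1024 + k, "attack"))
            k += 1
        dst = VICTIM if i % 2 == 0 else OTHER
        traffic.append((f"192.0.2.{i % 10}", dst, 40000, "legit"))
    return traffic


def run(traffic, table_size=100, budget=150, mitigate=False, threshold=50):
    """Replay `traffic` through one switch/controller pair and report what
    happened to legitimate and attack packets plus the resource usage."""
    sw, ctl = Switch(table_size), Controller(budget, mitigate, threshold)
    stats = {"legit_forwarded": 0, "legit_lost": 0, "attack_forwarded": 0}
    for src, dst, sport, kind in traffic:
        result = sw.handle((src, dst, sport), ctl)
        if kind == "legit":
            stats["legit_forwarded" if result == "forward" else "legit_lost"] += 1
        elif result == "forward":
            stats["attack_forwarded"] += 1
    stats["packet_in"] = sw.packet_in
    stats["table_entries"] = len(sw.flows)
    return stats


if __name__ == "__main__":
    print("no attack               ", run(make_traffic(0)))
    print("flood, no mitigation    ", run(make_traffic(10)))
    print("flood, coarse mitigation", run(make_traffic(10), mitigate=True))
```

In the flood without mitigation the table fills and the controller saturates, so legitimate flows that were not already installed are lost and the switch keeps raising packet-ins for every spoofed flow. With the coarse rule, packet-ins and table occupancy drop sharply, but every legitimate client of the victim is now dropped by a rule the attacker triggered with a handful of spoofed flows. The practitioner's check this suggests is the one the abstract frames: evaluate a mitigation on what an attacker can make it do to legitimate traffic, not only on the load it removes.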


Acknowledgment

This research is partially supported by grant H98230-18-1-0335 from the National Security Agency, U.S.A. The claims and opinions expressed in this document are solely those of the authors and do not represent those of the U.S. government.

Author information

Corresponding author

Correspondence to Rajendra V. Boppana.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Boppana, R.V., Chaganti, R., Vedula, V. (2020). Analyzing the Vulnerabilities Introduced by DDoS Mitigation Techniques for Software-Defined Networks. In: Choo, KK., Morris, T., Peterson, G. (eds) National Cyber Summit (NCS) Research Track. NCS 2019. Advances in Intelligent Systems and Computing, vol 1055. Springer, Cham. https://doi.org/10.1007/978-3-030-31239-8_14
