TY - GEN
T1 - SDNShield
T2 - 2016 IEEE Conference on Communications and Network Security, CNS 2016
AU - Chen, Kuan Yin
AU - Junuthula, Anudeep Reddy
AU - Siddhrau, Ishant Kumar
AU - Xu, Yang
AU - Chao, H. Jonathan
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2017/2/21
Y1 - 2017/2/21
N2 - While the software-defined networking (SDN) paradigm is gaining much popularity, current SDN infrastructure has potential bottlenecks in the control plane, hindering the network's capability of handling on-demand, fine-grained, flow-level visibility and controllability. Adversaries can exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks against the SDN infrastructure. Recently proposed solutions either scale up the SDN control plane or filter out forged traffic, but not both. We propose SDNShield, a combined solution towards a more comprehensive defense against DDoS attacks on the SDN control plane. SDNShield deploys specialized software boxes to improve the scalability of ingress SDN switches to accommodate control plane workload surges. It further incorporates a two-stage filtering scheme to protect the centralized controller. The first stage statistically distinguishes legitimate flows from forged ones, and the second stage recovers the false positives of the first stage with in-depth TCP handshake verification. Prototype tests and dataset-driven evaluation results show that SDNShield maintains higher resilience than existing solutions under varying attack intensity.
KW - distributed denial-of-service (DDoS)
KW - scalability
KW - security
KW - software-defined network (SDN)
UR - http://www.scopus.com/inward/record.url?scp=85016057290&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85016057290&partnerID=8YFLogxK
U2 - 10.1109/CNS.2016.7860467
DO - 10.1109/CNS.2016.7860467
M3 - Conference contribution
AN - SCOPUS:85016057290
T3 - 2016 IEEE Conference on Communications and Network Security, CNS 2016
SP - 28
EP - 36
BT - 2016 IEEE Conference on Communications and Network Security, CNS 2016
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 17 October 2016 through 19 October 2016
ER -