SDNShield: Towards more comprehensive defense against DDoS attacks on SDN control plane

Kuan Yin Chen, Anudeep Reddy Junuthula, Ishant Kumar Siddhrau, Yang Xu, H. Jonathan Chao

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

While the software-defined networking (SDN) paradigm is gaining much popularity, current SDN infrastructure has potential bottlenecks in the control plane, hindering the network's capability of handling on-demand, fine-grained flow-level visibility and controllability. Adversaries can exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks against the SDN infrastructure. Recently proposed solutions either scale up the SDN control plane or filter out forged traffic, but not both. We propose SDNShield, a combined solution towards more comprehensive defense against DDoS attacks on the SDN control plane. SDNShield deploys specialized software boxes to improve the scalability of ingress SDN switches to accommodate control plane workload surges. It further incorporates a two-stage filtering scheme to protect the centralized controller. The first stage statistically distinguishes legitimate flows from forged ones, and the second stage recovers the false positives of the first stage with in-depth TCP handshake verification. Prototype tests and dataset-driven evaluation results show that SDNShield maintains higher resilience than existing solutions under varying attack intensity.

Original language: English (US)
Title of host publication: 2016 IEEE Conference on Communications and Network Security, CNS 2016
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 28-36
Number of pages: 9
ISBN (Electronic): 9781509030651
State: Published - Feb 21 2017
Event: 2016 IEEE Conference on Communications and Network Security, CNS 2016 - Philadelphia, United States
Duration: Oct 17 2016 to Oct 19 2016

Publication series

Name: 2016 IEEE Conference on Communications and Network Security, CNS 2016

Other

Other: 2016 IEEE Conference on Communications and Network Security, CNS 2016
Country: United States
City: Philadelphia
Period: 10/17/16 to 10/19/16

Keywords

  • distributed denial-of-service (DDoS)
  • scalability
  • security
  • software-defined network (SDN)

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality

Cite this

Chen, K. Y., Junuthula, A. R., Siddhrau, I. K., Xu, Y., & Chao, H. J. (2017). SDNShield: Towards more comprehensive defense against DDoS attacks on SDN control plane. In 2016 IEEE Conference on Communications and Network Security, CNS 2016 (pp. 28-36). [7860467] (2016 IEEE Conference on Communications and Network Security, CNS 2016). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/CNS.2016.7860467