Wireless Networks | 2019

Lightweight solutions to counter DDoS attacks in software defined networking

Abstract


A distributed denial of service (DDoS) attack on any of the major components (e.g., controller, switches, and southbound channel) of a software defined networking (SDN) architecture is a critical security threat. For example, the breakdown of the controller could disrupt data communication in the whole SDN network. A possible way to perform DoS is to generate a large number of new, but short-length traffic flows. These flows trigger malicious flooding requests that overload the controller and cause overflow in the flow tables at SDN switches. In this paper, we propose two lightweight and practically feasible countermeasures against two different types of DDoS attacks, called Route Spoofing and Resource Exhaustion, in SDN networks. For the Route Spoofing attack, we introduce a technique called “selective blocking”, which stops an adversary node from maliciously using other users' active communication routes. To counter the Resource Exhaustion attack, we propose a solution called “periodic monitoring”, which detects adversary nodes based on the traffic analysis statistics that are gathered within a time window. We implement the attacks and their proposed countermeasures and analyze the results. When our proposed countermeasures are used in the target SDN scenarios, the simulation results indicate an adequate reduction in bandwidth consumption and in the processing delay of new requests, and they also show a substantial gain in packet delivery rate. Additionally, we present the receiver operating characteristic curve, which shows the sensitivity and specificity of our countermeasures along with their detection accuracy.

Volume 25
Pages 2751-2768
DOI 10.1007/S11276-019-01991-Y
Language English
Journal Wireless Networks
