Abstract
Software-defined network (SDN) architecture is characterized by the separation of the data plane from the control plane, which makes the network programmable. Despite the many benefits of this architecture, the security of an SDN network remains an important concern. In particular, Denial of Service (DoS) attacks challenge SDN architectures in several ways. Solutions that act on the control plane require continuous communication with the data plane, which adds processing delay and therefore lengthens the time needed to detect an attack. Solutions that work in the data plane avoid this delay, but they are restricted to a limited set of traffic-analysis functionality, which narrows the scope of the security solutions that can be built there. This paper proposes a data plane architecture that allows more sophisticated solutions to be implemented directly in the data plane. The proposed architecture consists of a component that runs alongside the P4 switch and gives the switch the flexibility to handle more complex operations. The architecture also supports the OpenFlow protocol, ensuring compatibility with currently deployed controllers. We compared two DoS attack detection techniques (chi-square and entropy) when applied in the control plane and in the data plane. Experimental results show that the two planes yield similar detection accuracy, but the data plane needs fewer packets to detect the attack, on average 45% fewer than the control plane.
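The two detection techniques the abstract compares work on a per-window statistic of a packet header field: Shannon entropy of the field's empirical distribution, and a Pearson chi-square deviation of the window from an attack-free baseline. The following Python is an added illustration of both over constructed sample traffic; it is not the paper's code, not P4, and makes no claim about the paper's \(\delta\) and \(T_{w_{i}}\) definitions. The window size, the thresholds, the add-one smoothing of the baseline and the sample addresses are all assumptions chosen for the example.

```python
"""Entropy- and chi-square-based DoS detection over fixed packet windows.

Added illustration, not the paper's code: window size, thresholds and the
baseline-smoothing choice are assumptions made here for the example.
"""
from collections import Counter
from math import log2

# --- Constructed sample traffic (not a capture from the paper) -------------
CLIENTS = [f"10.0.1.{i}" for i in range(1, 9)]   # 8 legitimate clients
SERVERS = [f"10.0.0.{i}" for i in range(1, 5)]   # 4 servers


def normal_traffic(n):
    """Round-robin client/server pairs: near-uniform over both IP fields."""
    return [(CLIENTS[i % len(CLIENTS)], SERVERS[i % len(SERVERS)])
            for i in range(n)]


def spoofed_flood(n, victim="10.0.0.1"):
    """A spoofed flood: every packet has a fresh source, all aimed at one host."""
    return [(f"203.0.113.{i % 254 + 1}", victim) for i in range(n)]


# --- Statistics -------------------------------------------------------------
def shannon_entropy(counts):
    """Shannon entropy (bits) of the empirical distribution in `counts`."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * log2(c / total) for c in counts.values() if c)


def baseline_distribution(values):
    """Smoothed probability of each value seen in attack-free traffic.

    Add-one smoothing gives unseen values a small but non-zero expected
    count in an '<other>' bin, so a window full of new values is scored as
    a large deviation instead of dividing by zero.
    """
    counts = Counter(values)
    total = sum(counts.values()) + len(counts) + 1
    dist = {v: (c + 1) / total for v, c in counts.items()}
    dist["<other>"] = 1 / total
    return dist


def chi_square(observed, baseline):
    """Pearson chi-square of a window against the baseline distribution."""
    n = sum(observed.values())
    binned = Counter()
    for v, c in observed.items():
        binned[v if v in baseline else "<other>"] += c
    return sum((binned.get(v, 0) - p * n) ** 2 / (p * n)
               for v, p in baseline.items())


# --- Detector ---------------------------------------------------------------
def detect(packets, baseline_dst, window=64,
           h_src_max=4.5, h_dst_min=1.0, chi_max=50.0):
    """Score each full window; return (packets seen at first alarm, stats).

    The comparison direction depends on the field: a spoofed flood raises
    source-IP entropy (many fresh sources) and lowers destination-IP entropy
    (traffic concentrates on the victim), so source entropy is checked
    against an upper threshold and destination entropy against a lower one.
    The threshold values themselves are assumptions for this example.
    """
    stats, first_alarm = [], None
    for k in range(len(packets) // window):
        chunk = packets[k * window:(k + 1) * window]
        src = Counter(s for s, _ in chunk)
        dst = Counter(d for _, d in chunk)
        h_src, h_dst = shannon_entropy(src), shannon_entropy(dst)
        x2 = chi_square(dst, baseline_dst)
        alarm = h_src > h_src_max or h_dst < h_dst_min or x2 > chi_max
        stats.append({"window": k, "h_src": h_src, "h_dst": h_dst,
                      "chi2_dst": x2, "alarm": alarm})
        if alarm and first_alarm is None:
            first_alarm = (k + 1) * window   # packets consumed before alarm
    return first_alarm, stats


def run_demo(window=64):
    """Train on attack-free traffic, then score normal traffic followed by a flood."""
    baseline = baseline_distribution(d for _, d in normal_traffic(256))
    traffic = normal_traffic(256) + spoofed_flood(256)
    return detect(traffic, baseline, window=window)


if __name__ == "__main__":
    seen, stats = run_demo()
    for s in stats:
        print(f"window {s['window']}: H(src)={s['h_src']:.2f} "
              f"H(dst)={s['h_dst']:.2f} chi2(dst)={s['chi2_dst']:.1f} "
              f"alarm={s['alarm']}")
    print("first alarm after", seen, "packets")
```

With these constructed inputs the four attack-free windows score H(src) = 3 bits, H(dst) = 2 bits and a chi-square near zero, while every flood window scores H(src) = 6, H(dst) = 0 and a chi-square in the hundreds, so the first alarm fires after 320 packets (four clean windows plus one flood window). The "packets consumed before alarm" figure is the quantity the abstract compares between planes: in a controller-side design it also includes every packet the switch must first forward or sample to the controller, which is why a data-plane implementation can fire on fewer packets for the same statistic.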
Notes
- 1.
The relationship between \(\delta \) and \(T_{w_{i}}\) depends on the field being analyzed. For example, if the field is the source IP, use \(\delta > T_{w_{i}}\); if the field is the destination IP, use \(\delta < T_{w_{i}}\).
Acknowledgements
This work is partially supported by the MCTIC/RNP/CTIC (Brazil) through the project P4Sec.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Carvalho, R.N., Costa, L.R., Bordim, J.L., Alchieri, E.A.P. (2020). New Programmable Data Plane Architecture Based on P4 OpenFlow Agent. In: Barolli, L., Amato, F., Moscato, F., Enokido, T., Takizawa, M. (eds) Advanced Information Networking and Applications. AINA 2020. Advances in Intelligent Systems and Computing, vol 1151. Springer, Cham. https://doi.org/10.1007/978-3-030-44041-1_115
DOI: https://doi.org/10.1007/978-3-030-44041-1_115
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-44040-4
Online ISBN: 978-3-030-44041-1
eBook Packages: Intelligent Technologies and Robotics (R0)