
A comprehensive survey on SDN security: threats, mitigations, and future directions

  • Review
Journal of Reliable Intelligent Environments

Abstract

Security threats to Software-Defined Network (SDN) architectures are similar to those facing traditional networks. However, the profile of these threats changes with SDN. For example, a denial-of-service attack on a centralized controller that manages a large network of several network devices (routers, switches, etc.) is more destructive than a targeted attack against a single router. A spoofed SDN controller could allow a hacker to control an entire network, while a spoofed router could only disrupt the traffic routed through that router. SDN therefore faces new security challenges, especially in securing the SDN architecture itself. Security has to be ensured at every level of the three-layer architecture and its programming interfaces, which poses several challenges. These security challenges are expected to grow as SDN is progressively deployed. This paper aims to provide a comprehensive review of the state of the art, accompanied by a taxonomy of the research literature that highlights each proposal's main characteristics and contributions to the different SDN layers. Based on the analysis of existing work, we also highlight key research gaps that could support future research in this area.


References

  1. Abdullaziz OI, Wang L (2019) Mitigating DoS Attacks against SDN controller using information hiding. In: 2019 IEEE Wireless Communications and Networking Conference (WCNC). pp 1–6.https://doi.org/10.1109/WCNC.2019.8885764

  2. Agborubere B, Sanchez-Velazquez E (2017) OpenFlow communications and TLS security in software-defined networks. In: 2017 IEEE International Conference on Internet of Things (IThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). pp 560–566. https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData.2017.88

  3. Ahmad I, Namal S, Ylianttila M, Gurtov A (2015) Security in software defined networks: a survey. IEEE Commun Surv Tutor 17(4):2317–2346. https://doi.org/10.1109/COMST.2015.2474118

    Article  Google Scholar 

  4. Ahmed ME, Kim H (2017) DDoS attack mitigation in internet of things using software defined networking. In: 2017 IEEE Third International Conference on Big Data Computing Service and Applications (BigDataService). pp 271–276.https://doi.org/10.1109/BigDataService.2017.41

  5. Aizuddin AA, Atan M, Norulazmi M, Noor MM, Akimi S and Abidin Z (2017) DNS Amplification attack detection and mitigation via sflow with security-centric SDN. In: Proceedings of the 11th International Conference on Ubiquitous Information Management and Communication. https://doi.org/10.1145/3022227.3022230

  6. Al-Haj S, Tolone WJ (2017) FlowTable pipeline misconfigurations in Software Defined Networks. In: 2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). pp 247–252.https://doi.org/10.1109/INFCOMW.2017.8116384

  7. Al-Shaer E, Al-Haj S (2010) FlowChecker: configuration analysis and verification of federated openflow infrastructures. In: Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration, pp 37–44. https://doi.org/10.1145/1866898.1866905

  8. Alasadi E, Al-Raweshidy HS (2018) SSED: servers under software-defined network architectures to eliminate discovery messages. IEEE/ACM Trans Netw 26(1):104–117. https://doi.org/10.1109/TNET.2017.2763131

    Article  Google Scholar 

  9. Alcorn JA, Chow CE (2014) A framework for large-scale modeling and simulation of attacks on an OpenFlow network. In: 2014 23rd International Conference on Computer Communication and Networks (ICCCN). pp 1–6. https://doi.org/10.1109/ICCCN.2014.6911848

  10. Allouzi M, Khan J (2018) SafeFlow: authentication protocol for software defined networks. In: 2018 IEEE 12th International Conference on Semantic Computing (ICSC). pp 374–376. https://doi.org/10.1109/ICSC.2018.00076

  11. Alparslan O, Gunes O, Hanay YS, Arakawa S, Murata M (2017) Improving resiliency against DDoS attacks by SDN and multipath orchestration of VNF services. In: 2017 IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN). pp 1–3.https://doi.org/10.1109/LANMAN.2017.7972158

  12. Ambrosin M, Conti M, Gaspari FD, Poovendran R (2017) LineSwitch: tackling control plane saturation attacks in software-defined networking. IEEE/ACM Trans Netw 25(2):1206–1219. https://doi.org/10.1109/TNET.2016.2626287

    Article  Google Scholar 

  13. Aseeri A, Netjinda N, Hewett R (2017) Alleviating eavesdropping attacks in software-defined networking data plane. In: Proceedings of the 12th Annual Conference on Cyber and Information Security Research. https://doi.org/10.1145/3064814.3064832

  14. De Assis MVO, Hamamoto AH, Abrão T, Proença ML (2017) A game theoretical based system using holt-winters and genetic algorithm with fuzzy logic for DoS/DDoS mitigation on SDN networks. IEEE Access 5:9485–9496. https://doi.org/10.1109/ACCESS.2017.2702341

    Article  Google Scholar 

  15. Bailey J, Budgen D, Turner M, Kitchenham B, Brereton P, Linkman S (2007) Evidence relating to object-oriented software design: a survey. In: First international symposium on empirical software engineering and measurement (ESEM 2007). pp 482–484. https://doi.org/10.1109/ESEM.2007.58

  16. Banse C, Schuette J (2017) A taxonomy-based approach for security in software-defined networking. In: 2017 IEEE International Conference on Communications (ICC). pp 1–6. https://doi.org/10.1109/ICC.2017.7997245

  17. Bauer R, Dittebrandt A, Zitterbart M (2019) GCMI: a generic approach for SDN control message interception. In: 2019 IEEE Conference on Network Softwarization (NetSoft). pp 360–368. https://doi.org/10.1109/NETSOFT.2019.8806661

  18. Bera S, Misra S, Vasilakos AV (2017) Software-defined networking for internet of things: a survey. IEEE Internet Things J 4(6):1994–2008. https://doi.org/10.1109/JIOT.2017.2746186

    Article  Google Scholar 

  19. Braga R, Mota E, Passito A (2010) Lightweight DDoS flooding attack detection using NOX/OpenFlow. IEEE Local Comput Netw Conf. https://doi.org/10.1109/LCN.2010.5735752

    Article  Google Scholar 

  20. Brooks M, Yang B (2015) A man-in-the-middle attack against opendaylight SDN controller. In: Proceedings of the 4th Annual ACM Conference on Research in Information Technology. pp 45–49. https://doi.org/10.1145/2808062.2808073

  21. Schlesinger C, Story A, Gutz S, Foster N and W D (2012). Splendid isolation: Language-based security for softwaredefined networks. In: Proceedings of the First Workshop on Hot Topics in Software Defined Networks. ACM pp 79–84

  22. Carvalho RN, Bordim JL, Alchieri EAP (2019) Entropy-based DoS attack identification in SDN. In: 2019 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW). pp 627–634.https://doi.org/10.1109/IPDPSW.2019.00108

  23. Chang S, Park Y, Babu BBA (2019) Fast IP hopping randomization to secure hop-by-hop access in SDN. IEEE Trans Netw Serv Manage 16(1):308–320. https://doi.org/10.1109/TNSM.2018.2889842

    Article  Google Scholar 

  24. Chen M-H, Ciou J-Y, Chung I-H, Chou C-F (2018) FlexProtect: a SDN-based DDoS attack protection architecture for multi-tenant data centers. Proc Int Conf High Perform Comput Asia-Pacific Region. https://doi.org/10.1145/3149457.3149476

    Article  Google Scholar 

  25. Chica JCC, Imbachi JC, Vega JFB (2020) Security in SDN: a comprehensive survey. J Netw Comput Appl 159:102595

    Article  Google Scholar 

  26. Chi P-W, Kuo C-T, Guo J-W, Lei C-L (2015) How to detect a compromised SDN switch. In: Proceedings of the 2015 1st IEEE Conference on Network Softwarization (NetSoft). pp 1–6. https://doi.org/10.1109/NETSOFT.2015.7116184

  27. Chin T, Mountrouidou X, Li X, Xiong K (2015). Selective packet inspection to detect DoS flooding using software defined networking (SDN). In: 2015 IEEE 35th International Conference on Distributed Computing Systems Workshops. pp 95–99. https://doi.org/10.1109/ICDCSW.2015.27

  28. Chowdhary A, Alshamrani A, Huang D, Liang H (2018). MTD analysis and evaluation framework in software defined network (MASON). In: Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. pp 43–48. https://doi.org/10.1145/3180465.3180473

  29. Chowdhary A, Huang D, Ahn G-J, Kang M, Kim A, Velazquez A (2019) SDNSOC: object oriented SDN framework. In: Proceedings of the ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization. pp 7–12. https://doi.org/10.1145/3309194.3309196

  30. Chung C, Member S, Khatkar P, Xing T (2013) NICE : network intrusion detection and countermeasure. IEEE Trans Depend Secure Comput 10(4):1–14. http://dblp.uni-trier.de/db/journals/tdsc/tdsc10.html#ChungKXLH13

  31. Conti M, Gaspari FD, Mancini LV (2020) A novel stealthy attack to gather SDN configuration-information. IEEE Trans Emerg Top Comput 8(2):328–340. https://doi.org/10.1109/TETC.2018.2806977

    Article  Google Scholar 

  32. Controller T (2013) Trema controller. Full-Stack OpenFlow Framework in Ruby and C. Retrieved September 12, 2020, from https://trema.github.io/trema/

  33. Cui H, Chen Z, Yu L, Xie K, Xia Z (2017) Authentication mechanism for network applications in SDN environments. In: 2017 20th International Symposium on Wireless Personal Multimedia Communications (WPMC). pp 1–5. https://doi.org/10.1109/WPMC.2017.8301788

  34. Cui Y, Yan L, Li S, Xing H, Pan W, Zhu J, Zheng X (2016) SD-Anti-DDoS: fast and efficient DDoS defense in software-defined networks. J Netw Comput Appl 68:65–79. https://doi.org/10.1016/j.jnca.2016.04.005

    Article  Google Scholar 

  35. Cziva R, Jouët S, Stapleton D, Tso FP, Pezaros DP (2016) SDN-based virtual machine management for cloud data centers. IEEE Trans Netw Serv Manage 13(2):212–225

    Article  Google Scholar 

  36. D’Orsaneo J, Tummala M, McEachen J, Martin B (2018) Analysis of traffic signals on an SDN for detection and classification of a man-in-the-middle attack. In: 2018 12th International Conference on Signal Processing and Communication Systems (ICSPCS). pp 1–9. https://doi.org/10.1109/ICSPCS.2018.8631762

  37. Dargahi T, Caponi A, Ambrosin M, Bianchi G, Conti M (2017) A Survey on the Security of Stateful SDN Data Planes. IEEE Commun Surv Tutor. https://doi.org/10.1109/COMST.2017.2689819

    Article  Google Scholar 

  38. da Silva AS, Smith P, Mauthe A, Schaeffer-Filho A (2015) Resilience support in software-defined networking: a survey. Comput Netw 92:189–207

    Article  Google Scholar 

  39. Dridi L, Zhani MF (2016) SDN-Guard: DoS attacks mitigation in SDN networks. In: 2016 5th IEEE International Conference on Cloud Networking (Cloudnet). pp 212–217. https://doi.org/10.1109/CloudNet.2016.9

  40. Erickson D (2013) The beacon openflow controller. In: Proceedings of the second ACM SIGCOMM workshop on hot topics in software defined networking, August 2013, pp 13–18

  41. Feghali A, Kilany R, Chamoun M (2015) SDN security problems and solutions analysis. In: 2015 International Conference on Protocol Engineering (ICPE) and International Conference on New Technologies of Distributed Systems (NTDS). pp 1–5. https://doi.org/10.1109/NOTERE.2015.7293514

  42. Fernandez MP (2013) Comparing OpenFlow controller paradigms scalability: reactive and proactive. In: 2013 IEEE 27th International Conference on Advanced Information Networking and Applications (AINA). pp 1009–1016. https://doi.org/10.1109/AINA.2013.113

  43. Fichera S, Galluccio L, Grancagnolo SC, Morabito G, Palazzo S (2015) OPERETTA: an openflow-based remedy to mitigate TCP SYNFLOOD attacks against web servers. Comput Netw 92:89–100. https://doi.org/10.1016/j.comnet.2015.08.038

    Article  Google Scholar 

  44. Fielding RT, Taylor RN (2000) Architectural styles and the design of network-based software architectures, vol 7. University of California, Irvine

    Google Scholar 

  45. Floodlight (2013) Floodlight OpenFlow controller. Available from http://www.projectfloodlight.org/floodlight

  46. Foerster K, Ludwig A, Marcinkowski J, Schmid S (2018) Loop-free route updates for software-defined networks. IEEE/ACM Trans Netw 26(1):328–341. https://doi.org/10.1109/TNET.2017.2778426

    Article  Google Scholar 

  47. François J, Dolberg L, Festor O, Engel T (2014) Network security through software defined networking: a survey. Proc Conf Principles Syst Appl IP Telecommun. https://doi.org/10.1145/2670386.2670390

    Article  Google Scholar 

  48. Freire L, Neves M, Leal L, Levchenko K, Schaeffer-Filho A, Barcellos M (2018) Uncovering bugs in P4 programs with assertion-based verification. Proc Sympos SDN Res. https://doi.org/10.1145/3185467.3185499

    Article  Google Scholar 

  49. Gao S, Li Z, Xiao B, Wei G (2018) Security threats in the data plane of software-defined networks. IEEE Network 32(4):108–113. https://doi.org/10.1109/MNET.2018.1700283

    Article  Google Scholar 

  50. Gao S, Li Z, Yao Y, Xiao B, Guo S, Yang Y (2018) Software-defined firewall: enabling malware traffic detection and programmable security control. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security. pp 413–424. https://doi.org/10.1145/3196494.3196519

  51. Giotis K, Argyropoulos C, Androulidakis G, Kalogeras D, Maglaris V (2014) Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Comput Netw 62:122–136

    Article  Google Scholar 

  52. Goksel N, Demirci M (2019) DoS attack detection using packet statistics in SDN. In: 2019 International Symposium on Networks, Computers and Communications (ISNCC). pp 1–6https://doi.org/10.1109/ISNCC.2019.8909114

  53. Gude N, Koponen T, Pettit J, Pfaff B, Casado M, McKeown N, Shenker S (2008) NOX: towards an operating system for networks. Comput Commun Rev. https://doi.org/10.1145/1384609.1384625

    Article  Google Scholar 

  54. Hall RS, Cervantes H (2004) An OSGi implementation and experience report. In: First IEEE Consumer Communications and Networking Conference, 2004. CCNC 2004. pp 394–399. https://doi.org/10.1109/CCNC.2004.1286894

  55. Hamdan M, Hassan E, Abdelaziz A, Elhigazi A, Mohammed B, Khan S, Vasilakos AV, Marsono MN (2021) A comprehensive survey of load balancing techniques in software-defined network. J Netw Comput Appl 174:102856. https://doi.org/10.1016/j.jnca.2020.102856

    Article  Google Scholar 

  56. de la Hoz E, Cochrane G, Moreira-Lemus JM, Paez-Reyes R, Marsa-Maestre I, Alarcos B (2014) Detecting and defeating advanced man-in-the-middle attacks against TLS. In: 2014 6th International Conference On Cyber Conflict (CyCon 2014). pp 209–221. https://doi.org/10.1109/CYCON.2014.6916404

  57. Hu T, Yi P, Hu Y, Lan J, Zhang Z, Li Z (2020) SAIDE: Efficient application interference detection and elimination in SDN. Comput Netw 183:107619. https://doi.org/10.1016/j.comnet.2020.107619

    Article  Google Scholar 

  58. Hu Y, Su W, Wu L, Huang Y, Kuo S (2013) Design of event-based intrusion detection system on openflow network. In: 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). pp 1–2. https://doi.org/10.1109/DSN.2013.6575335

  59. Ishii S, Kawai E, Takata T, Kanaumi Y, Saito S, Kobayashi K, Shimojo S (2012) Extending the RISE controller for the interconnection of RISE and OS3E/NDDI. In: 2012 18th IEEE International Conference on Networks (ICON). pp 243–248. https://doi.org/10.1109/ICON.2012.6506564

  60. Isong B, Molose RRS, Abu-Mahfouz AM, Dladlu N (2020) Comprehensive review of SDN controller placement strategies. IEEE Access 8:170070–170092. https://doi.org/10.1109/ACCESS.2020.3023974

    Article  Google Scholar 

  61. Jafarian JH, Al-Shaer E, Duan Q (2013) Formal approach for route agility against persistent attackers. In: Crampton J, Jajodia S, Mayes K (eds) In european symposium on research in computer security. Springer, Berlin, pp 237–254

    Google Scholar 

  62. Jäger B, Röpke C, Adam I, Holz T (2015) Multi-layer access control for SDN-based Telco clouds. In: Buchegger S, Dam M (eds) In Nordic conference on secure IT systems. Springer International Publishing, pp 197–204

    Chapter  Google Scholar 

  63. Jain R (2012) OpenADN: mobile apps on global clouds using software defined networking. In: Proceedings of the Third ACM Workshop on Mobile Cloud Computing and Services. pp 1–2.https://doi.org/10.1145/2307849.2307851

  64. Jain S, Kumar A, Mandal S, Ong J, Poutievski L, Singh A, Venkata S, Wanderer J, Zhou J, Zhu M, Zolla J, Hölzle U, Stuart S, Vahdat A (2013) B4: Experience with a globally-deployed software defined wan. SIGCOMM Comput Commun Rev 43(4):3–14. https://doi.org/10.1145/2534169.2486019

    Article  Google Scholar 

  65. Jeong K, Kim J, Kim Y (2012) QoS-aware Network Operating System for software defined networking with Generalized OpenFlows. In: 2012 IEEE Network Operations and Management Symposium. pp 1167–1174.https://doi.org/10.1109/NOMS.2012.6212044

  66. Kempf J, Bellagamba E, Kern A, Jocha D, Takacs A, Sköldström P (2012) Scalable fault management for OpenFlow. In: 2012 IEEE International Conference on Communications (ICC). pp 6606–6610.https://doi.org/10.1109/ICC.2012.6364688

  67. Khurshid A, Zou X, Zhou W, Caesar M, Godfrey PB (2013) VeriFlow: verifying network-wide invariants in real time. In: 10th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 13). pp 15–27. https://www.usenix.org/conference/nsdi13/technical-sessions/presentation/khurshid

  68. Kim E, Kim K, Lee S, Jeong JP, Kim H (2018) A Framework for managing user-defined security policies to support network security functions. In: Proceedings of the 12th International Conference on Ubiquitous Information Management and Communication. https://doi.org/10.1145/3164541.3164569

  69. Klaedtke F, Karame GO, Bifulco R, Cui H (2015) Towards an access control scheme for accessing flows in SDN. In: Proceedings of the 2015 1st IEEE Conference on Network Softwarization (NetSoft). pp 1–6. https://doi.org/10.1109/NETSOFT.2015.7116185

  70. Klaedtke F, Karame GO, Bifulco R, Cui H (2014) Access control for SDN controllers. Proc Third Workshop Hot Top Softw Defined Netw. https://doi.org/10.1145/2620728.2620773

    Article  Google Scholar 

  71. Koponen T, Casado M, Gude N, Stribling J, Poutievski L, Zhu M, Ramanathan R, Iwata Y, Inoue H, Hama T, Shenker S (2010) Onix: a distributed control platform for large-scale production networks. In OSDI. In OSDI, 10

  72. Kotani D, Okabe Y (2016) A packet-in message filtering mechanism for protection of control plane in OpenFlow switches. IEICE Trans Inf Syst 99(3):695–707

    Article  Google Scholar 

  73. Kreutz D, Ramos FMV, Verissimo P (2013) Towards secure and dependable software-defined networks. In: Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. pp 55–60.https://doi.org/10.1145/2491185.2491199

  74. Kuerban M, Tian Y, Yang Q, Jia Y, Huebert B, Poss D (2016) FlowSec: DOS attack mitigation strategy on SDN controller. In: 2016 IEEE International Conference on Networking, Architecture and Storage (NAS). pp 1–2. https://doi.org/10.1109/NAS.2016.7549402

  75. Lévai T, Pelle I, Németh F, Gulyás A (2015) EPOXIDE: a modular prototype for SDN troubleshooting. SIGCOMM Comput Commun Rev 45(4):359–360. https://doi.org/10.1145/2829988.2790027

    Article  Google Scholar 

  76. Li H, Li P, Guo S, Yu S (2014) Byzantine-resilient secure software-defined networks with multiple controllers. In: 2014 IEEE International Conference on Communications (ICC). pp 695–700.https://doi.org/10.1109/ICC.2014.6883400

  77. Li Q, Zou X, Huang Q, Zheng J, Lee PPC (2019) Dynamic packet forwarding verification in SDN. IEEE Trans Dependable Secure Comput 16(6):915–929. https://doi.org/10.1109/TDSC.2018.2810880

    Article  Google Scholar 

  78. Liu B, Bi J, Zhou Y (2016) Source address validation in software defined networks. In: Proceedings of the 2016 ACM SIGCOMM conference. pp 595–596. https://doi.org/10.1145/2934872.2960425

  79. Maestro. (2009). Maestro. Maestro homepage: http://zhengcai.github.io/maestro-platform/

  80. Masoud MZ, Jaradat Y, Jannoud I (2015) On preventing ARP poisoning attack utilizing Software Defined Network (SDN) paradigm. In: 2015 IEEE Jordan Conference on Applied Electrical Engineering and Computing Technologies (AEECT). pp. 1–5.https://doi.org/10.1109/AEECT.2015.7360549

  81. Matsumoto S, Hitz S, Perrig A (2014) Fleet: defending SDNs from malicious administrators. In: Proceedings of the Third Workshop on Hot Topics in Software Defined Networking. pp 103–108.https://doi.org/10.1145/2620728.2620750

  82. Mekky H, Hao F, Mukherjee S, Zhang Z-L, Lakshman TV (2014) Application-aware data plane processing in SDN. In: Proceedings of the Third Workshop on Hot Topics in Software Defined Networking. pp 13–18. https://doi.org/10.1145/2620728.2620735

  83. Midha S, Triptahi K (2019) Extended TLS security and Defensive Algorithm in OpenFlow SDN. In: 2019 9th International Conference on Cloud Computing, Data Science & Engineering (Confluence). pp 141–146. https://doi.org/10.1109/CONFLUENCE.2019.8776607

  84. Mihai-Gabriel I, Victor-Valeriu P (2014) Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory. In: 2014 IEEE 15th International Symposium on Computational Intelligence and Informatics (CINTI). pp 319–324. https://doi.org/10.1109/CINTI.2014.7028696

  85. Moazzeni S, Khayyambashi MR, Movahhedinia N, Callegati F (2018) On reliability improvement of Software-Defined Networks. Comput Netw 133:195–211. https://doi.org/10.1016/j.comnet.2018.01.023

    Article  Google Scholar 

  86. Mohammadi R, Javidan R, Conti M (2017) SLICOTS: an SDN-based lightweight countermeasure for TCP SYN flooding attacks. IEEE Trans Netw Serv Manag 14(2):487–497

    Article  Google Scholar 

  87. Mohan PM, Truong-Huu T, Gurusamy M (2018) Towards resilient in-band control path routing with malicious switch detection in SDN. In: 2018 10th International Conference on Communication Systems & Networks (COMSNETS). pp 9–16. https://doi.org/10.1109/COMSNETS.2018.8328174

  88. Monsanto C, Foster N, Harrison R, Walker D (2012) A compiler and run-time system for network programming languages. SIGPLAN Not 47(1):217–230. https://doi.org/10.1145/2103621.2103685

    Article  Google Scholar 

  89. Monsanto C, Foster N, Harrison R, Walker D (2012) A complier and run-time system for network programming languages. Sigplan Not. https://doi.org/10.1145/2103621.2103685

    Article  Google Scholar 

  90. Morzhov SV, Nikitinskiy MA (2018) Development and research of the PreFirewall network application for floodlight SDN controller. In: 2018 Moscow Workshop on Electronic and Networking Technologies (MWENT). pp 1–4.https://doi.org/10.1109/MWENT.2018.8337255

  91. Nagai R, Kurihara W, Higuchi S, Hirotsu T (2018) Design and implementation of an OpenFlow-based TCP SYN flood mitigation. In: 2018 6th IEEE International Conference on Mobile Cloud Computing, Services, and Engineering (MobileCloud). pp 37–42. https://doi.org/10.1109/MobileCloud.2018.00014

  92. Namal S, Ahmad I, Gurtov A, Ylianttila M (2013) Enabling secure mobility with OpenFlow. In: 2013 IEEE SDN for Future Networks and Services (SDN4FNS). pp 1–5. https://doi.org/10.1109/SDN4FNS.2013.6702540

  93. Nguyen T, Yoo M (2016) Attacks on host tracker in SDN controller: Investigation and prevention. In: 2016 International Conference on Information and Communication Technology Convergence (ICTC). pp 610–612.https://doi.org/10.1109/ICTC.2016.7763545

  94. Nife F, Kotulski Z (2018). In: Gaj P, Sawicki M, Suchacka G, Kwiecień A (eds) New SDN-oriented authentication and access control mechanism BT-computer networks. Springer International Publishing, Berlin, pp 74–88

    Google Scholar 

  95. Oktian YE, Lee S, Lee H, Lam J (2015) Secure your Northbound SDN API. In: 2015 Seventh International Conference on Ubiquitous and Future Networks. pp 919–920.https://doi.org/10.1109/ICUFN.2015.7182679

  96. Oktian YE, Lee SG, Lee HJ, Lam JH (2017) Distributed SDN controller system: a survey on design choice. Comput Netw 121:100–111. https://doi.org/10.1016/j.comnet.2017.04.038

    Article  Google Scholar 

  97. OpenDaylight (2014) OpenDaylight: a linux foundation collaborative project. http://www.opendaylight.org/

  98. Porras P, Cheung S, Fong M, Skinner K and Y V (2015) Securing the software-defined network control layer

  99. Padekar H, Park Y, Hu H, Chang S-Y (2016) Enabling dynamic access control for controller applications in software-defined networks. In: Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies. pp 51–61. https://doi.org/10.1145/2914642.2914647

  100. Pan H, Li Z, Zhang P, Salamatian K, Xie G (2020) Misconfiguration checking for SDN: data structure, theory and algorithms. In: 2020 IEEE 28th International Conference on Network Protocols (ICNP). pp 1–11. https://doi.org/10.1109/ICNP49622.2020.9259353

  101. Park T, Kim Y, Yegneswaran V, Porras P, Xu Z, Park K, Shin S (2019) DPX: data-plane extensions for SDN security service instantiation. In: Perdisci R, Maurice C, Giacinto G, Almgren M (eds) International conference on detection of intrusions and malware, and vulnerability assessment. Springer International Publishing, pp 415–437

    Google Scholar 

  102. Petersen K, Feldt R, Mujtaba S, Mattsson M (2008) Systematic mapping studies in software engineering. In: 12th International Conference on Evaluation and Assessment in Software Engineering (EASE), vol. 12. pp 1–10

  103. Phan TV, Park M (2019) Efficient distributed denial-of-service attack defense in SDN-based cloud. IEEE Access 7:18701–18714. https://doi.org/10.1109/ACCESS.2019.2896783

    Article  Google Scholar 

  104. Phemius K, Bouet M, Leguay J (2014) DISCO: Distributed multi-domain SDN controllers. In: 2014 IEEE Network Operations and Management Symposium (NOMS). pp 1–4.https://doi.org/10.1109/NOMS.2014.6838330

  105. Porras P, Shin S, Yegneswaran V, Fong M, Tyson M, Gu G (2012) A security enforcement kernel for OpenFlow networks. https://doi.org/10.1145/2342441.2342466

  106. Porras P, Cheung S, Fong M, Skinner K, Yegneswaran V (2015) Securing the software defined network control layer. In: Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), February, 8–11. https://doi.org/10.14722/ndss.2015.23222

  107. Prete LR, Shinoda AA, Schweitzer CM, Oliveira RLS (2014) Simulation in an SDN network scenario using the POX Controller. In: 2014 IEEE Colombian Conference on Communications and Computing (COLCOM). pp 1–6. https://doi.org/10.1109/ColComCon.2014.6860403

  108. Qasmaoui Y, Haqiq A (2020) Enhanced solid-flow: an enhanced flow rules security mechanism for SDN. IAENG Int J Comput Sci 47(3):522–532

    Google Scholar 

  109. Qasmaoui Y, Haqiq A (2017) Solid-flow: a flow rules security mechanism for SDN. In: 2017 3rd International Conference of Cloud Computing Technologies and Applications (CloudTech). pp 1–7. https://doi.org/10.1109/CloudTech.2017.8284734

  110. Qi C, Wu J, Hu H, Cheng G, Liu W, Ai J, Yang C (2016) An intensive security architecture with multi-controller for SDN. In: 2016 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). pp 401–402.https://doi.org/10.1109/INFCOMW.2016.7562109

  111. Ranjbar A, Komu M, Salmela P, Aura T (2016) An SDN-based approach to enhance the end-to-end security: SSL/TLS case study. In: NOMS 2016—2016 IEEE/IFIP Network Operations and Management Symposium. pp 281–288. https://doi.org/10.1109/NOMS.2016.7502823

  112. Ryu (2017) Ryu SDN framework. Ryu Homepage: http://osrg.github.io/ryu/.

  113. Saâdaoui A, Souayeh NBYB, Bouhoula A (2019) Automated and optimized formal approach to verify SDN access-control misconfigurations. In: Gao H, Yin Y, Yang X, Miao H (eds) International conference on testbeds and research infrastructure. Springer International Publishing, pp 96–112

    Google Scholar 

  114. Sahay R, Blanc G, Zhang Z, Debar H (2017) ArOMA: an SDN based autonomic DDoS mitigation framework. Comput Secur 70:482–499

    Article  Google Scholar 

  115. Sasaki T, Pappas C, Lee T, Hoefler T, Perrig A (2016) SDNsec: forwarding accountability for the SDN data plane. In: 2016 25th International Conference on Computer Communication and Networks (ICCCN). pp 1–10. https://doi.org/10.1109/ICCCN.2016.7568569

  116. Sasaki T, Perrig A, Asoni DE (2016) Control-plane isolation and recovery for a secure SDN architecture. In: 2016 IEEE NetSoft Conference and Workshops (NetSoft). pp 459–464.https://doi.org/10.1109/NETSOFT.2016.7502485

  117. Schehlmann L, Abt S, Baier H (2014) Blessing or curse? Revisiting security aspects of Software-Defined Networking. In: 10th International Conference on Network and Service Management (CNSM) and Workshop. pp 382–387. https://doi.org/10.1109/CNSM.2014.7014199

  118. Scott-Hayward S, Kane C, Sezer S (2014) OperationCheckpoint: SDN application control. In: 2014 IEEE 22nd International Conference on Network Protocols. pp 618–623. https://doi.org/10.1109/ICNP.2014.98

  119. Scott-Hayward S, O’Callaghan G, Sezer S (2013) SDN security: a survey. Future networks and services (SDN4FNS), 2013 IEEE SDN for. pp 1–7

  120. Sebbar A, Boulmalf M, Kettani MDE-CEl, Baddi Y (2018). Detection MITM attack in multi-SDN controller. In: 2018 IEEE 5th International Congress on Information Science and Technology (CiSt). pp 583–587. https://doi.org/10.1109/CIST.2018.8596479

  121. Sezer S, Scott-Hayward S, Chouhan PK, Fraser B, Lake D, Finnegan J, Viljoen N, Miller M, Rao N (2013) Are we ready for SDN? Implementation challenges for software-defined networks. IEEE Commun Mag 51(7):36–43. https://doi.org/10.1109/MCOM.2013.6553676

    Article  Google Scholar 

  122. Shaghaghi A, Kaafar MA, Buyya R, Jha S (2018) Software-Defined Network (SDN) Data plane security: issues, solutions and future directions. ArXiv Preprint http://arxiv.org/abs/1804.00262.

  123. Shin J, Kim T, Lee B, Yang S (2017) IRIS-HiSA: highly scalable and available carrier-grade SDN controller cluster. Mob Netw Appl. https://doi.org/10.1007/s11036-017-0853-6

    Article  Google Scholar 

  124. Shin S, Porras P, Yegneswaran V, Gu G (2013) FRESCO: Modular composable security services for software-defined networks. Netw Distrib Syst Secur Sympos 1(1):1–16

    Google Scholar 

  125. Shin S, Yegneswaran V, Porras P, Gu G (2013) Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In: Proceedings of the 2013 ACM SIGSAC conference on computer and communications security. pp 413–424

  126. Shu Z, Wan J, Li D, Lin J, Vasilakos AV, Imran M (2016) Security in software-defined networking: threats and countermeasures. Mob Netw Appl 21(5):764–776. https://doi.org/10.1007/s11036-016-0676-x

    Article  Google Scholar 

  127. Shuangyu H, Jianwei L, Jian M, Jie C (2014) Hierarchical solution for access control and authentication in software defined networks. In: Au MH, Carminati B, Kuo C-CJ (eds) International conference on network and system security. Springer International Publishing, pp 70–81

  128. Singh J, Behal S (2020) Detection and mitigation of DDoS attacks in SDN: a comprehensive review, research challenges and future directions. Comput Sci Rev 37:100279. https://doi.org/10.1016/j.cosrev.2020.100279

  129. SNAC (2012) SNAC: simple network access control. https://github.com/

  130. Son J, Buyya R (2018) A taxonomy of software-defined networking (SDN)-enabled cloud computing. ACM Comput Surv (CSUR) 51(3):59

  131. Son J, Dastjerdi AV, Calheiros RN, Buyya R (2017) SLA-aware and energy-efficient dynamic overbooking in SDN-based cloud data centers. IEEE Trans Sustain Comput 2(2):76–89

  132. Son S, Shin S, Yegneswaran V, Porras P, Gu G (2013) Model checking invariant security properties in OpenFlow. IEEE Int Conf Commun. https://doi.org/10.1109/ICC.2013.6654813

  133. Specification OS (2013) Open networking foundation. Version ONF TS-015 1(3):1–164

  134. Suh J, Choi H, Yoon W, You T, Kwon TT, Choi Y (2010) Implementation of content-oriented networking architecture (CONA): a focus on DDoS countermeasure. In: 1st European NetFPGA Developers Workshop. pp 1–5. https://mmlab.snu.ac.kr/publications/docs/2010_EU_netfpga_workshop_jhsuh.pdf

  135. Tootoonchian A, Ganjali Y (2010) HyperFlow: a distributed control plane for OpenFlow

  136. Tootoonchian A, Gorbunov S, Ganjali Y, Casado M, Sherwood R (2012) On controller performance in software-defined networks. In: 2nd USENIX Workshop on Hot Topics in Management of Internet, Cloud, and Enterprise Networks and Services (Hot-ICE 12). https://www.usenix.org/conference/hot-ice12/workshop-program/presentation/tootoonchian

  137. Voellmy A, Hudak P (2011) Nettle: taking the sting out of programming network routers. In: Rocha R, Launchbury J (eds) Practical aspects of declarative languages. Springer, Berlin, pp 235–249

  138. Voellmy A, Kim H, Feamster N (2012) Procera: a language for high-level reactive network control. In: HotSDN’12 - Proceedings of the 1st ACM International Workshop on Hot Topics in Software Defined Networks. https://doi.org/10.1145/2342441.2342451

  139. Voellmy A, Wang J (2012) Scalable software defined network controllers. In: Proceedings of the ACM SIGCOMM 2012 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication. pp 289–290. https://doi.org/10.1145/2342356.2342414

  140. Wang H (2014) Authentic and confidential policy distribution in software defined wireless network. In: 2014 International Wireless Communications and Mobile Computing Conference (IWCMC). pp 1167–1171. https://doi.org/10.1109/IWCMC.2014.6906520

  141. Wang H, Xu L, Gu G (2015) FloodGuard: a DoS attack prevention extension in software-defined networks. In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. pp 239–250. https://doi.org/10.1109/DSN.2015.27

  142. Wang M, Liu J, Chen J, Liu X, Mao J (2016) PERM-GUARD: authenticating the validity of flow rules in software defined networking. In: Proceedings—2nd IEEE International Conference on Cyber Security and Cloud Computing, CSCloud 2015—IEEE International Symposium of Smart Cloud, IEEE SSC 2015, 37. pp 127–132. https://doi.org/10.1109/CSCloud.2015.89

  143. Wei L, Fung C (2015) FlowRanger: a request prioritizing algorithm for controller DoS attacks in Software Defined Networks. In: 2015 IEEE International Conference on Communications (ICC). pp 5254–5259. https://doi.org/10.1109/ICC.2015.7249158

  144. Wen X, Chen Y, Hu C, Shi C, Wang Y (2013) Towards a secure controller platform for openflow applications. https://doi.org/10.1145/2491185.2491212

  145. Wu B, Li H, Wu Q, Jiang Z, Liu J (2020) TMPTCP: a lightweight trust extension for multipath-TCP. In: 2020 International Conference on Networking and Network Applications (NaNA). pp 342–347. https://doi.org/10.1109/NaNA51271.2020.00065

  146. Wu G, Wang J, Obaidat MS, Yao L, Hsiao K-F (2019) Dynamic switch migration with noncooperative game towards control plane scalability in SDN. Int J Commun Syst 32(7):e3927. https://doi.org/10.1002/dac.3927

  147. Xie R, Xu M, Cao J, Li Q (2019) SoftGuard: defend against the low-rate TCP attack in SDN. In: ICC 2019—2019 IEEE International Conference on Communications (ICC). pp 1–6. https://doi.org/10.1109/ICC.2019.8761806

  148. Yan Z, Zhang P, Vasilakos AV (2016) A security and trust framework for virtualized networks and software-defined networking. Secur Commun Netw 9(16):3059–3069. https://doi.org/10.1002/sec.1243

  149. Yang M, Li Y, Jin D, Zeng L, Wu X, Vasilakos AV (2015) Software-defined and virtualized future mobile and wireless networks: a survey. Mob Netw Appl 20(1):4–18. https://doi.org/10.1007/s11036-014-0533-8

  150. Yao G, Bi J, Xiao P (2011) Source address validation solution with OpenFlow/NOX architecture. In: 2011 19th IEEE International Conference on Network Protocols. pp 7–12. https://doi.org/10.1109/ICNP.2011.6089085

  151. Ying Q, Wanqssing Y, Kai Q (2016) OpenFlow flow table overflow attacks and countermeasures. In: 2016 European Conference on Networks and Communications (EuCNC). pp 205–209. https://doi.org/10.1109/EuCNC.2016.7561033

  152. Yue M, Wang H, Liu L, Wu Z (2020) Detecting DoS attacks based on multi-features in SDN. IEEE Access 8:104688–104700. https://doi.org/10.1109/ACCESS.2020.2999668

  153. Zhang C, Hu G, Chen G, Sangaiah AK, Zhang P, Yan X, Jiang W (2018) Towards a SDN-based integrated architecture for mitigating IP spoofing attack. IEEE Access 6:22764–22777. https://doi.org/10.1109/ACCESS.2017.2785236

  154. Zhang H, Cai Z, Liu Q, Xiao Q, Li Y, Cheang CF (2018) A survey on security-aware measurement in SDN. Secur Commun Netw

  155. Zhang K, Qiu X (2018) CMD: a convincing mechanism for MITM detection in SDN. In: 2018 IEEE International Conference on Consumer Electronics (ICCE). pp 1–6. https://doi.org/10.1109/ICCE.2018.8326334

  156. Zhang L, Guo Y, Yuwen H, Wang Y (2016) A port hopping based DoS mitigation scheme in SDN network. In: 2016 12th International Conference on Computational Intelligence and Security (CIS). pp 314–317. https://doi.org/10.1109/CIS.2016.0077

  157. Zhang L, Wang Z, Gu K, Miao F, Guo Y (2016) Transparent synchronization based port mutation scheme in SDN network. In: 2016 5th International Conference on Computer Science and Network Technology (ICCSNT). pp 581–585. https://doi.org/10.1109/ICCSNT.2016.8070225

  158. Zhang L, Wei Q, Gu K, Yuwen H (2016) Path hopping based SDN network defense technology. In: 2016 12th International Conference on Natural Computation, Fuzzy Systems and Knowledge Discovery (ICNC-FSKD). pp 2058–2063. https://doi.org/10.1109/FSKD.2016.7603498

  159. Zhang P, Wang H, Hu C, Lin C (2016) On denial of service attacks in software defined networks. IEEE Network 30(6):28–33. https://doi.org/10.1109/MNET.2016.1600109NM

  160. Zhang Y, Beheshti N, Tatipamula M (2011) On resilience of split-architecture networks. In: 2011 IEEE Global Telecommunications Conference - GLOBECOM 2011. pp 1–6. https://doi.org/10.1109/GLOCOM.2011.6134496

  161. Zheng J, Li Q, Gu G, Cao J, Yau DKY, Wu J (2018) Realtime DDoS defense using COTS SDN switches via adaptive correlation analysis. IEEE Trans Inf Forensics Secur 13(7):1838–1853. https://doi.org/10.1109/TIFS.2018.2805600

  162. Zhou H, Wu C, Yang C, Wang P, Yang Q, Lu Z, Cheng Q (2018) SDN-RDCD: a real-time and reliable method for detecting compromised SDN devices. IEEE/ACM Trans Netw 26(5):2048–2061. https://doi.org/10.1109/TNET.2018.2859483

  163. Zhu L, Tang X, Shen M, Du X, Guizani M (2018) Privacy-Preserving DDoS attack detection using cross-domain traffic in software defined networks. IEEE J Sel Areas Commun 36(3):628–643. https://doi.org/10.1109/JSAC.2018.2815442

  164. Zou D, Lu Y, Yuan B, Chen H, Jin H (2018) A fine-grained multi-tenant permission management framework for SDN and NFV. IEEE Access 6:25562–25572. https://doi.org/10.1109/ACCESS.2018.2828132

Corresponding author

Correspondence to Yassine Maleh.

Cite this article

Maleh, Y., Qasmaoui, Y., El Gholami, K. et al. A comprehensive survey on SDN security: threats, mitigations, and future directions. J Reliable Intell Environ 9, 201–239 (2023). https://doi.org/10.1007/s40860-022-00171-8

  • DOI: https://doi.org/10.1007/s40860-022-00171-8
