Slow TCAM Exhaustion DDoS Attack

  • Túlio A. PascoalEmail author
  • Yuri G. Dantas
  • Iguatemi E. Fonseca
  • Vivek Nigam
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 502)


Software Defined Networks (SDN) facilitate network management by decoupling the data plane which forwards packets using efficient switches from the control plane by leaving the decisions on how packets should be forwarded to a (centralized) controller. However, due to limitations on the number of forwarding rules a switch can store in its TCAM memory, SDN networks have been subject to saturation and TCAM exhaustion attacks where the attacker is able to deny service by forcing a target switch to install a great number of rules. An underlying assumption is that these attacks are carried out by sending a high rate of unique packets. This paper shows that this assumption is not necessarily true and that SDNs are vulnerable to Slow TCAM exhaustion attacks (Slow-TCAM). We analyse this attack arguing that existing defenses for saturation and TCAM exhaustion attacks are not able to mitigate Slow-TCAM due to its relatively low traffic rate. We then propose a novel defense called SIFT based on selective strategies demonstrating its effectiveness against the Slow-TCAM attack.


DDoS attacks SDN Low-Rate attacks Selective defenses 


  1. 1.
  2. 2.
    Ambrosin, M., Conti, M., De Gaspari, F., Poovendran, R.: Lineswitch: efficiently managing switch flow in software-defined networking while effectively tackling DoS attacks. In: ASIACCS, pp. 639–644. ACM (2015)Google Scholar
  3. 3.
    Cambiaso, E., Papaleo, G., Aiello, M.: SlowDroid: turning a smartphone into a mobile attack vector. In: FiCloud 2014, pp. 405–410 (2014)Google Scholar
  4. 4.
    Cambiaso, E., Papaleo, G., Chiola, G., Aiello, M.: Slow DoS attacks: definition and categorisation. IJTMCC 1(3–4), 300–319 (2013)CrossRefGoogle Scholar
  5. 5.
    Cambiaso, E., Papaleo, G., Chiola, G., Aiello, M.: Designing and modeling the slow next DoS attack. In: Herrero, Á., Baruque, B., Sedano, J., Quintián, H., Corchado, E. (eds.) International Joint Conference. AISC, vol. 369. Springer, Cham (2015)CrossRefGoogle Scholar
  6. 6.
    Cambiaso, E., Papaleo, G., Chiola, G., Aiello, M.: Mobile executions of slow DoS attacks. Log. J. IGPL 24(1), 54–67 (2016). Oxford University Press (2015)Google Scholar
  7. 7.
    Curtis, A.R., Kim, W., Yalagandula, P.: Mahout: low-overhead datacenter traffic management using end-host-based elephant detection. In: INFOCOM, pp. 1629–1637. IEEE (2011)Google Scholar
  8. 8.
    Dantas, Y.G., Lemos, M.O.O., Fonseca, I.E., Nigam, V.: Formal specification and verification of a selective defense for TDoS attacks. In: Lucanu, D. (ed.) WRLA 2016. LNCS, vol. 9942, pp. 82–97. Springer, Cham (2016). doi: 10.1007/978-3-319-44802-2_5 CrossRefGoogle Scholar
  9. 9.
    Dantas, Y.G., Nigam, V., Fonseca, I.E.: A selective defense for application layer DDoS attacks. In: JISIC 2014, pp. 75–82 (2014)Google Scholar
  10. 10.
    Dhawan, M., Poddar, R., Mahajan, K., Mann, V.: Detecting security attacks in software-defined networks. In: NDSS, SPHINX (2015)Google Scholar
  11. 11.
    Dong, X., Lin, H., Tan, R., Iyer, R.K., Kalbarczyk, Z.: Software-defined networking for smart grid resilience: opportunities and challenges. In: CPSS (2015)Google Scholar
  12. 12.
    Hong, S., Lei, X., Wang, H., Gu, G.: New attacks and countermeasures. In: NDSS, Poisoning Network Visibility in Software-Defined Networks (2015)Google Scholar
  13. 13.
    Kandoi, R., Antikainen, M.: Denial-of-service attacks in OpenFlow SDN networks. In: IM (2015)Google Scholar
  14. 14.
    Kannan, K., Banerjee, S.: Compact TCAM: flow entry compaction in TCAM for power aware SDN. In: Frey, D., Raynal, M., Sarkar, S., Shyamasundar, R.K., Sinha, P. (eds.) ICDCN 2013. LNCS, vol. 7730, pp. 439–444. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-35668-1_32 CrossRefGoogle Scholar
  15. 15.
    Katta, N., Alipourfard, O., Rexford, J., Walker, D.: Infinite cacheflow in software-defined networks. In: HotSDN, pp. 175–180. ACM (2014)Google Scholar
  16. 16.
    Khanna, S., Venkatesh, S.S., Fatemieh, O., Khan, F., Gunter, C.A.: Adaptive selective verification: an efficient adaptive countermeasure to Thwart DoS attacks. IEEE/ACM Trans. Netw. 20(3), 715–728 (2012)CrossRefGoogle Scholar
  17. 17.
    Klöti, R., Kotronis, V., Smith, P.: Openflow: a security analysis. In: ICNP (2013)Google Scholar
  18. 18.
    Lemos, M.O.O, Dantas, Y.G., Fonseca, I., Nigam, V., Sampaio, G.: A selective defense for mitigating coordinated call attacks. In: SBRC (2016)Google Scholar
  19. 19.
    Lemos, M.O.O., Dantas, Y.G., Fonseca, I.E., Nigam, V.: On the accuracy of formal verification of selective defenses for TDoS attacks (under review)Google Scholar
  20. 20.
    Mininet (2016). Accessed 02 Nov 2016
  21. 21.
    OpenFlow: Open Networking Foundation.
  22. 22.
    OpenVSwitch (2016). Accessed 14 Nov 2016
  23. 23.
    Ryu (2016). Accessed 10 Nov 2016
  24. 24.
    Shen, J.: Defending against flow table overloading attack in software-defined networks. IEEE Trans. Serv. Comput. PP(99) (2016). doi: 10.1109/TSC.2016.2602861
  25. 25.
    Shin, S., Gu, G.: Attacking software-defined networks: a first feasibility study. In: HotSDN, pp. 165–166. ACM (2013)Google Scholar
  26. 26.
    Shin, S., Yegneswaran, V., Porras, P., Gu, G.: AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks. In: CCS (2013)Google Scholar
  27. 27.
    Vishnoi, A., Poddar, R., Mann, V., Bhattacharya, S.: Effective switch memory management in OpenFlow networks. In: DEBS (2014)Google Scholar
  28. 28.
    Wang, H., Xu, L., Gu, G.: FloodGuard: a DoS attack prevention extension in software-defined networks. In: DSN, pp. 239–250. IEEE (2015)Google Scholar
  29. 29.
    Wang, M., Zhou, H., Chen, J., Tong, B.: An approach for protecting the OpenFlow switch from the saturation attack (2016)Google Scholar
  30. 30.
    Yu, M., Rexford, J., Freedman, M.J., Wang, J.: Scalable flow-based networking with DIFANE. ACM Comput. Commun. Rev. 40(4), 351–362 (2010)CrossRefGoogle Scholar
  31. 31.
    Zarek, A., Ganjali, Y., Lie, D.: OpenFlow timeouts demystified. Master thesis, University of Toronto, Canada (2012)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  • Túlio A. Pascoal
    • 1
    Email author
  • Yuri G. Dantas
    • 2
  • Iguatemi E. Fonseca
    • 1
  • Vivek Nigam
    • 1
    • 3
  1. 1.Federal University of ParaíbaJoão PessoaBrazil
  2. 2.TU DarmstadtDarmstadtGermany
  3. 3.fortissMunichGermany

Personalised recommendations