A Study on Securing Software Defined Networks

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10570)


Most of the IT infrastructure across the globe is virtualized and is backed by Software Defined Networks (SDN). Hence, any threat to SDN's core components would potentially harm today's Internet and the very fabric of utility computing. After thorough analysis, this study identifies the Crossfire link flooding technique as one of the lethal attacks that can potentially target the link connecting the control plane to the data plane in SDNs. In such a situation, the control plane may become disconnected, resulting in degraded performance of the whole network and service disruption. In this work we present a detailed comparative analysis of link flooding mitigation techniques and propose a framework for effective defense. It comprises a separate controller consisting of a flood detection module, a link listener module and a flood detection module, which work together to detect and mitigate attacks and facilitate the normal flow of traffic. This paper serves as a first effort towards identifying and mitigating the Crossfire LFA on the channel that connects the control plane to the data plane in SDNs. We expect that further optimizations of the proposed solution can bring remarkable results.
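The abstract describes a link listener module feeding a flood detection module on a separate controller, but gives no detection algorithm. The following is an added illustration, not code from the paper or its authors: a link listener that turns per-link byte counters into rates, and a detector that flags a link as flooded only when its utilization stays above a threshold for several consecutive intervals (sustained exceedance, rather than a single spike, since Crossfire traffic is low-rate per flow but persistent in aggregate). The link names, capacity, threshold, window and the sample counters are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LinkSample:
    """One counter reading for a control-to-data-plane link (constructed format)."""
    link_id: str
    timestamp: int   # seconds since start of observation
    tx_bytes: int    # cumulative bytes sent on the link


class LinkListener:
    """Link listener: converts cumulative byte counters into bytes/second rates."""

    def __init__(self) -> None:
        self._last: Dict[str, LinkSample] = {}

    def observe(self, sample: LinkSample) -> Optional[float]:
        prev = self._last.get(sample.link_id)
        self._last[sample.link_id] = sample
        # First reading, or a counter reset / out-of-order sample: no rate yet.
        if prev is None or sample.timestamp <= prev.timestamp or sample.tx_bytes < prev.tx_bytes:
            return None
        return (sample.tx_bytes - prev.tx_bytes) / (sample.timestamp - prev.timestamp)


class FloodDetector:
    """Flood detector: alerts when utilization stays above `threshold` for `window` intervals."""

    def __init__(self, capacity_bps: float, threshold: float = 0.9, window: int = 3) -> None:
        self.limit = capacity_bps * threshold            # assumed link capacity and threshold
        self.window = window
        self._history: Dict[str, Deque[bool]] = defaultdict(lambda: deque(maxlen=window))

    def update(self, link_id: str, rate_bps: float) -> bool:
        hist = self._history[link_id]
        hist.append(rate_bps >= self.limit)
        # Only a full window of over-threshold intervals counts as a sustained flood.
        return len(hist) == self.window and all(hist)


def detect_floods(samples: List[LinkSample], capacity_bps: float) -> List[Tuple[str, int]]:
    """Run listener and detector over samples; return (link_id, timestamp) of every alert."""
    listener = LinkListener()
    detector = FloodDetector(capacity_bps)
    alerts: List[Tuple[str, int]] = []
    for s in sorted(samples, key=lambda x: (x.timestamp, x.link_id)):
        rate = listener.observe(s)
        if rate is not None and detector.update(s.link_id, rate):
            alerts.append((s.link_id, s.timestamp))
    return alerts


# Constructed sample data: link "ctrl-sw1" ramps to ~95-98% of a 1 MB/s capacity
# from t=3 onward; "ctrl-sw2" stays at a steady 10% and must never be flagged.
SAMPLES = [
    LinkSample("ctrl-sw1", 0, 0),
    LinkSample("ctrl-sw1", 1, 200_000),
    LinkSample("ctrl-sw1", 2, 400_000),
    LinkSample("ctrl-sw1", 3, 1_350_000),
    LinkSample("ctrl-sw1", 4, 2_300_000),
    LinkSample("ctrl-sw1", 5, 3_280_000),
    LinkSample("ctrl-sw1", 6, 4_260_000),
] + [LinkSample("ctrl-sw2", t, 100_000 * t) for t in range(7)]

LINK_CAPACITY_BPS = 1_000_000  # assumed capacity of the controller-switch channel

if __name__ == "__main__":
    for link, ts in detect_floods(SAMPLES, LINK_CAPACITY_BPS):
        print(f"t={ts}s sustained flood on {link}: candidate for rate-limiting or rerouting")
```

The first alert for ctrl-sw1 fires at t=5, the third consecutive interval above 900 KB/s, and repeats while the condition holds; a mitigation module would consume these alerts to rate-limit or reroute traffic away from the affected control channel.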


Keywords: Network security; Target link flooding; Software defined network



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Victoria University, Melbourne, Australia
  2. National University of Sciences and Technology, Islamabad, Pakistan
  3. University of Southern Queensland, Toowoomba, Australia
  4. La Trobe University, Bundoora, Australia
