Managing Network Functions in Stateful Application Aware SDN

  • Prabhakar Krishnan
  • Krishnashree Achuthan
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 969)


Software-defined networking (SDN) is emerging as a paradigm shift that drastically changes modern networking, since it simplifies and automates the orchestration and administration of large applications and data centers. The SDN architecture offers an easily programmable interface, centralized control and a distributed state-management model for modern networks. However, in the classical implementation of SDN the intelligence is centralized at the controller and the role of the switches is reduced to simple packet forwarding. The controller must therefore, in addition to its control and management operations, gather runtime state and information from switches all over the network. This poses serious risks: (a) controller overload, (b) congestion in the control channel, because switches depend on the controller for even rudimentary forwarding decisions, (c) exposure of the entire network infrastructure itself to attack, and (d) eventually resource-saturation attacks on the servers in the network. As SDN opened up such new attack vectors, several solutions were proposed in terms of control-plane extensions, data-plane innovations, improved programming abstractions and augmentation of the OpenFlow channel. In this paper, we present our observations on emerging stateful SDN architectures and propose a stateful, application-aware SDN architecture. We developed a security-aware framework to detect threats and mitigate saturation attacks on the SDN stack and to defend against Denial-of-Service (DoS) attacks on other network services, and we present our experiments with DoS/flooding attack tools, datasets from popular sources, and simulation of real-world attack scenarios on the transport protocols TCP and UDP/IP and on the HTTP and NTP services.
The attack-detection mechanism has no significant performance impact on good traffic, with an average detection confidence above 99.99% across the traffic states tested; the mitigation response is comparable with the state of the art, and with our extensible secure architecture we can defend against future attacks at scale.
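The control-channel saturation described in the abstract (every table miss becomes a packet_in, so an attacker sending spoofed SYNs dictates the controller's load) is easiest to see side by side with a data plane that keeps TCP handshake state in the switch. The following model is an added example written for this page, not the paper's framework or its code: the packet layout, the victim address 10.0.0.1:80, the half-open threshold, the memory bound and the "proxy_synack" verdict (the switch answering SYNs on the server's behalf once a port is under flood) are all assumptions of this illustration, and the traffic trace is constructed.

```python
"""Constructed model of a stateless vs a stateful SDN data plane under a TCP SYN
flood. Added illustration, not the paper's framework: the packet format, the
thresholds, the SYN-proxy verdict and the addresses are assumptions of this example."""
from collections import defaultdict, namedtuple
import random

Packet = namedtuple("Packet", "src dst sport dport flags")   # flags: "S", "SA" or "A"
SERVER = ("10.0.0.1", 80)                                     # constructed victim address


def flow_key(p):
    return (p.src, p.dst, p.sport, p.dport)


class Controller:
    """Counts packet_in messages; installs a flow rule for each one it receives."""
    def __init__(self):
        self.packet_ins = 0

    def packet_in(self, switch, key):
        self.packet_ins += 1
        switch.flow_table.add(key)


class StatelessSwitch:
    """Classical OpenFlow behaviour: every table miss is punted to the controller,
    so the attacker decides how many packet_in messages the control channel sees."""
    def __init__(self, ctrl):
        self.ctrl, self.flow_table, self.flooded = ctrl, set(), set()

    def process(self, p):
        k = flow_key(p)
        if k not in self.flow_table:
            self.ctrl.packet_in(self, k)
        return "forward"


class StatefulSwitch:
    """Keeps TCP handshake state in the data plane. A flow reaches the controller
    only after its three-way handshake completes; once too many half-open
    connections target one server port, the switch answers further SYNs itself
    (a SYN proxy), so spoofed sources that never ACK cost the server and the
    controller nothing. The half-open table is bounded to protect switch memory."""
    def __init__(self, ctrl, half_open_limit=50, max_half_open=10_000):
        self.ctrl, self.flow_table, self.flooded = ctrl, set(), set()
        self.half_open = {}                        # flow_key -> True (insertion ordered)
        self.half_open_per_dst = defaultdict(int)  # (dst ip, dport) -> half-open count
        self.limit, self.max_half_open = half_open_limit, max_half_open

    def process(self, p):
        k, dst = flow_key(p), (p.dst, p.dport)
        if k in self.flow_table:
            return "forward"
        if p.flags == "S":
            if k not in self.half_open:
                if len(self.half_open) >= self.max_half_open:   # evict the oldest entry
                    old = next(iter(self.half_open))
                    del self.half_open[old]
                    self.half_open_per_dst[(old[1], old[3])] -= 1
                self.half_open[k] = True
                self.half_open_per_dst[dst] += 1
                if self.half_open_per_dst[dst] > self.limit:
                    self.flooded.add(dst)
            return "proxy_synack" if dst in self.flooded else "forward"
        if p.flags == "SA":
            return "forward"                       # server's reply, no new state
        if p.flags == "A" and k in self.half_open:
            del self.half_open[k]
            self.half_open_per_dst[dst] -= 1
            self.ctrl.packet_in(self, k)           # handshake done: now worth a rule
            return "forward"
        return "drop"                              # ACK for a flow the switch never saw


def client_flow(client, sport):
    """Legitimate client: SYN, then the ACK that completes the handshake (constructed)."""
    return [Packet(client, SERVER[0], sport, SERVER[1], "S"),
            Packet(client, SERVER[0], sport, SERVER[1], "A")]


def syn_flood(n, seed=1):
    """Spoofed SYNs from random sources that never complete the handshake (constructed)."""
    rng = random.Random(seed)
    return [Packet("198.51.100.%d" % rng.randrange(1, 255), SERVER[0], 1024 + i, SERVER[1], "S")
            for i in range(n)]


def run(switch, packets):
    """Feed packets through the switch; the server answers every SYN it actually receives."""
    stats = defaultdict(int)
    for p in packets:
        verdict = switch.process(p)
        stats[verdict] += 1
        if verdict == "forward" and p.flags == "S" and (p.dst, p.dport) == SERVER:
            stats[switch.process(Packet(SERVER[0], p.src, SERVER[1], p.sport, "SA"))] += 1
    return dict(stats)


def simulate(n_attack=500):
    """Three clients before the flood, n_attack spoofed SYNs, two clients during it."""
    trace = ([pk for i in range(3) for pk in client_flow("10.0.1.%d" % (i + 1), 40000 + i)]
             + syn_flood(n_attack)
             + [pk for i in range(3, 5) for pk in client_flow("10.0.1.%d" % (i + 1), 40000 + i)])
    out = {}
    for name, cls in (("stateless", StatelessSwitch), ("stateful", StatefulSwitch)):
        ctrl = Controller()
        sw = cls(ctrl)
        stats = run(sw, trace)
        out[name] = {"packet_ins": ctrl.packet_ins, "flooded": sorted(sw.flooded), "stats": stats}
    return out


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, result)
```

With this trace the stateless switch generates one packet_in per spoofed SYN and another per server SYN-ACK (1010 in total), while the stateful switch sends the controller exactly five, one per completed legitimate handshake, and the two clients that arrive during the flood still get through because the proxy verdict gates on the ACK rather than blocking the port. The model omits what a deployable version needs: timeouts that age out half-open entries and clear the flooded state, and sequence-number handling so the switch can splice a proxied handshake onto the real server connection.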


Keywords: SDN, NFV, DDoS, Security, Defense, Firewall, Flooding, OpenFlow, OpenvSwitch, Controller, Data plane, Stateful Firewall, Switch



Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. Amrita Center for Cybersecurity Systems and Networks, Amrita Vishwa Vidyapeetham, Amrita University, Amritapuri, India