DroPPPP: A P4 Approach to Mitigating DoS Attacks in SDN

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11897)


Software-Defined Networking (SDN) has proven itself a useful technology for establishing and managing configurable, dynamic networks with the rapid deployment of services in the past decade. Despite these advantages, the fact that the functionality of SDN relies heavily on the controller with a much less capable data plane creates a single point of failure, which leaves the network susceptible to denial of service (DoS) attacks mainly targeting the controller to affect the operation of the whole network. An effective approach for mitigating DoS attacks in SDN requires identifying and stopping attacks as close to their source as possible, which will require involvement of the data plane in the mitigation strategy. In this work we propose DroPPPP, a DoS prevention approach for SDN that operates in the data plane using the P4 programming language. We demonstrate through experiments in the Mininet that lightweight processing of the packets in the data plane with DroPPPP negates significant overheads through reducing the traffic between switches while keeping the controller’s CPU usage at 0% and below 50% during spoofing and volumetric attacks.


Software-Defined Networking Denial of service P4 


  1. 1.
    Bosshart, P., et al.: P4: programming protocol-independent packet processors. SIGCOMM Comput. Commun. Rev. 44(3), 87–95 (2014)CrossRefGoogle Scholar
  2. 2.
    Braga, R., Mota, E., Passito, A.: Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: IEEE Local Computer Network Conference, pp. 408–415, October 2010Google Scholar
  3. 3.
    Deng, S., Gao, X., Lu, Z., Gao, X.: Packet injection attack and its defense in software-defined networks. IEEE Trans. Inf. Forensics Secur. 13(3), 695–705 (2018)CrossRefGoogle Scholar
  4. 4.
    Deng, S., Gao, X., Lu, Z., Li, Z., Gao, X.: Dos vulnerabilities and mitigation strategies in software-defined networks. J. Netw. Comput. Appl. 125, 209–219 (2019)CrossRefGoogle Scholar
  5. 5.
    Kreutz, D., Ramos, F.M.V., Veríssimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2015)CrossRefGoogle Scholar
  6. 6.
    Kuerban, M., Tian, Y., Yang, Q., Jia, Y., Huebert, B., Poss, D.: FlowSec: DOS attack mitigation strategy on SDN controller. In: IEEE International Conference on Networking, Architecture and Storage (NAS), Long Beach, CA, USA, 8–10 August 2016, pp. 1–2. IEEE Computer Society (2016)Google Scholar
  7. 7.
    Lantz, B., Heller, B., McKeown, N.: A network in a laptop: rapid prototyping for software-defined networks. In: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, pp. 19:1–19:6. Hotnets-IX, ACM, New York (2010)Google Scholar
  8. 8.
    Mohammadi, R., Javidan, R., Conti, M.: SLICOTS: an SDN-based lightweight countermeasure for TCP SYN flooding attacks. IEEE Trans. Netw. Serv. Manag. 14(2), 487–497 (2017)CrossRefGoogle Scholar
  9. 9.
    Mousavi, S.M., St-Hilaire, M.: Early detection of ddos attacks against software defined network controllers. J. Netw. Syst. Manag. 26(3), 573–591 (2018)CrossRefGoogle Scholar
  10. 10.
    Orlowski, S., Pióro, M., Tomaszewski, A., Wessäly, R.: SNDlib 1.0-survivable network design library. In: Proceedings of the 3rd International Network Optimization Conference (INOC 2007), Spa, Belgium, April 2007. Extended version accepted in Networks 2009.
  11. 11.
    p4lang: p4lang/behavioral-model.
  12. 12.
    Raj, A., Bhat, A.S., Namboothiri, L.V.: Effective threshold defence against DoS attack on SDN controller. Int. J. Pure Appl. Math. 119(10), 691–698 (2018)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Middle East Technical UniversityAnkaraTurkey

Personalised recommendations