Abstract
Most of the IT infrastructure across the globe is virtualized and is backed by Software Defined Networks (SDN). Hence, any threat to SDN's core components would potentially harm today's Internet and the very fabric of utility computing. After thorough analysis, this study identifies the Crossfire link flooding attack (LFA) as one of the lethal attacks that can potentially target the link connecting the control plane to the data plane in SDNs. In such a situation, the control plane may get disconnected, degrading the performance of the whole network and disrupting service. In this work we present a detailed comparative analysis of link flooding mitigation techniques and propose a framework for effective defense. It comprises a separate controller consisting of a flood detection module, a link listener module and a flood detection module, which work together to detect and mitigate attacks and facilitate the normal flow of traffic. This paper serves as a first effort towards identifying and mitigating the Crossfire LFA on the channel that connects the control plane to the data plane in SDNs. We expect that further optimizations of the proposed solution can bring remarkable results.
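To make the detection idea concrete, here is an added illustration (not the paper's own framework code) of what a link listener feeding a flood detection module could check: a Crossfire-style flood shows up as a link near saturation whose load comes from many distinct low-rate sources rather than a few heavy flows. The link id `ctrl-s1`, the thresholds and the flow samples are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSample:
    """One sampled flow as a link listener would report it (constructed format)."""
    link: str           # link the flow traverses
    src: str            # source address
    rate: float         # observed rate in bytes per second


# Assumed link capacities in bytes/s; "ctrl-s1" is the controller<->switch channel
CAPACITY = {"ctrl-s1": 1_200_000.0, "s1-s2": 1_000_000.0, "s2-s3": 1_000_000.0}

# Constructed samples: 40 distinct low-rate sources converge on the control link,
# while the data link s1-s2 is equally busy but fed by only two heavy flows.
SAMPLES = (
    [FlowSample("ctrl-s1", f"10.0.{i // 256}.{i % 256}", 25_000.0) for i in range(40)]
    + [FlowSample("s1-s2", "10.9.0.1", 400_000.0), FlowSample("s1-s2", "10.9.0.2", 400_000.0)]
    + [FlowSample("s2-s3", "10.9.0.3", 50_000.0)]
)


def aggregate_by_link(samples):
    """Link listener step: group sampled flows per link."""
    per_link = defaultdict(list)
    for s in samples:
        per_link[s.link].append(s)
    return per_link


def crossfire_suspects(samples, capacity, util_threshold=0.8,
                       low_rate=50_000.0, min_sources=20, low_rate_share=0.7):
    """Flood detection step: flag links that are near capacity AND whose load is
    mostly made up of many distinct low-rate senders (the Crossfire signature).
    A saturated link carried by a couple of heavy flows is not flagged."""
    suspects = {}
    for link, flows in aggregate_by_link(samples).items():
        load = sum(f.rate for f in flows)
        if not load:
            continue
        util = load / capacity[link]
        sources = {f.src for f in flows}
        share = sum(f.rate for f in flows if f.rate <= low_rate) / load
        if util >= util_threshold and len(sources) >= min_sources and share >= low_rate_share:
            suspects[link] = {"util": round(util, 2), "sources": len(sources),
                              "low_rate_share": round(share, 2), "senders": sorted(sources)}
    return suspects
```

The returned `senders` list is what a mitigation module would act on, for example by rate-limiting those sources on the switch or steering control traffic onto an alternate path.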
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Rasool, R.U., Wang, H., Rafique, W., Yong, J., Cao, J. (2017). A Study on Securing Software Defined Networks. In: Bouguettaya, A., et al. Web Information Systems Engineering – WISE 2017. WISE 2017. Lecture Notes in Computer Science(), vol 10570. Springer, Cham. https://doi.org/10.1007/978-3-319-68786-5_38
DOI: https://doi.org/10.1007/978-3-319-68786-5_38
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-68785-8
Online ISBN: 978-3-319-68786-5
eBook Packages: Computer Science (R0)