Abstract
Software-defined networking (SDN) is emerging as a paradigm shift that is drastically changing modern networking, as it simplifies and automates the orchestration and administration of large applications and data centers. The SDN architecture offers an easily programmable interface, centralized control and a distributed state-management model for modern networks. However, in the classical implementation of SDN the intelligence is centralized at the controller and the role of the switches is reduced to simple packet forwarding. Consequently, the controller, in addition to its control and management operations, must gather runtime state and information from switches all over the network. This poses some serious risks: (a) controller overload, (b) congestion in the control channel because switches depend on the controller for even rudimentary forwarding operations, (c) exposure of the entire network infrastructure itself to attack, and (d) eventually resource-saturation attacks on the servers in the network. As SDN opened up such new attack vectors, several solutions were proposed in the form of control-plane extensions, data-plane innovations, improved programming abstractions and augmentation of the OpenFlow channel. In this paper, we present our observations on emerging stateful SDN architectures and propose a stateful, application-aware SDN architecture. We developed a security-aware framework to detect threats and mitigate saturation attacks in the SDN stack and to defend against Denial-of-Service (DoS) attacks on other network services, and we present our experiments with DoS/flooding attack tools, datasets from popular sources, and simulations of real-world attack scenarios on the transport protocols TCP and UDP/IP and on the HTTP and NTP services.
The attack detection mechanism has no significant performance impact on good traffic and an average detection confidence of over 99.99% across traffic states; the mitigation response is comparable with the state of the art, and with our extensible secure architecture we can defend against future attacks at scale.
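The saturation risk the abstract describes (every table miss becomes a packet-in, so one source opening many new flows loads the controller and the control channel) and the stateful remedy (keep per-source state in the data plane and stop escalating once a threshold is crossed) can be seen side by side in a small simulation. The following is an added example written for this page; it is not code from the paper or its framework. The switch and controller classes, the threshold of 20 new flows per source, and the sample traffic (one benign client, one source opening 500 connections to a web server) are all constructed for illustration.

```python
# Added example, not code from the paper: a toy model of the control-channel
# saturation risk described in the abstract. Every name, threshold and packet
# here is constructed for illustration.
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def flow_key(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)


@dataclass
class Controller:
    """Counts packet-in messages; each one is work on the control channel."""
    packet_ins: int = 0

    def handle_packet_in(self, pkt: Packet):
        self.packet_ins += 1
        return pkt.flow_key()          # the flow rule the controller installs


@dataclass
class StatelessSwitch:
    """Classic OpenFlow behaviour: every table miss is escalated to the controller."""
    controller: Controller
    flow_table: set = field(default_factory=set)

    def process(self, pkt: Packet) -> str:
        key = pkt.flow_key()
        if key in self.flow_table:
            return "forward"
        self.flow_table.add(self.controller.handle_packet_in(pkt))
        return "packet_in"


@dataclass
class StatefulSwitch(StatelessSwitch):
    """Keeps per-source new-flow state in the data plane and stops escalating
    once a source exceeds the threshold, so a single flooder cannot saturate
    the controller or the control channel."""
    new_flow_threshold: int = 20
    new_flows: Counter = field(default_factory=Counter)
    blocked: set = field(default_factory=set)

    def process(self, pkt: Packet) -> str:
        if pkt.src in self.blocked:
            return "drop"
        key = pkt.flow_key()
        if key in self.flow_table:
            return "forward"
        self.new_flows[pkt.src] += 1
        if self.new_flows[pkt.src] > self.new_flow_threshold:
            self.blocked.add(pkt.src)  # local mitigation, no controller round trip
            return "drop"
        self.flow_table.add(self.controller.handle_packet_in(pkt))
        return "packet_in"


def build_traffic():
    """Constructed sample: a benign client reusing five connections, and one
    source opening 500 distinct connections to the same web server."""
    benign = [Packet("10.0.0.2", "10.0.0.10", "tcp", 40000 + i, 80) for i in range(5)]
    flood = [Packet("10.0.0.99", "10.0.0.10", "tcp", 50000 + i, 80) for i in range(500)]
    return benign + flood + benign     # the benign client returns after the flood


def simulate(stateful: bool, threshold: int = 20):
    """Run the constructed traffic through one switch type and summarise the
    load on the controller and the fate of each packet."""
    ctrl = Controller()
    switch = StatefulSwitch(ctrl, new_flow_threshold=threshold) if stateful else StatelessSwitch(ctrl)
    actions = Counter(switch.process(p) for p in build_traffic())
    return {
        "packet_ins": ctrl.packet_ins,
        "forwarded": actions["forward"],
        "dropped": actions["drop"],
        "blocked": sorted(getattr(switch, "blocked", set())),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless", simulate(mode))
```

With the stateless switch the controller sees 505 packet-in messages, 500 of them caused by one source; with the stateful switch it sees 25, the flooder is cut off after its 20th new flow without any controller involvement, and the benign client's later packets are still forwarded. Raising the threshold far above the flood size makes the stateful switch degrade to stateless behaviour, which is the trade-off any per-source threshold has to balance against legitimate bursty clients.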
© 2019 Springer Nature Singapore Pte Ltd.
Cite this paper
Krishnan, P., Achuthan, K. (2019). Managing Network Functions in Stateful Application Aware SDN. In: Thampi, S., Madria, S., Wang, G., Rawat, D., Alcaraz Calero, J. (eds) Security in Computing and Communications. SSCC 2018. Communications in Computer and Information Science, vol 969. Springer, Singapore. https://doi.org/10.1007/978-981-13-5826-5_7
DOI: https://doi.org/10.1007/978-981-13-5826-5_7
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-5825-8
Online ISBN: 978-981-13-5826-5