Managing Network Functions in Stateful Application Aware SDN

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 969))

Abstract

Software-defined networking (SDN) is emerging as a paradigm shift that is drastically changing modern networking: it simplifies and automates the orchestration and administration of large applications and data centers. The SDN architecture offers an easily programmable interface, centralized control and a distributed state-management model for modern networks. In the classical implementation of SDN, however, the intelligence is centralized at the controller and the role of the switches is reduced to simple packet forwarding. The controller must therefore, in addition to its control and management operations, gather runtime state and information from switches all over the network. This poses serious risks: (a) controller overload; (b) congestion in the control channel, because switches depend on the controller for even rudimentary forwarding operations; (c) exposure of the entire network infrastructure to attack; and (d) eventually, resource saturation attacks on the servers in the network. As SDN opened up such new attack vectors, several solutions have been proposed in the form of control plane extensions, data plane innovations, improved programming abstractions and augmentation of the OpenFlow channel. In this paper, we present our observations on emerging stateful SDN architectures and propose a stateful, application-aware SDN architecture. We developed a security-aware framework to detect threats and mitigate saturation attacks in the SDN stack and to defend against Denial-of-Service (DoS) attacks on other network services, and we present our experiments with DoS/flooding attack tools, datasets from popular sources, and simulations of real-world attack scenarios on the transport protocols TCP and UDP/IP and on the HTTP and NTP services.
The attack detection mechanism has no significant performance impact on good traffic and an average detection confidence of over 99.99% across traffic states; the mitigation response is comparable with the state of the art, but with our extensible, secure architecture we can defend against future attacks at scale.
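The control-channel amplification the abstract describes, as an added illustration that is not code from the paper: a classical switch escalates every table miss to the controller as a packet-in, so one host opening many short-lived flows (a SYN flood with fresh source ports) becomes controller load; a switch that keeps even a small per-source new-flow counter can cut off the excess locally while leaving other clients untouched. The class names, the new-flow budget and window, and the constructed traffic are all assumptions for the example, not the paper's detection or mitigation mechanism.

```python
"""Toy model of why a stateless SDN data plane turns a new-flow flood into
controller load, and how a little per-source state in the switch limits it.
Constructed illustration, not code from the paper; all names, budgets and
traffic below are assumptions."""
from collections import defaultdict


def flow_key(pkt):
    """Key used for exact-match flow rules (src, dst, sport, dport)."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])


class StatelessSwitch:
    """Classical OpenFlow behaviour: every table miss is escalated to the
    controller as a packet-in, and the controller installs a rule."""

    def __init__(self):
        self.flow_table = set()
        self.packet_ins = 0

    def receive(self, pkt):
        key = flow_key(pkt)
        if key in self.flow_table:
            return "forward"
        self.packet_ins += 1        # one message on the control channel
        self.flow_table.add(key)    # rule installed by the controller
        return "packet_in"


class StatefulSwitch(StatelessSwitch):
    """Adds per-source new-flow accounting in the data plane (assumed policy):
    a source opening more than `budget` new flows within one `window` seconds
    is dropped locally, so the controller never sees the excess."""

    def __init__(self, budget=20, window=1.0):
        super().__init__()
        self.budget = budget
        self.window = window
        self.new_flows = defaultdict(int)   # (src, window index) -> count
        self.dropped = 0

    def receive(self, pkt):
        key = flow_key(pkt)
        if key in self.flow_table:
            return "forward"
        bucket = (pkt["src"], int(pkt["t"] // self.window))
        self.new_flows[bucket] += 1
        if self.new_flows[bucket] > self.budget:
            self.dropped += 1
            return "drop"
        self.packet_ins += 1
        self.flow_table.add(key)
        return "packet_in"


def syn_flood(src, n, dst="10.0.0.80"):
    """Constructed flood: n connection attempts from one source within one
    second, each with a fresh source port so every packet is a table miss."""
    return [{"src": src, "dst": dst, "sport": 1024 + i, "dport": 80, "t": i * 0.001}
            for i in range(n)]


def benign_clients(n, dst="10.0.0.80"):
    """Constructed background traffic: n distinct clients, one flow each."""
    return [{"src": f"10.0.1.{i + 1}", "dst": dst, "sport": 40000, "dport": 80, "t": 0.5}
            for i in range(n)]


def compare(n_attack=1000, n_benign=10, budget=20):
    """Run the same traffic through both switches and report control-channel
    load (packet-ins) and whether any benign client was dropped."""
    attacker = "10.0.9.9"
    traffic = syn_flood(attacker, n_attack) + benign_clients(n_benign)
    result = {}
    for name, sw in (("stateless", StatelessSwitch()),
                     ("stateful", StatefulSwitch(budget=budget))):
        benign_dropped = 0
        for pkt in traffic:
            verdict = sw.receive(pkt)
            if pkt["src"] != attacker and verdict == "drop":
                benign_dropped += 1
        result[name] = {"packet_ins": sw.packet_ins,
                        "dropped": getattr(sw, "dropped", 0),
                        "benign_dropped": benign_dropped}
    return result


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

With the defaults, the stateless switch sends 1010 packet-ins (one per attack packet plus one per client), whereas the stateful switch sends 30 and drops the remaining 980 attack packets in the data plane without dropping any benign client. A production version would need state eviction, a sliding rather than fixed window, and a way to distinguish a busy legitimate host from an attacker; the point here is only that the decision can be taken before the control channel is involved.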

Corresponding author

Correspondence to Prabhakar Krishnan.

Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Krishnan, P., Achuthan, K. (2019). Managing Network Functions in Stateful Application Aware SDN. In: Thampi, S., Madria, S., Wang, G., Rawat, D., Alcaraz Calero, J. (eds) Security in Computing and Communications. SSCC 2018. Communications in Computer and Information Science, vol 969. Springer, Singapore. https://doi.org/10.1007/978-981-13-5826-5_7

  • DOI: https://doi.org/10.1007/978-981-13-5826-5_7

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-5825-8

  • Online ISBN: 978-981-13-5826-5