Skip to main content
SpringerLink
Log in

Early Detection of DDoS Attacks Against Software Defined Network Controllers

  • Published:
Journal of Network and Systems Management Aims and scope Submit manuscript

Abstract

Software Defined Network (SDN) is a new network architecture that has an operating system. Unlike conventional production networks, SDN allows more flexibility in network management using that operating system that is called the controller. The main advantage of having a controller in the network is the separation of the forwarding and the control planes, which provides central control over the network. Although central control is the major advantage of SDN, it is also a single point of failure if it is made unreachable by a Distributed Denial of Service (DDoS) attack. In this paper, that single point of failure is addressed by utilizing the controller to detect such attacks and protect the SDN architecture of the network in its early stages. The two main objectives of this paper are to (1) make use of the controller’s broad view of the network to detect DDoS attacks and (2) propose a solution that is effective and lightweight in terms of the resources that it uses. To accomplish these objectives, this paper examines the effect of DDoS attacks on the SDN controller and the way it can exhaust controller resources. The proposed solution to detect such attacks is based on the entropy variation of the destination IP address. Based on our experimental setup, the proposed method can detect DDoS within the first 250 packets of the attack traffic.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4

Similar content being viewed by others

Notes

  1. A new packet in the sense that there is no flow for it in the switch table and it must be sent to the controller to be validated for a new flow.

  2. It is important to note that starting with OpenFlow v1.4.0, an eviction mechanism exists.

References

  1. Open Networking Foundation: www.opennetworking.org (2014)

  2. Feinstein, L., Schnackenberg, D., Balupari, R., Kindred D.: Statistical approaches to DDoS attack detection and response. In: Proceedings of DARPA Information Survivability Conference and Exposition, vol. 1, pp. 303–314 (2003)

  3. SDN Central: http://www.sdncentral.com/announced-sdn-products/ (2014)

  4. Dhawan, M., Poddar, R., Mahajan, K., Mann, V.: SPHINX: detecting security attacks in software-defined networks, NDSS, pp. 1–15, 2015

  5. Gu G., Shin, S.: CloudWatcher: network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?). In: 20th IEEE International conference on Network Protocols, pp. 1–6 (2012)

  6. Su, W., Wu, L., Huang, Y., Kuo, S., Hu, Y.: Design of event-based intrusion detection system on OpenFlow network. In: IEEE International Conference on Dependable Systems and Networks (SDN), pp. 1–2 (2013)

  7. Mota, E., Passito A., Braga, R.: Lightweight DDoS flooding attack detection usingNOX/OpenFlow. In: IEEE 35th Conference on Local Computer Networks, pp. 408–415 (2010)

  8. Ostermann, S., Tjaden B., Ramadas, M.: Detecting anamalous network traffic with self-organizing maps. In: Recent Advances in Intrusion Detection, pp. 36–54 (2003)

  9. Wang, R., Jia, Z., Ju, L.: An entropy-based distributed DDoS detection mechanism in software-defined networking. In: IEEE Trustcom/BigDataSE/ISPA, pp. 310–317 (2015)

  10. Shin, S., Yegneswaran, V., Porras, P., Gu, G.: AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks. In: Proceedings of the 2013 ACM SIGSAC conference on computer and communications security, pp. 413–424 (2013)

  11. Wang, H., Xu, L., Gu, G.: FloodGuard: A DoS attack prevention extension in software-defined networks. In: 45th annual IEEE/IFIP international conference on dependable systems and networks, pp. 239–250 (2015)

  12. Zhang, J., Qin, Z., Ou, L., Jiang, P., Liu, J., Liu, A.X.: An advanced entropy-based DDoS detection scheme. In: International Conference on Information Networking and Automation (ICINA), pp. 67–71 (2010)

  13. No, G., Ra, I.: An efficient and reliable DDoS attack detection using fast entropy computation method. In: International Symposium on Communication and Information Technology, pp. 1223–1228 (2009)

  14. Nakashima, T., Sueyoshi T., Oshima, S.: Early DoS/DDoS detection method using short-term statistics. In: International Conference on Complex, Intelligent and Software Intensive Systems, pp. 168–173 (2010)

  15. Mininet: http://mininet.org (2014)

  16. Open Vswitch: http://openvswitch.org (2014)

  17. McCauley, M.: NOXREPO. http://www.noxrepo.org/ (2014)

  18. Scapy: http://www.secdev.org/projects/scapy (2014)

Download references

Author information

Authors and Affiliations

  1. Department of Systems and Computer Engineering, Carleton University, Ottawa, Canada

    Seyed Mohammad Mousavi & Marc St-Hilaire

Authors
  1. Seyed Mohammad Mousavi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Marc St-Hilaire
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Marc St-Hilaire.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Mousavi, S.M., St-Hilaire, M. Early Detection of DDoS Attacks Against Software Defined Network Controllers. J Netw Syst Manage 26, 573–591 (2018). https://doi.org/10.1007/s10922-017-9432-1

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10922-017-9432-1

Keywords

Search

Navigation