Amplified Distributed Denial of Service Attack in Software Defined Networking

Ambrosin, Moreno; Conti, Mauro; Gaspari, Fabio De; Devarajan, Nishanth

doi:10.1109/ntms.2016.7792432

Cited by 10 publications

(5 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Each handler can control up to a thousand agents. Now the new threat is something called Amplified Denial of Service (ADOS) [2]. And it's not a new threat as such, it's just a new common threat that's been theorized about for a while.…”

Section: Denial Of Servicementioning

confidence: 99%

A Survey of Network-based Security Attacks

Khan¹,

Goodridge²

2019

IJANA

View full text Add to dashboard Cite

Cross Site Scripting, SQL Injection, Denial of Service (DOS), Buffer Overflow and Password Cracking are current network-based security attacks that still looms on the Internet. Though these attacks have been around for decades and there exist protective mechanism for overcoming them they are still relevant today. In this paper we describe the basic workings of these attacks and outline how companies and individuals can mitigate these attacks. By taking the necessary precautions the severity of these attacks can be diminished.

show abstract

Section: Denial Of Servicementioning

confidence: 99%

A Survey of Network-based Security Attacks

Khan¹,

Goodridge²

2019

IJANA

View full text Add to dashboard Cite

show abstract

“…If a packet triggers the table‐miss event, it will be buffered in the switch, and the OpenFlow request contains only some fraction of the packet header and a buffer ID. If the buffer is full, the entire packet will be sent to the controller, causing the congestion of the OpenFlow channel between the switch and the controller . As a result, a large number of packets pile up in the controller socket interface, and the service for normal users is damaged too. (3) Controller resource saturation.…”

Section: Preliminariesmentioning

confidence: 99%

FMD: A DoS mitigation scheme based on flow migration in software‐defined networking

Yao

Lin

et al. 2018

Int J Communication

View full text Add to dashboard Cite

Software-defined networking (SDN) emerges as the next generation of networking architecture, aiming to improve the network manageability and adaptability.However, because of the centralized control policy, SDN is liable to suffering from the denial of service attack in both the data plane and the control plane. To resist the attack and prevent the network from being paralyzed, we propose a novel mitigation scheme named flow migration defense, which uses a slave controller as a substitution to endure flooding requests mitigated from the master controller. Considering the special case that the normal requests may be regarded as the malicious ones, these requests are reforwarded back to the master controller on the basis of the round-robin scheduling. To prevent the master controller from being flooded by the reforwarded requests, we design the adaptive rate adjustment method to adjust the reforwarding rate. Compared with multilevel feedback queue and FloodDefender, simulations demonstrate that flow migration defense can mitigate the SDN-aimed denial of service attack efficiently with a better performance in terms of request response time, packet loss rate, and mitigation time. KEYWORDSattack mitigation, denial of service attack, OpenFlow, software-defined networking Int J Commun Syst. 2018;31:e3543.wileyonlinelibrary.com/journal/dac

show abstract

“…Researchers have shown that the extensive communication between the data and control plane can potentially result in a bottleneck for the whole system, a situation that is exacerbated when a single controller manages a set of OpenFlow switches. Moreover, since the installation of rules on the switches is driven by the traffic generated from network users, an attacker can exploit this behavior to attack the control plane by flooding an OpenFlow switch with a large number of unique flows . Even worse, the control plane saturation attack can be performed through a variety of network protocols, including Transport Control Protocol (TCP), UDP ICMP, or IGMP , …”

Section: Second Dimension: Characteristics Provided By Sdn Controllermentioning

confidence: 99%

A comprehensive 3‐dimensional security analysis of a controller in software‐defined networking

Tseng

Naït‐Abdesselam

Khokhar

2018

Security and Privacy

View full text Add to dashboard Cite

Software-defined networking (SDN) has recently emerged as a novel networking paradigm that enables network administrators to manage network services through high-level abstraction of networking functions. This is achieved by mainly decoupling the control plane from the data plane. The control plane, namely the SDN controller, makes dynamic decisions on where traffic is sent in the underlying systems that forward data to the selected destinations. The SDN controller, seen as a networking operating system, acts, therefore, as the brain in SDN. Consequently, its importance makes it a privileged new target for future attackers. In order to have a comprehensive security assessment of the SDN controller, we conducted a 3-dimensional analysis to study the security of OpenFlow-based SDN controllers. This study includes: (1) the essential components of a controller, (2) the characteristics provided by a controller, and (3) the STRIDE model. At the end, we also summarized 9 principles that are necessary to secure an SDN controller from the reported attacks and analyzed the security of 5 active open-source controllers following those principles. KEYWORDSOpenFlow, SDN, SDN controller, security INTRODUCTIONSoftware-defined networking (SDN) is as susceptible to attacks as traditionally managed networks. A long and continuous series of attacks have revealed many areas of network vulnerability. The SDN controller is a key to any software-defined network and offers attackers a target not present in earlier network technologies. Clearly, any successful attack on the controller will halt or disrupt network operations. 1 To address this problem, some researchers have proposed to harden the SDN control plane. For example, FortNOX 2 hardens the kernel of the SDN controller (NOX) to avoid malicious rule injection from the application plane. Extending FortNOX, SE-Floodlight 3 enhances the security of the overall control plane through authentication, role authorization, and network application operation auditing. Rosemary 4 isolates the net-app from the control plane via interprocess communication (IPC), which enables the SDN controller to be immune from resource exhaustion attacks. Moreover, the distributed controllers have also been proposed for providing a more scalable control plane, such as ONOS, 5 Onix, 6 Kandoo, 7 and the 3-level controller architecture for IoT (Internet of things). 8 Moreover, a distributed architecture brings new challenges for data consistency between controllers. 9 However, the SDN controller remains vulnerable to many threats, such as data inconsistency, OpenFlow messages flooding, topology spoofing, malicious scanning, etc. Hence, the motivation of this work is to provide a clear view in order to evaluate the security of the control plane. A number of surveys on SDN/OpenFlow security also precede this analysis such as References 10-16. Reference 13 adopts STRIDE to evaluate the security of SDN. Conversely, Reference 17 uses STRIDE to evaluate the security of the Security Privacy. 2018;1:e21.wileyonlinelibrar...

show abstract

Amplified Distributed Denial of Service Attack in Software Defined Networking

Cited by 10 publications

References 10 publications

A Survey of Network-based Security Attacks

A Survey of Network-based Security Attacks

FMD: A DoS mitigation scheme based on flow migration in software‐defined networking

A comprehensive 3‐dimensional security analysis of a controller in software‐defined networking

Contact Info

Product

Resources

About