Exploiting the Vulnerability of Flow Table Overflow in Software-Defined Network: Attack Model, Evaluation, and Defense

Zhou, Yadong; Chen, Kaiyue; Zhang, Junjie; Leng, Junyuan; Tang, Yazhe

doi:10.1155/2018/4760632

Cited by 33 publications

(16 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…DoS attacks are launched from a single host, so their treatment can be easier, unlike DDoS attacks, which are launched through multiple hosts, usually botnets, and whose identification is more complex. Likewise, it has been observed that DoS attacks can be launched in conjunction with impersonation attacks, such as MAC or IP address spoofing [128], [129], or can even be triggered after an inference attack [130].…”

Section: Southbound Interface and Data Planementioning

confidence: 99%

A Survey of the Main Security Issues and Solutions for the SDN Architecture

et al. 2021

View full text Add to dashboard Cite

The software-defined networking (SDN) paradigm proposes the decoupling of control and data planes and a centralized software-oriented management approach based on a central controller, easing the development of new applications and services. These design principles pave the way for a more flexible, fast, and dynamic software-controlled network. However, in terms of security, the elements that comprise the SDN architecture present several vulnerabilities, which could be exploited by attackers to carry out malicious actions and thus affect the network and its services. Although for several years, some studies have already focused on identifying the weaknesses of the SDN layer structure, the nature of the attacks, and possible solutions for this paradigm, the literature contains few contributions that review and discuss this topic in an integral fashion. This paper provides a comprehensive, updated, and detailed review of the main security issues and mitigating measures for all layers and interfaces of the SDN architecture, classifying the contributions according to the STRIDE threat modeling methodology categories. Finally, this manuscript identifies, discusses, and synthesizes open challenges and future research directions in this area.

show abstract

Section: Southbound Interface and Data Planementioning

confidence: 99%

A Survey of the Main Security Issues and Solutions for the SDN Architecture

et al. 2021

View full text Add to dashboard Cite

show abstract

“…In addition, under the attack of OpenFlow switch, the table overflow will be more serious, and how to deal with it is still a problem to be solved. Zhou et al proposed a strategy to build a new flow aggregation algorithm and a multilevel flow table architecture to defend against the overflow attack launched by the attacker [5]. Cao studied the effects of the LOFT (Low-Rate Flow Table ) overflow attacks on the SDN network, proposed a method for attackers to detect the SDN network configuration and build low-rate attack traffic, and gave two simple methods to prevent the network configuration detection [13].…”

Section: Security and Communication Networkmentioning

confidence: 99%

“…However, the introduction of the new architecture also brings a lot of new problems [1], among which security is the most noteworthy, including the security of the data plane [2,3]. e data plane not only will be affected by existing attacks in traditional networks (such as DDoS attacks [4]) but will also bring new types of attacks due to its own architecture, the most typical of which are flow table overflow attacks [5,6].…”

Section: Introductionmentioning

confidence: 99%

A Table Overflow LDoS Attack Defending Mechanism in Software-Defined Networks

Xie

Xing

Zhang

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

In order to achieve requirements such as fast search of flow entries and mask matching, OpenFlow hardware switches usually use TCAM to store flow entries. Limited by the capacity of TCAM, the current commercial OpenFlow switches can only support hundreds of thousands of flow entries, which makes SDN network using OpenFlow hardware switches vulnerable to the threat of flow table overflow attack. Among them, low-rate DoS (LDoS) attack against table overflow poses a serious threat to SDN networks due to its high attack efficiency and concealed flow, and it is also difficult to detect. In this regard, this paper analyzed two types of LDoS attack flow against table overflow and proposed an attack detection and defense mechanism named SAIA (Small-flow Analysis and Inport-flow Analysis) through the design of table overflow prediction and flow entries deletion strategy. Experiments conducted through the SDN network environment showed that SAIA can effectively detect and suppress LDoS attack flows in the flow table in large-scale network conditions and verified that the deployment of SAIA is lightweight. At the same time, SAIA implemented the flow entry deletion strategy based on LRU when the flow table overflows in a nonattack situation, which further enhances the stability of the network.

show abstract

“…In response to the tampering threat, [23] proposed a method based on hierarchical protection to mitigate attacks against controller storage components. [53] proposed a route aggregation algorithm and a multi-level flow table structure, aiming to mitigate the vulnerability to flow table overflow. [24] proposed a defence framework, SPHINX, against network topology attacks and controller DoS attacks.…”

Section: Sdn Security Defensesmentioning

confidence: 99%

A Systematic Treat Model for Software-Defined Networking

2021

KSII TIIS

View full text Add to dashboard Cite

Software-Defined Networking (SDN) has three key features: separation of control and forwarding, centralized control, and network programmability. While improving network management flexibility, SDN has many security issues. This paper systemizes the security threats of SDN using spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege (STRIDE) model to understand the current security status of SDN. First, we introduce the network architecture and data flow of SDN. Second, we analyze security threats of the six types given in the STRIDE model, aiming to reveal the vulnerability mechanisms and assess the attack surface. Then, we briefly describe the corresponding defense technologies. Finally, we summarize the work of this paper and discuss the trends of SDN security research.

show abstract

Exploiting the Vulnerability of Flow Table Overflow in Software-Defined Network: Attack Model, Evaluation, and Defense

Cited by 33 publications

References 23 publications

A Survey of the Main Security Issues and Solutions for the SDN Architecture

A Survey of the Main Security Issues and Solutions for the SDN Architecture

A Table Overflow LDoS Attack Defending Mechanism in Software-Defined Networks

A Systematic Treat Model for Software-Defined Networking

Contact Info

Product

Resources

About