FloodGuard: A DoS Attack Prevention Extension in Software-Defined Networks

Wang, Haopei; Xu, Lei; Gu, Guofei

doi:10.1109/dsn.2015.27

Cited by 301 publications

(183 citation statements)

References 17 publications

Supporting

Mentioning

160

Contrasting

Unclassified

Order By: Relevance

“…Avant-Guard [3] shows a new attack (which is called data-to-control plane saturation attack) against SDN networks and provide solutions to prevent such attacks. FloodGuard [7] provides a new solution to this attack. Besides, SPHINX [2] proposes a unified approach to use network graphs to detect attacks that violate those learned flow graphs.…”

Section: Security Research For Sdn Networkmentioning

confidence: 99%

Hauth:A Novel Approach for Network Visibility Protection

Wang¹,

Gao²,

Zhang³

2017

Proceedings of the International Conference on Computer Networks and Communication Technology (CNCT 2016)

View full text Add to dashboard Cite

show abstract

Section: Security Research For Sdn Networkmentioning

confidence: 99%

Hauth:A Novel Approach for Network Visibility Protection

Wang¹,

Gao²,

Zhang³

2017

Proceedings of the International Conference on Computer Networks and Communication Technology (CNCT 2016)

View full text Add to dashboard Cite

show abstract

“…AvantGuard can alleviate TCP saturation attack effectively which however, has some limitation for other protocols. FloodGuard [11] is another approach which is also proposed to defend saturation attack in both control plane and data plane. FloodGuard adopts proactive flow rules to preserve network policy enforcement and packet migration mechanism to protect the controller from being overloaded.…”

Section: Related Workmentioning

confidence: 99%

An Approach for Protecting the OpenFlow Switch from the Saturation Attack

Wang¹,

Zhou²,

Chen³

et al. 2016

Proceedings of the 2015 4th National Conference on Electrical, Electronics and Computer Engineering

View full text Add to dashboard Cite

Abstract. Security is always a serious issue influencing the development of Software-Defined Network (SDN). The central control mechanism makes the SDN controller a bottleneck of the network which is vulnerable to network saturation attack. In this paper, we propose an approach to defense this kind attack. Firstly, we add a miss matched packet cache module in the OpenFlow switch which can temporarily cache the packets that don't match in the flow table. Besides, we apply the mechanism of separating the header and payload of packets in the cache queue once the switch detects the volume of cache queue exceeding the threshold of the cache size. In addition, the switch can classify the packets headers and send it in an alert message to the SDN controller for further processing. At last in the paper, we evaluate the effort of our proposed approach in Mininet. With our approach, the SDN network can effectively defend the network saturation attack.

show abstract

“…end if (12) end for ( a product of innovations (errors) of the past terms and its standard deviation by = ,…”

Section: Forecastmentioning

confidence: 99%

“…AvantGuard [2] introduces connection migration and actuating triggers into the SDN architecture to defend against the SYN Flood attacks, but it does not work well when confronted with other DoS attacks in SDN. FloodGuard [12] uses proactive flow rule analyzer and packet migration to defend against data plane saturation attack, but it is too costly. Previously related works, such as [13,14], employed Self Organizing Maps (SOM) to classify whether the traffic is abnormal or not to defend against DoS attacks, but the overhead of the classification is also too high to be used in real time.…”

Section: Related Workmentioning

confidence: 99%

SDNManager: A Safeguard Architecture for SDN DoS Attacks Based on Bandwidth Prediction

Wang

Chen

Cheng

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Software-Defined Networking (SDN) has quickly emerged as a promising technology for future networks and gained much attention. However, the centralized nature of SDN makes the system vulnerable to denial-of-services (DoS) attacks, especially for the currently widely deployed multicontroller system. Due to DoS attacks, SDN multicontroller model may additionally face the risk of the cascading failures of controllers. In this paper, we propose SDNManager, a lightweight and fast denial-of-service detection and mitigation system for SDN. It has five components: monitor, forecast engine, checker, updater, and storage service. It typically follows a control loop of reading flow statistics, forecasting flow bandwidth changes based on the statistics, and accordingly updating the network. It is worth noting that the forecast engine employs a novel dynamic time-series (DTS) model which greatly improves bandwidth prediction accuracy. What is more, to further optimize the defense effect, we also propose a controller dynamic scheduling strategy to ensure the global network state optimization and improve the defense efficiency. We evaluate SDNManager through a prototype implementation tested in a real SDN network environment. The results show that SDNManager is effective with adding only a minor overhead into the entire SDN/OpenFlow infrastructure.

show abstract

FloodGuard: A DoS Attack Prevention Extension in Software-Defined Networks

Cited by 301 publications

References 17 publications

Hauth:A Novel Approach for Network Visibility Protection

Hauth:A Novel Approach for Network Visibility Protection

An Approach for Protecting the OpenFlow Switch from the Saturation Attack

SDNManager: A Safeguard Architecture for SDN DoS Attacks Based on Bandwidth Prediction

Contact Info

Product

Resources

About