FMD: A DoS mitigation scheme based on flow migration in software‐defined networking

Wu, Pengpeng; Yao, Lin; Lin, Chi; Wu, Guowei; Obaidat, Mohammad S.

doi:10.1002/dac.3543

Cited by 14 publications

(5 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The proposed scheme has high resource utilization and can effectively alleviate the impact of DDoS attacks on controller resource consumption. Wu et al [ 21 ] proposed a new mitigation scheme, FlowMitigation, in order to resist DDoS attacks in SDNs. The proposed scheme uses a slave controller as an alternative to tolerating flooding requests from the master controller.…”

Section: Related Workmentioning

confidence: 99%

A Method of DDoS Attack Detection and Mitigation for the Comprehensive Coordinated Protection of SDN Controllers

Wang

2023

Entropy

View full text Add to dashboard Cite

Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system’s timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

show abstract

Section: Related Workmentioning

confidence: 99%

A Method of DDoS Attack Detection and Mitigation for the Comprehensive Coordinated Protection of SDN Controllers

Wang

2023

Entropy

View full text Add to dashboard Cite

show abstract

“…7 and implemented in the Mininet 2.2.2 emulator environment [32]. According to Table II, this implementation uses OpenVSwitch [33] software switches for the Open_ Flow switches and the RYU platform [34] for the controllers. Additionally, the iPerf [35] tool has been used to produce UDP flood attack traffic in order to test the scenarios.…”

Section: Investigating How the Proposal Is Affected By A Control-leve...mentioning

confidence: 99%

Security in Software-Defined Networks Against Denial-of-Service Attacks Based on Increased Load Balancing Efficiency

ZHANG,

DING

2023

IJACSA

View full text Add to dashboard Cite

The goal of software-oriented networks (SDNs), which enable centralized control by separating the control layer from the data layer, is to increase manageability and network compatibility. However, this form of network is vulnerable to the control layer going down in the face of a denial-of-service assault because of the centralized control policy. The considerable increase in events brought on by the introduction of fresh currents into the network puts a lot of strain on the control surface when the system is in reaction mode. Additionally, the existence of recurring events that seriously impair the control surface's ability to function, such as the gathering of statistical data from the entire network, might have a negative impact. This article introduces a new approach that uses a control box comprising a coordinating controller, a main controller that establishes the flow rules, and one or more sub-controllers that establish the rules to fend off the attack and avoid network paralysis. It makes use of current (when needed). The controllers who currently set the regulations are relieved of some work by giving the coordinating controller management and supervision responsibilities. Additionally, the coordinator controller distributes the load at the control level by splitting up incoming traffic among the controllers of the flow rules. Thus, a proposed method can avoid performance disruption of the flow rule setter's main controller and withstand denial-of-service attacks by distributing the traffic load brought on by the denial-ofservice attack to one or more sub-controllers of the flow rule setter. The results of the experiments conducted indicate that, when compared to the existing solutions, the proposed solution performs better in the face of a denial-of-service assault.

show abstract

“…FloodDefender aims at securing both the control and data layers through leveraging table-miss engineering and packet filter approaches. FMD [32] is another solution to prevent re-forwarded request-based flooding attacks in a multi-SDN environment. FMD deploys an adaptive rate adjustment method to adjust the re-forwarding rate.…”

Section: Related Workmentioning

confidence: 99%

SYNGuard: Dynamic threshold‐based SYN flood attack detection and mitigation in software‐defined networks

et al. 2021

View full text Add to dashboard Cite

SYN flood attacks (half-open attacks) have been proven a serious threat to softwaredefined networking (SDN)-enabled infrastructures. A variety of intrusion detection and prevention systems (IDPS) have been introduced for identifying and preventing such security threats, but they often result in significant performance overhead and response time. Therefore, those existing approaches are inflexible for large-scale networks and realtime applications. For this reason, a novel and adaptive threshold-based kernel-level intrusion detection and prevention system by leveraging SDN capabilities are proposed. The proposed systems to detect and mitigate the aforementioned threats within an SDN over widely used traditional IDPS technologies, Snort and Zeek, are comparatively examined. The approach is evaluated using a mixture of fundamental adverse attacks and SDN-specific threats on a real-world testbed. The experimental results demonstrate the efficacy of the mechanism to detect and mitigate SYN flood attacks within an SDN environment. This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited.

show abstract

FMD: A DoS mitigation scheme based on flow migration in software‐defined networking

Cited by 14 publications

References 20 publications

A Method of DDoS Attack Detection and Mitigation for the Comprehensive Coordinated Protection of SDN Controllers

A Method of DDoS Attack Detection and Mitigation for the Comprehensive Coordinated Protection of SDN Controllers

Security in Software-Defined Networks Against Denial-of-Service Attacks Based on Increased Load Balancing Efficiency

SYNGuard: Dynamic threshold‐based SYN flood attack detection and mitigation in software‐defined networks

Contact Info

Product

Resources

About