Realtime DDoS Defense Using COTS SDN Switches via Adaptive Correlation Analysis

Zheng, Jing; Li, Qi; Gu, Guofei; Cao, Jiahao; Yau, David K. Y.; Wu, Jianping

doi:10.1109/tifs.2018.2805600

Cited by 146 publications

(80 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus, we build another long processing chain to better explore the hijacking probability for different positions of the malicious application and the target application. Specifically, we apply four applications, i.e., DoS Detection [38], ARP Proxy [39], Hub [40], and Learning Switch [41], to form the processing chain. Figure 8 shows the two longest processing chains that contain eight SDN applications in total.…”

Section: A Experiments Setupmentioning

confidence: 99%

“…The functionalities of these applications range from basic network service, such as providing network topology with Topology Manager, and network optimizations, such as balancing flows across multiple servers with Load Balancer, to advanced network security enhancement, such as detecting malicious flows with DoS Detection. For their detailed functionality description, we refer the readers to the links [34], [35], [36], [37], [38], [39], [40], [41]. In our experiments, we focus on the hijacking probability and attack effectiveness with the two longest processing chains.…”

Section: A Experiments Setupmentioning

confidence: 99%

See 1 more Smart Citation

When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN

Cao¹,

Xie²,

Sun³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Software-Defined Networking (SDN) greatly meets the need in industry for programmable, agile, and dynamic networks by deploying diversified SDN applications on a centralized controller. However, SDN application ecosystem inevitably introduces new security threats since compromised or malicious applications can significantly disrupt network operations. Thus, a number of effective security enhancement systems have been developed to defend against potential attacks from SDN applications. In this paper, we identify a new vulnerability on flow rule installation in SDN, namely, buffered packet hijacking, which can be exploited by malicious applications to launch effective attacks bypassing all existing defense systems. The root cause of this vulnerability lies in that SDN systems do not check the inconsistency between buffer IDs and match fields when an application attempts to install flow rules. Thus, a malicious application can manipulate buffer IDs to hijack buffered packets even though they do not match any installed flow rules. We design effective attacks exploiting this vulnerability to disrupt all three SDN layers, i.e., application layer, data plane layer, and control layer. First, by modifying buffered packets and resending them to controllers, a malicious application can poison other applications. Second, by manipulating forwarding behaviors of buffered packets, a malicious application can not only disrupt TCP connections of flows but also make flows bypass network security policies. Third, by copying massive buffered packets to controllers, a malicious application can saturate the bandwidth of SDN control channels and their computing resources. We demonstrate the feasibility and effectiveness of these attacks with both theoretical analysis and experiments in a real SDN testbed. Finally, we develop a lightweight defense system that can be readily deployed in existing SDN controllers as a patch.

show abstract

Section: A Experiments Setupmentioning

confidence: 99%

Section: A Experiments Setupmentioning

confidence: 99%

When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN

Cao¹,

Xie²,

Sun³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…Zheng et al proposed a technique named reinforcing anti-DDoS action in realtime (RADAR), a real-time defense application built on commercial off-the-shelf (COTS) unmodified SDN switches to detect and defend against various flooding attacks through adaptive correlation analysis [39]. Attacks are detected by identifying certain attack features in suspicious flows.…”

Section: Reinforcing Anti-ddos Actions In Realtime (Radar)mentioning

confidence: 99%

On Distributed Denial of Service Current Defense Schemes

2019

View full text Add to dashboard Cite

Distributed denial of service (DDoS) attacks are a major threat to any network-based service provider. The ability of an attacker to harness the power of a lot of compromised devices to launch an attack makes it even more complex to handle. This complexity can increase even more when several attackers coordinate to launch an attack on one victim. Moreover, attackers these days do not need to be highly skilled to perpetrate an attack. Tools for orchestrating an attack can easily be found online and require little to no knowledge about attack scripts to initiate an attack. Studies have been done severally to develop defense mechanisms to detect and defend against DDoS attacks. As defense schemes are designed and developed, attackers are also on the move to evade these defense mechanisms and so there is a need for a continual study in developing defense mechanisms. This paper discusses the current DDoS defense mechanisms, their strengths and weaknesses.

show abstract

“…All the modules will cooperate to complete a series of tasks such as authorization, classification, and so on. Zheng et al propose Reinforcing Anti‐DDoS Actions in Realtime (RADAR) to detect and throttle DDoS attacks via adaptive correlation analysis built upon unmodified commercial off‐the‐shelf SDN switches. It is an efficient system to defend against a wide range of flooding‐based DDoS attacks, eg, link flooding, SYN flooding, and UDP‐based amplification attacks while requiring neither modifications in SDN switches/protocols nor new appliances.…”

Section: Related Workmentioning

confidence: 99%

SYN‐Guard: An effective counter for SYN flooding attack in software‐defined networking

Mohammadi

Conti

Lal

et al. 2019

Int J Communication

View full text Add to dashboard Cite

In software-defined networking (SDN), TCP SYN flooding attack is considered as one of the most effective attacks to perform control plane and target server saturation. In this attack, an attacker generates a large number of malicious SYN requests, and because of the absence of the forwarding rules, the data plane switches have to forward these SYN messages to the controller. This excessive forwarding causes congestion over the communication channel between a data plane and control plane, and it also exhausts computational resources at both the planes. In this paper, we propose a novel countermeasure called SYN-Guard to detect and prevent SYN flooding in SDN networks. We fully implement SYN-Guard on the SDN controller to validate the incoming TCP connection requests. The controller installs forwarding rules for the SYN requests that successfully clear the validation test of SYN-Guard. The host of the fake SYN request is detected, and SYN-Guard prevents it from sending any further SYN requests to the data plane switch. The performance evaluation done using the simulation results shows that SYN-Guard exhibits low side effect for genuine TCP requests, and when compared with standard SDN and state-of-art proposals, it reduces the average response time up to 21% during an ongoing SYN flooding attack. KEYWORDS denial of service, resource exhaustion, security, software-defined networking, SYN flooding Int J Commun Syst. 2019;32:e4061.wileyonlinelibrary.com/journal/dac

show abstract

Realtime DDoS Defense Using COTS SDN Switches via Adaptive Correlation Analysis

Cited by 146 publications

References 12 publications

When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN

When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN

On Distributed Denial of Service Current Defense Schemes

SYN‐Guard: An effective counter for SYN flooding attack in software‐defined networking

Contact Info

Product

Resources

About