TableGuard: A Novel Security Mechanism Against Flow Table Overflow Attacks in SDN

Kong, Dezhang; Wu, Chunming; Shen, Yi; Chen, Xiang; Liu, Hongyan; Zhang, Dong

doi:10.1109/globecom48099.2022.10001437

Cited by 5 publications

(3 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Xu et al [21] proposed a defense model that uses the concept of degree to locate vulnerable switches and deploys token bucket to limit the strength of overflow attacks. Kong et al [55] designed TableGuard, which uses the proactive flow rule number as the detection metric and applies a statistical approach to help filter malicious flows. However, because these methods mitigate or locate overflow attacks based on flow entry consumption rather than attack flow features, they may fail to defend against distributed attacks that exhibit subtle patterns and evade detection by consuming flow entries within the normal range.…”

Section: A Table Management Methodsmentioning

confidence: 99%

“…To induce the PPS overflow, we combine 100 background flows and 110 POA flows, leading to the eviction of 10 entries each time. We compare the proposed eviction algorithm with FIFO, LFU, SIFT [38], SAIA [25] and TableGuard [55] in terms of the evction of attack flows. To investigate the impact of attack traffic, we set the packet interval at 1s, 0.1s, 0.01s, and a 1:1 mixture of both.…”

Section: B Evaluation Of Flow Entry Eviction Algorithmmentioning

confidence: 99%

“…In this context, the SAIA and LFU eviction algorithms preferentially evict normal flow entries, thereby posing a vulnerability to POA. Therefore, the latest eviction algorithms that function similarly to SAIA, such as FTMaster [54] and LtRFT [55], are excluded from comparison. Furthermore, a comparison between Fig.…”

Section: B Evaluation Of Flow Entry Eviction Algorithmmentioning

confidence: 99%

See 2 more Smart Citations

POAGuard: A Defense Mechanism Against Preemptive Table Overflow Attack in Software-Defined Networks

Liu,

Wang,

Feng

2023

IEEE Access

View full text Add to dashboard Cite

In Software-Defined Networks (SDN), the limited flow table capacity of switches makes them susceptible to flow table overflow attacks, which can lead to performance degradation or network corruption. Prior research has mainly focused on rate-based overflow attacks (ROA), which exhibit varying attack effects depending on the overflow rate. This study introduces a novel attack called the preemptive overflow attack (POA), which exploits flow entry eviction mechanism to preempt the flow entries of normal applications, resulting in amplified performance degradation. Notably, when using the widely deployed Least Frequently Used (LFU) eviction algorithm, POA achieves a significant impact while consuming fewer flow entries than existing ROA methods. Furthermore, the detection of POA remains challenging owing to the lack of distinctive flow features. To mitigate POA, we propose POAGuard as a defense mechanism. POAGuard incorporates a table segmentation method for table management, a score-based eviction algorithm that evicts suspicious flow entries, and a concept drift-based detection method that identifies and defends against POA. Extensive experiments are conducted to verify the effectiveness of POAGuard, and the results demonstrate that POAGuard can effectively defend against POA.

show abstract

Section: A Table Management Methodsmentioning

confidence: 99%