TY - GEN
T1 - FloodShield
T2 - 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications and 12th IEEE International Conference on Big Data Science and Engineering, Trustcom/BigDataSE 2018
AU - Zhang, Menghao
AU - Bi, Jun
AU - Bai, Jiasong
AU - Li, Guanyu
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/9/5
Y1 - 2018/9/5
N2 - Software-Defined Networking (SDN) has attracted great attention from both academia and industry. However, the deployment of SDN has faced some critical security issues, such as Denial-of-Service (DoS) attacks on the SDN infrastructure. One such DoS attack is the data-to-control plane saturation attack, where an attacker floods a large number of packets to trigger massive table-misses and packet-in messages in the data plane. This attack can exhaust resources of different components of the SDN infrastructure, including TCAM and buffer memory in the data plane, bandwidth of the control channel, and CPU cycles of the controller. In this paper, we analyze the vulnerability of SDN against the data-to-control plane saturation attack extensively and design FloodShield, a comprehensive, deployable and lightweight SDN defense framework to mitigate this dedicated DoS attack. FloodShield combines the following two techniques: 1) source address validation which filters forged packets directly in the data plane, and 2) stateful packet supervision which monitors traffic states of real addresses and performs dynamic countermeasures based on evaluation scores and network resource usages. Implementations and experiments demonstrate that, compared with previous defense frameworks, FloodShield provides effective protection for all three components of the SDN infrastructure - data plane, control channel and control plane - with less resource consumption.
KW - Denial-of-Service Attack
KW - Software Defined Networking
KW - Source Address Validation
KW - Stateful Packet Supervision
UR - https://www.scopus.com/pages/publications/85054053411
U2 - 10.1109/TrustCom/BigDataSE.2018.00101
DO - 10.1109/TrustCom/BigDataSE.2018.00101
M3 - Conference contribution
AN - SCOPUS:85054053411
SN - 9781538643877
T3 - Proceedings - 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications and 12th IEEE International Conference on Big Data Science and Engineering, Trustcom/BigDataSE 2018
SP - 687
EP - 698
BT - Proceedings - 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications and 12th IEEE International Conference on Big Data Science and Engineering, Trustcom/BigDataSE 2018
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 31 July 2018 through 3 August 2018
ER -
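The abstract describes the attack as a flood of packets that trigger table-misses and packet-in messages, and the defence as source address validation performed in the data plane plus stateful supervision of the real addresses that pass it. The Python simulation below is an added illustration of that mechanism, not FloodShield's own code: it models a switch with a bounded exact-match flow table whose misses become packet-ins, and compares an undefended run with one that applies an assumed port-to-prefix binding table and an assumed per-source miss budget that tightens as controller load rises. The traffic mix, capacities, budgets and binding table are all constructed for the example.

```python
"""Toy simulation of the data-to-control plane saturation attack described
in the abstract, with two illustrative data-plane countermeasures (ingress
source-address validation and per-source stateful supervision).
Added example code, not FloodShield's implementation; every number, the
binding table and the traffic mix are assumptions."""
import random
from collections import defaultdict

TCAM_CAPACITY = 64           # assumed: exact-match flow entries the switch holds
MISS_BUDGET_PER_SRC = 8      # assumed: table-misses a validated source may raise
CONTROLLER_BUDGET = 200      # assumed: packet-ins the controller absorbs per window
PORT_PREFIX = {1: "10.0.1.", 2: "10.0.2."}  # assumed port -> legitimate source prefix


def make_traffic(seed=1, legit=40, spoofed=300, real_flood=120):
    """Constructed sample traffic as (ingress_port, src_ip, dst_ip) tuples."""
    rng = random.Random(seed)
    pkts = []
    for _ in range(legit):                      # ordinary hosts behind ports 1 and 2
        port = rng.choice([1, 2])
        pkts.append((port, f"10.0.{port}.{rng.randint(2, 20)}",
                     f"10.0.{3 - port}.{rng.randint(2, 20)}"))
    for _ in range(spoofed):                    # attacker on port 1, forged random sources
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        pkts.append((1, src, f"10.0.2.{rng.randint(2, 254)}"))
    for _ in range(real_flood):                 # same attacker, real source, random dsts
        pkts.append((1, "10.0.1.66", f"10.0.2.{rng.randint(2, 254)}"))
    rng.shuffle(pkts)
    return pkts


class Switch:
    """Flow table with FIFO eviction; every miss is a packet-in to the controller."""

    def __init__(self, defend):
        self.defend = defend
        self.flows = []                       # installed (src, dst) entries, oldest first
        self.misses = defaultdict(int)        # per-source miss count: the supervision state
        self.stats = dict(packet_in=0, evicted=0, dropped_spoofed=0,
                          throttled=0, forwarded=0)

    def _miss_budget(self):
        # Dynamic countermeasure: shrink the per-source budget as controller load rises.
        return MISS_BUDGET_PER_SRC if self.stats["packet_in"] < CONTROLLER_BUDGET // 2 else 2

    def process(self, port, src, dst):
        s = self.stats
        if (src, dst) in self.flows:
            s["forwarded"] += 1
            return
        # Table miss. Defence step 1: validate the source against the port binding,
        # entirely in the data plane, so forged packets never reach the controller.
        if self.defend and not src.startswith(PORT_PREFIX[port]):
            s["dropped_spoofed"] += 1
            return
        self.misses[src] += 1
        # Defence step 2: a real source that keeps raising misses is throttled.
        if self.defend and self.misses[src] > self._miss_budget():
            s["throttled"] += 1
            return
        s["packet_in"] += 1                   # packet-in crosses the control channel
        self._controller_install(src, dst)
        s["forwarded"] += 1                   # controller releases the buffered packet

    def _controller_install(self, src, dst):
        # The controller spends cycles installing a rule; a full table evicts the oldest.
        if len(self.flows) >= TCAM_CAPACITY:
            self.flows.pop(0)
            self.stats["evicted"] += 1
        self.flows.append((src, dst))


def run(defend, seed=1):
    """Replay the constructed traffic through one switch and return its counters."""
    sw = Switch(defend)
    for pkt in make_traffic(seed):
        sw.process(*pkt)
    return sw.stats


if __name__ == "__main__":
    for label, defend in (("no defence", False), ("validation + supervision", True)):
        print(f"{label:26s} {run(defend)}")
```

Without the defence, all 300 forged-source packets and nearly all of the flood from the real address miss the table, so the controller handles several hundred packet-ins and the 64-entry table thrashes, evicting legitimate flows. With it, the forged packets are dropped before any packet-in is generated, the real attacking source is cut off after its miss budget, and the table never fills.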