Journal of Computer Science and Technology ›› 2022, Vol. 37 ›› Issue (4): 839-851.doi: 10.1007/s11390-022-1495-0

Special Issue: Computer Networks and Distributed Computing

• Special Section of MASS 2020-2021 • Previous Articles     Next Articles

An Efficient Scheme to Defend Data-to-Control-Plane Saturation Attacks in Software-Defined Networking

Xuan-Bo Huang1 (黄轩博), Student Member, IEEE, Kai-Ping Xue1,* (薛开平), Senior Member, CCF, IEEE, Yi-Tao Xing1 (幸一滔), Student Member, IEEE, Ding-Wen Hu1 (胡定文), Student Member, IEEE, Ruidong Li2 (李睿栋), Senior Member, IEEE, and Qi-Bin Sun1 (孙启彬), Fellow, IEEE        

  1. 1School of Cyber Science and Technology, University of Science and Technology of China, Hefei 230027, China
    2College of Science and Engineering, Kanazawa University, Kanazawa 920-1192, Japan
  • Received:2021-04-04 Revised:2022-04-06 Accepted:2022-05-24 Online:2022-07-25 Published:2022-07-25
  • Contact: Kai-Ping Xue
  • About author:
    Kai-Ping Xue received his Bachelor's degree from the Department of Information Security, University of Science and Technology of China (USTC), Hefei, in 2003, and received his Ph.D. degree in information and communication engineering from the Department of Electronic Engineering and Information Science (EEIS), USTC, Hefei, in 2007. From May 2012 to May 2013, he was a postdoctoral researcher with Department of Electrical and Computer Engineering, University of Florida, Gainesville. Currently, he is a professor in the School of Cyber Science and Technology and the Department of EEIS, USTC, Hefei. His research interests include next-generation Internet, distributed networks and network security. He serves on the Editorial Board of several journals, including the IEEE Transactions on Dependable and Secure Computing (TDSC), the IEEE Transactions on Wireless Communications (TWC), and the IEEE Transactions on Network and Service Management (TNSM). He has also served as a (lead) guest editor of many reputed journals/magazines, including IEEE Journal on Selected Areas in Communications (JSAC), IEEE Communications Magazine and IEEE Network. He is a fellow of the IET and a senior member of CCF and IEEE.
  • Supported by:
    The work was supported in part by the National Natural Science Foundation of China under Grant Nos. 61972371, U19B2023 and U19B2044, and the Youth Innovation Promotion Association of the Chinese Academy of Sciences under Grant No. Y202093.

Software-defined networking (SDN) decouples the data and control planes. However, attackers can lead catastrophic results to the whole network using manipulated flooding packets, called the data-to-control-plane saturation attacks. The existing methods, using centralized mitigation policies and ignoring the buffered attack flows, involve extra network entities and make benign traffic suffer from long network recovery delays. For these purposes, we propose LFSDM, a saturation attack detection and mitigation system, which solves these challenges by leveraging three new techniques: 1) using linear discriminant analysis (LDA) and extracting a novel feature called control channel occupation rate (CCOR) to detect the attacks, 2) adopting the distributed mitigation agents to reduce the number of involved network entities and, 3) cleaning up the buffered attack flows to enable fast recovery. Experiments show that our system can detect the attacks timely and accurately. More importantly, compared with the previous work, we save 81% of the network recovery delay under attacks ranging from 1,000 to 4,000 packets per second (PPS) on average, and 87% of the network recovery delay under higher attack rates with PPS ranging from 5,000 to 30,000.

Key words: software-defined networking (SDN); saturation attack; fast recovery; linear discriminant analysis;

[1] Kreutz D, Ramos F, V P et al. Software-defined networking: A comprehensive survey. Proc. IEEE, 2015, 103(1): 14-76. DOI: 10.1109/JPROC.2014.2371999.

[2] McKeown N, Anderson T, Balakrishnan H et al. OpenFlow: Enabling innovation in campus networks. ACM SIGCOMM Computer Communication Review, 2008, 38(2): 69-74. DOI: 10.1145/1355734.1355746

[3] Shin S, Yegneswaran V, Porras P, Gu G. AVANT-GUARD: Scalable and vigilant switch flow management in software-defined networks. In Proc. the ACM Conference on Computer and Communications Security, November 2013, pp.413-424. DOI: 10.1145/2508859.2516684.

[4] Fichera S, Galluccio L, Grancagnolo S et al. OPERETTA: An OPEnflow-based remedy to mitigate TCP SYNFLOOD attacks against web servers. Computer Networks, 2015, 92: 89-100. DOI: 10.1016/j.comnet.2015.08.038.

[5] Mohammadi R, Javidan R, Conti M. SLICOTS: An SDN-based lightweight countermeasure for TCP SYN flooding attacks. IEEE Transactions on Network and Service Management, 2017, 14(2): 487-497. DOI: 10.1109/TNSM.2017.2701549.

[6] Li Z, Xing W, Khamaiseh S, Xu D. Detecting saturation attacks based on self-similarity of OpenFlow traffic. IEEE Transactions on Network and Service Management, 2020, 17(1): 607-621. DOI: 10.1109/TNSM.2019.2959268.

[7] Achleitner S, Porta T L, Jaeger T, McDaniel P. Adversarial network forensics in software defined networking. In Proc. the Symposium on SDN Research, April 2017, pp.8-20. DOI: 10.1145/3050220.3050223.

[8] Liu S, Reiter M K, Sekar V. Flow reconnaissance via timing attacks on SDN switches. In Proc. the 37th IEEE International Conference on Distributed Computing Systems, June 2017, pp.196-206. DOI: 10.1109/ICDCS.2017.281.

[9] Cao J, Li Q, Xie R et al. The CrossPath attack: Disrupting the SDN control channel via shared links. In Proc. the 28th USENIX Security Symposium, August 2019, pp.19-36.

[10] Patwardhan A, Jayarama D, Limaye N et al. SDN Security: Information disclosure and flow table overflow attacks. In Proc. the IEEE Global Communications Conference, December 2019. DOI: 10.1109/GLOBECOM38437.2019.9014048.

[11] Zhang M, Li G, Xu L et al. Control plane reflection attacks in SDNs: New attacks and countermeasures. In Proc. the 21st International Symposium on Research in Attacks, Intrusions, and Defenses, September 2018, pp.161-183. DOI: 10.1007/978-3-030-00470-5.

[12] Cao J, Xu M, Li Q et al. Disrupting SDN via the data plane: A low-rate flow table overflow attack. In Proc. the 13th International Conference on Security and Privacy in Communication Networks, October 2017, pp.356-376. DOI: 10.1007/978-3-319-78813-5.

[13] Yu M, He T, McDaniel P, Burke Q K. Flow table security in SDN: Adversarial reconnaissance and intelligent attacks. In Proc. the 39th IEEE International Conference on Computer Communications, July 2020, pp.1519-1528. DOI: 10.1109/INFOCOM41043.2020.9155538.

[14] Wang H, Xu L, Gu G. FloodGuard: A DoS attack prevention extension in software-defined networks. In Proc. the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, June 2015, pp.239-250. DOI: 10.1109/DSN.2015.27.

[15] Gao S, Peng Z, Xiao B, Hu A Q, Ren K. FloodDefender: Protecting data and control plane resources under SDN-aimed DoS attacks. In Proc. the 36th IEEE International Conference on Computer Communications, May 2017. DOI: 10.1109/INFOCOM.2017.8057009.

[16] Buragohain C, Medhi N. FlowTrApp: An SDN based architecture for DDoS attack detection and mitigation in data centers. In Proc. the 3rd International Conference on Signal Processing and Integrated Networks, February 2016, pp.519-524. DOI: 10.1109/SPIN.2016.7566750.

[17] Hu D, Hong P, Chen Y. FADM: DDoS flooding attack detection and mitigation system in software-defined networking. In Proc. the IEEE Global Communications Conference, December 2017. DOI: 10.1109/GLOCOM.2017.8254023.

[18] Giotis K, Argyropoulos C, Androulidakis G et al. Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments. Computer Networks, 2014, 62: 122-136. DOI: 10.1016/j.bjp.2013.10.014.

[19] Da Silva A, Wickboldt J, Granville L, Schaeffer-Filho A. ATLANTIC: A framework for anomaly traffic detection, classification, and mitigation in SDN. In Proc. the IEEE/IFIP Conference on Network Operations and Management Symposium, April 2016, pp.27-35. DOI: 10.1109/NOMS.2016.7502793.

[20] Kotani D, Okabe Y. A packet-in message filtering mechanism for protection of control plane in OpenFlow networks. In Proc. the ACM/IEEE Symposium on Architectures for Networking and Communications Systems, October 2014, pp.29-40. DOI: 10.1145/2658260.2658276.

[21] Huang X, Xue K, Xing Y, Hu D, Li R, Sun Q. FSDM: Fast recovery saturation attack detection and mitigation framework in SDN. In Proc. the 17th IEEE International Conference on Mobile Ad Hoc and Sensor Systems, Dec. 2020, pp.329-337. DOI: 10.1109/MASS50613.2020.00048.

[22] Fisher R A. The use of multiple measurements in taxonomic problems. Annals of Eugenics, 1936, 7(2): 179-188. DOI: 10.1111/j.1469-1809.1936.tb02137.x.

[23] Shin S, Gu G. Attacking software-defined networks: A first feasibility study. In Proc. the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, August 2013, pp.165-166. DOI: 10.1145/2491185.2491220.

[24] Ambrosin M, Conti M, De Gaspari F, Poovendran R. LineSwitch: Tackling control plane saturation attacks in software-defined networking. IEEE/ACM Transactions on Networking, 2017, 25(2): 1206-1219. DOI: 10.1109/TNET.2016.2626287.

[25] Sonchack J, Dubey A, Aviv A J et al. Timing-based reconnaissance and defense in software-defined networks. In Proc. the 32nd Annual Conference on Computer Security Applications, December 2016, pp.89-100. DOI: 10.1145/2991079.2991081.

[26] Bloom B H. Space/time trade-offs in hash coding with allowable errors. Communications of the ACM, 1970, 13(7): 422-426. DOI: 10.1145/362686.362692.

[1] Maryam Zarezadeh, Hamid Mala, Homa Khajeh. Preserving Privacy of Software-Defined Networking Policies by Secure Multi-Party Computation [J]. Journal of Computer Science and Technology, 2020, 35(4): 863-874.
[2] Jianjun Zheng, Akbar Siami Namin. A Survey on the Moving Target Defense Strategies: An Architectural Perspective [J]. Journal of Computer Science and Technology, 2019, 34(1): 207-233.
[3] LIU QingShan , HUANG Rui , LU HanQing and MA SongDe . Kernel-Based Nonlinear Discriminant Analysis for Face Recognition [J]. , 2003, 18(6): 0-0.
Full text



[1] Zhou Di;. A Recovery Technique for Distributed Communicating Process Systems[J]. , 1986, 1(2): 34 -43 .
[2] Chen Shihua;. On the Structure of Finite Automata of Which M Is an(Weak)Inverse with Delay τ[J]. , 1986, 1(2): 54 -59 .
[3] Feng Yulin;. Recursive Implementation of VLSI Circuits[J]. , 1986, 1(2): 72 -82 .
[4] Liu Mingye; Hong Enyu;. Some Covering Problems and Their Solutions in Automatic Logic Synthesis Systems[J]. , 1986, 1(2): 83 -92 .
[5] Wang Xuan; Lü Zhimin; Tang Yuhai; Xiang Yang;. A High Resolution Chinese Character Generator[J]. , 1986, 1(2): 1 -14 .
[6] C.Y.Chung; H.R.Hwa;. A Chinese Information Processing System[J]. , 1986, 1(2): 15 -24 .
[7] Sun Zhongxiu; Shang Lujun;. DMODULA:A Distributed Programming Language[J]. , 1986, 1(2): 25 -31 .
[8] Jin Lan; Yang Yuanyuan;. A Modified Version of Chordal Ring[J]. , 1986, 1(3): 15 -32 .
[9] Pan Qijing;. A Routing Algorithm with Candidate Shortest Path[J]. , 1986, 1(3): 33 -52 .
[10] Wu Enhua;. A Graphics System Distributed across a Local Area Network[J]. , 1986, 1(3): 53 -64 .

ISSN 1000-9000(Print)

CN 11-2296/TP

Editorial Board
Author Guidelines
Journal of Computer Science and Technology
Institute of Computing Technology, Chinese Academy of Sciences
P.O. Box 2704, Beijing 100190 P.R. China
  Copyright ©2015 JCST, All Rights Reserved