A Novel OpenFlow-Based DDoS Flooding Attack Detection and Response Mechanism in Software-Defined Networking

A Novel OpenFlow-Based DDoS Flooding Attack Detection and Response Mechanism in Software-Defined Networking

Rui Wang (Shandong University, Jinan, China), Zhiyong Zhang (Shandong University, Jinan, China), Lei Ju (Shandong University, Jinan, China) and Zhiping Jia (Shandong University, Jinan, China)
Copyright: © 2015 |Pages: 20
DOI: 10.4018/IJISP.2015070102


Software-Defined Networking (SDN) and OpenFlow have brought a promising architecture for the future networks. However, there are still a lot of security challenges to SDN. To protect SDN from the Distributed denial-of-service (DDoS) flooding attack, this paper extends the flow entry counters and adds a mark action of OpenFlow, then proposes an entropy-based distributed attack detection model, a novel IP traceback and source filtering response mechanism in SDN with OpenFlow-based Deterministic Packet Marking. It achieves detecting the attack at the destination and filtering the malicious traffic at the source and can be easily implemented in SDN controller program, software or programmable switch, such as Open vSwitch and NetFPGA. The experimental results show that this scheme can detect the attack quickly, achieve a high detection accuracy with a low false positive rate, shield the victim from attack traffic and also avoid the attacker consuming resource and bandwidth on the intermediate links.
Article Preview


The Open Networking Foundation (ONF) a non-profit consortium has promoted SDN and OpenFlow (OF) protocol (McKeown et al., 2008) as a new norm for networks. OpenFlow-based SDN technologies enable IT to address dynamic nature of the current application, reduce operations and management complexity.

However, SDN is still not completely designed. The attributes of centralized control and programmability also bring many challenges, as discussed in (Yan, Zhang, & Vasilakos, 2015). Specially, DDoS attack (Mirkovic, & Reiher, 2004) is still a huge threat to SDN (Kreutz, Ramos, & Verissimo, 2013). This paper focuses on DDoS flooding attack which usually originates from distributed zombies and targets to exhaust victim’s bandwidth or resources. A lot of people have done researches on DDoS detection and migration in SDN e.g., (Braga, Mota, & Passito, 2010) and (Mehdi, Khalid, & Khayam, 2011). Most researches collect the flow tables from the switch and do the anomaly detection in the controller. However, when the network scale becomes larger, the collecting process burdens the communication overload between the switch and the controller (Giotis, Argyropoulos, Androulidakis, Kalogeras, & Maglaris, 2014). And also the attack response time is depended on the polling time (Moshref, Yu, & Govindan, 2014). Sampling technologies, such as sFlow and NetFlow, may relieve this overload, but bring a new tradeoff between sampling rate and detection accuracy.

To protect the victim, as discussed in (Zargar, Joshi, & Tipper, 2013), the system can traceback the real sources of the attack traffic which may use IP Spoofing, filter or mitigate the attack traffic based on the attack signature. IP traceback in traditional network has been well researched e.g., Deterministic Packet Marking (DPM) (Xiang, Zhou, & Guo, 2009) and Probabilistic Packet Marking (PPM) (Park, & Lee, 2001) approaches. Now, it also draws more and more attention in SDN e.g., (Zhang, Reich, & Rexford, 2015) and (Francois, & Festor, 2015). However, these existing works do the traceback relying on the complex algorithms running in the controller and mostly focus on identifying the potential paths of an anomaly.

To deal with the DDoS flooding attack, this paper proposes a complete detection and response mechanism in SDN. In order to lighten the overhead caused by flow collection and detect the DDoS attack proactively at the edge switch, the authors propose an entropy-based distributed detection mechanism. Then leveraging the first ingress edge router’s information provided by DPM and the global topology capacity of the controller, the authors propose a novel SDN IP traceback and source filtering mechanism. The main contributions of this paper can be summarized as follows:

  • Extending the OF flow entry by adding a copy of the packet number counter and a local host flag, the edge switch can get the flow traffic information during the monitoring period and identify the flow to its local network;

  • By running DDoS detection mechanism in the OpenFlow edge switch, the heavy communication between the controller and the switch can be reduced;

  • To the best knowledge of the authors, this paper is among the first combining the DPM with the character of OpenFlow to realize IP traceback system in SDN;

  • Utilizing the proposed novel communication manner from the victim to the controller, this paper achieves a source filtering mechanism that avoids resource and bandwidth consumption on the intermediate links.

The remainder of this paper is organized as follows. The authors firstly describe the related work, secondly explain the entropy-based distributed DDoS detection mechanism in detail, then state the novel SDN IP traceback and source filtering response mechanism, and then presents the experimental setups and results, and offer the concluding remarks finally.

Complete Article List

Search this Journal:
Open Access Articles
Volume 14: 4 Issues (2020): 2 Released, 2 Forthcoming
Volume 13: 4 Issues (2019)
Volume 12: 4 Issues (2018)
Volume 11: 4 Issues (2017)
Volume 10: 4 Issues (2016)
Volume 9: 4 Issues (2015)
Volume 8: 4 Issues (2014)
Volume 7: 4 Issues (2013)
Volume 6: 4 Issues (2012)
Volume 5: 4 Issues (2011)
Volume 4: 4 Issues (2010)
Volume 3: 4 Issues (2009)
Volume 2: 4 Issues (2008)
Volume 1: 4 Issues (2007)
View Complete Journal Contents Listing