Abstract—In this paper, we propose a history-based dynamic timeout scheme to alleviate the flow table overflow attack, one of the typical attacks against Software Defined Networks (SDN). We investigated the hard timeout and idle timeout used in OpenFlow, the most popular protocol for SDN, and developed a scheme that dynamically adjusts both the hard timeout and the idle timeout to reduce the number of flow rules. The experiment results show that it can protect SDN switches from flow table overflow efficiently.
Index Terms—Software-Defined Network, Flow Table Overflow, Dynamic Timeout.

I. INTRODUCTION

As networks have advanced, a new network architecture has appeared: the Software-defined Network (SDN). Unlike a traditional network, an SDN network can be divided into three layers: the application layer, the control layer, and the data layer. The control layer is a logically centralized controller that manages the whole network by installing rules into the data layer. The data layer consists of the other devices, which just forward packets according to the rules. The data layer has to ask the controller where to forward an arriving packet if the packet does not match any of the rules. Lastly, the application layer is where SDN applications run. SDN brings many advantages. Because the centralized controller takes charge of routing computation, the data plane can concentrate on forwarding packets. The programmability of SDN and its decoupled structure make managing and changing a network much more flexible. The controller can handle a frequently changing network topology and deploy flow rules that are suitable at that time.

Because of the structural difference between traditional networks and SDN, existing security solutions are not suitable for SDN. In addition, SDN has some problems of its own that cannot be ignored, and these have been continuously addressed by other research. One of the problems is the limited capability of SDN switches. SDN switches use TCAM (Ternary Content-Addressable Memory) as the device for the flow table. Because TCAM is expensive and has high power consumption, the memory capacity of SDN switches is limited, so the storage for the flow table is targeted by malicious attackers. When the flow rules caused by a large amount of traffic overflow the memory capacity, incoming packets of new flows will be dropped. This then leads to denial of service and performance degradation [12]. To prevent incoming packets from being dropped, OpenFlow [4], the most common SDN protocol, has supported a flow eviction mechanism since version 1.4.0. It enables switches to automatically remove flow rules with low importance when the flow table is full.

OpenFlow produces new flow rules for the corresponding flows and processes packets according to the rules. Therefore, insufficient memory capacity for the flow table may cause an overflow, and in the same context this kind of DoS attack can be a significant threat to SDN. Although the DoS attack is simple, it may affect not only the switch but also the communication channel between switch and controller and the computational resources of the controller. In other words, it can affect the performance of the whole network in an SDN environment. Furthermore, a low-rate DDoS with a broad IP address range is more threatening, since low-rate DDoS traffic is hard to distinguish from normal traffic.

To protect SDN networks from the flow table overflow attack, we propose a history-based dynamic timeout that can effectively reduce the number of flow rules. The intuition is simple. Because a flow that has carried more packets in the past is less suspicious, it is given a long timeout. On the other hand, a flow with fewer packets is given a short timeout, since it might come from an attacker.

A long timeout avoids unnecessary traffic between the controller and the switches, and a short timeout reduces the number of flows that unnecessarily occupy the flow table. To manage the flow history efficiently, we develop a 2D counting bloom filter that stores the past statistics, i.e., the number of packets of each flow over a certain amount of time. We also propose a dynamic timeout adjustment mechanism that determines both the hard timeout and the idle timeout according to the historical statistics. In our scheme, every flow is at first installed with static timeouts. Then the controller derives the flow duration and packet count from each Flow Removed message. The packet count is saved in the bloom filter at this time, and the controller calculates the average flow duration using an Exponential Moving Average. Once an average flow duration has been calculated, the controller starts to install flow rules with dynamic hard/idle timeouts computed according to the packet count of the corresponding flow. With dynamic timeouts based on historical statistics, the proposed scheme can protect SDN switches from the overflow attack efficiently.

∗ Corresponding author
Authorized licensed use limited to: UNIVERSITY OF WESTERN ONTARIO. Downloaded on May 25,2021 at 15:10:07 UTC from IEEE Xplore. Restrictions apply.
II. RELATED WORK

A. Denial of Service Attack

A Denial of Service (DoS) attack is regarded as a severe issue for SDN. DoS attacks have existed since traditional networks, but the centralized control of SDN makes it more vulnerable to them. Despite its simplicity, a DoS attack can cause many critical problems such as buffer saturation, flow table overflow, congestion of the control-data plane channel, and controller saturation [5]. Moreover, these may occur simultaneously. Once they occur, the performance of the entire network decreases, and the whole network may even stop working. In this paper, we concentrate on the flow table overflow attack, which is a kind of DoS attack.
statistics collect module extracts the packet count, duration, and source/destination information from the message. Then it updates the average flow duration according to an Exponential Moving Average and records the packet count in the bloom filter using the source/destination information. We used the source MAC and destination MAC in our experiment. By using the exponential moving average to update the average flow duration, we can expect the average flow duration to become more sensitive to recent changes in the network.

According to equation 1, the hard timeout uses the average flow duration as its baseline. This lets the hard timeout calculation assign a short hard timeout to a new and unreliable flow. For example, if an attacker sends attack packets to a switch, the average flow duration of the network will decrease. In this case, the hard timeout of a reliable flow could be shortened as well. To prevent this situation, the timeout calculate module determines the hard timeout by adding additional seconds to the average flow duration. The extra seconds increase logarithmically with the corresponding packet count. We can therefore expect that nearly the same value as the average flow duration will be assigned to new and malicious flows. Because the average flow duration decreases when an attack occurs, a shorter hard timeout will be set for new flows.

After the hard timeout calculation, the timeout calculate module calculates and assigns an idle timeout to detect a long packet interval within the calculated hard timeout. The idle timeout calculation follows equation 2, which increases in proportion to the packet count and is inversely proportional to the average flow duration. In other words, a longer idle timeout is assigned to a flow with more historical records.

Algorithm 2: Timeout Calculate Module
Input: AFD, packet count
Output: TH, TI
1 if packet count == 0 then
2   TH ← AFD + 0

In short, our bloom filter has m*n buckets, and each bucket consists of 8 bits. We used the source/destination MAC as the key to select a bucket for the packet count.

IV. EVALUATION

We implemented the proposed scheme using a Ryu controller in a virtual machine. To test whether the proposed scheme properly keeps the number of flow rules low under the DoS attack, we recorded the number of flow rules and the bandwidth between the controller and the switch that is the target of the attack. The topology of the experiment network is shown in Fig. 3, and the process of the experiment is as follows:
i) One of the hosts replays captured packets [14].
ii) Another host, the attacker, generates packets that have random source/destination IP/MAC addresses and forwards them to a victim shortly after the replay begins. We used Scapy, a Python program, to generate the packets.
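The statistics collect module and timeout calculate module of Section III, written out as an added Python example. This is illustrative code, not the authors' Ryu application. Equations 1 and 2 and the remainder of Algorithm 2 are not reproduced on this page, so the formulas used here (hard timeout = AFD + log2(1 + packet count); idle timeout proportional to packet count / AFD) are stand-ins chosen only to satisfy the properties the text states; the EMA weight of 0.3, the bucket selection (k hashes, source MAC picks a row, destination MAC picks a column), the 64 x 64 filter size, and clamping the results to the 1~10 / 1~8 ranges listed in Table I are likewise assumptions. The 8-bit buckets, the source/destination MAC key, and deriving duration and packet count from Flow Removed messages follow the paper. The traffic in demo() is constructed for the example.

```python
"""Illustrative history-based dynamic timeout logic (not the authors' Ryu app)."""
import hashlib
import math
from dataclasses import dataclass


class CountingBloomFilter2D:
    """m x n grid of 8-bit counters keyed by (src_mac, dst_mac).

    Assumption: each of k hashes maps src_mac to one of m rows and dst_mac to
    one of n columns; a flow's count is the minimum over its k buckets, the
    usual counting-Bloom-filter query. Buckets saturate at 255 (8 bits).
    """
    BUCKET_MAX = 255

    def __init__(self, m=64, n=64, k=3):
        self.m, self.n, self.k = m, n, k
        self.buckets = [[0] * n for _ in range(m)]

    @staticmethod
    def _h(i, key, modulus):
        digest = hashlib.blake2b(f"{i}|{key}".encode(), digest_size=4).digest()
        return int.from_bytes(digest, "big") % modulus

    def _cells(self, src_mac, dst_mac):
        return [(self._h(i, src_mac, self.m), self._h(i, dst_mac, self.n))
                for i in range(self.k)]

    def add(self, src_mac, dst_mac, count):
        # Saturating add: a flow with >255 packets must not wrap back to a small count.
        for r, c in self._cells(src_mac, dst_mac):
            self.buckets[r][c] = min(self.BUCKET_MAX, self.buckets[r][c] + count)

    def query(self, src_mac, dst_mac):
        return min(self.buckets[r][c] for r, c in self._cells(src_mac, dst_mac))


@dataclass
class FlowRemoved:
    """Fields the statistics collect module reads from an OFPT_FLOW_REMOVED message."""
    src_mac: str
    dst_mac: str
    duration_sec: float
    packet_count: int


def clamp_seconds(value, lo, hi):
    """Round to whole seconds; lo must be >= 1 because OpenFlow treats 0 as 'never expire'."""
    return max(lo, min(hi, int(round(value))))


class DynamicTimeoutController:
    """Statistics collect module (EMA of flow duration) + timeout calculate module."""

    def __init__(self, alpha=0.3, static_hard=10, static_idle=5,
                 hard_range=(1, 10), idle_range=(1, 8)):
        self.alpha = alpha              # EMA weight of the newest sample (assumed value)
        self.static_hard = static_hard  # static timeouts used until an AFD exists
        self.static_idle = static_idle
        self.hard_range = hard_range    # output ranges taken from Table I (clamping assumed)
        self.idle_range = idle_range
        self.afd = None                 # average flow duration; None before first FlowRemoved
        self.history = CountingBloomFilter2D()

    def on_flow_removed(self, msg):
        """Record the flow's packet count and update AFD by Exponential Moving Average."""
        self.history.add(msg.src_mac, msg.dst_mac, msg.packet_count)
        if self.afd is None:
            self.afd = float(msg.duration_sec)
        else:
            self.afd = self.alpha * msg.duration_sec + (1 - self.alpha) * self.afd

    def timeouts_for(self, src_mac, dst_mac):
        """Return (hard, idle) timeouts in whole seconds for a flow about to be installed."""
        if self.afd is None:
            return self.static_hard, self.static_idle
        pc = self.history.query(src_mac, dst_mac)
        # Eq. 1 stand-in: AFD baseline plus seconds growing logarithmically with the
        # packet count; pc == 0 gives AFD + 0, matching line 2 of Algorithm 2.
        hard = clamp_seconds(self.afd + math.log2(1 + pc), *self.hard_range)
        # Eq. 2 stand-in: idle grows with packet count and shrinks as AFD grows.
        idle = clamp_seconds(pc / max(self.afd, 1e-9), *self.idle_range)
        # An idle timeout longer than the hard timeout can never fire, so cap it.
        return hard, min(idle, hard)


def demo():
    """Constructed scenario: one steady normal flow, then a random-MAC flood."""
    ctl = DynamicTimeoutController()
    normal = ("00:00:00:00:00:01", "00:00:00:00:00:02")
    initial = ctl.timeouts_for(*normal)            # no history yet: static timeouts
    for _ in range(5):                             # normal flow removed 5 times: 40 pkts over 8 s
        ctl.on_flow_removed(FlowRemoved(*normal, 8.0, 40))
    quiet = ctl.timeouts_for(*normal)
    for i in range(50):                            # attack: 1-packet flows that expire after 1 s
        ctl.on_flow_removed(FlowRemoved(f"02:00:00:00:{i:02x}:aa",
                                        f"02:00:00:00:{i:02x}:bb", 1.0, 1))
    under_attack = ctl.timeouts_for(*normal)       # AFD has collapsed toward 1 s
    attacker = ctl.timeouts_for("02:00:00:00:ff:cc", "02:00:00:00:ff:dd")
    return initial, quiet, under_attack, attacker


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the behaviour the text argues for: once the flood drives the average flow duration down, a fresh random-MAC flow gets a hard timeout of about one second while the flow with history keeps a hard timeout near nine seconds and the maximum idle timeout. Two details matter in a deployment: the 8-bit buckets saturate at 255 rather than wrapping, so a long-lived flow cannot overflow into looking new, and the floor of one second is deliberate, because OpenFlow interprets a timeout of 0 as "no timeout", which would turn a flow the scheme intends to expire quickly into one that never expires.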
Fig. 2: 2D Counting Bloom Filter

Fig. 4: The number of normal flows over time

1) The number of flow rules: The number of flow rules is the most important parameter for monitoring whether the proposed scheme successfully alleviates a table overflow attack. We made the controller issue an ofp_flow_stats_request message periodically and log the reply for the experiment.

Through Environment 2 in Fig. 4 and Fig. 5, we can see that installing flow rules with only an idle timeout keeps the most flow rules, including the DoS flow rules. To alleviate this ineffectiveness, we set the hard timeout to 10 seconds and reduced the idle timeout to 5 seconds for Environment 3, based on our intuition. By setting both kinds of timeout simultaneously, we obtained a better result than in Environment 2. However, setting timeouts to a static value does not bring a satisfactory result, because it does not consider whether each flow rule is normal or not.

Fig. 4 and Fig. 5 show that the proposed scheme outperformed the other environments. The proposed scheme effectively reduced the number of DoS flow rules while keeping the number of normal flow rules at an appropriate level. It is also better than FTGuard in terms of the number of DoS flow rules.

2) Bandwidth: Because the Statistics Module in the proposed scheme sends messages to keep track of the per-flow packet count, it could consume much more bandwidth than the other schemes. In fact, however, Table II shows that the proposed scheme takes just a few hundred KiB more bandwidth than the others.

TABLE I: Evaluation Environments
Environment                        Hard Timeout   Idle Timeout
Environment 1 (Proposed Scheme)    1~10           1~8
Environment 2                      None           10
Environment 3                      10             5
Environment 4 (FTGuard)            None           None

TABLE II: Bandwidth Measurement under DoS attack
                          Environment 1   Environment 2   Environment 3   Environment 4
Bandwidth under attack    RX: 304 KiB     RX: 184 KiB     RX: 190 KiB     RX: 451 KiB
                          TX: 344 KiB     TX: 320 KiB     TX: 328 KiB     TX: 189 KiB
V. CONCLUSION

In this paper, we propose a new scheme for mitigating the flow table overflow attack. We show that using either timeout alone can cause problems and propose using both. We then develop an application that assigns proper dynamic timeouts to flows, calculated from the per-flow packet count. The results of our experiments demonstrate that the proposed scheme properly reduces the number of flow rules under the DoS attack.

ACKNOWLEDGMENT

This work was partly supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. 2020R1F1A1076795), and by the Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2018-0-00254, SDN security technology development).

REFERENCES

[1] S. Scott-Hayward, G. O'Callaghan, and S. Sezer, "SDN security: A survey," 2013 IEEE SDN for Future Networks and Services (SDN4FNS), IEEE, 2013.
[2] J. C. Correa Chica, J. Cuatindioy Imbachi, and J. F. Botero, "Security in SDN: A comprehensive survey," Journal of Network and Computer Applications (2020): 102595.
[3] C.-C. Chuang et al., "Minimization of TCAM usage for SDN scalability in wireless data centers," 2016 IEEE Global Communications Conference (GLOBECOM), IEEE, 2016.
[4] Open Networking Foundation, "OpenFlow Switch Specification," 2014, http://www.opennetworking.org
[5] T. Ubale and A. K. Jain, "Survey on DDoS Attack Techniques and Solutions in Software-Defined Network," in B. Gupta, G. Perez, D. Agrawal, and D. Gupta (eds.), Handbook of Computer Networks and Cyber Security, Springer, Cham, 2020.
[6] L. Zhang, R. Lin, S. Xu, and S. Wang, "AHTM: Achieving efficient flow table utilization in Software Defined Networks," 2014 IEEE Global Communications Conference, Austin, TX, 2014, pp. 1897-1902, doi: 10.1109/GLOCOM.2014.7037085.
[7] H. Zhu, H. Fan, X. Luo, and Y. Jin, "Intelligent timeout master: Dynamic timeout for SDN-based data centers," 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), Ottawa, ON, 2015, pp. 734-737, doi: 10.1109/INM.2015.7140363.
[8] B. Sooden and M. R. Abbasi, "A Dynamic Hybrid Timeout Method to Secure Flow Tables Against DDoS Attacks in SDN," 2018 First International Conference on Secure Cyber Computing and Communication (ICSCCC), Jalandhar, India, 2018, pp. 29-34, doi: 10.1109/ICSCCC.2018.8703307.
[9] X. Li and Y. Huang, "A Flow Table with Two-Stage Timeout Mechanism for SDN Switches," 2019 IEEE 21st International Conference on High Performance Computing and Communications; IEEE 17th International Conference on Smart City; IEEE 5th International Conference on Data Science and Systems (HPCC/SmartCity/DSS), Zhangjiajie, China, 2019, pp. 1804-1809, doi: 10.1109/HPCC/SmartCity/DSS.2019.00248.
[10] T. Xu, D. Gao, P. Dong, C. H. Foh, and H. Zhang, "Mitigating the Table-Overflow Attack in Software-Defined Networking," IEEE Transactions on Network and Service Management, vol. 14, no. 4, pp. 1086-1097, Dec. 2017, doi: 10.1109/TNSM.2017.2758796.
[11] G. Shang, P. Zhe, X. Bin, H. Aiqun, and R. Kui, "FloodDefender: Protecting data and control plane resources under SDN-aimed DoS attacks," IEEE INFOCOM 2017 - IEEE Conference on Computer Communications, Atlanta, GA, 2017, pp. 1-9, doi: 10.1109/INFOCOM.2017.8057009.
[12] M. Zhang, J. Bi, J. Bai, and G. Li, "FloodShield: Securing the SDN Infrastructure Against Denial-of-Service Attacks," 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications / 12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), New York, NY, 2018, pp. 687-698, doi: 10.1109/TrustCom/BigDataSE.2018.00101.
[13] M. Zhang, J. Bi, J. Bai, Z. Dong, Y. Li, and Z. Li, "FTGuard: A priority-aware strategy against the flow table overflow attack in SDN," in Proceedings of the SIGCOMM Posters and Demos, 2017, pp. 141-143.
[14] Retrieved from https://s3.amazonaws.com/tcpreplay-pcap-files/bigFlows.pcap