DDoS attacks on data plane of software-defined network: are they possible?

With software-defined networking (SDN) becoming the leading technology for large-scale networks, it is definitely expected that SDN will suffer various types of distributed denial-of-service (DDoS) attacks because of its centralized control logic. However, almost all of existing works concentrate on the controller overloading DDoS attacks, while vulnerabilities exposed by data plane of SDN for DDoS attacks are largely ignored. In this paper, we firstly investigate a flow rule flooding DDoS attack. By thoroughly analyzing the flow table size and miss rate, we find that attackers are able to inflict significant performance degradation over the system with limited volume of attack resource. We then prove that it is possible for attackers to maximize the performance degradation and minimize the attack rate at the same time. Besides the flooding DDoS attack, we also study a novel DDoS attack targeting data plane of SDN. By utilizing the entry lifetime management mechanism of flow tables, this attack almost never exhibits an intensive controller access behavior. It flies under the radar by inflicting non-notable performance impact on the system, while it creates heavy long-term financial burden on the target application. Finally, we present a potential countermeasure for this stealthy DDoS attack. Through extensive experiments, we conclude that DDoS attacks targeting data plane are possible.