DDoS attacks on data plane of software-defined network: are they possible?

Wu, Xiaotong, Liu, Meng, Dou, Wanchun and Yu, Shui 2016, DDoS attacks on data plane of software-defined network: are they possible?, Security and communication networks, vol. 9, no. 18, pp. 5444-5459, doi: 10.1002/sec.1709.

Title DDoS attacks on data plane of software-defined network: are they possible?
Author(s) Wu, Xiaotong
Liu, Meng
Dou, Wanchun
Yu, Shui (ORCID iD: orcid.org/0000-0003-4485-6743)
Journal name Security and communication networks
Volume number 9
Issue number 18
Start page 5444
End page 5459
Total pages 16
Publisher John Wiley & Sons
Place of publication Chichester, Eng.
Publication date 2016-12
ISSN 1939-0114
Keyword(s) software-defined network
flooding DDoS
stealthy DDoS
DDoS detection
Summary With software-defined networking (SDN) becoming the leading technology for large-scale networks, it is definitely expected that SDN will suffer various types of distributed denial-of-service (DDoS) attacks because of its centralized control logic. However, almost all existing works concentrate on controller overloading DDoS attacks, while vulnerabilities exposed by the data plane of SDN for DDoS attacks are largely ignored. In this paper, we first investigate a flow rule flooding DDoS attack. By thoroughly analyzing the flow table size and miss rate, we find that attackers are able to inflict significant performance degradation on the system with a limited volume of attack resources. We then prove that it is possible for attackers to maximize the performance degradation and minimize the attack rate at the same time. Besides the flooding DDoS attack, we also study a novel DDoS attack targeting the data plane of SDN. By utilizing the entry lifetime management mechanism of flow tables, this attack almost never exhibits an intensive controller access behavior. It flies under the radar by inflicting non-notable performance impact on the system, while it creates a heavy long-term financial burden on the target application. Finally, we present a potential countermeasure for this stealthy DDoS attack. Through extensive experiments, we conclude that DDoS attacks targeting the data plane are possible.
Language eng
DOI 10.1002/sec.1709
Field of Research 080303 Computer System Security
080501 Distributed and Grid Systems
Socio Economic Objective 970108 Expanding Knowledge in the Information and Computing Sciences
HERDC Research category C1 Refereed article in a scholarly journal
ERA Research output type C Journal article
Copyright notice ©2016, John Wiley & Sons
Persistent URL http://hdl.handle.net/10536/DRO/DU:30090681

Unless expressly stated otherwise, the copyright for items in DRO is owned by the author, with all rights reserved.

Citation counts: Cited 3 times in TR Web of Science; cited 5 times in Scopus
Access Statistics: 338 Abstract Views, 2 File Downloads
Created: Wed, 18 Jan 2017, 11:21:09 EST
