DDoS attacks on data plane of software-defined network: are they possible?

Wu, X; Liu, M; Dou, W; Yu, S

DDoS attacks on data plane of software-defined network: are they possible?

Wu, X Liu, M Dou, W Yu, S

Permalink

Publisher:: WILEY-HINDAWI
Publication Type:: Journal Article
Citation:: Security and Communication Networks, 2016, 9, (18), pp. 5444-5459
Issue Date:: 2016-12-01

Closed Access

	Filename	Description	Size
	Security Comm Networks - 2016 - Wu - DDoS attacks on data plane of software‐defined network are they possible.pdf	Published version	1.33 MB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Wu, X
dc.contributor.author	Liu, M
dc.contributor.author	Dou, W
dc.contributor.author	Yu, S https://orcid.org/0000-0003-4485-6743
dc.date.accessioned	2022-07-31T01:05:19Z
dc.date.available	2022-07-31T01:05:19Z
dc.date.issued	2016-12-01
dc.identifier.citation	Security and Communication Networks, 2016, 9, (18), pp. 5444-5459
dc.identifier.issn	1939-0114
dc.identifier.issn	1939-0122
dc.identifier.uri	http://hdl.handle.net/10453/159406
dc.description.abstract	With software-defined networking (SDN) becoming the leading technology for large-scale networks, it is definitely expected that SDN will suffer various types of distributed denial-of-service (DDoS) attacks because of its centralized control logic. However, almost all of existing works concentrate on the controller overloading DDoS attacks, while vulnerabilities exposed by data plane of SDN for DDoS attacks are largely ignored. In this paper, we firstly investigate a flow rule flooding DDoS attack. By thoroughly analyzing the flow table size and miss rate, we find that attackers are able to inflict significant performance degradation over the system with limited volume of attack resource. We then prove that it is possible for attackers to maximize the performance degradation and minimize the attack rate at the same time. Besides the flooding DDoS attack, we also study a novel DDoS attack targeting data plane of SDN. By utilizing the entry lifetime management mechanism of flow tables, this attack almost never exhibits an intensive controller access behavior. It flies under the radar by inflicting non-notable performance impact on the system, while it creates heavy long-term financial burden on the target application. Finally, we present a potential countermeasure for this stealthy DDoS attack. Through extensive experiments, we conclude that DDoS attacks targeting data plane are possible. Copyright © 2016 John Wiley & Sons, Ltd.
dc.language	English
dc.publisher	WILEY-HINDAWI
dc.relation.ispartof	Security and Communication Networks
dc.relation.isbasedon	10.1002/sec.1709
dc.rights	info:eu-repo/semantics/closedAccess
dc.subject	0802 Computation Theory and Mathematics, 0805 Distributed Computing, 0899 Other Information and Computing Sciences
dc.title	DDoS attacks on data plane of software-defined network: are they possible?
dc.type	Journal Article
utslib.citation.volume	9
utslib.for	0802 Computation Theory and Mathematics
utslib.for	0805 Distributed Computing
utslib.for	0899 Other Information and Computing Sciences
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	closed_access	*
dc.date.updated	2022-07-31T01:05:17Z
pubs.issue	18
pubs.publication-status	Published
pubs.volume	9
utslib.citation.issue	18

Abstract:

With software-defined networking (SDN) becoming the leading technology for large-scale networks, it is definitely expected that SDN will suffer various types of distributed denial-of-service (DDoS) attacks because of its centralized control logic. However, almost all of existing works concentrate on the controller overloading DDoS attacks, while vulnerabilities exposed by data plane of SDN for DDoS attacks are largely ignored. In this paper, we firstly investigate a flow rule flooding DDoS attack. By thoroughly analyzing the flow table size and miss rate, we find that attackers are able to inflict significant performance degradation over the system with limited volume of attack resource. We then prove that it is possible for attackers to maximize the performance degradation and minimize the attack rate at the same time. Besides the flooding DDoS attack, we also study a novel DDoS attack targeting data plane of SDN. By utilizing the entry lifetime management mechanism of flow tables, this attack almost never exhibits an intensive controller access behavior. It flies under the radar by inflicting non-notable performance impact on the system, while it creates heavy long-term financial burden on the target application. Finally, we present a potential countermeasure for this stealthy DDoS attack. Through extensive experiments, we conclude that DDoS attacks targeting data plane are possible. Copyright © 2016 John Wiley & Sons, Ltd.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/159406