Fig. 1. The workflow of the proposed method (flowchart: a new packet arrives in the SDN network; if ci reaches k, request the statistic counter s from the switch; if s > n, update its entries with normal timeouts, otherwise block; in all other cases do nothing)

Therefore, the characteristics of DDoS addresses are that they initiate fewer than k connections (in a constant duration) and generate fewer than n packets per connection.

B. The proposed method

We define a table in the controller, called the T table. The T table stores the source IP addresses of packets forwarded from the switch. Each unique IP address has a counter ci that tracks the number of arrived packets.

During attack time, whenever a new packet forwarded by the switch arrives at the controller, the controller first assumes that it might come from a DDoS attacking address. The controller creates a new specific entry whose hard timeout and idle timeout are smaller than those of normal entries, to limit its lifetime. Then the source IP address is recorded in the T table for tracking, and its counter ci is increased by 1 (Fig. 1).

When ci reaches k, we analyze the traffic characteristic of the address by requesting from the switch the average packet counter s of its entries. If s is greater than n, the source address has established and transmitted real data connections; in other words, it is a frequent user. Hence, the controller issues a modification message that resets the hard timeout and idle timeout of all its existing entries to the normal values [6]. Conversely, if s is smaller than n, the traffic is malicious, and the controller dispatches a drop rule for the address to the switch.

IV. SIMULATION AND EVALUATION

A. Simulation network topology

To simulate the proposed method, we build a small topology consisting of 01 web server and 03 PC clients (01 DDoS attacking user, 01 malicious user and 01 frequent user) connected to the SDN network (Fig. 2).

Fig. 2. Simulation network topology

In the switch, the flow table has a capacity of 10,000 entries and is initially empty. A normal entry has a hard timeout of 600 seconds and an idle timeout of 60 seconds. An entry for the DDoS attacking user has a hard timeout and idle timeout of (60, 10) seconds.

The malicious user has IP address 10.0.0.1. It injects spoofed packets into the switch indefinitely; for each packet, the destination IP address is generated randomly.

The DDoS attacking user sends spoofed packets to the switch indefinitely; for each packet, both the source and the destination IP addresses are generated randomly.

The frequent user has IP address 10.0.0.2. It establishes 5 different connections to the server and transmits 10 packets per connection.

Assume that we have already analyzed the collected data of frequent users and set the values of k and n to 3 and 7, respectively. The network topology is simulated with OPNET Modeler.

B. Evaluation and discussion

The simulation results are as follows:

The packets from the malicious user are dropped after it floods 3 packets: an entry with source address 10.0.0.1 and action DROP is installed in the flow table.

The DDoS attacking user's packets are handled by the corresponding entries with a short hard timeout of 60 s and idle timeout of 10 s.

The frequent user is served by normal entries, which have a hard timeout of 600 s and an idle timeout of 60 s.

In the switch, the number of entries is decreased by 49% after 100 s because of the block entries for malicious traffic and the flow entries with short timeouts (Fig. 3).
Fig. 3. Number of entries in the flow table over time (seconds), without and with the proposed method

Fig. 4. Number of packets arriving at the controller over time (seconds), without and with the proposed method

Fig. 5. Bandwidth occupation in the controller-switch channel over time (seconds), without and with the proposed method

The number of entries remains around 265 (including normal entries for the frequent user, block entries for the malicious user, and short-timeout entries for the DDoS attacking user). The bandwidth occupation in the controller-switch channel is decreased by 51% (Fig. 5) and the total number of packets arriving at the controller by 49% (Fig. 4).

Because we set short values for the hard timeout and idle timeout of all entries created for new packets forwarded from the switch to the controller, the impact of the DDoS attack is reduced, which improves the protection against the entry overflow attack. After the controller analyzes the traffic behavior reported by the switch, the malicious source addresses are also cancelled by block entries, while frequent users are still treated as normal.

V. CONCLUSION AND FUTURE WORK

SDN is expected to replace the existing traditional network with many advanced features. However, it faces many security challenges. In this paper, we propose a feasible method to combat DDoS flooding attacks. Although the method can decrease the impact of a DDoS attack, it is not sufficient when the amount of attack traffic is very large.

In future work, we need to optimize the method to adapt to variable environments and protocols. Implementation in a real SDN network is required to confirm its performance and effect.

ACKNOWLEDGMENT

This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2013R1A1A1076105).

REFERENCES

[1] https://www.opennetworking.org.
[2] S. Sezer, S. Scott-Hayward, P. Chouhan, B. Fraser, D. Lake, J. Finnegan, N. Viljoen, M. Miller, and N. Rao, "Are we ready for SDN? Implementation challenges for software-defined networks," IEEE Communications Magazine, vol. 51, no. 7, 2013.
[3] S. Scott-Hayward, G. O'Callaghan, and S. Sezer, "SDN security: a survey," in Proc. IEEE SDN4FNS, 2013.
[4] S. Shin and G. Gu, "Attacking software-defined networks: a first feasibility study," in Proc. 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, 2013.
[5] T. Peng, C. Leckie, and K. Ramamohanarao, "Protection from distributed denial of service attacks using history-based IP filtering," in Proc. IEEE ICC, 2003.
[6] Open Networking Foundation, "OpenFlow Switch Specification Version 1.3.4," ONF Specifications, 2014.