


Communication Networks Group

Majd Al saad

A Defence Mechanism for Defeating Forged Packets Attack in Software-Defined Networking (SDN)

Master Thesis in Electrical Engineering and Information Technology

15 April 2019

Please cite as: Majd Al saad, “A Defence Mechanism for Defeating Forged Packets Attack in Software-Defined Networking (SDN),” Master Thesis (Masterarbeit), Technische Universität Ilmenau, Department of Electrical Engineering and Information Technology, April 2019.

Technische Universität Ilmenau
Department of Electrical Engineering and Information Technology
Communication Networks Group
Helmholtzplatz 2 · 98693 Ilmenau · Germany
http://www.tu-ilmenau.de/kn


A Defence Mechanism for Defeating Forged Packets Attack in Software-Defined Networking (SDN)

Master Thesis in Electrical Engineering and Information Technology

submitted by

Majd Al saad

in the

Communication Networks Group
Department of Electrical Engineering and Information Technology
Technische Universität Ilmenau

Advisors: Prof. Dr. rer. nat. Jochen Seitz, M.Sc. Abdullah Soliman Al-shra’a

Submission Date: 12 April 2019


Declaration

I declare that the work is entirely my own and was produced with no assistance from third parties. I certify that the work has not been submitted in the same or any similar form for assessment to any other examining body and all references, direct and indirect, are indicated as such and have been cited accordingly.

(Majd Al saad)
Ilmenau, 12 April 2019


Abstract

Software Defined Networking (SDN) is a new networking scheme that provides high flexibility and simple manageability of computer networks. Unlike traditional networks, SDN decouples the control plane from the networking devices. Through this decoupling, SDN simplifies the management of networking resources and the deployment of networking applications, and it supports the high bandwidth that today's applications need in order to perform well. Despite the success SDN has brought, various security vulnerabilities have appeared in the structure of SDN and in the OpenFlow protocol. On the one hand, the SDN controller is logically centralized, holds a global view of the network and schedules all traffic in it, so a compromise of the controller is a high-impact risk. On the other hand, network resources in SDN are relatively limited, which means the network has limited processing capacity; attackers who break into the network can overload its resources and exhaust that capacity.

In this thesis, different SDN vulnerabilities are investigated, and the current detection and mitigation mechanisms for forged packets attacks in SDN are studied. Moreover, a new defence mechanism against malicious users is introduced to protect a compromised SDN controller from dealing with unauthenticated users and to protect the network resources and services from exhaustion. A simulated model has been implemented in the Ryu controller, with the assistance of a hardware extension, in the Mininet simulation environment. The results of our approach show improvements in performance and time complexity compared to previous work. Our enhanced solution provides mutual protection for a compromised controller and for a compromised extension; it also detects malicious users in the network efficiently and mitigates them as fast as possible.

Master Thesis Majd Al saad iii


Kurzfassung (German abstract)

Software Defined Networking (SDN) is a new networking scheme that offers high flexibility and simple manageability of computer networks. In contrast to conventional networks, SDN decouples the control plane from the network devices. Through this decoupling, SDN enables simple management of network resources and the provision of network applications. SDN is therefore suited to high bandwidth, so that today's applications can perform well. Although SDN has brought great success, various security gaps have appeared in the structure of SDN and in the OpenFlow protocol. The controller in SDN is logically centralized and has a global view of the network, which creates the risk that the controller is compromised; the SDN controller is responsible for scheduling the entire network traffic. On the other hand, network resources in SDN are relatively limited, so SDN has limited processing capacity. Attackers therefore break into the network and overload its resources and processing capacity.

In this work, various SDN vulnerabilities were examined, as were the current detection and mitigation mechanisms for forged packet attacks in SDN. In addition, a new defence mechanism against malicious users is introduced to protect a compromised SDN controller from unauthenticated users and to protect the network resources and services from exhaustion. A simulated model was implemented in the Ryu controller with the support of the hardware extension in the Mininet simulation environment. The results of our approach show improvements in performance and time complexity compared to the previous approach. Our extended solution offers mutual protection for compromised controllers and for compromised extensions. In addition, it detects malicious users in the network efficiently and mitigates them as quickly as possible.



Contents

Abstract iii
Kurzfassung iv
1 Introduction 1
2 Fundamentals and Related work 4
  2.1 Difference between traditional networks and SDN 4
  2.2 Software-defined Network Architecture 6
    2.2.1 Data plane 7
    2.2.2 Control plane 8
    2.2.3 Application Plane 10
  2.3 OpenFlow Protocol 10
  2.4 SDN and Network Security 13
    2.4.1 Principles of network security in General 13
    2.4.2 Software-defined Network Security 14
  2.5 Distributed Denial of Service Attack (DDoS) 15
  2.6 Related Work 18
3 Proposed defence mechanism for detection and mitigation of DDoS Attacks in SDN 23
  3.1 Introduction 23
  3.2 Developed approach 24
    3.2.1 Verification component in Inspector 25
    3.2.2 Monitoring component in Control Plane 28
    3.2.3 Mitigation component 31
4 Simulation and Evaluation 34
  4.1 Simulation Tools and network topology 34
    4.1.1 Network Topology Simulation 34
    4.1.2 Forged Packets Generation and Attack Simulation 35
  4.2 Results Evaluation 36
    4.2.1 Time Complexity 36
    4.2.2 Evaluation of the proposed approach on the controller 37
    4.2.3 Effectiveness of the proposed approach on web server GUI 40
5 Conclusion 43
Bibliography 47


Chapter 1

Introduction

In traditional networks, traffic flows are forwarded between the networking devices until they reach their destination. Networking devices such as routers and switches are distributed around the world, and in this type of network each device takes both roles, controlling and forwarding traffic. This type of network is familiar and widely deployed, but it has several problems. On the one hand, its structure is not flexible, which makes research and the addition of new features very difficult [1]. On the other hand, traditional networks are not programmable, so they cannot receive commands that improve the functionality of the network or add other features. Networking devices in this type of network are also expensive, because each device contains both a control plane and a data plane [2].

Software-Defined Networking (SDN) is a network architecture based on three main concepts: first, the separation of the control and data planes; second, logical centralization of the control operations together with a global view of the network state; and third, programmability of the network through applications running on the control plane. The combination and integration of these concepts overcome difficulties typically associated with management tasks on legacy networks, such as the configuration of complex routing and security policies [3].

SDN thus covers and solves most of the problems of traditional networks. SDN is a programmable and virtualized network that eases research and development in its environment. SDN separates the control layer from the infrastructure layer: the control layer (or control plane) is responsible for handling information, whereas the infrastructure layer (or data plane) is only responsible for forwarding data. With SDN, researchers can run their own experiments in a network without disturbing other people who depend on it. Multiple network devices can be managed and configured from a single entity, the control plane. SDN can deploy various types of networks, such as LANs, WANs, enterprise networks and many other types, because its infrastructure is simpler, programmable and flexible, unlike other types of networks where the control plane and the data plane are built into the same network device. However, SDN also has many challenges that have to be solved, such as scalability, performance and security [4].

Attacks on networks have become a dangerous weapon that threatens the networks of governments, banks, universities, companies and other facilities. These attacks may destroy, steal, expose or change important information, or give the attacker access to it. SDN has vulnerabilities that attract attackers, who can exploit them to gain unauthorized access to servers or clients for malicious purposes. Malicious users in SDN can target any of the main components of the network: the control plane, the data plane or the application plane. The communication channels between the layers can also be attacked in order to limit their bandwidth [2].

Although SDN has brought great success to the networking field, it also increases security concerns, which have opened many debates. The SDN architecture has many vulnerabilities that attackers can exploit to bring down network services. By maliciously injecting manipulated packets into an SDN, attackers can affect the services and networking applications in the control plane and consume a large share of the resources in the data plane. The biggest threat, however, arises if the control plane is compromised, since the controller arranges all traffic flows in the SDN and holds a logical map of all entities within the network; the consequence could be the loss of the entire network to the attacker. Moreover, controllers are not secure and robust [5]: controllers such as Ryu, Floodlight, Beacon and POX have several bugs and problems that make them attractive to attackers. The idea of adding an isolated hardware extension has been proposed in [18], to protect a compromised controller and to pass only authenticated flows to it. Nevertheless, the hardware extension itself could be compromised and controlled by malicious users, which is why it is considered a point of failure in the SDN architecture.

The OpenFlow protocol used in SDN also has vulnerabilities that attackers try to use to spread their malicious flows. For example, when a packet does not match any flow entry, the switch sends a Packet-In message to the controller, and the packet is then usually processed according to a Packet-Out message from the controller [6]. In this process, the unmatched packets consume the switch CPU, the bandwidth between the data and control planes, and the controller CPU. These limited resources become a bottleneck of the network and lead to new denial-of-service (DoS) threats.

The aim of this thesis is to propose a lightweight detection and mitigation mechanism against forged packets attacks on network entities in SDN, and to protect the hardware extension from dealing with malicious users by providing mutual protection for the control plane and for that added entity. The remaining chapters of this thesis are organised as follows. Chapter 2 provides an overview of the SDN architecture and of the OpenFlow protocol, which have been used to build our defence mechanism; the general security problems in SDN are also covered in that chapter. Chapter 3 presents the proposed model and its developed components, which integrate to achieve the goal of this thesis. In chapter 4 the approach is simulated and evaluated in terms of usage of network resources. Chapter 5 concludes our work and highlights future work and research on the proposed approach.
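The Packet-In exhaustion path described above is the threat the rest of this thesis defends against. As an added illustration only (this is not the thesis's defence mechanism, whose components are introduced in chapter 3), the following Python sketch counts Packet-In events per ingress port inside a sliding time window and emits a drop rule for that port when either the event rate or the number of distinct source MAC addresses exceeds a threshold. The window size, both thresholds and the event stream are assumptions constructed here; the distinct-source heuristic is a generic spoofing hint, not a claim about the thesis's detector.

```python
"""Sliding-window monitor for Packet-In events per ingress port.

Added illustration of the controller-exhaustion threat described in the
introduction; it is NOT the thesis's defence mechanism. Window size,
thresholds and the sample event stream are all assumptions made here.
"""
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Optional, Tuple


class PacketInEvent(NamedTuple):
    ts: float        # arrival time at the controller, seconds
    dpid: int        # datapath (switch) identifier
    in_port: int     # ingress port reported in the Packet-In
    eth_src: str     # source MAC carried in the packet header


class PacketInMonitor:
    """Tracks Packet-In arrivals per (dpid, in_port) inside a time window."""

    def __init__(self, window: float = 1.0, max_rate: int = 20,
                 max_sources: int = 10):
        self.window = window              # seconds of history kept per port
        self.max_rate = max_rate          # Packet-Ins per window before blocking
        self.max_sources = max_sources    # distinct eth_src per window (spoofing hint)
        self._hist: Dict[Tuple[int, int], deque] = defaultdict(deque)
        self.blocked: set = set()         # ports already mitigated

    def observe(self, ev: PacketInEvent) -> Optional[dict]:
        """Record one event; return a drop FlowMod description if the port
        crosses a threshold, otherwise None. Events must arrive in time order."""
        key = (ev.dpid, ev.in_port)
        hist = self._hist[key]
        hist.append((ev.ts, ev.eth_src))
        # Expire samples older than the window.
        while hist and hist[0][0] < ev.ts - self.window:
            hist.popleft()
        if key in self.blocked:
            return None                   # already mitigated, nothing new to do
        rate = len(hist)
        sources = len({src for _, src in hist})
        if rate > self.max_rate or sources > self.max_sources:
            self.blocked.add(key)
            # What the controller would push: a high-priority drop rule for the
            # ingress port, so further forged packets never reach the controller.
            return {"dpid": ev.dpid, "priority": 1000,
                    "match": {"in_port": ev.in_port}, "actions": ["drop"],
                    "rate": rate, "sources": sources}
        return None


def constructed_events() -> List[PacketInEvent]:
    """Constructed sample: one benign host on port 1 and one attacker on port 2
    of switch 1 that sends Packet-Ins with a fresh spoofed MAC each time."""
    benign = [PacketInEvent(0.5 * i, 1, 1, "00:00:00:00:00:01") for i in range(5)]
    forged = [PacketInEvent(1.0 + 0.01 * i, 1, 2, f"02:00:00:00:00:{i:02x}")
              for i in range(30)]
    return sorted(benign + forged)


def run_demo() -> List[dict]:
    """Feed the constructed stream through the monitor; return mitigations."""
    monitor = PacketInMonitor(window=1.0, max_rate=20, max_sources=10)
    decisions = []
    for ev in constructed_events():
        decision = monitor.observe(ev)
        if decision is not None:
            decisions.append(decision)
    return decisions


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

On the constructed stream the benign host on port 1 never exceeds three Packet-Ins per second, while the attacker on port 2 trips the distinct-source threshold on its eleventh packet, which yields exactly one drop rule for (dpid 1, in_port 2); once a port is blocked the monitor stays silent for it, so a real controller would install the rule once rather than on every further event.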



Chapter 2

Fundamentals and Related work

This chapter presents the differences between the traditional network model and SDN. It shows the structure and main concepts of SDN, explains the OpenFlow protocol and its specifications, and presents the security issues in SDN. It then presents DDoS attacks and their countermeasures. Finally, it reviews the related work on attacks on SDN.

2.1 Difference between traditional networks and SDN

In traditional networks, the network transport protocols and the distributed control that run inside the networking devices are responsible for both handling and forwarding data from one place to another [2]. Although traditional networks are widely spread around the world, they are very complex to manage. Their configuration is time consuming and error-prone: many steps are needed when an administrator wants to add or remove a single device [3]. This approach to networking is not programmable, so it is not able to process new commands aimed at improving the functionality of the network. Moreover, traditional networks do not give developers and researchers enough flexibility to implement new ideas and features such as applications, security solutions and protocols [1].

Networking devices in this type of network contain both a control section and a data forwarding section, which is why these devices are expensive. The data plane in traditional networks has the task of forwarding information, while the control plane handles the data; both are built into the network devices, as illustrated in figure 2.1(i). That means administrators have to configure each networking device individually to adjust and update the network completely, and they use device-level management tools to update a huge number of configuration settings such as ACLs, VLANs and Quality of Service. This configuration approach makes it much more complex for an administrator to deploy a consistent set of policies [3].

Figure 2.1 – Comparison between traditional networks and SDN: (i) traditional networks, (ii) SDN

The main motivation for SDN is to solve the problems of traditional networks and to accelerate innovation. Software-defined networking is a programmable and virtualized network that provides a different approach to network design and management [4]. Its main concept is the decoupling of the control plane and the data plane: the control plane takes the role of handling information, while the data plane takes care only of data forwarding [1], as shown in figure 2.1(ii).

One of the main differences between SDN and traditional networks is that the physical devices in SDN are just forwarding elements without control functions or control software; the intelligent control is moved from the infrastructure plane to a separate control plane. The ability to isolate the control plane from the data plane helps to evaluate, debug and test a new SDN design before deploying it on a real network. The advantages of SDN in various scenarios (e.g. the enterprise, the data centre) and across various backbone networks have already been proven [1][4].

Much is gained from the decoupling of the control plane and the data plane. For example, developers and researchers can now add new features and protocols through software programs, and they can control and manage many network devices with different infrastructure from a logically centralized control plane, without configuring the devices in the data plane each time. The controller can also collect information from the data plane, such as bandwidth and statistics from the networking devices, in order to build a global view of the network [4]. SDN is also not as expensive as other networking schemes: since it has a logically centralized controller that can configure and install networking policies to arrange traffic flows in the network, the time needed for deployment and the management expenses decrease [3]. The main differences between traditional networks and SDN are listed in table 2.1.

Criteria | Traditional Network | SDN
Network Management | Difficult | Much easier with the centralized controller
Global Network view | Difficult to have | SDN controller has a global view of the whole network
Maintenance cost | Higher | Less
Integrity of forwarding tables and network state | Important | Important
Resource utilization | Less | High

Table 2.1 – Main differences between traditional networks and SDN.

2.2 Software-defined Network Architecture

Software-defined networking significantly simplifies the management of network resources and the deployment of networking applications by decoupling the control logic from the forwarding devices and by using a logically centralized control. It provides forwarding functionality based on logical tables that decide how to deal with incoming packets according to characteristics such as MAC address, IP address and VLAN ID. Decoupling the control plane from the data plane gives SDN flexible support for different requirements [1][6]. Figure 2.2 introduces the basic SDN components. The SDN structure consists of the infrastructure layer, the control layer and the application layer, which are also called the data plane, the control plane and the application plane. These three planes communicate with each other through Application Programming Interfaces (APIs). The SDN controller manages both physical and virtual networking devices in the data plane through the southbound API, or control-data plane interface, and it interacts with the application plane through the northbound API. The infrastructure layer (data plane) contains the network elements, which expose their capabilities towards the control layer [6].


Figure 2.2 – Software Defined Networking architecture

2.2.1 Data plane

The infrastructure layer, or data plane, consists of forwarding devices such as switches, routers and servers. The data plane in the SDN architecture includes traffic forwarding and processing functions, and it may include the minimum necessary subset of control and management functions. Switches are configured and adjusted by the intelligent controlling centre in order to forward traffic flows to their destinations. The basic actions of the data plane are described by the way it deals with arriving packets: packets may be dropped, forwarded or replicated. For basic forwarding, devices in the data plane choose the correct output port by following the flow entries installed in their flow tables [6].

Switches in the data plane are also called dumb switches, since they can only carry out the policy rules installed by the controller. Dumb switches collect network status, store it temporarily and then send the collected information to the controller. This status information includes traffic statistics, network usage and network topology. Another function of the data plane is packet processing: traffic flows are processed in the data plane according to the networking rules installed by the controller [1][2].


Figure 2.3 shows the main components of an SDN switch and how it communicates with the control plane. Flow entries are installed in the flow tables inside the switch as entries in Ternary Content-Addressable Memory (TCAM) [6]. The switch follows these flow entries to process traffic and forward it to the right entities. An SDN switch has at least one flow table, a group table and a dedicated secure channel to the controller. The communication between network devices and controllers goes through the southbound interface; via the dedicated channel and this open interface, the controller manages the behaviour of the networking devices with actions such as adding, deleting and updating flow entries in the switches' flow tables [4].

Figure 2.3 – OpenFlow Switch components

2.2.2 Control plane

The control plane in SDN is logically centralized and separated from the data plane. The SDN controller is the entity that implements the various functions of the control plane. It is responsible for deciding how traffic flows among the network components, which it does by installing instructions into the flow tables of the switches. The SDN controller translates application requirements into low-level control over the network elements, while providing relevant information up to the SDN applications; it may also coordinate competing application demands for limited network resources according to policy [1][6].

The controller periodically requests networking status information from the data plane to build a global view of the network, and it makes its decisions after obtaining a view of the entire network. It is also like an operating system that builds and presents a logical map of the network devices in order to support flexible access to the services and applications implemented on top of it [1][4]. The controller also monitors all flow processing in the data plane by installing forwarding policies in the data plane elements (e.g. OpenFlow switches).

Figure 2.4 – Components of SDN controller

The main components of an SDN controller are shown in figure 2.4. Some of them interact with the controller-application interface, while others deal with the lower-level network interface. Each component in the control plane has its own tasks, and integrating their work gives a global view of the entire network. The decisions taken by the control plane are based on a logical map containing all networking information for the network.


The control plane communicates with the other planes through application programming interfaces. Three types of APIs allow the controller to interact with the other layers:

1. Southbound application programming interface: it is used for downward connections. The southbound API specifies the functions through which the controller accesses the functions provided by the networking devices, for example monitoring packet flow statistics and installing packet forwarding policies; via these functions the controller interacts with the infrastructure layer [1]. The SDN controller not only relays information to the data plane via the southbound API but also communicates with the application and business logic layer via the northbound API. It acts like an arbiter, abstracting the underlying physical network design from the applications programmed on top of it. OpenFlow is the de-facto standard protocol that enables communication between the centralized controller and the packet forwarding elements [6].

2. Northbound application programming interface: it is used for upward communication. It is the link between the control layer and the application layer, and it provides services between them such as packet routing, traffic engineering, access control, bandwidth management and QoS as part of network management [1].

3. West/East application programming interface: if there are multiple controllers in the control plane, they communicate with each other through the west or east API, depending on which side the other controllers are located. Like the other APIs, these have components that organize the information exchange between the controllers in the control plane [6].

2.2.3 Application Plane

The application layer is placed above the control layer and consists of applications that collect network information for decision-making purposes. SDN applications access the global view of the network via the northbound interface. They include network configuration and management, network troubleshooting, network automation, network policies and security, load balancing, dynamic access control and more [2].

2.3 OpenFlow Protocol

As mentioned in the previous section, in the SDN structure the southbound API is used by the control plane to monitor the forwarding devices in the data plane. OpenFlow is the most popular of the SDN protocols and has been chosen as the standard bearer for southbound APIs in SDN; SDN has been commonly associated with the OpenFlow protocol since 2011. With the controller separated from the data plane, the OpenFlow protocol enables controllers to manage the traffic among the switches and to determine the path of packets to their destinations [7].

The OpenFlow protocol is like a common language between the SDN controller and the underlying physical entities; the protocol's specifications have to be implemented so that the messages exchanged between controller and switches are interpreted correctly. OpenFlow messages include connection setup messages, configuration messages, switch statistics requests, error messages and more. Packets that the switch cannot handle itself are exchanged between switch and controller in the form of Packet-In and Packet-Out messages, and the controller installs flow rules in the networking devices to control data processing. OpenFlow messages travel over the OpenFlow channel, a secure path for transmitting data between the control plane and the data plane [12].

Figure 2.5 – table entry structure in OpenFlow Switch

A flow table entry contains mainly three sections. The header fields section describes which packets the entry applies to. The match field in the header is a component of the table entries in the switch and consists of Ingress Port, Ethernet Source and Destination Addresses, IPv4 or IPv6 Protocol Number, IPv4 or IPv6 Source Address and Destination Address, Transmission Control Protocol (TCP) Source and Destination Ports, and User Datagram Protocol (UDP) Source and Destination Ports [6]. The second main component in the flow table are the Counters, which are reserved for storing the gathered information and statistics about the flow traffic. Finally, the Actions field in the flow table determines how the matched packets will be processed, with actions such as forward, drop, modify, etc. In other words, a flow entry includes a header that identifies the individual flow that the packets are matched against and a set of actions that are to be taken by the switch for the matched packets. The matching is made on packet header fields. The actions taken can vary from packet forwarding and drop to further lookups in other flow tables, rewriting of the header fields, etc. [7]. Figure 2.5 illustrates the structure of a flow table entry inside an OpenFlow switch.
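The following is an added illustration of the flow-entry structure and the table-miss path just described, not code from the thesis or from any real controller or switch. It models an entry as match fields, counters and actions, lets a switch look up a packet, and sends a table miss to a toy controller that installs an exact-match entry; the field names, sample packet and port map are constructed for this demo.

```python
"""Toy model of the OpenFlow flow-table lookup and Packet-In path described
above. Added illustration, not code from the thesis or from any real
controller or switch. Field names, the sample packet and the port map are
constructed for this demo."""
from dataclasses import dataclass
from typing import Dict, List

# Header fields a match can be made on (the set listed in the text).
MATCH_FIELDS = ("in_port", "eth_src", "eth_dst", "ip_proto",
                "ipv4_src", "ipv4_dst", "tp_src", "tp_dst")


@dataclass
class FlowEntry:
    match: Dict[str, object]   # field -> value; a field not listed is a wildcard
    actions: List[str]         # e.g. ["output:2"] or ["drop"]
    priority: int = 0
    packet_count: int = 0      # counters section of the entry
    byte_count: int = 0

    def matches(self, pkt: Dict[str, object]) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class Switch:
    def __init__(self, dpid: str):
        self.dpid = dpid
        self.table: List[FlowEntry] = []
        self.packet_ins: List[Dict[str, object]] = []   # sent to the controller

    def install(self, entry: FlowEntry) -> None:
        """FlowMod from the controller: add an entry, highest priority first."""
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)

    def process(self, pkt: Dict[str, object], controller: "Controller") -> List[str]:
        for entry in self.table:
            if entry.matches(pkt):
                entry.packet_count += 1
                entry.byte_count += int(pkt.get("len", 0))
                return entry.actions
        # Table miss: hand the packet to the controller as a Packet-In.
        self.packet_ins.append(pkt)
        return controller.packet_in(self, pkt)


class Controller:
    """Installs one exact-match entry per new flow and forwards the packet."""

    def __init__(self, port_map: Dict[str, int]):
        self.port_map = port_map   # ipv4_dst -> output port (constructed)

    def packet_in(self, sw: Switch, pkt: Dict[str, object]) -> List[str]:
        out_port = self.port_map.get(str(pkt.get("ipv4_dst")))
        actions = [f"output:{out_port}"] if out_port is not None else ["drop"]
        match = {k: pkt[k] for k in MATCH_FIELDS if k in pkt}
        sw.install(FlowEntry(match=match, actions=actions, priority=10))
        # Packet-Out: the buffered packet is now handled by the new entry.
        return sw.process(pkt, self)


def demo() -> Dict[str, object]:
    """Two packets of the same flow: the first misses and triggers a
    Packet-In, the second hits the installed entry in the switch."""
    sw = Switch("s1")
    ctl = Controller({"10.0.0.2": 2})
    pkt = {"in_port": 1, "eth_src": "00:00:00:00:00:01",
           "eth_dst": "00:00:00:00:00:02", "ip_proto": 6,
           "ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.2",
           "tp_src": 40000, "tp_dst": 80, "len": 100}
    first = sw.process(pkt, ctl)
    second = sw.process(pkt, ctl)
    return {"first": first, "second": second,
            "packet_ins": len(sw.packet_ins),
            "entry_packets": sw.table[0].packet_count,
            "entry_bytes": sw.table[0].byte_count}
```

Running `demo()` shows the asymmetry the later chapters build on: only the first packet of a flow costs a round trip to the controller, so every packet that never matches (for instance one with a fresh spoofed source address) costs one Packet-In.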

The counters in an OpenFlow table entry are the statistic scopes kept in the flow table. The controller can instruct the switch to forward these statistics: it requests from the entities in the data plane statistic scopes per table, per flow, per port and per queue, which are stored in the flow table after gathering [12]. Whenever flow traffic is received at a switch, the switch searches for a matching rule. If the flow hits the match fields, the packets are processed and forwarded according to these rules. If not, the switch sends an OpenFlow message to the controller (a Packet-In message) containing the header or the entire packet, so that the controller can decide how to deal with this packet. When this Packet-In message arrives at the controller, the controller takes one of two decisions: either it discards this message, or it sends back a FlowMod message in the form of a Packet-Out message, which contains the packet itself and the required flow entries to be installed in the flow table of the OpenFlow devices [7].

Figure 2.6 – OpenFlow process procedure

There are several types of OpenFlow messages between the control plane and the data plane. Controller-to-switch messages (Packet-Out messages) are sent from the controller to the underlying data plane to inject packets which are generated by the control layer. Asynchronous messages are another type of OpenFlow message; they are sent from the switches to the controller in order to inform it of a new event, i.e. a change in the switch or in the network status. They are also called Packet-In messages. Finally, symmetric messages are used to assist in diagnosing problems in the connection between the data plane and the controller; Hello and Echo messages are among this group of messages [2] [6]. Figure 2.6 shows the process of initiating a switch by the controller, where the controller sends, for the first time, a port statistics request message as an example.

2.4 SDN and Network Security

2.4.1 Principles of network security in general

In general, information security is divided into three different sections: confidentiality, integrity and availability. The main characteristics of network security are to ensure the confidentiality and integrity of the transmitted data and the availability of network resources even when the network is under attack. Confidentiality denotes that only authorized parties are able to get access to information. Integrity means the consistency of information: unauthorized people should not be able to modify information, which in turn must also be protected against external threats such as a system crash or a network break. Finally, availability, or planned availability, is reached when authorized people can access the information whenever they need to [8].

A security policy is a rule at a high level of abstraction which describes the security goals of an organization. Policies are based on the threat analysis and the security needs. In the case of network security, security policies usually define the network devices or logical networks that another device or network can communicate with [8]. A security policy can be enforced, for example, by implementing a firewall rule on a network gateway which denies all traffic from the Internet to a private network except the traffic destined to a web server's port 80. Several security techniques exist to secure the network. One is the firewall: a firewall is a network security device which protects the network by preventing any unwanted traffic or attacks. The concept of a firewall is to filter traffic between a trusted and an untrusted network. The filtering is done based on beforehand created firewall rules, against which the firewall compares each network packet going through it. Usually the untrusted network is the Internet and the trusted and protected network is the private network of a company, a campus or a user's home. A firewall can also be located between two different logical networks that have different security policies [8]. Another example of a security technique is the Intrusion Detection System (IDS), a system which monitors network traffic and tries to detect malicious activity. When an IDS detects some abnormal actions, it triggers an alert for the network administrator and records the event in the security logs. An IDS works in communication networks like a fire alarm system in a building, which triggers an alarm when it detects smoke. An Intrusion Prevention System (IPS) is a system which has the functionality of an IDS plus an automatic response capability. It will automatically trigger the operations needed to stop the detected intrusion. Usually, it is desirable to have IDS functionality on some level, because it is possible that the network administrator is not able to solve security incidents immediately. Sometimes, the term next generation firewall is used to mean a device which combines the functionality of IDS, IPS and application firewalls [8].

2.4.2 Software-defined Network Security

SDN is a relatively new networking architecture, and introducing this new model opens many debates, such as whether the idea of a centralized controller could bring new vulnerabilities to the structure or whether it will improve the security level of the network. The SDN architecture can be exploited to enhance network security through highly reactive security monitoring and analysis of flow traffic. One of the most important features of SDN is programmability; this feature makes the mitigation of any abnormally injected packet in the network easier, quicker and more efficient. If the controller has new security rules or other FlowMod messages such as block/delete, it can easily install these new flow rules inside the networking devices, so threats can be defeated easily [6] [10].

Furthermore, most of the proposed methods for the detection and mitigation of attacks in SDN are open source and lightweight, which leads to improvements in network security. In SDN, security policies can be added easily by developing new security components or by implementing the existing security approaches more efficiently [9]. The combination of network visibility and programmability also supports a process of gathering intelligence from existing Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), for example, followed by analysis and centralized reprogramming of the network. Such features can make SDN more robust against malicious attacks than traditional networks. Traffic analysis or anomaly-detection methods could be deployed in the network to generate security-related data, which can be regularly transferred to the central controller. Applications can run at the controller in order to process and analyse the entire network traffic. After the analysis, the controller installs new or updated security policies across the network in the shape of new flow rules [10].

Despite the big success and popularity of SDN, many security issues and multiple challenges in SDN remain unsolved for researchers. The features provided by Software-Defined Networking (SDN), like centralized management and network visibility, could be exploited to improve security applications, but the SDN architecture has some vulnerabilities when it comes to using SDN for security. SDN components have limited processing resources, and the OpenFlow protocol introduces new security challenges. The big threat facing SDN security is the damage if the control plane is compromised, or if the communication channel between the control plane and the data plane is cut off [9]. Since management in SDN is centralized, as I explained in the previous section, this makes it a target for most attackers. If the controller is compromised, it could be exploited to manipulate the entire network. A centralized controller, if not carefully designed and implemented, can result in a single point of failure for the entire network and makes the network vulnerable to a new set of threats that are unique to SDN [11]. The SDN controller is a vital part of the security discussion, because successful attacks on the controller can totally disrupt network operations.

The OpenFlow protocol also has some vulnerabilities, since it allows a switch to deal with new flows of packets even though it has no forwarding entry for them; the incoming packets will be ruled by the controller, at least for the initiation process. The switch forwards all new packets to the controller in the form of Packet-In messages, and the controller replies with Packet-Out messages to install new flow entries in the switch's flow table. This is considered a point of failure in SDN: an attacker can send an enormous number of spoofed packets to exhaust the network's resources and to increase the workload on the network's elements. Two types of attacks are commonly classified as decreasing the available level of service. The first type is the active attack, where the attacker breaks into the network components and transmits data in order to overload the component as well as to potentially modify data within the network, e.g., a Denial of Service (DoS) attack, a blackhole, data falsification, etc. The second type is the passive attack, which monitors or reads along the data traffic [17][19]. Therefore, this Master thesis aims to improve existing methods in order to enhance the SDN network behaviour under malicious user attack conditions.

2.5 Distributed Denial of Service Attack (DDoS)

DoS or DDoS attacks are one of the major security threats in today's network security. A Denial-of-Service (DoS) attack in OpenFlow SDN networks involves overwhelming computing or networking resources such that a switch is unable to forward packets as expected. By flooding the network with an enormous number of spoofed packets, it can consume the resources of the network. A successful attack consists of launching a large number of packets into the switch, possibly initiating new flow entries. At the networking devices in the data plane, if the incoming packets do not hit the match field of any flow entry in the flow table, the switch sends the entire packet or a part of its header to the controller in order to get a new flow rule for this packet. Flow rules are then installed in the flow table as entries. Packets are stored inside the switch until the new flow entry arrives [13]. A DDoS attack is generated by sending a vast number of spoofed packets to the network from multiple compromised machines. There are three main steps for DDoS execution: selection, compromise, communication and attack execution [14]. The attacker aims to break down the network services by consuming most of the network resources, which limits access to the network entities that provide these services. Resources such as memory, CPU and the bandwidth of the OpenFlow channels are relatively limited resources inside the network. Experienced attackers target these resources with a big number of unwanted packets to limit the services of the network, which reserves and occupies the whole processing capacity of the network's nodes [13]. Any DDoS attack consists of four elements, which are:

• The attacker, who coordinates and plans the attack behind the scenes.

• Masters, which are compromised hosts running programs that control many agents.

• The compromised hosts, which launch the attack and generate the packet flow destined to the targeted victims.

• The targeted victims in the network.

DDoS attacks are launched mainly in three ways: UDP flood attack, TCP flood attack and ICMP flood attack. In a UDP flood attack, a large volume of UDP packets is sent to random or specified ports, forcing the system to look for the application attached to each port. Since usually no application is waiting there, an ICMP destination unreachable message is sent back to the spoofed source address [16]. A TCP SYN flood attack takes advantage of the nature of the TCP three-way connection setup handshake. Upon receiving an initial SYN, the server replies with a SYN/ACK and waits for the final ACK, which the attacking host never sends. In an ICMP flood attack, the compromised hosts send a large number of ICMP-ECHO-REQUEST packets, also known as ping packets, to the target address. The target has to reply to all the requests simultaneously, which causes it to crash [15]. Figure 2.7 shows an ICMP flood attack simulation.


Figure 2.7 – ICMP flood attack

In addition to the mentioned attacks, which target specific machines in the network, another type of DDoS attack is more dangerous to SDN. This attack is independent of the traffic type: every new packet received with no matching flow is processed by the switches and the controller. After a path is installed for a new flow, the switches forward the packets of the flow along the installed path. An attacker could use the characteristics of different traffic types to attack machines in the network. Many studies have proposed defence mechanisms based on identifying the traffic characteristics, but they were not very effective, since neither the controller nor the switches take notice of the type of the traffic [13] [14]. In SDN, both the size of the packet queue and the capacity of the flow table are restricted within the switch. Receiving a large number of incoming spoofed packets leads to an overflow of both the queue and the flow table buffer very quickly and to a breakdown of the switch. No matter how powerful the controller is, it will eventually run out of resources and cannot handle any Packet-In requests. The crash of the controller means the crash of the entire SDN network. This single point of failure in SDN networks is the vulnerability that DDoS attacks can use to cause the utmost damage. This thesis concentrates on the switch and controller attacks, although the server-specific attacks will also be detected effectively. Vulnerabilities in application protocols like HTTP, HTTPS, DNS, SMTP, FTP and other application protocols can be exploited with malicious intent, like a DDoS attack [16].

2.6 Related Work

Despite the large number of DDoS attack detection and mitigation techniques that currently exist, DDoS attacks continue to grow in frequency and volume, threatening network security. Different research studies have been conducted to address the problem of DDoS attacks in SDN. As explained, DDoS attacks can target any entity in the network, such as the controller, the OpenFlow switches, the OpenFlow communication channel and other entities. Many of the studies have focused on the problem of a compromised controller; the reason is clear, since whenever the SDN controller is compromised the whole network can be damaged and its resources exhausted. Other studies have addressed attacks on the data plane which aim to overload the buffer within the networking devices.

Some studies have tried to prevent DDoS attacks at their sources. The authors in [17] proposed a new DoS defender strategy in software-defined networks. The researchers investigated DoS attack detection strategies in SDN and launched DoS attacks by injecting packets with random source addresses; they found that these packets can consume all the resources in the network. They added a DoS Defender, which is an extension entity for the SDN controller that filters the malicious packets from the data plane in an online manner. A DoS attack here is a large number of malicious Packet-In messages generated from unmatched packets, so the DoS defender in the presented solution discards any unmatched packets. In this new defending strategy, the focus is on caching and scheduling policies. The authors proved that it cannot defend against the attack traffic without an additional hardware extension. The experimental results show that the new hardware extension can effectively defend against DoS attacks at their sources. However, the extension in this approach is not protected against being compromised.

In contrast to [17], the authors in [18] proposed a solution to prevent any injected packet from reaching a compromised controller in SDN. The researchers added a new hardware device to the SDN architecture called the Inspector; it protects the SDN controller from injected packets by verifying whether these Packet-In messages are allowed to access the network resources. The Inspector checks each new packet before it reaches the SDN controller. If it comes from an authenticated source it is allowed to use the network resources; if not, it is dropped. All information about the authenticated hosts is stored in a database inside the Inspector: host information such as datapath, IP address, MAC address and in-port number. If a host sends for the first time, the connected edge switch sends a Packet-In to the Inspector, which verifies the header field information of this packet to check whether this host is authenticated to use the network resources or not. The results of this approach show that the Inspector reduces the CPU usage to approximately zero, because it prevents all forged packets from entering the network without dealing with them. It decreases the OpenFlow channel workload and also the memory usage. Nevertheless, the hardware extension, if compromised, is still a point of failure in the network and could be exploited in order to break down the network services.

Researchers in [13] have introduced a DDoS detection and mitigation mechanism.

They monitor the entire network flow traffic and the statistics generated by each OpenFlow switch in order to search for any sign of an attack. When the controller finds spikes in the traffic, it searches for the source of these attack packets; mitigation functions are then installed on the networking devices in order to drop those attack packets at the source. The proposed detection techniques also include using packet symmetry and temporary blocking of the traffic. In a routine traffic state, a symmetrical behaviour exists between the two sides of a communication. In the learning phase the symmetry ratio is analysed in the network, and sources with a highly asymmetric ratio are suspected of an attack. In temporary blocking, the flows are blocked for a short period and the traffic's reaction to this blocking is used to analyse whether the traffic is legitimate or not. The three phases of this strategy are: sampling, blocking and analysis. However, the introduced model abuses the memory and CPU usage of the controller.

The authors in [19] introduced a novel attack called 'Packet Injection Attack' in SDN. Attackers can maliciously inject manipulated packets into SDNs, which affects the services on the control plane and consumes the resources of the data plane. To defend against such attacks, the researchers present PacketChecker, a hardware extension for detecting and mitigating packet injection attacks. They implement a prototype in the Floodlight controller and evaluate the effectiveness and performance of PacketChecker. The experimental results show that the packet injection attack can largely consume the resources of the SDN controller and even lead to denial of service. The evaluation shows that the PacketChecker module can effectively mitigate the attack with a minor overhead to the SDN controller. PacketChecker itself, however, is still vulnerable to being compromised, and the network resources are highly consumed in this approach.


For early detection of DDoS attacks in SDN, the authors of [20] have developed a simple and lightweight algorithm to detect these attacks at an early stage. Since the controller is a single point of failure and DDoS attacks make it unreachable, that single point of failure is addressed by utilizing the controller to detect such attacks and protect the SDN architecture of the network at an early stage. The research objective is to make use of the controller's global view of the network to detect DDoS attacks and propose a solution that is effective and lightweight in terms of the resources it uses. The proposed model for detecting attacks is based on the entropy variation of the destination IP addresses. In the proposed solution, the randomness of the incoming packets is measured. A good measure of randomness is entropy. Entropy measures the probability of an event happening with respect to the total number of events. If one or a few hosts in the network receive excessive incoming packets, the randomness decreases and the entropy drops. Beside attack detection, there are two other factors that can make a detection method efficient: (1) limited resource usage and (2) fast detection. Using entropy, it is possible to see its value drop when a large number of packets are attacking one host or a subnet of hosts. The algorithm in this proposed method is based on the concept of entropy to detect any abnormal variations within the flow traffic. Two functions are added to the controller: the first collects the destination IP addresses and the second computes the entropy and compares it to a predefined threshold. The proposed solution can detect the attack within the first 250 packets of the attack traffic that carries malicious packets. Also, the threshold that was chosen is set to the lowest possible rate of attack traffic. Nonetheless, the detection rate for this threshold was 96%.
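The entropy detector of [20] described above, as an added example that is not the code of [20] or of this thesis: the two controller functions (collect destination IPs, compute entropy against a threshold) are applied per window of Packet-Ins over a constructed trace. The window size, threshold, number of consecutive low-entropy windows and the sample traffic are assumptions made for the demo; the page gives only the 250-packet detection figure and the 96% rate.

```python
"""Entropy-based early DDoS detection in the style of [20] above.
Added example, not the code of [20] or of the thesis. The controller
collects the destination IP address of every Packet-In; for each window of
WINDOW packets it computes the Shannon entropy of the destination
distribution and raises an alarm after CONSECUTIVE windows in a row fall
below THRESHOLD. Window size, threshold, streak length and the sample
traffic are constructed assumptions for this demo, not values from the
page."""
import math
from collections import Counter
from typing import Iterable, List, Optional, Tuple

WINDOW = 50          # packets per window (assumption)
THRESHOLD = 1.0      # bits; a window below this is suspicious (assumption)
CONSECUTIVE = 3      # suspicious windows needed before alarming (assumption)


def entropy(dst_ips: Iterable[str]) -> float:
    """Shannon entropy (bits) of the destination-address distribution.
    Evenly spread destinations give log2(#hosts); all packets to one host give 0."""
    counts = Counter(dst_ips)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect(dst_ips: List[str], window: int = WINDOW, threshold: float = THRESHOLD,
           consecutive: int = CONSECUTIVE) -> Tuple[Optional[int], List[float]]:
    """Slide non-overlapping windows over the Packet-In destinations.
    Returns (packet index at which the alarm fired, or None; per-window entropies)."""
    entropies: List[float] = []
    streak = 0
    alarm_at: Optional[int] = None
    for start in range(0, len(dst_ips) - window + 1, window):
        h = entropy(dst_ips[start:start + window])
        entropies.append(h)
        streak = streak + 1 if h < threshold else 0
        if streak >= consecutive and alarm_at is None:
            alarm_at = start + window
    return alarm_at, entropies


def sample_traffic() -> List[str]:
    """Constructed trace: 200 Packet-Ins spread evenly over 16 hosts, then
    200 Packet-Ins of which 19 in 20 target the single victim 10.0.0.5."""
    hosts = [f"10.0.0.{i}" for i in range(1, 17)]
    normal = [hosts[k % 16] for k in range(200)]
    attack = ["10.0.0.5" if k % 20 else hosts[k % 16] for k in range(200)]
    return normal + attack
```

On the constructed trace the four normal windows sit near 4 bits (16 evenly used hosts) and every attack window drops below 0.3 bits, so the alarm fires after the third attack window, i.e. 150 packets into the attack. Requiring several consecutive low windows is what keeps a single busy server from tripping the detector; the price is a detection delay of `CONSECUTIVE * WINDOW` packets.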

In [21], the researchers assumed that attackers trigger the switches they are connected to in order to launch a large number of Packet-In messages to the SDN controller. They send a vast number of new low-traffic flows to the OpenFlow switches. This attack reduces the system availability and breaks down the services of the network. The authors produced a comparative study of the detection of DDoS attacks targeting the SDN controller and were able to recognise the interfaces of the switches which are compromised. In this approach, flows are classified as either low-traffic flows or normal flows, since the attackers generate new, low-traffic flows. The result of the sorting is the input for the detection mechanism. Several methods are used in this approach, such as CD, PD, ED and CUSUM. As explained in the research, all of these detection methods are based on statistical approaches. Each of those detection methods has two components: window size and threshold. These algorithms need to divide the dataset into small windows that are based on either a time slot or a number of packets. Finally, the authors of this research compared these methods to find out which one had the lowest average time for detecting the attack. They suggest many detection methods, but the approach abuses the buffer of the switches, which could be exploited to abuse the network.

In [22], the researchers have studied the current SDN-based attack detection methods, which have some limitations. In this research, the authors investigated two of those limitations, which are the misbehaviour attack and the new flow attack. Their approach consists of several modules which together achieve detection of the typical DDoS attack, the misbehaviour attack and the new flow attack. They designed an adaptive and intelligent secure system which integrates a machine learning (ML) algorithm to detect and mitigate any DDoS attack on the network. The proposed secure model periodically collects statistics from the forwarding nodes and applies this machine learning algorithm to them. The ML security models are implemented as applications in the SDN controller. Their results show that they limit the access of the attacker to the network resources while keeping the network services available for the other authorised hosts. Nevertheless, this approach is not efficient for preventing or detecting slow attack types, in particular with an enormous attack size.

Researchers in [26] have proposed a detection method to defend against the DoS attack on the SDN controller. FloodGuard is designed to defend against the data-to-control plane saturation attack. It uses a packet migration module to cache the flooding packets and send them to the controller with a rate limit in round-robin scheduling. Although it can limit the rate of Packet-In messages to the controller, it does not check the validity of the Packet-In messages and cannot prevent the packet injection attack. Moreover, if FloodGuard is compromised it can be attacked, and it detects the malicious flows with delay.

The author in [23] proposed a DDoS defence mechanism which monitors the traffic flow on each OpenFlow networking device. The author sets a threshold of 3000 packets per 5 seconds; if one of the controlled nodes exceeds these 3000 packets, then the number of packets is analysed per second. If the number of received packets exceeds 800 packets for 5 continuous time units, this is considered a detected attack, after which the proposed DDoS defender starts the mitigation mechanism by dropping the incoming unwanted packets until the flow entry times out. The goal was to detect any attack on the network through an adjusted threshold, compared with the packets received at each OpenFlow switch. This method needs a vast number of instructions stored in the affected switch, and it gives the attacker the opportunity to manipulate the controller.
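The two-stage threshold logic of [23] described above, as an added example that is not the author's code: a per-node state machine that uses the page's own limits (3000 packets per 5 seconds, then 800 packets per second for 5 consecutive seconds) and drops until a timeout. The drop timeout, the rule for leaving per-second inspection after a legitimate burst, and the two sample traces are constructed assumptions for the demo.

```python
"""Two-stage threshold detector in the style of [23] above.
Added example, not the author's code. For one OpenFlow switch the
controller keeps a per-second packet count. While the last COARSE_WINDOW
seconds stay under COARSE_LIMIT packets the node is in normal state; once
that limit is exceeded the node is inspected per second, and FINE_STREAK
consecutive seconds above FINE_LIMIT declare an attack, after which the
unwanted packets are dropped until the drop entry times out. The limits are
the values given in the text; DROP_TIMEOUT, the return-to-normal rule and
the sample counts are constructed assumptions for this demo."""
from typing import List, Optional

COARSE_LIMIT = 3000    # packets per COARSE_WINDOW seconds (from the text)
COARSE_WINDOW = 5      # seconds (from the text)
FINE_LIMIT = 800       # packets per second (from the text)
FINE_STREAK = 5        # consecutive seconds above FINE_LIMIT (from the text)
DROP_TIMEOUT = 30      # seconds the drop entry stays installed (assumption)


class NodeMonitor:
    """Detector state for one monitored OpenFlow switch."""

    def __init__(self) -> None:
        self.recent: List[int] = []            # per-second counts, newest last
        self.inspecting = False                # per-second analysis active?
        self.streak = 0                        # consecutive seconds above FINE_LIMIT
        self.drop_until: Optional[int] = None  # second until which the drop entry lives

    def observe(self, second: int, count: int) -> str:
        """Feed the packet count of one second; return the resulting state:
        'normal', 'inspecting', 'attack' (just detected) or 'dropping'."""
        if self.drop_until is not None:
            if second < self.drop_until:
                return "dropping"
            # Drop entry timed out: start monitoring this node afresh.
            self.drop_until = None
            self.inspecting = False
            self.streak = 0
            self.recent = []
        self.recent.append(count)
        self.recent = self.recent[-COARSE_WINDOW:]

        if not self.inspecting:
            if sum(self.recent) > COARSE_LIMIT:
                self.inspecting = True     # coarse threshold hit: go per-second
                self.streak = 0
                return "inspecting"
            return "normal"

        self.streak = self.streak + 1 if count > FINE_LIMIT else 0
        if self.streak >= FINE_STREAK:
            self.drop_until = second + DROP_TIMEOUT
            return "attack"
        if self.streak == 0 and sum(self.recent) <= COARSE_LIMIT:
            self.inspecting = False        # assumption: burst over, back to normal
            return "normal"
        return "inspecting"


def run(counts: List[int]) -> List[str]:
    """Replay one count per second through a fresh monitor."""
    mon = NodeMonitor()
    return [mon.observe(sec, c) for sec, c in enumerate(counts)]


# Constructed traces: a sustained flood and a single legitimate burst.
FLOOD = [100] * 5 + [1000] * 10
BURST = [100] * 5 + [3500] + [100] * 10
```

On `FLOOD` the coarse limit is crossed in second 7 and the attack is declared in second 12, five seconds later; on `BURST` the node is inspected but never declared attacking, because the per-second counts stay under 800. The delay between crossing the coarse limit and declaring the attack is exactly the weakness the paragraph above notes: the switch must hold the flood's packets for those seconds.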

A DoS attack basically causes an overflow of the switch buffers because of the large number of arriving packets, which decreases the switch performance through the gradual exhaustion of its buffering capacity. Due to the centralized structure of SDN, it can be an easy target for various malicious attacks such as Denial of Service (DoS). The authors in [24] have devised algorithms that can ease the congestion created in the network due to the attack. The created algorithms are based on threshold values, and they use a timer and a hashing mechanism in the detection phase. With the help of a hashing mechanism that is triggered on the basis of threshold values, they diagnose and prevent a DoS attack from disrupting the entire network. In the termination phase, the algorithm works with the TTL of the packets, following which the attacker is blocked.

Some approaches have been proposed for detecting and mitigating DDoS attacks by examining the traffic flow behaviour in the network; however, such approaches take too much time to process all the received packets, which leads to high bandwidth consumption and delays in the detection of DDoS attacks. Researchers in [25] have proposed a new approach to detect DDoS attacks in SDN. The proposed approach is designed to detect the presence of DDoS attacks accurately, reduce false positive/negative flow rates, and minimize the complexity of targeting SDN controllers according to a statistical analysis of packet features. It passively captures network traffic, filters the traffic, and selects the most significant features that contribute to DDoS attack detection. The approach is called the statistical-based approach for detecting DDoS against the controllers of software-defined networks. Its general steps are (i) data pre-processing, (ii) statistical analysis, (iii) correlation identification between two vectors, and (iv) rule-based DDoS detection. Data collection and pre-processing aims to receive network traffic and filter the TCP and UDP traffic. The proposed approach aims to detect UDP and TCP DDoS attacks by monitoring the behaviour of UDP and TCP traffic packets.


Chapter 3

Proposed defence mechanism for detection and mitigation of DDoS attacks in SDN

3.1 Introduction

A high-efficiency, lightweight DDoS defence mechanism with minimum delay that can be easily integrated into the SDN structure has been implemented in this thesis. In addition, a malicious flow mitigation mechanism has been developed to help SDN administrators handle the attack better. Protecting a compromised controller and the hardware extension has also been achieved in this approach. Chapter two introduced the SDN stack and the new security challenges which appeared with the SDN model. Each layer in the SDN architecture has some vulnerabilities, which attackers try to exploit in order to attack the network's nodes and to spread their threats. Many studies and solutions have been proposed for detecting and mitigating DDoS attacks in the data plane and the control plane. As stated in the OpenFlow protocol specifications, unmatched packets are forwarded to the controller to get flow entries that allow them to use the network resources. Attackers exploit that point of failure in the OpenFlow protocol to inject the network with an enormous number of spoofed packets, in order to limit the buffer capacity of the switches and increase the workload on the entire network [17]. A hardware extension (the Inspector) has been added to our approach; it acts as an assistant for the control plane in SDN [18] and reduces the pressure of the flow traffic on the controller. However, the idea of adding a new extension is still a poor security solution if that entity is compromised. Thus, we have worked in the direction of protecting the SDN controller and the Inspector at the same time without affecting the workload of the network. Our defence mechanism is distributed between the controller and the Inspector and runs on both sides simultaneously. The implemented approach also saves the network resources from being exhausted by malicious users.

Master Thesis Majd Al saad 23


3.2 Developed approach

During the work on this thesis, most of the vulnerabilities in the SDN architecture have been studied; a compromised controller is considered the biggest threat among the SDN layers [10][11]. If the control plane in SDN is compromised, attackers are able to manage and manipulate the network structure and consume the network resources as they want. For that reason, the hardware extension has been added to our approach to verify the source of the incoming packets, as implemented in [18], but with an improvement in time complexity and with a smart searching method added to its structure. However, the Inspector is also a programmed entity, vulnerable to DDoS attacks, and could be compromised, since it also deals with the flow traffic generated from the data plane. The servers in such architectures can also be a potential target for DoS and/or DDoS attacks: sending a big number of service requests can bring the server down. In order to protect the Inspector from dealing with malicious users and to protect the service level of the network, a monitor component has been implemented in the controller to analyse the flow traffic which the data plane receives from the connected hosts.

In other words, our implemented mechanism for detecting and mitigating forged packets in SDN is distributed between the controller and the Inspector. Each of them includes developed components which aim to protect the other entity, should it be compromised, from dealing with forged packets and to secure the network resources from being exhausted. By integrating the work of these distributed components, the mechanism can detect malicious flow traffic in the network and can protect a compromised controller and a compromised Inspector, and the services of the network are preserved during the attack. Based on the results of analysing the traffic flow, both the controller and the Inspector take the suitable decision to defeat malicious users in the network.

The implemented defence mechanism runs the following components simultaneously:

• The verifying component checks each new incoming packet that requests a flow for the first time.

• The monitor component periodically requests statistical information for each host connected to the data plane. It analyses this information to build a logical map of the nodes in the network and their traffic flow.

• Based on the results of analysing the incoming flow, mitigation procedures run simultaneously in the controller and in the Inspector to defeat compromised hosts if they are detected in the data plane.

Figure 3.1 shows a prototype of our implemented defence mechanism. It consists of detection and mitigation components which run in the controller and in the Inspector.


Figure 3.1 – logical view of the mechanism’s components

3.2.1 Verification component in Inspector

The hardware extension (Inspector) has been implemented as an assistant for the control plane in the SDN structure. A new version of the Inspector in [18] has been developed with an improved time complexity of its searching process; furthermore, a mitigation component has been added to the Inspector structure, which runs immediately if a malicious user is detected by the controller. In the infrastructure plane there are core switches and edge switches. The main difference between them is that core switches do not always require the addresses of hosts for forwarding, whereas end host addresses are important for forwarding packets in edge switches. The Inspector solution considers that the complex network logic should exist only at edge switches, while core switches should be kept as simple as possible [27].

Traffic flows are sequences of packets that share the same identity fields. These fields could be source IP address, destination IP address, source port number, destination port number and/or protocol type. Such information is contained in the header of the packets and can be extracted from each incoming packet for further processing, as illustrated in figure 2.5. In general, packet flows based on the TCP and UDP protocols can contain these five fields, whereas flows based on the ICMP protocol could be a grouping of all packets which share the same source/destination IP addresses and protocol type [17]. In our approach, the Inspector has a database containing networking information, such as source IP address, source MAC address, data path identifier of the connected switch (dpid) and ingress port (In-port), for all authenticated hosts [18]. All hosts in the topology share this networking information, which is kept inside that database. In our approach, each switch in the data plane has a unique data path id (dpid), and each host is connected to an ingress port at an edge switch. IP address and MAC address are assigned individually to each host.

Figure 3.2 – Form of the created Database

Figure 3.2 shows a sample row of the database created in the Inspector. The database is in the form of a table which contains only the networking information required by our implemented solution, as tuples (src IP address, src MAC address, dpid, In-port). Each authenticated host is stored in this database to guarantee that no malicious users reside in the data plane. The controller also has a copy of that database of authenticated hosts, as a backup for the one in the Inspector, for the case that malicious flows are detected by the controller.

In our approach, if any host requests a service in the infrastructure plane for the first time, the responsible edge switch sends the request to the Inspector in the form of packet-in messages; the other packet types can use the OpenFlow channel directly. The Inspector receives that request in the form of flow packets and extracts the required networking information from the header of each packet for the authentication process. After obtaining this information, the Inspector searches for matching information in its database. For the verification process, the main operation is comparing the incoming element's value with the target value in the database. For the searching process in the database, a binary search algorithm has been developed in the structure of the Inspector; it reduces the time needed to find the matching information in the database. The Inspector searches among the hosts stored in its database to decide whether that flow comes from an authenticated host or not. If the host is found, the request is forwarded to the SDN controller; if it does not exist, all incoming flow from that malicious host is dropped. Figure 3.3 illustrates the process of the verification component in the Inspector structure.


Figure 3.3 – Verification process in Inspector

A Binary Search Tree (BST) algorithm has been developed in the structure of the Inspector for finding the matching host in minimum time [29]. The aim of this smart method is to reduce the time complexity of the authentication process. A BST is a tree which divides all its subtrees into two segments, a left subsegment and a right subsegment; the dividing process follows the key value of each node. The searching method consists of comparing the incoming value with the values of the existing nodes, where the nodes are traversed from left to right and finally the parents [30]. Since our implemented approach consists of run-time components, the most important property we need for the searching process in the Inspector's database is the following: the choice of the next element on which to perform some action is one of several possibilities, and only one is chosen for further processing.

The developed algorithm takes as input the following arguments: the database, the target value x [(IP, mac, dpid, port num)], and start and end points as pointers. Our implemented binary search tree algorithm has two cases, an iterative case and a recursive case. It is based on divide and conquer: it searches for specific information in the database by repeatedly dividing the search interval in half. Our method starts by comparing the last element of the entire database with the target value; if they are not equal, the entire database is divided into two subsegments, a lower subsegment and an upper subsegment. The lower half of the database is set aside for the moment. The algorithm starts the search on the upper subsegment of the database by calling the searching function again with new start and end points, where it divides the upper subsegment again into two new subsegments, lower and upper. If the end value of the new subsegment equals the target value, the host has been found and is authenticated to send its request to the controller. If not, the same methodology is repeated until the target element is found. If the algorithm ends up with an empty upper subsegment, it takes back the lower subsegment of the entire database and applies to it the same method that was applied to the upper subsegment. It starts again by comparing the last element of the lower subsegment, which is the middle element of the entire database. If the search also ends with the lower half being empty, the target does not exist, so the host is not authenticated, and all traffic flow generated from it is dropped. Figure 3.5 shows the verification component of the Inspector in practice in our simulation.

Figure 3.4 – Flowchart of our implemented BST
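The verification component of section 3.2.1, as an added example that is not the thesis's own code: authenticated hosts are kept as sorted (src IP, src MAC, dpid, In-port) tuples, and the tuple extracted from each first-time packet-in is looked up before the request may be forwarded to the controller. The lookup is an ordered binary search with an iterative and a recursive variant that take start and end points; the thesis's flowchart describes a different traversal order (comparing the last element of each subsegment), so the search order here, the tuple normalisation and the field names of the packet-in record are assumptions of this example.

```python
"""Inspector verification component (added example, not the thesis's own code)."""
import ipaddress
from typing import List, Optional, Tuple

# One database row: (src IP as integer, src MAC lower-case, dpid, in_port).
HostKey = Tuple[int, str, int, int]


def make_key(src_ip: str, src_mac: str, dpid: int, in_port: int) -> HostKey:
    """Normalise the four header fields so that tuple comparison is consistent."""
    return (int(ipaddress.ip_address(src_ip)), src_mac.lower(), int(dpid), int(in_port))


class InspectorDatabase:
    """Sorted table of authenticated hosts; a lookup costs O(log n) comparisons."""

    def __init__(self, hosts: List[Tuple[str, str, int, int]]) -> None:
        self.rows: List[HostKey] = sorted(make_key(*h) for h in hosts)

    def search_iterative(self, target: HostKey) -> Optional[int]:
        """Return the row index of target, or None; the interval is halved each step."""
        lo, hi = 0, len(self.rows) - 1
        while lo <= hi:
            mid = (lo + hi) // 2
            if self.rows[mid] == target:
                return mid
            if self.rows[mid] < target:
                lo = mid + 1          # discard the lower subsegment
            else:
                hi = mid - 1          # discard the upper subsegment
        return None

    def search_recursive(self, target: HostKey, start: int = 0,
                         end: Optional[int] = None) -> Optional[int]:
        """The same search as the recursive case, with explicit start/end points."""
        if end is None:
            end = len(self.rows) - 1
        if start > end:
            return None               # empty subsegment: the host is not stored
        mid = (start + end) // 2
        if self.rows[mid] == target:
            return mid
        if self.rows[mid] < target:
            return self.search_recursive(target, mid + 1, end)
        return self.search_recursive(target, start, mid - 1)

    def contains(self, key: HostKey) -> bool:
        return self.search_iterative(key) is not None


def extract_key(packet_in: dict) -> HostKey:
    """Pull (src IP, src MAC, dpid, In-port) out of a packet-in record.

    The record layout {dpid, in_port, eth_src, ipv4_src} is constructed for this
    example; a real Inspector would parse the OpenFlow packet-in payload instead.
    """
    return make_key(packet_in["ipv4_src"], packet_in["eth_src"],
                    packet_in["dpid"], packet_in["in_port"])


def verify_packet_in(db: InspectorDatabase, packet_in: dict) -> str:
    """Decision of the verification component: 'forward' to the controller or 'drop'."""
    try:
        key = extract_key(packet_in)
    except (KeyError, ValueError):
        return "drop"                 # malformed header fields are never forwarded
    return "forward" if db.contains(key) else "drop"


# Constructed sample database: three hosts behind edge switch dpid=1.
SAMPLE_HOSTS = [
    ("10.0.0.1", "00:00:00:00:00:01", 1, 1),
    ("10.0.0.2", "00:00:00:00:00:02", 1, 2),
    ("10.0.0.3", "00:00:00:00:00:03", 1, 3),
]

if __name__ == "__main__":
    db = InspectorDatabase(SAMPLE_HOSTS)
    genuine = {"dpid": 1, "in_port": 2, "eth_src": "00:00:00:00:00:02", "ipv4_src": "10.0.0.2"}
    # Same MAC and port, but the IP of another host: the full tuple does not match.
    spoofed = {"dpid": 1, "in_port": 2, "eth_src": "00:00:00:00:00:02", "ipv4_src": "10.0.0.3"}
    print(verify_packet_in(db, genuine), verify_packet_in(db, spoofed))
```

Because the whole tuple is the key, a host that forges only its IP or only its MAC still fails the lookup, which is the property the database form in figure 3.2 relies on.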

3.2.2 Monitoring component in Control Plane

The SDN controller has the ability to gather information from all nodes in the data plane in order to build its own logical map of the entire network. This information, such as network information, statistical information and other various information, is sent from the networking devices to the SDN controller in the form of messages, on request from the control layer [12]. In the data plane, active hosts are connected to ingress ports in edge switches. Thus, all packets generated by hosts in the data plane are received over these ports in the edge switches and are then forwarded to the upper layer to get an admission for using the network resources.

Figure 3.5 – Authentication process in the simulation

A monitor component has been added to the controller in our approach; it controls the incoming flow traffic from the data plane. The functions of the monitor component control only the ports in the edge switches, where the active hosts are sending and receiving flow traffic, since it considers that the complex network logic should exist only at edge switches [27]. The monitoring mechanism has been developed to control and to analyse all packets generated by hosts in the data plane; it periodically requests flow statistical information for each host in the data plane, analyses it and then installs new flow rules if required. The monitor component instructs the controller to send an OpenFlow port statistics request (OFPT-Port-Stat-request) to all edge switches periodically; each edge switch then replies to the controller with an OpenFlow port statistics message (OFPT-Port-Stat-reply). These OpenFlow port stats reply messages contain statistical information for each port at each edge switch, such as port number, received packets, transmitted packets, received bytes, transmitted bytes, dropped packets, duration in seconds, etc. [12]. The request and reply messages between the controller and the edge switches in our approach are illustrated in figure 3.6.


Figure 3.6 – Flow statistics messages between Controller and edge switches

DDoS attacks sent by attackers today target a specific service on the network; spoofed packets that look like legitimate packets are sent to compromise the server of the network. Such smart attacks cannot be detected or blocked by using anomalous traffic statistics alone. What matters in our detection mechanism is the transmission rate of packets for each host in the data plane; therefore a predefined threshold has been set for detecting malicious flows in the network [17][28]. In our approach, authenticated hosts send at a flow rate under that threshold, whereas only malicious users deviate and flood the network with spoofed packets. When the controller receives the OpenFlow reply messages, it extracts and stores all statistical information for each port at the edge switches. As long as each host transmits fewer packets than the threshold within an interval of time, the controller considers it an authenticated host which can request services from the network. Once one of the hosts exceeds the threshold and sends packets unusually, compared with its previous sending rate, it is considered a malicious user that should be mitigated. Figure 3.7 explains the detection mechanism in the control layer.

The monitor component in the controller periodically sends and receives OpenFlow port statistics messages in order to build logical counters for the transmission rate of all hosts in the data plane. Each time the controller receives statistical information from the edge switches, the previous transmission rate of packets (prev-packet) for each port is subtracted from the current transmission rate (diff = port.tr-packet - port.pre-packet). If the difference between the previous transmission rate and the current transmission rate is larger than the threshold (T), then the user at that port is considered a malicious user. In this case the detection method sends (dpid, port num) of that attacker to the mitigation component for further processing. If the difference is smaller than (T), the monitor repeats the same operation periodically.

Figure 3.7 – Monitor component mechanism in control layer
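The counter comparison of the monitor component, as an added example that is not the thesis's own code and does not use Ryu: each poll interval the controller would send a port stats request to every edge switch and receive one reply per switch carrying the cumulative counters of every port; the reply bodies are modelled here as constructed dicts. Taking the edge port's received packet counter (rx_packets, the packets the switch received from its host) as the host's transmitted packets, the threshold value and the poll interval are assumptions of this example. The example also handles a counter that reset or wrapped, which the thesis text does not discuss.

```python
"""Monitor component of the controller (added example, not the thesis's own code)."""
from typing import Dict, List, Tuple

PortId = Tuple[int, int]          # (dpid, port_no) of an edge-switch port

# OpenFlow 1.3 "any port" value used in a port stats request covering all ports.
OFPP_ANY = 0xFFFFFFFF


class Monitor:
    def __init__(self, threshold: int) -> None:
        self.threshold = threshold                    # T: packets per poll interval
        self.prev_packets: Dict[PortId, int] = {}     # port.pre-packet
        self.last_diff: Dict[PortId, int] = {}        # diff of the latest poll

    def build_port_stats_request(self, dpid: int) -> dict:
        """The request the controller sends to one edge switch each interval."""
        return {"type": "OFPT_MULTIPART_REQUEST", "body": "OFPMP_PORT_STATS",
                "dpid": dpid, "port_no": OFPP_ANY}

    def handle_port_stats_reply(self, dpid: int, body: List[dict]) -> List[PortId]:
        """Update the counters from one reply and return the ports that crossed T."""
        flagged: List[PortId] = []
        for entry in body:
            pid = (dpid, entry["port_no"])
            current = entry["rx_packets"]              # port.tr-packet (assumed counter)
            prev = self.prev_packets.get(pid)
            self.prev_packets[pid] = current
            if prev is None or current < prev:
                # First sample for this port, or the counter wrapped/reset:
                # no usable difference yet, wait for the next poll.
                self.last_diff.pop(pid, None)
                continue
            diff = current - prev                      # diff = tr-packet - pre-packet
            self.last_diff[pid] = diff
            if diff > self.threshold:
                flagged.append(pid)                    # handed on as (dpid, port num)
        return flagged


# Constructed replies of edge switch dpid=1 over four poll intervals:
# port 1 is a normal host, port 2 starts flooding in the third interval.
SAMPLE_REPLIES = [
    [{"port_no": 1, "rx_packets": 100}, {"port_no": 2, "rx_packets": 120}],
    [{"port_no": 1, "rx_packets": 160}, {"port_no": 2, "rx_packets": 180}],
    [{"port_no": 1, "rx_packets": 220}, {"port_no": 2, "rx_packets": 5180}],
    [{"port_no": 1, "rx_packets": 280}, {"port_no": 2, "rx_packets": 10180}],
]


def run_monitor(replies: List[List[dict]], dpid: int = 1,
                threshold: int = 500) -> List[List[PortId]]:
    """Feed successive replies to one Monitor; return the flagged ports per interval."""
    monitor = Monitor(threshold)
    return [monitor.handle_port_stats_reply(dpid, body) for body in replies]


if __name__ == "__main__":
    print(run_monitor(SAMPLE_REPLIES))   # [[], [], [(1, 2)], [(1, 2)]]
```

The first reply of a port yields no decision, because a single cumulative counter carries no rate; only the difference between two polls of the same interval length is comparable with T.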

3.2.3 Mitigation component

Once the malicious flow is dropped at one of the OpenFlow switches' ports, it is detected by the monitoring mechanism, which is implemented in the controller. At the moment of detecting a malicious flow, the mitigation mechanism in the controller starts to prevent the attacker from dealing with the Inspector and from using the network resources. The monitor component passes (dpid, port number) to the mitigation component in order to locate the attacker in the data plane.

Figure 3.8 – Mitigation mechanism in controller and in Inspector

The mitigation mechanism starts when the monitor component sends an instruction to inform the mitigation component that a malicious user has been detected. Figure 3.8 shows an experimental logical illustration of the mitigation mechanism in both the controller and the Inspector. The mitigation mechanism consists of the following phases:

• The monitor sends to the mitigation component in the controller an instruction containing the data path ID of the edge switch and the port number where that attacker was detected (dpid, port num).

• The mitigation component then sends two OpenFlow Mod messages to the edge switch in the form of packet-out messages. One of them blocks the port where the attacker is active and sending the spoofed packets, and the other instructs the switch to delete all installed flow entries of that attacker, to prevent it from sending and using network resources.

• Since the attacker can send spoofed packets with either a fake IP address or a fake MAC address, the mitigation component verifies the identity of that attacker in its backup database. It can find the attacker's information since it has the (dpid, port num) of the attack source.

• The controller sends the Inspector an event message to notify it about the detected attacker. That message contains the real networking information of that malicious user in the form (IP source address, MAC source address, dpid, port num).

• The Inspector then modifies its own database, which is used for the authentication process, with the correct networking information of that compromised host, as shown in figure 3.8. In this way, the Inspector will not deal with that malicious host again.

Figure 3.9 – process of receiving notification from the controller

Figure 3.9 shows how the Inspector receives a notification from the controller when an attack is detected; as mentioned previously, that notification message contains the real networking information of that host. The Inspector then updates its database with that information in order to drop any packet coming from it. In this way, the implemented solution protects the Inspector from dealing with malicious hosts. Moreover, our defence mechanism can detect any malicious flows flooding the network while saving the network resources from exhaustion.
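The phases of section 3.2.3, as an added example that is not the thesis's own code: given (dpid, port num) from the monitor, the controller builds the two messages for the edge switch, recovers the attacker's real (IP, MAC) from its backup copy of the Inspector database instead of trusting the spoofed headers, and notifies the Inspector, which removes that host from its authentication table. The messages are plain dicts carrying OpenFlow 1.3 constants rather than Ryu objects, and modelling the thesis's two "OpenFlow Mod messages" as a flow-mod delete plus a port-mod that takes the port down is an assumption of this example.

```python
"""Mitigation component and Inspector database update (added example, not the thesis's code)."""
from typing import Dict, List, Optional, Set, Tuple

HostRow = Tuple[str, str, int, int]   # (src IP, src MAC, dpid, port_no)

# OpenFlow 1.3 constants used in the two switch messages.
OFPFC_DELETE = 3                  # ofp_flow_mod_command: delete matching entries
OFPPC_PORT_DOWN = 1 << 0          # ofp_port_config: port administratively down
OFPP_ANY = 0xFFFFFFFF
OFPG_ANY = 0xFFFFFFFF


class Inspector:
    """Authentication table of the Inspector, keyed by the full tuple."""

    def __init__(self, hosts: List[HostRow]) -> None:
        self.table: Set[HostRow] = set(hosts)
        self.blocked: Set[HostRow] = set()

    def is_authenticated(self, row: HostRow) -> bool:
        return row in self.table

    def handle_attacker_notification(self, msg: dict) -> None:
        """Event message from the controller with the attacker's real (IP, MAC, dpid, port num)."""
        row = (msg["ipv4_src"], msg["eth_src"], msg["dpid"], msg["port_no"])
        self.table.discard(row)       # later packets from this host fail verification
        self.blocked.add(row)


class MitigationComponent:
    def __init__(self, backup_db: List[HostRow], inspector: Inspector) -> None:
        # The controller's backup copy of the Inspector database, indexed by (dpid, port).
        self.by_port: Dict[Tuple[int, int], HostRow] = {(r[2], r[3]): r for r in backup_db}
        self.inspector = inspector
        self.sent_to_switch: List[dict] = []

    def switch_messages(self, dpid: int, port_no: int) -> List[dict]:
        """Flow-mod deleting every entry learnt from the port, and port-mod taking it down."""
        flow_mod = {"type": "OFPT_FLOW_MOD", "dpid": dpid, "command": OFPFC_DELETE,
                    "match": {"in_port": port_no},
                    "out_port": OFPP_ANY, "out_group": OFPG_ANY}
        port_mod = {"type": "OFPT_PORT_MOD", "dpid": dpid, "port_no": port_no,
                    "config": OFPPC_PORT_DOWN, "mask": OFPPC_PORT_DOWN}
        return [flow_mod, port_mod]

    def mitigate(self, dpid: int, port_no: int) -> Optional[dict]:
        """Run the mitigation phases for one (dpid, port_no) reported by the monitor."""
        self.sent_to_switch.extend(self.switch_messages(dpid, port_no))
        row = self.by_port.get((dpid, port_no))
        if row is None:
            # Port unknown to the backup database: the switch is still blocked,
            # but there is no stored identity to pass on to the Inspector.
            return None
        notification = {"ipv4_src": row[0], "eth_src": row[1],
                        "dpid": dpid, "port_no": port_no}
        self.inspector.handle_attacker_notification(notification)
        return notification


# Constructed hosts: the Inspector and the controller's backup hold the same rows.
SAMPLE_HOSTS: List[HostRow] = [
    ("10.0.0.1", "00:00:00:00:00:01", 1, 1),
    ("10.0.0.2", "00:00:00:00:00:02", 1, 2),
]


def demo() -> Tuple[Inspector, MitigationComponent]:
    """The monitor has flagged port 2 of edge switch 1; run mitigation for it."""
    inspector = Inspector(SAMPLE_HOSTS)
    mitigation = MitigationComponent(SAMPLE_HOSTS, inspector)
    mitigation.mitigate(1, 2)
    return inspector, mitigation


if __name__ == "__main__":
    insp, mit = demo()
    print(insp.is_authenticated(SAMPLE_HOSTS[1]), len(mit.sent_to_switch))  # False 2
```

The identity sent to the Inspector comes from the backup database row for that (dpid, port), which is why a forged source IP or MAC in the flood itself does not matter: the port the attacker is physically attached to cannot be spoofed from the host side.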


Chapter 4

Simulation and Evaluation

The simulation and testing of the proposed model for the detection and mitigation of forged packets is explained in the next sections. The presented model is implemented in the Python programming language on the Ryu controller [32] and simulated in the Mininet virtualised network environment [31]. The Nping tool has been used both to generate spoofed packets during the attack simulation and to launch legitimate packets [34]. The results of the presented approach are evaluated in comparison with the solution proposed in [18].

4.1 Simulation Tools and network topology

4.1.1 Network Topology Simulation

Mininet is an emulator that creates a realistic virtual Software Defined Network: it creates virtual hosts, switches, controllers and links, which run standard Linux software. It allows creating, interacting with and customising prototypes of Software Defined Network applications. Switches in Mininet support the OpenFlow protocol for flexible customisation and software defined networking. It runs real kernel and application code on a machine. Interacting with the simulated network can be done in command form by using the Mininet Command Line Interface (CLI) and Application Programming Interface (API) [31]. Our implemented approach is tested in the Mininet emulator, running on Ubuntu 14.04 in one process on an Intel Core i5-8400 2.80 GHz CPU with 12 GB memory. The fat tree topology [33] has been used in our approach to build the network topology; it is popular and widely used in data centres and is a universal network for provably efficient communication. The Ryu controller [33] has been used in our approach, and two Inspector entities have been created in the topology. The southbound protocol is OpenFlow 1.3. In the data plane, 20 OpenFlow switches have been created in two categories: 8 edge switches are connected directly to the network hosts and are responsible for interacting with the physical entities in the data plane, while 12 core switches only forward the packets between the edge switches and the control plane. Figure 4.1 illustrates the experimental topology of our approach.

Figure 4.1 – Experimental Topology of the presented model

Each edge switch (from S1 to S8) connects up to 10 hosts, where one of these hosts acts as the attacker. Hosts in the data plane are grouped through Virtual LANs [37], where a VLAN id has been assigned to each host in our approach. Edge switches S1 to S4 are connected to Inspector1, whereas edge switches S5 to S8 are connected directly to Inspector2. The idea of adding two Inspectors instead of one is to let the packets reach the responsible Inspector faster and with more flexibility, without the need to go through multiple hops. Our topology also contains a web server running a Firefox browser GUI [36], which acts as the web access provider for the network hosts.

4.1.2 Forged Packets Generation and Attack Simulation

Nping [34] is an open source tool for packet generation; it has been used in this presented approach to generate forged packets during the attack [35]. Nping is also used for response analysis and response time measurement, and it can be used as a raw packet generator for network stack stress testing, ARP poisoning, Denial of Service attacks, etc. Nping's echo mode lets the developer see how packets change in transit between the source and destination hosts. Nping can also generate network packets for most protocols, which gives developers full control over the protocol headers. Through a flexible and powerful command line interface (CLI), Nping grants its users full control over the generated packets. It has many features; for example, it can customise TCP, UDP, ICMP and ARP packet generation. It supports multiple target host specification, echo modes for non-root users and Ethernet frame generation; IPv6 is also supported in Nping. The form of the Nping CLI is: Nping [<Options>] <targets>. Figure 4.2 shows an example of an Nping CLI instruction.

Figure 4.2 – an example of nping implementation

As shown in figure 4.2, each field in the packet headers can be customised as the user wants; the source field, IP or MAC address, can also be forged. In our approach, the implementation starts with a pingall to install the necessary flow rules on the switches. Thereafter the simulation starts, where each host pings the web browser to ensure the reachability of the web server for the hosts. The attack simulation is started by a malicious user in the data plane at second 20 from the beginning of the simulation; the attack is simulated to be launched at a rate of 1000 forged packets per second. Attackers send forged ICMP packets to the web server in the network in order to bring down the browser GUI. Legitimate packets have also been generated using the ping utility, which lets only authenticated hosts send ping packets to the web server periodically during the simulation.

4.2 Results Evaluation

The time complexity of the SDN-aimed forged packets attack detection and mitigation components has been analysed first. Then, the effectiveness of the proposed defence mechanism is tested on the controller. Thirdly, the evaluation of the proposed scheme on the web browser GUI, which runs on the web server, has been tested. The results of the proposed model in this thesis are compared with the solution presented in [18].

4.2.1 Time Complexity

The methodology of the developed binary search tree in the Inspector is illustrated in figure 4.3, where a group of 7 nodes is considered. The algorithm starts by dividing the whole group into two sides, right and left, then starts the checking from the last element of the group, which is on the left side. Then it goes up to node number 3 and again down to node 6. If the target does not exist on the left side, the checking operation is switched to the right side. It starts again from the bottom at node number 5, then to node 2 and again down to node 6. Finally it checks the first node.

Figure 4.3 – Binary Search Tree methodology

For the authentication process in the Inspector, which is added to our approach, the main operations are dividing the database and comparing the incoming value with the target value in the mentioned database. Since the implemented search algorithm in the Inspector works by discarding a large amount of unexamined input at each step, splitting it into an upper and a lower side, and does not check each host, the time complexity required for such algorithms is O(log(n)) in the worst case, where n is the number of stored elements in the database. That means the Inspector needs O(log(n)) operations in the worst case to find the stored host's information in its database, if it exists. OpenFlow channels in SDN use TCP to transfer the messages between the switches [12]; as a result, the time complexity of using the OpenFlow channel is constant as long as there is no attack on the network. Furthermore, the time complexity of sending a packet out of the switch is measured in ns, which is approximately negligible [6]. As a result, the proposed defence mechanism does not affect the time complexity of the network.

4.2.2 Evaluation of the proposed approach on the controller

A series of experiments has been conducted to test the effectiveness of our proposed model on the controller from the following aspects: CPU usage and memory usage of the controller, and the bandwidth of the secure OpenFlow channel between the OpenFlow device and the controller. The usage of CPU and memory on the controller during the simulation has been measured by using the Psutil (process and system utilities) library; Psutil is a cross-platform library for retrieving information on running processes and system utilisation in Python [38]. The results of the implemented approach (Improvedversion) are compared to the results of the solution proposed in [18] (Oldversion) for the three aspects. The comparison between the (Improvedversion) and the (Oldversion) shows that both approaches have almost the same effect on the CPU and memory usage of the controller, and the consumption of the secure OpenFlow channel is almost the same in both implemented approaches. That means that, although new defence mechanism components have been developed and added in the controller and the Inspector, this does not have a much different impact on the controller parameters and on the consumption of the OpenFlow channel bandwidth. In this way we prove that the newly developed approach has almost the same impact as the Oldversion on the controller parameters.

CPU and memory usage of the controller: the CPU and memory usage of the controller is tested for both approaches, the newly implemented scheme and the Oldversion, which is implemented in [18]. The application starts with pingall to install the necessary flow rules for all hosts in the data plane; thereafter the simulation starts. As illustrated in figure 4.4, the results show that there are not many differences and variations between the CPU usage of our improved approach and the solution in [18] during the simulation, since both versions prevent the unauthenticated packets from reaching the controller and drop them.

Figure 4.4 – CPU usage of the controller


Figure 4.5 shows the comparison result for both approaches with regard to the memory usage of the controller during the implementation. As illustrated, the memory usage of the controller in both models is almost the same: both approaches do not allow the forged packets to enter the management service of the network, hence the memory usage stays constant in both models.

Figure 4.5 – Memory usage of the controller

Bandwidth of the secure channel: the OpenFlow channel is a secure channel to transmit and receive the OpenFlow messages exchanged between the OpenFlow controller and the OpenFlow device [12]. The OpenFlow channel bandwidth is measured as the number of different packets per interval of time that use the secure channel during the implementation. Figure 4.6 depicts the comparison results at each second during the simulation. We notice that the OpenFlow channel bandwidth consumption of both approaches is almost identical, which means that the developed scheme consumes approximately the same bandwidth of the OpenFlow channel as the Oldversion.

Figure 4.6 – Bandwidth of secure OpenFlow channel


4.2.3 Effectiveness of the proposed approach on web server GUI

Modern forged packet attacks exploit a potentially large number of bots, or compromised hosts. Since these otherwise innocent hosts issue legitimate-looking service requests to the attacked server, the attack traffic looks like normal traffic in terms of pps (packets per second), packet size and packet contents, so that it is harder for existing forged packet solutions to separate it from normal packets. In this thesis, the attack has been launched toward the web server. The effectiveness of the proposed components has been tested on a Firefox web browser with GUI, running on that web server, to display the impact of the attack on the web service. The evaluation is based on the CPU and memory usage of the web server as well as on the bandwidth of the link between the web server and the connected OpenFlow edge switch. The measurement of the simulation runs from 0 to around 130 seconds, when the simulation ends; the attack is started 20 s after the beginning of the simulation.

CPU and memory usage of the web server GUI: the CPU and memory usage of the Firefox process has been measured to illustrate the effectiveness of the presented model. The CPU percentage of a process is the proportion of CPU time consumed by the process to the elapsed wall-clock time of the measurement interval; the memory percentage is the resident memory of the process relative to the physical memory of the host. The same simulation has been run with the developed scheme of this thesis and with the approach implemented in [18]. The CPU and memory usage of the Firefox browser processes is again measured with psutil [38].
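The measurement just described can be reproduced with a short sampler. The following script is an added example and not code from the thesis or from psutil: it computes the two percentages as used here (CPU time consumed per second of wall-clock time, and resident memory relative to physical memory) from a series of samples, and uses psutil only as an optional adapter for taking live samples of every process with a given name. The process name "firefox", the 20 s attack start and the embedded sample run are assumptions made for illustration, not measured data.

```python
"""Sample the CPU and memory usage of a process over a simulation run.

Added example for Section 4.2.3, not code from the thesis. The metric
arithmetic is plain Python; psutil is only an optional adapter for live
sampling, so the calculation can be checked on constructed samples.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

try:
    import psutil  # third-party, optional; needed only for live sampling
except ImportError:
    psutil = None

@dataclass(frozen=True)
class Sample:
    wall: float     # seconds since the run started (wall clock)
    cpu: float      # cumulative CPU time (user + system) of the matched processes, s
    rss: int        # resident set size in bytes, summed over the matched processes
    total_mem: int  # physical memory of the host in bytes

@dataclass(frozen=True)
class Point:
    t: float
    cpu_pct: float
    mem_pct: float

def cpu_percent(prev: Sample, cur: Sample) -> float:
    """CPU time consumed between two samples as a share of the wall-clock
    interval (what psutil's cpu_percent reports). On a multi-core host one
    process can exceed 100 %."""
    dt = cur.wall - prev.wall
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    return 100.0 * (cur.cpu - prev.cpu) / dt

def mem_percent(s: Sample) -> float:
    """Resident memory as a share of physical memory. Summing the RSS of
    several processes counts shared pages once per process, so the total
    for a multi-process browser can exceed 100 %."""
    return 100.0 * s.rss / s.total_mem

def series(samples: Iterable[Sample]) -> List[Point]:
    """One (t, cpu %, mem %) point per sampling interval."""
    samples = list(samples)
    return [Point(cur.wall, cpu_percent(prev, cur), mem_percent(cur))
            for prev, cur in zip(samples, samples[1:])]

def summarize(points: List[Point], attack_start: float) -> Dict[str, Dict[str, float]]:
    """Peak/mean CPU and peak memory, split at the moment the attack starts."""
    def stats(ps: List[Point]) -> Dict[str, float]:
        if not ps:
            return {"peak_cpu": 0.0, "mean_cpu": 0.0, "peak_mem": 0.0}
        return {"peak_cpu": max(p.cpu_pct for p in ps),
                "mean_cpu": sum(p.cpu_pct for p in ps) / len(ps),
                "peak_mem": max(p.mem_pct for p in ps)}
    return {"before": stats([p for p in points if p.t <= attack_start]),
            "after": stats([p for p in points if p.t > attack_start])}

def psutil_sampler(name: str) -> Callable[[], Sample]:
    """Live sampler: sums CPU time and RSS over every process called `name`
    (e.g. all Firefox processes). Requires psutil."""
    if psutil is None:
        raise RuntimeError("psutil is not installed")
    t0 = time.monotonic()
    total = psutil.virtual_memory().total

    def take() -> Sample:
        cpu, rss = 0.0, 0
        for p in psutil.process_iter(["name"]):
            if p.info["name"] != name:
                continue
            try:
                ct = p.cpu_times()
                cpu += ct.user + ct.system
                rss += p.memory_info().rss
            except (psutil.NoSuchProcess, psutil.AccessDenied):
                continue  # process exited between listing and reading: skip it
        return Sample(time.monotonic() - t0, cpu, rss, total)
    return take

def monitor(take: Callable[[], Sample], duration: float, interval: float = 1.0) -> List[Point]:
    """Take a sample every `interval` seconds until `duration` seconds have passed."""
    samples = [take()]
    while samples[-1].wall < duration:
        time.sleep(interval)
        samples.append(take())
    return series(samples)

def constructed_run() -> List[Sample]:
    """Constructed samples, not measured data: one per second for 40 s. The
    process idles (0.02 s CPU per second, 400 MiB RSS) until an attack at
    20 s, then burns 0.9 s CPU per second and grows by 40 MiB per second."""
    total = 4 * 1024 ** 3
    cpu, rss, out = 0.0, 400 * 1024 ** 2, []
    for t in range(41):
        out.append(Sample(float(t), cpu, rss, total))
        cpu += 0.02 if t < 20 else 0.90
        rss += 0 if t < 20 else 40 * 1024 ** 2
    return out
```

On the constructed run, `summarize(series(constructed_run()), 20.0)` reports about 2 % CPU before the attack and 90 % after it, with memory rising from below 10 % to about 29 %. For a live run on the server, `monitor(psutil_sampler("firefox"), 130.0)` takes one sample per second over the same 130 s window used in this chapter; note that the summed RSS of several browser processes double-counts shared pages, so values above 100 % are an artefact of the summation rather than of swapping.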

In our approach the compromised Inspector is protected from handling malicious packets, because the controller detects and mitigates these packets effectively. The compromised Inspector in [18], in contrast, is not protected: it cannot defeat the malicious packets during the attack, which allows malicious entries to be installed in the flow tables of the switches. The simulation results confirm this.

The CPU usage of the Firefox browser is shown in Figure 4.7. The impact of our proposed model on the CPU usage of the web server, compared to the old version in [18], is noticeable. Our defence mechanism keeps the server CPU usage at approximately 0 % and at 25 % in the worst case during the simulation, because the newly developed components detect and mitigate the malicious flow shortly after the attack begins, whereas in the old version the forged packets reach the server and drive its CPU usage to its maximum.


Figure 4.7 – CPU usage of the web server

Figure 4.8 compares the memory usage of the web browser in the improved version and in the old version during the simulation. Our proposed approach limits the memory usage of the web browser to 20 % in the worst case, whereas the old version in [18] reaches more than 110 % during the simulation (a per-process memory percentage summed over all Firefox processes counts shared pages once per process, so the sum can exceed 100 %). Since only authenticated hosts reach the web server in our developed scheme during the simulation, its memory usage does not exceed the normal limits. Malicious users are detected and mitigated shortly after launching their forged packets at the server in our approach, which the solution in [18] still lacks.

Figure 4.8 – Memory usage of the web server


Bandwidth of the link between the web server and the connected edge switch: this parameter is measured as the number of packets that traverse the link between the web server and the responsible edge switch during the simulation, for both approaches. Figure 4.9 shows the difference in the bandwidth usage of that link between the two models. Our approach does not let forged packets overload the server link, since it drops the malicious packets immediately after they are launched; the old version cannot detect the attack on the server, so the attack consumes most of the link bandwidth and the web server becomes unavailable to the other users for the duration of the attack.

Figure 4.9 – Bandwidth of the Server Link
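Both link measurements in this chapter, the OpenFlow channel earlier and the server link here, are packet counts per second on one link. The following script is an added example and not code from the thesis: it bins a packet trace into one-second buckets with one filter for the control channel (TCP port 6653, or the older 6633) and one for the server link, so the two series can be plotted on the same time axis. The input format is the tab-separated output of `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -e frame.len`; the addresses and packets in the embedded trace are constructed for illustration, not captured data.

```python
"""Packets per second on a link, from a tshark field dump.

Added example for the bandwidth measurements of Chapter 4, not thesis code.
Input lines are the tab-separated output of
  tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst \
         -e ip.proto -e tcp.srcport -e tcp.dstport -e frame.len
"""
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

OPENFLOW_PORTS = (6653, 6633)  # IANA-assigned port and the older de-facto port

@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: int            # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    sport: Optional[int]  # None for non-TCP packets
    dport: Optional[int]
    length: int           # frame length in bytes

def parse_tshark_line(line: str) -> Packet:
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    ts, src, dst, proto, sport, dport, length = fields
    return Packet(float(ts), src, dst, int(proto),
                  int(sport) if sport else None, int(dport) if dport else None,
                  int(length))

def load_tshark(text: str) -> List[Packet]:
    return [parse_tshark_line(l) for l in text.splitlines() if l.strip()]

def is_openflow_control(p: Packet) -> bool:
    """Traffic on the controller-switch channel: TCP to or from an OpenFlow port.
    Works whether or not the channel is TLS-protected; only counts are needed."""
    return p.proto == 6 and (p.sport in OPENFLOW_PORTS or p.dport in OPENFLOW_PORTS)

def on_link_of(host_ip: str) -> Callable[[Packet], bool]:
    """Traffic on the access link of one host, e.g. the web server."""
    return lambda p: host_ip in (p.src, p.dst)

def per_second(pkts: Iterable[Packet], keep: Callable[[Packet], bool],
               weight: Callable[[Packet], int] = lambda p: 1,
               t0: float = 0.0) -> Dict[int, int]:
    """Sum `weight` over the packets accepted by `keep`, per one-second bin
    relative to t0. Bins run up to the last packet of the whole trace (not
    only the kept ones) so that different series share the same time axis."""
    counts: Counter = Counter()
    last = 0
    for p in pkts:
        b = int(p.ts - t0)
        last = max(last, b)
        if keep(p):
            counts[b] += weight(p)
    return {b: counts.get(b, 0) for b in range(last + 1)}

# Constructed trace (not a real capture): 10.0.0.100 is the controller,
# 10.0.0.1 the edge switch's management address, 10.0.0.10 the web server.
SAMPLE_TRACE = """\
0.10\t10.0.0.100\t10.0.0.1\t6\t6653\t45012\t90
0.40\t10.0.0.1\t10.0.0.100\t6\t45012\t6653\t142
0.90\t10.0.0.2\t10.0.0.10\t1\t\t\t98
1.30\t10.0.0.10\t10.0.0.2\t1\t\t\t98
1.70\t10.0.0.1\t10.0.0.100\t6\t45012\t6653\t80
2.05\t10.0.0.3\t10.0.0.10\t1\t\t\t98
2.10\t10.0.0.3\t10.0.0.10\t1\t\t\t98
2.15\t10.0.0.3\t10.0.0.10\t1\t\t\t98
2.20\t10.0.0.3\t10.0.0.10\t1\t\t\t98
2.60\t10.0.0.100\t10.0.0.1\t6\t6653\t45012\t120
"""

def rates(text: str, server_ip: str = "10.0.0.10") -> Dict[str, Dict[int, int]]:
    """The three series plotted in this chapter: control-channel pps, server-link
    pps and server-link bytes per second."""
    pkts = load_tshark(text)
    return {
        "openflow_pps": per_second(pkts, is_openflow_control),
        "server_pps": per_second(pkts, on_link_of(server_ip)),
        "server_bytes_ps": per_second(pkts, on_link_of(server_ip), weight=lambda p: p.length),
    }

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    for name, s in rates(text).items():
        print(name, " ".join(f"{b}:{n}" for b, n in sorted(s.items())))
```

Run without input it uses the embedded trace and reports, for example, 2, 1 and 1 control-channel packets in seconds 0 to 2 and a burst of four packets on the server link in second 2; with `tshark ... | python3 pps.py` it bins a real capture of the simulation. Passing `t0` as the attack start time aligns the bins with the 20 s attack offset used in the figures.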


Chapter 5

Conclusion

SDN can provide innovative solutions for network security. However, the security of the SDN architecture itself has not been widely addressed. The SDN architecture has multiple vulnerabilities that attackers exploit to bring down network services. The SDN controller can be compromised, and this has been identified as the major threat in SDN. Protecting a compromised controller has been addressed by adding a new hardware extension that verifies each incoming packet before it reaches the controller; however, this new hardware can itself be compromised and then becomes a single point of failure for the whole network, since it forwards the flows to the controller. During an attack, the consumption of network resources is high, which can lead to their exhaustion.

In this thesis, a new defence mechanism has been developed that protects both a compromised controller and a compromised Inspector; the resources of the network as well as the resources of the server are also protected from exhaustion in our new approach. The comparison of the proposed defence mechanism with the approach implemented in [18] shows that both approaches have approximately the same impact on the controller during the simulation, although new detection and mitigation components have been added to our approach. The effectiveness of the defence mechanism has also been tested on the web server of the network: the results show that the new approach reduces the CPU usage of the web server to approximately 0 % and to 25 % in the worst case, whereas the scheme in [18] drives the CPU usage of the server up to 75 % during the attack simulation. The proposed mechanism also limits the memory usage of the server during the simulation to 20 % in the worst case, whereas the memory usage percentage under the solution in [18] exceeds 110 % during the attack on the server. The bandwidth consumption of the link between the web server and the edge switch is also very low in our approach compared to the scheme in [18]: the proposed model reduces the consumption to approximately 20 % compared with the old version of the Inspector.

As future work, a second controller could be added to the network structure as a backup for the main controller; if the main controller is compromised or down, the backup could take over the control role. The hosts in this approach have been grouped by virtual LANs; MPLS (Multiprotocol Label Switching) could be used instead to address the hosts in the data plane.


List of Figures

2.1 Comparison between traditional networks and SDN: (i) traditional networks, (ii) SDN . . . 5
2.2 Software Defined Networking architecture . . . 7
2.3 OpenFlow Switch components . . . 8
2.4 Components of SDN controller . . . 9
2.5 Table entry structure in OpenFlow Switch . . . 11
2.6 OpenFlow process procedure . . . 12
2.7 ICMP flood attack . . . 17

3.1 Logical view of the mechanism's components . . . 25
3.2 Form of the created Database . . . 26
3.3 Verification process in Inspector . . . 27
3.4 Flowchart of our implemented BST . . . 28
3.5 Authentication process in the simulation . . . 29
3.6 Flow statistics messages between Controller and edge switches . . . 30
3.7 Monitor component mechanism in control layer . . . 31
3.8 Mitigation mechanism in controller and in Inspector . . . 32
3.9 Process of receiving notification from the controller . . . 33

4.1 Experimental Topology of the presented model . . . 35
4.2 An example of nping implementation . . . 36
4.3 Binary Search Tree methodology . . . 37
4.4 CPU usage of the controller . . . 38
4.5 Memory usage of the controller . . . 39
4.6 Bandwidth of secure OpenFlow channel . . . 39
4.7 CPU usage of the web server . . . 41
4.8 Memory usage of the web server . . . 41
4.9 Bandwidth of the Server Link . . . 42


List of Tables

2.1 Main differences between traditional networks and SDN. . . . . . . . . . 6


Bibliography

[1] B. Raghavan et al., Software-defined internet architecture: Decoupling architecture from infrastructure, Proc. 11th ACM Workshop on Hot Topics in Networks (HotNets), pp. 43–48, 2012.

[2] D. Kreutz et al., Software-Defined Networking: A Comprehensive Survey, Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.

[3] T. Benson, A. Akella, and D. Maltz, Unraveling the Complexity of Network Management, Proc. 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI), pp. 335–348, 2009.

[4] H. Kim and N. Feamster, Improving network management with software defined networking, IEEE Communications Magazine, vol. 51, no. 2, pp. 114–119, 2013.

[5] S. Sezer et al., Are we ready for SDN? Implementation challenges for software-defined networks, IEEE Communications Magazine, pp. 36–43, 2013.

[6] P. Göransson and C. Black, Software Defined Networks: A Comprehensive Approach, Morgan Kaufmann (an imprint of Elsevier), Waltham, MA, USA, 2014.

[7] W. Xia, Y. Wen, C. H. Foh, D. Niyato, and H. Xie, A survey on software-defined networking, IEEE Communications Surveys & Tutorials, vol. 17, no. 1, pp. 27–51, 2015.

[8] C. Pfleeger, S. Pfleeger, and J. Margulies, Security in Computing, Pearson Education, 2015.

[9] S. Sezer, S. Scott-Hayward, P. K. Chouhan, B. Fraser, D. Lake, J. Finnegan, N. Viljoen, M. Miller, and N. Rao, Are we Ready for SDN? Implementation Challenges for Software-Defined Networks, IEEE Communications Magazine, pp. 36–43, July 2013.

[10] S. Scott-Hayward, G. O'Callaghan, and S. Sezer, SDN Security: A Survey, IEEE SDN for Future Networks and Services (SDN4FNS), Trento, Italy, 2013.


[11] D. Kreutz et al., Software-defined networking: A comprehensive survey, Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.

[12] Open Networking Foundation, OpenFlow Switch Specification v1.4.0, Oct. 2013.

[13] M. B. C. Dillon, OpenFlow DDoS Mitigation, Amsterdam, 2014.

[14] Q. Yan, F. R. Yu, Q. Gong, and J. Li, Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges, IEEE Communications Surveys & Tutorials, vol. 18, 2015.

[15] C. Douligeris and A. Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks, vol. 44, pp. 643–666, 2004.

[16] A. P. Fajar and T. W. Purboyo, A Survey Paper of Distributed Denial of Service (DDoS) Attack in Software Defined Networking (SDN), International Journal of Applied Engineering Research, ISSN 0973-4562, vol. 13, no. 1, pp. 476–482, 2018.

[17] S. Deng, X. Gao, Z. Lu, Z. Li, and X. Gao, DoS vulnerabilities and mitigation strategies in software-defined networks.

[18] A. S. Alshra'a and J. Seitz, Using INSPECTOR Device to Stop Packet Injection Attack in SDN, Communication Networks Group, Technische Universität Ilmenau, Germany.

[19] X. Gao, S. Deng, X. Gao, and Z. Lu, Packet Injection Attack and Its Defense in Software-Defined Networks, IEEE Transactions on Information Forensics and Security, October 2017.

[20] S. M. Mousavi and M. St-Hilaire, Early Detection of DDoS Attacks Against Software Defined Network Controllers, Journal of Network and Systems Management, vol. 26, pp. 573–591, 2018.

[21] B. H. A. Al-Mafrachi, Detection of DDoS Attacks against the SDN Controller using Statistical Approaches, M.S.C.E. thesis, Department of Computer Science and Engineering, Wright State University, 2017.

[22] A. Alshamrani, A. Chowdhary, S. Pisharody, D. Lu, and D. Huang, A Defense System for Defeating DDoS Attacks in SDN based Networks, Arizona State University, 2017.


[23] C. Y. Hunag, T. MinChi, C. YaoTing, C. YuChieh, and C. YanRen, A Novel Design for Future On-Demand Service and Security, IEEE, pp. 385–388, 2010.

[24] A. Raj, A. S. Bhat, and L. V. Namboothiri, Effective Threshold Defence against DOS Attack on SDN Controller, ISSN 1311-8080.

[25] M. A. Al-Adaileh, M. Anbar, Y.-W. Chong, and A. Al-Ani, Proposed statistical-based approach for detecting distributed denial of service against the controller of software defined network (SADDCS), National Advanced IPv6 Centre, Universiti Sains Malaysia.

[26] H. Hu, W. Han, G.-J. Ahn, and Z. Zhao, FLOWGUARD: Building robust firewalls for software-defined networks, Proc. ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN), pp. 97–102, 2014.

[27] Y.-K. Chang, Y.-T. Huang, and Y.-T. Chen, An Efficient Label-Based Packet Forwarding Scheme in Software Defined Networks, 2018 Tenth International Conference on Ubiquitous and Future Networks (ICUFN), IEEE, pp. 191–196, 2018.

[28] S. Lim, J. Ha, H. Kim, Y. Kim, and S. Yang, A SDN-Oriented DDoS Blocking Scheme for Botnet-Based Attacks, IEEE, 2014.

[29] S. Champagne and P. Robinson, A Practical Adaptive Search Tree for Locally Self-Adjusting Software Defined Networks (SDN), Dalhousie University, 2018.

[30] M. Komorowski and T. Trzciński, Random Binary Search Trees for approximate nearest neighbour search in binary spaces, Applied Soft Computing, pp. 87–93, June 2019.

[31] Mininet. [Online]. Available: http://mininet.org/

[32] Ryu controller. [Online]. Available: https://osrg.github.io/ryu/

[33] A. C. de S. Araujo, L. N. Sampaio, and A. Ziviani, Beep: Balancing energy, redundancy, and performance in fat-tree data center networks, IEEE Internet Computing, vol. 21, no. 4, pp. 44–53, 2017.

[34] Nping. [Online]. Available: https://nmap.org/nping/


[35] S. Li, Y. Cui, Y. Ni, and L. Yan, An Effective SDN Controller Scheduling Method to Defence DDoS Attacks, Chinese Institute of Electronics, received 20 Mar. 2018, accepted 2 May 2018, published 1 Mar. 2019.

[36] S. Jantila and K. Chaipah, A Security Analysis of a Hybrid Mechanism to Defend DDoS Attacks in SDN, Procedia Computer Science, vol. 86, pp. 437–440, December 2016.

[37] J. Chen, J. Chen, J. Ling, and W. Zhang, Failure recovery using vlan-tag in SDN: High speed with low memory requirement, IEEE, 19 January 2017.

[38] Psutil. [Online]. Available: https://pypi.org/project/psutil/
