Elastically Augmenting the Control-path Throughput in SDN to Deal with Internet DDoS Attacks

Published: 23 February 2023

Abstract

Distributed denial of service (DDoS) attacks have been prevalent on the Internet for decades. Despite various defenses, they keep growing in size, frequency, and duration. Software-defined networking (SDN), a newer network paradigm, is also vulnerable to DDoS attacks. SDN uses logically centralized control, which brings advantages in maintaining a global network view and simplifying programmability. When attacks happen, the control path between the switches and their associated controllers may become congested because of its limited capacity. However, the data plane visibility of SDN provides new opportunities to defend against DDoS attacks in the cloud computing environment. To this end, we first conduct measurements to evaluate the throughput of the software control agents on several hardware switches while they are under attack. We then design a new mechanism, called Scotch, that enables the network to scale up its capability and handle DDoS attack traffic. In our design, congestion on the control path works as an indicator that triggers the mitigation mechanism. Scotch elastically scales up control plane capacity by using an Open vSwitch-based overlay. It takes advantage of both the high control plane capacity of a large number of vSwitches and the high data plane capacity of commodity physical switches to increase SDN network scalability and resiliency under abnormal traffic surges (e.g., DDoS attacks). We have implemented a prototype and experimentally evaluated Scotch. Our experiments in a small-scale lab environment and on the large-scale GENI testbed demonstrate that Scotch can elastically scale up the control channel bandwidth upon attacks.


Published in

ACM Transactions on Internet Technology, Volume 23, Issue 1
February 2023
564 pages
ISSN: 1533-5399
EISSN: 1557-6051
DOI: 10.1145/3584863
Editor: Ling Liu


Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 23 February 2023
• Online AM: 2 September 2022
• Accepted: 8 August 2022
• Revised: 13 April 2022
• Received: 17 February 2021
