
Academic year: 2020


All Rights Reserved © 2019 IJARCET


Speculative Study on DDoS Security Threats in Software Defined Networks

Rajni Samta¹, Satish Kumar²

Department of Computer Science, Himachal Pradesh University, Shimla, India

Abstract— Security is the first and foremost concern for any type of network and dominates every other feature of the network. Traditional networks have their own way of dealing with security issues, since these networks are rigid in nature. Software Defined Networks (SDN), however, are far more flexible than traditional networks and are considered open networks, and this openness creates various security-related issues for SDN. Hence, there is a need to study and analyze these security issues so that appropriate suggestions can be derived to address them. The architecture of SDN is open and is easier to tamper with; the architecture is therefore analyzed for its threat-prone areas and for how these security threats find a way to attack the functionalities of Software Defined Networks. Each layer and component of the network is analyzed to understand how these components become vulnerable to threats such as man-in-the-middle, DDoS attacks, ARP poisoning, DNS spoofing, etc. These attacks did not arrive with the new type of network but existed long before it. They have been tampering with networks’ functionalities and have posed serious threats to the clients of those networks. The launch of a new technology brings various kinds of issues, and these issues need to be analyzed carefully for successful and smooth usage of the technology.

Keywords — Software Defined Network, Cloud, IOT, Flooding based DDoS attack, Open flow controller, OVS switches.

I. INTRODUCTION

Information-centric technologies such as Cloud, Big Data and IoT (Internet of Things) are advancing, and software defined networking is one of the most popular among them. These technologies are very complex and highly time consuming to maintain. In such situations, software defined networks provide a flexible network environment that dynamically manages high-bandwidth requirements and easily accommodates frequent changes in the requirements of an organization or any network user. The special feature of SDN is the separation of the data plane and the control plane, which simplifies and improves the network management process [1].

Advantages of SDN over Traditional way of Networking are:

1. Open Flow Support:

Various network entities may be placed physically apart from each other and hence need to communicate with one another (the entities are mainly OpenFlow-compliant switches and controllers). Of interest is how the controller instructs these switches in various situations, which is mainly done using the OpenFlow protocol, as well as new versions of the protocol and design choices for SDN using OpenFlow [2].

2. API Controllers:

API OpenFlow controllers are a key feature behind the uniqueness of the software defined network, and this feature also plays a major role in its vulnerability. An attacker has an easy loophole for injecting malicious code into the network through remote controllers, which can be placed physically far apart from the network [3].

3. No Vendor Dependence:

In traditional networks, networking components such as switches, routers and hubs are manufacturer proprietary. The functionalities of these components cannot be changed programmatically, nor can they be updated frequently without a command line interface. In software defined networks, by contrast, the components are merely dumb hardware that takes instructions from controllers as per the network’s requirements [54].

4. Security:

Software defined networks have their own ways of handling various security threats, such as entropy-based and controller-based solutions. Owing to their dynamic nature, software defined networks also provide reliability as a feature. The traditional way of networking is lacking in such situations [5].

A. TECHNOLOGIES ADOPTING SDN


the sensor nodes in the case where Wireless Sensor Networks are large in size. The second popular technology is Edge Computing, which enables the end user to take charge of the computational infrastructure, hence narrowing the gap between management of services and end use, and is capable of managing the complexities of the network on its own. Collaboration of SDN and Edge computing lowers the complexity barriers and enables the efficient use of Edge computing [6].

B. RISKS IN IMPLEMENTING THE SDN ENVIRONMENT

A software defined network makes the network OpenFlow-based and programmable, and OpenFlow is currently the key to both its uniqueness and its weakness. It is the most deployed concept of programmable networks. Various attack-prone areas in the software defined network’s architecture are:

1. Attack Prone Controllers:

The heart and soul of the network is the centralized control logic, which is capable of handling the entire network with its variety of features. But this specialty comes with various vulnerabilities, and the weakness for the network is that it is easy for intruders to tamper with the controller of the network [7].

2. Open Flow Programmable Interfaces Risks:

The OpenFlow-based, programmable and dynamic nature of the software defined network is the key feature behind its extraordinary performance. But at the same time, this feature serves as an advantage for attackers, who can openly manipulate the network’s services. Using the programmability of the network, intruders may inject malicious code inside the network itself. Attackers can also see what the network is providing as a service to a particular host in the network [7].

3. Inter-Communication between Nodes:

In a network environment where multiple controllers operate the network, the controllers must communicate to synchronize their activities; the next attack-prone area is therefore the link between the controllers. The link between the controllers needs to support highly secure communication [8]. All forwarding rules are inserted into switches by the controller. The data packets that contain these rules can be tampered with by an attacker through eavesdropping on the link between the controller and the switch, which will result in fake rule insertion or malicious rule modification. Once fraudulent rules are installed in the switch, the data packets will not be forwarded correctly [9].

4. Network Applications:

The application can be more attack prone, as a malicious program or code can be injected directly into the controller of the network using application software. From there it would be communicated to every other component in the network. It would not only tamper with the network’s services but may also lead to virus programs being accommodated in parts of the network. It is therefore very important that applications be checked for any malicious code they carry, as they are a part of the software defined network that cannot be ignored [10].


Figure 1: Security Threats in SDN Architecture [11].

C. SDN BASED DDoS FLOODING ATTACKS

A Distributed Denial of Service attack is a process of making a network’s services unavailable, for example by degrading link utilization or bandwidth utilization, and it attempts to make a node of the network incapable of processing the requests it receives. This is mainly achieved when multiple malicious nodes send a massive amount of unnecessary packets towards a victim host, making the victim temporarily or perhaps permanently unavailable.


Figure 2: DDoS Attack in SDN Environment [11].

SDN has various vulnerabilities, especially because it supports the OpenFlow interface. OpenFlow controllers might remain unaware of the situation and of the effect of the problem on the network as a whole.

II. LITERATURE REVIEW

B. Raghavan et al. [12] The Software Defined Network has gained extensive strength because of its archetype. It is being looked at as a network that has the ability to alter the traditional way of networking. This paper reflects the progressive practice of dynamic networks and gives a perspective on how the software defined network evolves. Various OpenFlow standards are discussed and the SDN architecture has been shaped. The focus is mainly on future SDN applications and their evolution.

Y. Jarraya et al. [13] Software defined networking (SDN) has brought new features and new opportunities to networking by separating the control plane and the data plane, making the network OpenFlow-based, programmable and dynamic in nature. Such facilities provided by Software Defined Networks are very beneficial for trends like cloud computing and for organizations that want the network to be modified according to their needs. Software Defined Networks are being utilized in various other fields and have been in practice for years. Many changes have been made to fill the gaps, whereas many alterations are still to be made. This article proposes a taxonomy of software defined network-based cloud computing and its functionalities in detail; various other aspects such as network virtualization and traffic engineering are also analyzed.


contains. They have analyzed the loopholes in the existing network architecture and proposed a security-based architecture for Software Defined Networks.

S. Scott-Hayward et al. [15] Software-Defined Networking (SDN) has made its impact in almost every field. The big question that arises in the case of software defined networks is who exactly will benefit from the new features they provide: the network operators who are going to use the network, or the network intruders? These features also make the network vulnerable. This article addresses the security aspects of SDN, as it has hit the market so fast and is a widely accepted network. It describes what changes are required in the Software Defined Network’s architecture to enhance its security and provides future research suggestions.

J. Mirkovic et al. [16] Distributed denial of service (DDoS) is a rapidly growing problem for networks. The attacks are numerous and varied, and so, accordingly, are the defense approaches. This paper presents various categories of attacks and their mitigation techniques, giving a taxonomy of the current situation of DDoS attacks. The commonalities and other features of the classified attacks are highlighted. The taxonomy for defense shows the frame of current DDoS defense techniques and decisions, and also highlights how these techniques dictate the advantages and loopholes of proposed solutions.

S.T. Zargar et al. [17] Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security managers. DDoS flooding attacks are one of the best ways for intruders to tamper with the network. Usually, attack armies (i.e., botnets) are set up by gaining control over a large number of computers by exploiting their vulnerabilities. After setting up an attack army, the attacker can cause damage to a possibly large number of users. The main aim is to provide a defense mechanism for such categories of DDoS flooding attacks, and research communities are currently working on such issues. Developing such a mechanism requires a thorough understanding of the problem and of the techniques used so far in detecting and mitigating various flooding-based DDoS attacks. The paper covers the scope of the DDoS flooding attack problem and the attempts proposed to overcome it. Its main focus is on understanding how the existing countermeasures prevent, detect and respond to DDoS flooding attacks. Its primary aim is to highlight creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms for the flooding-based DDoS problem while under an actual attack.

S. Dotcenko et al. [18] This paper gives solutions for DDoS attacks using the OpenFlow service of Software Defined Networks. OpenFlow keeps statistics of every activity that has taken place in the network and can detect DDoS attacks in many ways. After detection, the controller can analyze the type of the issue that has arisen, its progress and the sources of the attack. They have proposed two methods of recognizing DDoS attacks: the first uses packet symmetry to identify malicious traffic, and the second blocks the outgoing packets and checks for the active host at that time. Appropriate solutions are then worked out for the attacker host in the network. All the techniques are achieved using the OpenFlow controller itself. This paper gives a clear view of how DDoS attacks damage software defined networks and how the correct countermeasures can be taken to overcome such issues in the network.
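The packet-symmetry check summarized above, sketched as an added example (it is not code from the surveyed paper or from this article): a controller compares, per host pair, the packets sent in one direction with the packets seen coming back, using the per-flow counters it already collects. The record layout, function names and both thresholds are assumptions, and the flow counters are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: (src, dst, packet_count) per flow entry, as a controller
# might aggregate them from switch flow statistics. All values are made up.
SAMPLE_FLOW_STATS = [
    ("10.0.0.1", "10.0.0.9", 120),
    ("10.0.0.9", "10.0.0.1", 110),
    ("10.0.0.2", "10.0.0.9", 80),
    ("10.0.0.9", "10.0.0.2", 95),
    ("10.0.0.3", "10.0.0.9", 50000),   # heavy one-way traffic
    ("10.0.0.9", "10.0.0.3", 40),
    ("10.0.0.4", "10.0.0.9", 30000),   # no reverse flow at all
]


def pair_counts(flow_stats):
    """Sum packet counts per directed (src, dst) pair."""
    counts = defaultdict(int)
    for src, dst, pkts in flow_stats:
        counts[(src, dst)] += pkts
    return counts


def symmetry_ratios(flow_stats):
    """Map each directed pair to (tx + 1) / (rx + 1).

    tx is what src sent to dst, rx is what dst sent back. The +1 keeps the
    ratio finite when the reverse direction is missing, which is exactly the
    case a flood with spoofed or unanswered packets produces.
    """
    counts = pair_counts(flow_stats)
    ratios = {}
    for (src, dst), tx in counts.items():
        rx = counts.get((dst, src), 0)
        ratios[(src, dst)] = (tx + 1) / (rx + 1)
    return ratios


def suspicious_pairs(flow_stats, max_ratio=8.0, min_packets=1000):
    """Return {(src, dst): ratio} for pairs that are both loud and one-sided.

    max_ratio and min_packets are assumed tuning values, not taken from the
    paper; min_packets stops small, naturally one-way flows from alerting.
    """
    counts = pair_counts(flow_stats)
    flagged = {}
    for pair, ratio in symmetry_ratios(flow_stats).items():
        if counts[pair] >= min_packets and ratio > max_ratio:
            flagged[pair] = ratio
    return flagged


if __name__ == "__main__":
    for (src, dst), ratio in sorted(suspicious_pairs(SAMPLE_FLOW_STATS).items()):
        print(f"asymmetric flow {src} -> {dst}: tx/rx ratio {ratio:.1f}")
```

A controller would run this on each statistics polling interval and hand the flagged pairs to its mitigation step, for example a drop or rate-limit rule for the source.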

T. Chin et al. [19] Software Defined Networking and OpenFlow are accumulating new features and security services as well as various applications. This research issue is an interesting domain as we look at what can be achieved next. In this paper, the attack analyzed is a novel attack, and its detection approach uses a centralized controller and open virtual switch (OVS) to inspect the traffic flowing between the network links. Software defined networks differ from other networks in their view of the network and in information availability; these are major collaborative elements in detecting an attack, so that a quick alert can be generated for such threats with high accuracy, with the support of OVS switches. In this paper they have used mitigation and detection techniques for the TCP-SYN flood attack on the Global Environment for Network Innovations, which is helpful for understanding how such flooding-based DDoS attacks need to be dealt with. This research has contributed perceptive findings useful towards an empirical methodology of SDN-based attack detection and countermeasure.


heavily practiced to tamper the networks across the world.

III. CONCLUSION

Security of SDN has become a center of attention, as this dynamic network paradigm experiences design complexities and conventional OpenFlow shortcomings, such as issues related to a single controller. It is very important to analyze and evaluate the security of the Software Defined Network (SDN) architecture in order to protect it against various security threats. There is no doubt that SDN has been perceived as a standout among the most common ideal models for networks because of its isolation of the control and information planes. But various malicious activities have managed to affect network performance, and Distributed Denial of Service (DDoS) attacks have been one of the most crucial issues as far as the dependability of the Internet is concerned. A DDoS attack makes the administration of any host or hub connected to the system difficult because of the wide variety of its approaches to hampering the normal functioning of the network. Due to its simplicity, SDN is easily vulnerable to DDoS attacks, but at the same time the inherent robustness of SDN makes it easy to identify and respond to DDoS attacks. We present SDN-based techniques to detect flooding DDoS attacks; once an attack is detected, three types of mitigation techniques have been shown to be implemented for SDN. In addition, a comparison of the performance of traditional networks and SDN under this type of DDoS attack has been illustrated.

REFERENCES

[1] Masoudi, R., & Ghaffari, A. (2016). Software defined networks: A survey. Journal of Network and Computer Applications, 67, 1–25.

[2] Y. Jarraya, T. Madi, and M. Debbabi, “A Survey and a Layered Taxonomy of Software-Defined

[3] Openflow Switch Specification v1.0–v1.4, Available at https://www.opennetworking.org/sdn-resources/onf-specifications, last accessed on 22.12.2018.

[4] A. Wool, “A quantitative study of Software Defined Network,” Computer, vol. 37, no. 6, pp. 62–67, 2004.

[5] D. Clark, R. Braden, K. Sollins, J. Wroclawski, and D. Katabi, “New Arch: future generation Internet architecture,” DTIC Document, Tech. Rep., 2004.

[6] Ndiaye, M., Hancke, G., & Abu-Mahfouz, A. (2017). Software Defined Networking for Improved Wireless Sensor Network Management: A Survey. Sensors, 17(5), 1031. doi:10.3390/s17051031

[7] Li, W., Meng, W., & Kwok, L. F. (2016). A survey on OpenFlow-based Software Defined Networks: Security challenges and countermeasures. Journal of Network and Computer Applications, 68, 126–139

[8] J. Mirkovic, and P. L. Reiher, “A Taxonomy of DDoS Attack and DDoS Defense Mechanisms”, Association of Computing Machinery, pp. 39-53, vol. 34, no. 2, April, 2004.

[9] M. Liyanage, A. Gurtov, and M. Ylianttila, Software Defined Mobile Networks (SDMN): Beyond LTE Network Architecture. John Wiley & Sons, 2015.

[10] S. J. Vaughan-Nichols, “OpenFlow: The Next Generation of the Network?” Computer, vol. 44, no. 8, pp. 13–15, 2011.

[11] T. Tsou, H. Yin, H. Xie, and D. Lopez, “programmability with Software Defined Networks,” 2012. http://www.opennetworking.com/url?=sat&ghb-1167=web&scrt04, accessed on 15 March, 2018.

[12] J. Mirkovic, and P. L. Reiher, “A Taxonomy of DDoS Attack and DDoS Defense Mechanisms”, Association of Computing Machinery, pp. 39-53, vol. 34, no. 2, April, 2004.

[13] B. Raghavan, M. Casado, T. Koponen, S. Ratnasamy, A. Ghodsi, and S. Shenker, “Software-defined-network in contrast with Traditional Networks,” in Proceedings of the 11th ACM Workshop on Hot Topics in Networks. ACM, pp. 43–48, 2012.

[14] Y. Jarraya, T. Madi, and M. Debbabi, “A Survey and a Layered Taxonomy of Software-Defined Networking,” Communications Surveys Tutorials, IEEE, vol. PP, no. 99, pp. 1–1, 2014.

[15] S. Murphy, E. Lewis, R. Puga, R. Watson, and R. Yee, “Strong security for active networks,” in Open Architectures and Network Programming Proceedings, 2001 IEEE, pp. 63– 70,2001.

[16] S. Scott-Hayward, G. O’Callaghan, and S. Sezer, “SDN Security: A Survey,” in Future Networks and Services (SDN4FNS), 2013 IEEE SDN for. IEEE, pp. 1–7, 2013.

[17] S.T. Zargar, J. Joshi, D. Tipper, and S. Member, “A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS)”, IEEE Communication Survey Tutorials, vol. 15, no. 4, pp. 2046–2069, 2013.

[18] S. Dotcenko, A. Vladyko, and I. Letenko, “A Fuzzy Logic-Based Information Security Management for Software Defined Networks”, In Proceedings of 16th International Conference on Advanced Communication Technology (ICACT), pp. 167-171, IEEE, 2014.

[19] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, “Selective Packet Inspection to Detect DoS Flooding using Software Defined Networking (SDN)”, In Proceedings of IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW), pp. 95-99. IEEE, 2015.
