ZTE Communications ›› 2017, Vol. 15 ›› Issue (3): 13-19.DOI: 10.3969/j.issn.1673-5188.2017.03.003
收稿日期:
2017-06-03
出版日期:
2017-08-25
发布日期:
2019-12-24
XU Xiaoqiong, YU Hongfang, YANG Kun
Received:
2017-06-03
Online:
2017-08-25
Published:
2019-12-24
About author:
XU Xiaoqiong (xiaoqiongxu@std.uestc.edu.cn) is currently a Ph.D. student in University of Electronic Science and Technology of China, China. Her research interests include software defined networking and cloud computing.|YU Hongfang (yuhf@uestc.edu.cn) received her B.Sc. degree in electrical engineering in 1996 from Xidian University, China her M.Sc. degree and Ph.D. degree in communication and information engineering in 1999 and 2006 from University of Electronic Science and Technology of China, respectively. From 2009 to 2010, she was a visiting scholar at the Department of Computer Science and Engineering, University at Buffalo (SUNY), USA. Her research interests include network survivability and next generation Internet, and cloud computing.|YANG Kun(kunyang@uestc.edu.cn)received his Ph.D. from the Department of Electronic & Electrical Engineering of University College London (UCL), UK, and M.Sc. and B.Sc. from the Computer Science Department of Jilin University, China. He is currently a Chair Professor in the School of Computer Science & Electronic Engineering, University of Essex, leading the Network Convergence Laboratory (NCL), UK. He is also an affiliated professor at University of Electronic Science and Technology of China, China. Before joining in University of Essex at 2003, he worked at UCL on several European Union (EU) research projects for several years. His main research interests include wireless networks and communications, future Internet technology and network virtualization, mobile cloud computing. He manages research projects funded by various sources such as UK EPSRC, EU FP7/H2020 and industries. He has published 100+ journal papers. He serves on the editorial boards of both IEEE and non-IEEE journals. He is a senior member of IEEE (since 2008) and a Fellow of IET (since 2009).
Supported by:
. [J]. ZTE Communications, 2017, 15(3): 13-19.
XU Xiaoqiong, YU Hongfang, YANG Kun. DDoS Attack in Software Defined Networks: A Survey[J]. ZTE Communications, 2017, 15(3): 13-19.
SDN-supported | Solution | SDN capabilities exploited | Description |
---|---|---|---|
DDoS Detection | Sequential& concurrent method [ | Global monitoring | Scaling the range of detected IP addresses |
FlowTrApp [ | Traffic analysis | Using some bounds on two per flow based traffic parameters | |
CloudWatcher [ | Programmability | Protect network by writing a simple policy script | |
DDoS Defense | SDN/NFV security policy [ | Centralized-control or programmability | Combining SDN and NFV |
Collaborative framework [ | Centralized-control or programmability | A self-management scheme |
Table 1 SDN-supported DDoS attack
SDN-supported | Solution | SDN capabilities exploited | Description |
---|---|---|---|
DDoS Detection | Sequential& concurrent method [ | Global monitoring | Scaling the range of detected IP addresses |
FlowTrApp [ | Traffic analysis | Using some bounds on two per flow based traffic parameters | |
CloudWatcher [ | Programmability | Protect network by writing a simple policy script | |
DDoS Defense | SDN/NFV security policy [ | Centralized-control or programmability | Combining SDN and NFV |
Collaborative framework [ | Centralized-control or programmability | A self-management scheme |
Defense techniques | DDoS treats | ||
---|---|---|---|
Switch overload | Channel congestion | Controller resource saturation | |
IP filtering [ | √ | ||
Scotch [ | √ | ||
Lightweight [ | √ | ||
FlowSec [ | √ | ||
FloodDefender [ | √ | √ | √ |
MLFQ [ | √ | ||
FRESCO [ | √ | √ | √ |
FloodGuard [ | √ | ||
FlowRanger [ | √ | ||
Avant-Guard [ | √ | ||
SDNShield [ | √ | ||
SDN-Guard [ | √ | √ | √ |
Table 2 An overview of DDoS countermeasures in SDN system
Defense techniques | DDoS treats | ||
---|---|---|---|
Switch overload | Channel congestion | Controller resource saturation | |
IP filtering [ | √ | ||
Scotch [ | √ | ||
Lightweight [ | √ | ||
FlowSec [ | √ | ||
FloodDefender [ | √ | √ | √ |
MLFQ [ | √ | ||
FRESCO [ | √ | √ | √ |
FloodGuard [ | √ | ||
FlowRanger [ | √ | ||
Avant-Guard [ | √ | ||
SDNShield [ | √ | ||
SDN-Guard [ | √ | √ | √ |
[1] |
S. Stuart , “Akamai releases prolexic Q2 2014 global DDoS attack report,” Database & Network Journal, vlo. 44, no. 4, Aug. 2014.
DOI URL PMID |
[2] | C. Jin, H. Wang, K. G. Shin , “Hop-count filtering: an effective defense against spoofed DDoS traffic,” in Proc. ACM Conference on Computer and Communications Security( CCS 03), Washington, USA, Oct. 2003. |
[3] |
Z. S. Taghavi, J. Joshi, D. Tipper , “A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks,” IEEE Communications Surveys & Tutorials, vol. 15, no. 4, pp. 2046-2069, 2013. doi: 10.1109/SURV.2013.031413.00127.
DOI URL PMID |
[4] |
Q. Liao, D. A. Cieslak, A. D. Striegel, N. V. Chawla , “Using selective, short-term memory to improve resilience against DDoS exhaustion attacks,” Security and Communication Networks, vol. 1, no. 4, pp. 287-299,2008. doi: 10.1002/sec.22.
DOI URL |
[5] | H. Jiang, S. Chen, H. Hu, M. Zhang , “Superpoint-based detection against distributed denial of service (DDoS) flooding attacks,” in IEEE International Workshop on Local and Metropolitan Area Networks, Beijing, China, 2015, pp. 1-6. doi: 10.1109/LANMAN.2015.7114724. |
[6] |
Z. Tan, A. Jamdagni, X. He , et al., “Detection of denial-of-service attacks based on computer vision techniques,” IEEE Transactions on Computers, vo. 64, no. 9, pp. 2519-2533, 2015. doi: 10.1109/TC.2014.2375218.
DOI URL |
[7] |
Z. Tan, A. Jamdagni, X. He, P. Nanda, R. P. Liu , “A system for denial-of-service attack detection based on multivariate correlation analysis,” IEEE Transactions on Parallel & Distributed Systems, vol. 25, no. 2, pp. 447-456, 2014. doi: 10.1109/TPDS.2013.146.
DOI URL PMID |
[8] |
P. Xiao, W. Qu, H. Qi, Z. Li , “Detecting DDoS attacks against data center with correlation analysis,” Computer Communications, vol. 67, no. C, pp. 66-74, 2015. doi: 10.1016/j.comcom.2015.06.012.
DOI URL |
[9] | N. McKeown, T. Anderson, H. Balakrishnan , et al., “OpenFlow: enabling innovation in campus networks,” ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69-74, 2008. doi: 10.1145/1355734.1355746 |
[10] | M. Antikainen, T. Aura, M. Särelä , “Spook in your network: attacking an SDN with a compromised OpenFlow switch,” in Proc. 19th Nordic Conference on Secure IT Systems (NordSec14), Tromsø, Norway, Oct. 2014. doi: 10.1007/978-3-319-11599-3_14. |
[11] | D. Kreutz, F. M. Ramos, P. Verissimo , “Towards secure and dependable software-defined networks,” in Proc. Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, ser. HotSDN ’13. New York, USA, 2013, pp. 55-60. doi: 10.1145/2491185.2491199. |
[12] | X. Yang and Y. Liu , “DDoS attack detection under SDN context,” in Proc. IEEE International Conference on Computer Communications IEEE(INFOCOM16), San Francisco, USA, 2016. doi: 10.1109/INFOCOM.2016.7524500. |
[13] | B. Chaitanya and N. Medhi, “FlowTrApp: an SDN based architecture for DDoS attack detection and mitigation in data centers,” in Proc. 3rd International Conference on Signal Processing and Integrated Networks, Noida, India, 2016. doi: 10.1109/SPIN.2016.7566750. |
[14] | S. Shin and G. Gu, “CloudWatcher: network security monitoring using OpenFlow in dynamic cloud networks,” in IEEE International Conference on Network Protocols, Austin, USA, 2012, pp. 1-6. doi: 10.1109/ICNP.2012.6459946. |
[15] | S. K. Fayaz, Y. Tobioka, V. Sekar, M. Bailey , “Bohatei: flexible and elastic DDoS defense,” in 24th Usenix Conference on Security Symposium, Washington, D. C., USA, 2015, pp. 817-832. |
[16] |
C. Lorenz, D. Hock, J. Scherer, et al., “An SDN/NFV-enabled enterprise network architecture offering fine-grained security policy enforcement, ” IEEE Communications Magazine , 2017, vol. 55, no. 3, pp. 217-223. doi: 10.1109/MCOM.2017.1600414CM.
DOI URL |
[17] | R. Sahay , et al. “Towards Autonomic DDoS Mitigation using Software Defined Networking.” NDSS Workshop on Security of Emerging networking Technologies, 2015. doi: 10.14722/sent.2015.23004. |
[18] | M. Jarschel, T. Zinner, T. Hossfeld, P. Tran-Gia, W. Kellerer , “Interfaces, attributes, and use cases: a compass for SDN,” IEEE Communications Magazine, vol. 52, no. 6, pp. 210-217, 2014. doi: 10.1109/MCOM.2014.6829966. |
[19] | Q. Duan, N. Ansari, M. Toy . “Software-defined network virtualization: an architectural framework for integrating SDN and NFV for service provisioning in future networks,” IEEE Network, vol. 30, no. 5, pp. 10-16, 2016. doi: 10.1109/MNET.2016.7579021. |
[20] | S. Shin and G. Gu , “Attacking software-defined networks: a first feasibility study,” in ACM SIGCOMM Workshop Hot Topics Software Defined Network (HotSDN13), Hong Kong, China, 2013, pp. 165-166. |
[21] | A. Wang, Y. Guo, F. Hao, T. V. Lakshman, S. Chen , “Scotch: elastically scaling up SDN control-plane using vSwitch based overlay,” in ACM International Conference on Emerging NETWORKING Experiments and Technologies, Sydney, Australia, 2014, pp. 403-414. doi: 10.1145/2674005.2675002. |
[22] | N. Katta, O. Alipourfard, J. Rexford, D. Walker, “CacheFlow: dependency-aware rule-caching for software-defined networks, ” in ACM Symposium on SDN Research, Santa Clara, USA, 2016, article no. 6. doi: 10.1145/2890955.2890969. |
[23] |
Q. Yan, F. R. Yu, Q. Gong, J. Li , “Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: a survey, some research issues, and challenges,” IEEE Communications Surveys & Tutorials, vol. 18, no. 1, pp. 602-622, 2016. doi: 10.1109/COMST.2015.2487361.
DOI URL PMID |
[24] | S. M. Mousavi and M. St-Hilaire . “Early detection of DDoS attacks against SDN controllers,” in Proc. IEEE International Conference on Computing, Networking and Communications, Anaheim, USA, 2015, pp. 77-81. doi: 10.1109/ICCNC.2015.7069319. |
[25] | P. Dong, X. Du, H. Zhang, T. Xu , “A detection method for a novel DDoS attack against SDN controllers by vast new low-traffic flows,” IEEE International Conference on Communications, Kuala Lumpur, Malaysia, 2016, pp. 1-6. doi: 10.1109/ICC.2016.7510992. |
[26] | R. Braga, E. Mota, A. Passito , “Lightweight DDoS flooding attack detection using NOX/OpenFlow,” in 35th Annual IEEE Conference on Local Computer Networks, Denver, USA, 2011, pp. 408-415. doi: 10.1109/LCN.2010.5735752. |
[27] |
K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, V. Maglaris , “Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments,” Computer Networks, vol. 62, no. 5, pp. 122-136, 2014. doi: 10.1016/j.bjp.2013.10.014.
DOI URL |
[28] | R. T. Kokila, S. T. Selvi, K. Govindarajan , “DDoS detection and analysis in SDN-based environment using support vector machine classifier,” in Proc. IEEE Sixth International Conference on Advanced Computing, Chennai, India, 2015. doi: 10.1109/ICoAC.2014.7229711. |
[29] | L. Barki, A. Shidling, N. Meti , “Detection of distributed denial of service attacks in software defined networks,” in Proc. IEEE International Conference on Advances in Computing, Communications and Informatics (ICACCI), Jaipur, India, 2016, pp. 2576-2581. doi: 10.1109/ICACCI.2016.7732445. |
[30] | R. Wang, Z. Jia, L. Ju , “An entropy-based distributed DDoS detection mechanism in software-defined networking,” IEEE Trustcom/BigDataSE/ISPA, Helsinki, Finland, 2015, pp. 310-317. doi: 10.1109/Trustcom.2015.389. |
[31] |
B. Wang, Y. Zheng, W. Lou, Y. T. Hou , “DDoS attack protection in the era of cloud computing and software-defined networking,” Computer Networks, vol. 81, pp. 308-319, 2015. doi: 10.1109/ICNP.2014.99.
DOI URL |
[32] | M. Dhawan, R. Poddar, K. Mahajan, V. Mann , “SPHINX: detecting security attacks in software-defined networks,” in Network and Distributed System Security Symposium, San Diego, USA, 2015. doi: 10.14722/ndss.2015.23064. |
[33] | S. Ostermann, B. Tjaden, M. Ramadas , “Detecting anamalous network traffic with self-organizing maps,” in Proc. 6th International Workshop on Recent Advances in Intrusion Detection, Pittsburgh, USA, 2003, pp. 36-54. doi: 10.1007/978-3-540-45248-5_3. |
[34] | T. Ha, S. Yoon, A. C. Risdianto, J. Kim, H. Lim , “Suspicious flow forwarding for multiple intrusion detection systems on software defined networks,” IEEE Network, vol. 30, pp. 6, pp. 22-27, 2016. doi: 10.1109/MNET.2016.1600106NM. |
[35] | N. N. Dao, J. Park, M. Park, S. Cho , “A feasible method to combat against DDoS attack in SDN network,” in International Conference on Information Networking, Cambodia, Cambodia, 2015, pp. 309-311. doi: 10.1109/ICOIN.2015.7057902. |
[36] | O. I. Abdullaziz, Y.-J. Chen and L.-C. Wang , “Lightweight authentication mechanism for software defined network using information hiding,” in IEEE Global Communications Conference (GLOBECOM), Washington, D.C., USA, 2016. doi: 10.1109/GLOCOM.2016.7841954. |
[37] | M. Kuerban, Y. Tian, Q. Yang , et al., “FlowSec: DOS attack mitigation strategy on SDN controller,” in IEEE International Conference on Networking, Architecture and Storage, Long Beach, USA, 2016, pp. 1-2. doi: 10.1109/NAS.2016.7549402. |
[38] | P. Zhang, H. Wang, C. Hu, C. Lin , “On denial of service attacks in software defined networks,” IEEE Network Magazine, vol. 30, no. 6, pp. 28-33, 2016. doi: 10.1109/MNET.2016.1600109NM. |
[39] | L. Wei and C. Fung , “FlowRanger: a request prioritizing algorithm for controller DoS attacks in software defined networks,” in IEEE International Conference on Communications, London, UK, 2015, pp. 5254-5259. doi: 10.1109/ICC.2015.7249158. |
[40] | H. Wang, L. Xu, G. Gu . “FloodGuard: a DoS attack prevention extension in software-defined networks,” in 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, Rio de Janeiro, Brazil, 2015, pp. 239-250. doi: 10.1109/DSN.2015.27. |
[41] | K. Chen, A. R. Junuthula, I. K. Siddhrau, Y. Xu, H. J. Chao , “SDNShield: towards more comprehensive defense against DDoS attacks on SDN control plane,” in Proc. IEEE Conference on Communications and Network Security (CNS), Philadelphia, USA, 2016. doi: 10.1109/TPDS.2013.146. |
[42] | S. Shin, V. Yegneswaran, P. Porras, G. Gu , “AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks,” in ACM Sigsac Conference on Computer & Communications Security, Berlin, Germany, 2013, pp. 413-424. doi: 10.1145/2508859.2516684. |
[43] | L. Dridi and M. F. Zhani , “SDN-guard: DoS attacks mitigation in SDN networks,” in IEEE International Conference on Cloud Networking IEEE, Pisa, Italy, 2016. doi: 10.1109/CloudNet.2016.9. |
[44] | S. Gao, Z. Peng, B. Xiao, A. Hu, K. Ren , “FloodDefender: protecting data and control plane resources under SDN-aimed DoS attacks,” in Proc. IEEE International Conference on Computer Communications (INFOCOM), Atlanta, USA, 2017, pp. 1-9. |
[45] | S. Shin, P. Porras, V. Yegneswaran , et al., “FRESCO: modular composable security services for software defined networks,” In Proc. Network & Distributed Security Symposium, San Diego, USA, 2013, pp. 319-332. |
No related articles found! |
阅读次数 | ||||||
全文 |
|
|||||
摘要 |
|
|||||