TY - GEN
T1 - Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN
AU - Cai, Yun Zhan
AU - Lin, Ting Yu
AU - Wang, Yu Ting
AU - Tuan, Ya Pei
AU - Tsai, Meng Hsun
N1 - Publisher Copyright:
© 2022 IEICE.
PY - 2022
Y1 - 2022
N2 - In software-defined networking (SDN), emerging new-flow attacks aim at exhausting the resources of switches and controllers through massive packet-in messages. To detect new-flow attacks, SDNGuardian was proposed as a protocol-independent defense method, which uses entropy to detect anomalies and mitigate attacks with rate limits. In this paper, we introduce a crafty new-flow attack named timeout-aware attack that SDNGuardian cannot detect. We, therefore, propose a novel defense method: SDNSnapshot. Through simulations, we show that SDNSnapshot can successfully detect the timeout-aware attack. The number of dropped benign packet-in messages in SDNSnapshot is around one third of that in SDNGuardian. Besides, a snapshot only consumes 0.9Mb static random access memory (SRAM) for each anomalous sensitive field. The results indicate that SDNSnapshot is a feasible solution to mitigate new-flow attacks in practice.
AB - In software-defined networking (SDN), emerging new-flow attacks aim at exhausting the resources of switches and controllers through massive packet-in messages. To detect new-flow attacks, SDNGuardian was proposed as a protocol-independent defense method, which uses entropy to detect anomalies and mitigate attacks with rate limits. In this paper, we introduce a crafty new-flow attack named timeout-aware attack that SDNGuardian cannot detect. We, therefore, propose a novel defense method: SDNSnapshot. Through simulations, we show that SDNSnapshot can successfully detect the timeout-aware attack. The number of dropped benign packet-in messages in SDNSnapshot is around one third of that in SDNGuardian. Besides, a snapshot only consumes 0.9Mb static random access memory (SRAM) for each anomalous sensitive field. The results indicate that SDNSnapshot is a feasible solution to mitigate new-flow attacks in practice.
UR - http://www.scopus.com/inward/record.url?scp=85142072342&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85142072342&partnerID=8YFLogxK
U2 - 10.23919/APNOMS56106.2022.9919925
DO - 10.23919/APNOMS56106.2022.9919925
M3 - Conference contribution
AN - SCOPUS:85142072342
T3 - APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G
BT - APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 23rd Asia-Pacific Network Operations and Management Symposium, APNOMS 2022
Y2 - 28 September 2022 through 30 September 2022
ER -