Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN

Yun Zhan Cai, Ting Yu Lin, Yu Ting Wang, Ya Pei Tuan, Meng Hsun Tsai

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

In software-defined networking (SDN), emerging new-flow attacks aim at exhausting the resources of switches and controllers through massive packet-in messages. To detect new-flow attacks, SDNGuardian was proposed as a protocol-independent defense method, which uses entropy to detect anomalies and mitigate attacks with rate limits. In this paper, we introduce a crafty new-flow attack named timeout-aware attack that SDNGuardian cannot detect. We, therefore, propose a novel defense method: SDNSnapshot. Through simulations, we show that SDNSnapshot can successfully detect the timeout-aware attack. The number of dropped benign packet-in messages in SDNSnapshot is around one third of that in SDNGuardian. Besides, a snapshot only consumes 0.9Mb static random access memory (SRAM) for each anomalous sensitive field. The results indicate that SDNSnapshot is a feasible solution to mitigate new-flow attacks in practice.

Original languageEnglish
Title of host publicationAPNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium
Subtitle of host publicationData-Driven Intelligent Management in the Era of beyond 5G
PublisherInstitute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)9784885523397
DOIs
Publication statusPublished - 2022
Event23rd Asia-Pacific Network Operations and Management Symposium, APNOMS 2022 - Takamatsu, Japan
Duration: 2022 Sept 282022 Sept 30

Publication series

NameAPNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G

Conference

Conference23rd Asia-Pacific Network Operations and Management Symposium, APNOMS 2022
Country/TerritoryJapan
CityTakamatsu
Period22-09-2822-09-30

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Hardware and Architecture
  • Information Systems and Management

Fingerprint

Dive into the research topics of 'Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN'. Together they form a unique fingerprint.

Cite this