Publications

Abstract : Software-defined networking (SDN) is emerging as a paradigm shift, drastically changing the modern networking, as it simplifies and automates the orchestration, administration of large applications and data centers. SDN architecture offers an easy programmable interface, centralized control and distributed state management model for modern networks. However, in classical implementation of SDN, the intelligence is centralized at the controller and the role of the switches is reduced to perform simple forwarding of packets. Thus, it is obvious that the controller, in addition to control and management operations, it must gather the runtime state and information from switches all over the network. This essentially poses some huge risks: (a) controller overload, (b) congestion in the control channel because of the dependence of switches on controller for even rudimentary forwarding operations (c) making the entire network infrastructure itself vulnerable and (d) eventually leading to resource saturation attacks on the servers in the network. As SDN opened up such new attack vectors, several solutions were proposed in terms of control plane extensions, data plane innovations, improved programming abstractions, augmenting OpenFlow channel. In this paper, we present our observations on emerging stateful SDN architectures and propose a stateful/application-aware SDN architecture. We developed a security-aware framework to detect threats and mitigate saturation attacks in SDN stack and to defend Denial-of-Services (DoS) attacks on other network services and present our experiments with DoS/Flooding attack tools, datasets from popular sources, simulation of real-world attack scenarios on transport protocols TCP, UDP/IP and HTTP, NTP services. The attack detection mechanism has no significant performance impact to good traffic and average detection confidence over 99.99% of traffic states, the mitigation response is comparable with the state of the art, but with our extensible secure architecture we can defend future attacks at scale.