DoSGuard: Mitigating Denial-of-Service Attacks in Software-Defined Networks

Software-defined networking (SDN) is a new networking paradigm that realizes the fast management and optimal configuration of network resources by decoupling control logic and forwarding functions. However, centralized network architecture brings new security problems, and denial-of-service (DoS) at...

Full description

Saved in:
Bibliographic Details
Published inSensors (Basel, Switzerland) Vol. 22; no. 3; p. 1061
Main Authors Li, Jishuai, Tu, Tengfei, Li, Yongsheng, Qin, Sujuan, Shi, Yijie, Wen, Qiaoyan
Format Journal Article
LanguageEnglish
Published Switzerland MDPI AG 29.01.2022
MDPI
Subjects
anomaly detection
defense
Denial of service attacks
denial-of-service (DoS)
fake source address
OpenFlow
Performance evaluation
Software
software-defined networking (SDN)
anomaly detection
fake source address
defense
software-defined networking (SDN)
OpenFlow
denial-of-service (DoS)
Online AccessGet full text
ISSN1424-8220
1424-8220
DOI10.3390/s22031061

Cover

More Information
Summary:Software-defined networking (SDN) is a new networking paradigm that realizes the fast management and optimal configuration of network resources by decoupling control logic and forwarding functions. However, centralized network architecture brings new security problems, and denial-of-service (DoS) attacks are among the most critical threats. Due to the lack of an effective message-verification mechanism in SDN, attackers can easily launch a DoS attack by faking the source address information. This paper presents DoSGuard, an efficient and protocol-independent defense framework for SDN networks to detect and mitigate such attacks. DoSGuard is a lightweight extension module on SDN controllers that mainly consists of three key components: a monitor, a detector, and a mitigator. The monitor maintains the information between the switches and the hosts for anomaly detection. The detector utilizes OpenFlow message and flow features to detect the attack. The mitigator protects networks by filtering malicious packets. We implement a prototype of DoSGuard in the floodlight controller and evaluate its effectiveness in a simulation environment. Experimental results show the DoSGuard achieves 98.72% detecion precision, and the average CPU utilization of the controller is only around 8%. The results demonstrate that DoSGuard can effectively mitigate DoS attacks against SDN with limited overhead.
Bibliography:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
content type line 23
ISSN:1424-8220
1424-8220
DOI:10.3390/s22031061