The simplified data plane of Software-Defined Networking (SDN) should be able to process packets from the entire network. However, the flowtable size constrains the data plane forwarding capacity and may be exploited by malicious attacks. In this paper, we study the slow-rate flowtable overflow (SFTO) attack, which causes flowtable overflow by sending unmatched packets at a slow rate to trigger flow entry installation, thereby occupying flowtable space. To protect the availability of flowtables and the forwarding efficiency of normal flows, we propose SFTO-Guard, a real-time SFTO attack detection and mitigation system based on rule number prediction and an adaptive eviction proportion. SFTO-Guard consists of three modules: a rule prediction module, an attack detection module and an attack mitigation module. The rule prediction module monitors the number of rules in the flowtables and makes real-time predictions. When the predicted value reaches the attack threshold, the module collects the rules in the flowtables, extracts features, and then starts the attack detection module. When an SFTO attack is detected, the attack mitigation module adaptively calculates the rule eviction proportion based on the predicted rule number and the attack detection results, and evicts suspected flow entries to prevent flowtable overflow. Experiments on SFTO-Guard show that the proposed system can mitigate SFTO attacks effectively with low system overhead and short response time; it can limit malicious rules in flowtables to less than 10%, and it is practicable in SDN deployments.
As a new network structure, the decoupling of the control plane and forwarding plane makes Software-Defined Networking (SDN) widely used in large-scale network scenarios. However, the decoupling network architecture a...