DoS vulnerabilities and mitigation strategies in software-defined networks

2019 
Abstract: Software-defined networking (SDN) significantly simplifies the management of network resources and the deployment of networking applications by decoupling the control logic from forwarding devices and by using logically centralized control. While SDN has been highly successful, the characteristics of the SDN architecture also raise new security concerns. The software control agents on the switches, the bandwidth between switches, and the controller have limited processing capacity. These resources can easily be exhausted by SDN-aimed DoS attacks. In this paper, we investigate DoS attack methods and mitigation strategies in SDN. We launch DoS attacks by injecting malicious packets with random source addresses. We find that these packets can overload the software control agents, the secure channel, and the controller. To defend against such attacks, we present DosDefender, an extension module for the SDN controller that filters malicious packets from the data plane in an online manner. We implement a prototype of DosDefender in the Floodlight controller and evaluate the effectiveness of the defense mechanism. The results show that DosDefender can mitigate the DoS attacks and protect the software control agents, secure channel, and controller resources simultaneously.