IDEAS home Printed from https://ideas.repec.org/a/wly/intnem/v28y2018i1ne1996.html
   My bibliography  Save this article

A holistic approach to mitigating DoS attacks in SDN networks

Author

Listed:
  • Lobna Dridi
  • Mohamed Faten Zhani

Abstract

Software‐defined networking (SDN) has recently emerged as a new networking technology offering an unprecedented programmability that allows network operators to dynamically manage their infrastructures. However, despite these benefits, deny‐of‐service (DoS) attacks are considered a major threat to such networks, as they can easily overload the SDN controller and flood switch forwarding tables, resulting in a critical degradation of the network performance. To address this issue, we propose SDN‐Guard, a novel holistic approach to protect SDN networks against DoS attacks. Software‐defined networking–Guard leverages an intrusion detection system (IDS) to detect potential DoS attacks and then efficiently mitigate their impact by dynamically (1) rerouting malicious traffic, (2) adjusting flow time‐outs, and (3) aggregating flow rules. This paper extends our previous work by proposing solutions to minimize the switch‐to‐IDS traffic without impacting the IDS accuracy. We hence propose to use sampling techniques and devise an integer linear program to find the optimal placement for the IDS and to determine the switches that should mirror the flows towards it so as to minimize network bandwidth consumption. Extensive experiments using Mininet show that SDN‐Guard maintains network performance during DoS attacks and succeeds in reducing by up to 32% their impact on controller performance, usage of switch forwarding tables, and control plane bandwidth. Furthermore, our results show that carefully placing the IDS and selecting the switches mirroring, the traffic can reduce by up to 90% the switch‐to‐IDS traffic. They also show that the IDS accuracy remains at 100% by analyzing only 11% of the network traffic.

Suggested Citation

  • Lobna Dridi & Mohamed Faten Zhani, 2018. "A holistic approach to mitigating DoS attacks in SDN networks," International Journal of Network Management, John Wiley & Sons, vol. 28(1), January.
    • Handle: RePEc:wly:intnem:v:28:y:2018:i:1:n:e1996
    DOI: 10.1002/nem.1996
    as

    Download full text from publisher

    File URL: https://doi.org/10.1002/nem.1996
    Download Restriction: no
    File URL: https://libkey.io/10.1002/nem.1996?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Talaya Farasat & Akmal Khan, 2021. "Detecting and analyzing border gateway protocol blackholing activity," International Journal of Network Management, John Wiley & Sons, vol. 31(4), July.
    2. Babangida Isyaku & Mohd Soperi Mohd Zahid & Maznah Bte Kamat & Kamalrulnizam Abu Bakar & Fuad A. Ghaleb, 2020. "Software Defined Networking Flow Table Management of OpenFlow Switches Performance and Security Challenges: A Survey," Future Internet, MDPI, vol. 12(9), pages 1-30, August.

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:wly:intnem:v:28:y:2018:i:1:n:e1996. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    We have no bibliographic references for this item. You can help adding them by using this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Wiley Content Delivery (email available below). General contact details of provider: https://doi.org/10.1002/(ISSN)1099-1190 .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.