DDoS flooding attack mitigation in software defined networks

Abstract

Distributed denial of service (DDoS) attacks which have been completely covered by the security community, today pose a potential new menace in the software defined networks (SDN) architecture. For example, the disruption of the SDN controller could interrupt data communication in the whole SDN network. DDoS attacks can produce a great number of new and short traffic flows (e.g., a series of TCP SYN requests), which may launch spiteful flooding requests to overcharge the controller and cause flow-table overloading attacks at SDN switches. In this research work, we propose a lightweight and practical mitigation mechanism to protect SDN architecture against DDoS flooding threats and ensure a secure and efficient SDN-based networking environment. Our proposal extends the Data Plane (DP) with a classification and mitigation module to analyze the new incoming packets, classify the benign requests from the SYN flood attacks, and perform the adaptive countermeasures. The simulation results indicate that the proposed defending mechanism may efficiently tackle the DDoS flood attacks in the SDN architecture and also in the downstream servers.