Asia-Pacific Network Operations and Management Symposium
2022
Session Number: PS1
Number: PS1-02
Mitigating New-Flow Attack with SDNSnapshot in P4-Based SDN
Yun-Zhan Cai, Ting-Yu Lin, Yu-Ting Wang, Ya-Pei Tuan, Meng-Hsun Tsai,
Publication Date: 2022/09/28
Online ISSN: 2188-5079
DOI: 10.34385/proc.70.PS1-02
Summary:
In software-defined networking (SDN), emerging new-flow attacks aim at exhausting the resources of switches and controllers through massive numbers of packet-in messages. To detect new-flow attacks, SDNGuardian was proposed as a protocol-independent defense method, which uses entropy to detect anomalies and mitigates attacks with rate limits. In this paper, we introduce a crafty new-flow attack named the timeout-aware attack that SDNGuardian cannot detect. We therefore propose a novel defense method: SDNSnapshot. Through simulations, we show that SDNSnapshot can successfully detect the timeout-aware attack. The number of dropped benign packet-in messages in SDNSnapshot is around one third of that in SDNGuardian. Besides, a snapshot only consumes 0.9 Mb of static random access memory (SRAM) for each anomalous sensitive field. The results indicate that SDNSnapshot is a feasible solution to mitigate new-flow attacks in practice.