Mogahed Abdullah ALquhali, Anwar Al-shamairi
Sana'a University, Faculty of Computer & Information Technology
E-mail: [email protected], [email protected]

Abstract:
The core concept of the SDN architecture is the separation of the control plane from the data plane, which makes large data centers and cloud networks easier to control and manage, improves flexibility and lowers cost. On the other hand, SDN faces many challenges, and one of the most serious is security threats such as DDoS, which can cause a full or partial deadlock of the network; this puts DDoS at the top of the most dangerous attacks an SDN network can face. This study therefore describes the DDoS attack mechanism and compares some common solutions proposed to detect or prevent this attack.

Keywords: SDN, cloud, security threats, deadlock, DDoS, attack mechanism.

Introduction:
SDN emerged as a technology to reduce the management burden that grows together with the size of a network. It divides the network into three tiers. The infrastructure layer consists of the forwarding devices (switches and routers) that make up the data plane. The control layer consists of the SDN controller, which runs the network operating system (NOS) and is also responsible for interfacing with the other two layers. The application layer consists of the network applications (monitoring, routing, load balancing, security policy and similar services) that program the network through the controller. This architecture separates control operations from data-plane forwarding, with the controller instructing the switches, in order to improve manageability, reduce power usage, increase performance and prevent many security threats. However, it comes with other challenges, some of which have a larger impact on SDN than on a traditional network. Denial-of-service attacks can hang an SDN component and bring the whole network to a deadlock; the affected component can be the controller, a switch, a link between components or even a client on the network, and each can be attacked by different methods depending on the vulnerability found in the device or technology.

The impact of the attack depends on the number of attacking sources. To make a DoS attack more powerful, attackers exploit clients to perform the attack with catastrophic effect: they spread bot code among network elements, turning them into slave devices (zombies) that execute the attacker's commands. The attacker can then launch a flood attack, ping of death, TCP ACK flood, SYN flood or smurf attack, all aiming at the primary goal of stopping the victim from responding. That goal can be reached in different ways depending on the type of victim. For example, the memory of a switch can be filled with entries for fake flows until its table holds nothing but junk; another form of attack exploits the limited capacity of the link between the controller and the switches by transmitting a large volume of data that congests the channel and blocks other legitimate transmissions. Many DDoS attacks have succeeded in the last three years. The best-known took place in September 2016, when a vulnerability in Hikvision IoT devices was exploited to run the Mirai botnet on those devices, which then generated up to 600 Gbps of traffic on the global network, knocking out the response of many hosting services and taking many websites offline worldwide.

Figure 1: SDN approach
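The two effects mentioned above, a spoofed-source flood that is relayed to the controller and a switch flow table filled with entries for fake flows, can be modelled in a few lines of Python. The following is an added example, not code from this essay or from any of the cited works. It assumes an OpenFlow-style switch whose table-miss rule sends unmatched packets to the controller (a packet-in message), a naive reactive controller that installs one exact-match (source, destination) entry per new flow, a flow table of 1,000 entries, and a constructed traffic mix; the addresses are documentation ranges, not captured data.

```python
"""Model of the packet-in flood / flow-table exhaustion mechanism in SDN.

Added example (not from the essay or the cited works). Assumptions: an
OpenFlow-style switch whose table-miss action sends the packet to the
controller (a packet-in message); a controller that reacts by installing one
exact-match (src, dst) entry per new flow; a hardware flow table of
TABLE_CAPACITY entries; and constructed traffic (no captured data)."""
from dataclasses import dataclass, field

TABLE_CAPACITY = 1000  # assumed flow-table size of the switch


@dataclass
class Switch:
    capacity: int
    flow_table: dict = field(default_factory=dict)
    packet_ins: int = 0        # messages sent over the switch-controller link
    table_full_drops: int = 0  # flow-mods the switch could not store

    def forward(self, src_ip: str, dst_ip: str, controller: "Controller") -> str:
        """Return what happened to one packet of the flow (src_ip, dst_ip)."""
        key = (src_ip, dst_ip)
        if key in self.flow_table:
            return "matched"          # handled entirely in the data plane
        self.packet_ins += 1          # table miss: packet goes to the controller
        return controller.on_packet_in(self, key)


class Controller:
    def on_packet_in(self, switch: Switch, key: tuple) -> str:
        """Naive reactive controller: one exact-match entry per unknown flow."""
        if len(switch.flow_table) >= switch.capacity:
            switch.table_full_drops += 1
            return "flow_mod_failed"  # the switch reports a full table
        switch.flow_table[key] = "output:1"
        return "installed"


def spoofed_source(i: int) -> str:
    """Deterministic, distinct spoofed source address for attack packet i."""
    return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"


def simulate(n_spoofed: int, capacity: int = TABLE_CAPACITY) -> dict:
    """One legitimate flow before the attack, n_spoofed single-packet attack
    flows with distinct spoofed sources, then a second legitimate flow."""
    sw, ctl = Switch(capacity), Controller()
    victim = "198.51.100.5"
    before = sw.forward("192.0.2.10", victim, ctl)
    for i in range(n_spoofed):
        sw.forward(spoofed_source(i), victim, ctl)
    after = sw.forward("192.0.2.11", victim, ctl)
    return {
        "legit_before": before,
        "legit_after": after,
        "packet_ins": sw.packet_ins,
        "table_full_drops": sw.table_full_drops,
        "table_fill": len(sw.flow_table),
    }


if __name__ == "__main__":
    print(simulate(1500))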




DDoS attack scenarios in SDN:
Traditional DDoS attacks such as UDP flood, ICMP flood, TCP ACK flood, SYN flood, smurf, NTP amplification and ping of death are also viable in SDN. Because SDN relies on centralized management of network flows, it is very attractive to DDoS attackers. When a packet arrives whose flow has no matching entry in the switch (for example, from an unknown source IP), the SDN policy makes the switch send it to the controller; the controller then installs a flow rule for that source in the switch. An attacker therefore sends a huge number of packets from a large number of (spoofed) IP addresses, all of which are forwarded to the controller, and the resulting mass of attack packets degrades the network's response for legitimate users. A sample SDN topology is illustrated in Fig. 1. Some forms of DDoS attack in SDN can be described as follows.

1. Controller attack. The target is the SDN controller. The attacker(s) flood a switch with traffic carrying fake IP addresses; because the packets come from unknown addresses, the switch sends all of them to the controller, and the link between the attacked switch and the controller becomes congested.
2. Blind DDoS attack. The target is the controller's system resources: the fake traffic arrives through different switches under the same controller, so the attack load is spread out and is intrinsically harder to detect.
3. Switch memory overflow. The limited memory of the switch is the target, since the switch must store a new entry for every unmatched flow. When an attacker generates new flows, the table fills with entries for fake IPs until no legitimate entry can be added, which stops legitimate transmissions. A switch can also be made unavailable in more sophisticated ways, for instance by blocking the links to it; not all of the flows involved have a high bit rate, so this is difficult to detect, but the result is that the target becomes unreachable.
4. Coremelt attack. The target is a link between switches. The attack is coordinated by communication between attackers located under different switches.
5. Client attack. The victim is a client on the network, for example a cloud server. The attacker may be attached to the same switch or to another one. The server's capabilities are put out of service if the controller does not detect the attack.

Compared with conventional networks, the SDN architecture is a favourable environment for DDoS attacks because of three inherent dynamics of such attacks: propagation, aggregation and widespread impact. A DDoS attack can rapidly affect the whole network, and the aggregation of many attack sources makes it harder to detect the original source. Defenses against DDoS attacks fall into two categories: the first is intended for older, unmanaged switches, whereas the second provides solutions that can be implemented only on newer, smart, manageable switches. The next section discusses five defense approaches.

Solutions against DDoS
attacks in the SDN environment:
To cope with the various DDoS scenarios in SDN environments, several solutions have been proposed in the literature. It is a recent research topic: almost all of the mechanisms were formulated in the last few years. This section analyzes these solutions and examines their properties. Since every model has its own pros and cons, none of them can be called the superior solution; security practitioners must choose the appropriate one(s) according to their requirements. To provide a clear basis for analysis and decision, this section also classifies the methods along several aspects, using two dichotomies: one based on which elements the solutions rely on (network elements vs. flows) and another based on their defense functionalities. Solutions in the literature can be classified as intrinsic or extrinsic. A property that is inherent and essential is called intrinsic, whereas one that varies depending on external factors is called extrinsic. Here, some solutions relate to structural attributes of the SDN environment, whereas others relate mostly to properties of the network flows; the identified mechanisms are therefore classified as intrinsic vs. extrinsic solutions. This classification is illustrated in Fig. 2.


Figure 2: Classification of solutions against DDoS attacks in SDN


Unmanaged switch solutions:
These solutions are designed to work with older switches so that they do not have to be replaced by newer ones, which would raise the cost of the solution to an unreasonable level. Most SDN networks run on this type of switch, and compatibility is a core advantage of the SDN architecture, so this class of solution is more important than the second. The solutions can be classified as table-entry-based, scheduling-based and architectural; all of them are intrinsic.

Table-entry-based solutions aim to reduce the pressure on the switch's flow table: every new flow must be entered into switch memory, which becomes a bottleneck when a DDoS attack injects packets with many different IP addresses. References [5] and [6] propose solutions to this problem. In [5], the impact of a DDoS attack in SDN is presented; the authors argue that the flow table must be managed actively, with modified policies that consider several parameters (such as packet counts and flow-entry properties, together with a timestamp) rather than a single parameter such as the expiration time of the oldest entry, and that flow entries should also be stored temporarily and managed inside the controller. These solutions are classified as mitigation methods. Similarly, Katta et al. [6] propose a memory-focused solution that avoids overflowing the switch memory: because the switch's small memory can hold only a limited number of entries, a strict control policy must be applied to ensure that the switch's tables contain only valid information and to drop packets otherwise. This solution does not actually mitigate the impact of DDoS attacks.

Scheduling-based solutions are applied on the controller, on the assumption that the most important defense belongs at the core of the SDN system, which is the controller. They rely on scheduling algorithms running on the controller that guarantee every network component a chance to send and receive, so that no single device can take all of the bandwidth for a long time. Their main aim is to prevent a single source from monopolizing the link; the attacker's traffic continues to flow and is neither detected nor blocked. The approach in [7] provides flexibility with an acceptable level of availability: Hsu et al. propose a hash-based algorithm running on the controller to improve network availability and flexibility, using round-robin scheduling that gives each packet a tiny time slice, so that a packet needing more time must wait for its next quota. In [8], Lim et al. also give the defense of the controller the highest priority, in order to prevent the whole network from hanging because the controller stops responding to legitimate traffic; even if the network has more than one controller, the attacker only needs to overwhelm the controllers one by one until all SDN controllers have stopped. To prevent a single compromised switch from isolating all of the traffic under it, as happens with the previous solutions, they propose establishing multiple queues on the switch. In contrast to [7], the solution in [8] attempts to ensure that the controller always responds and never hangs. Like [7], it gives no indication of the attacker, since it has no detection mechanism: it does not distinguish legitimate from illegitimate packets because it does not look at packet-level details.

Architectural solutions use the location and responsibilities of network components to prevent DDoS attacks. References [9] and [10] suggest enabling the controller to perform controlling and monitoring functions simultaneously, under a master that manages these controller functionalities. The model in [9] proposes that a controller must be able to monitor one element while controlling another. DDoS attacks can be resolved by looking only at packet counts, so they are classified as low-resolution attacks, whereas detecting ARP cache poisoning requires access to all attack packets. In their architecture, the monitor/controller units cooperate to detect and mitigate attacks according to the orchestrator's instructions; when an attack is detected, the controller reduces the bandwidth limit instead of blocking all traffic. The solution in [10] is similar to [9] in splitting application and packet monitoring inside the controller; in addition, to improve security and take advantage of load balancing, it distributes the controllers, avoiding a single point of failure. They also suggest a level-based methodology in which the controller is separated into two layers consisting of a delegator and lower-level helper controllers. However, it provides no detection mechanism.

Some solutions act to discover illegitimate traffic so that it can be blocked or restricted. They fall into two groups: statistical solutions and machine-learning-based solutions. In [14], Scotch is presented as a model that mitigates attacks by scaling up the control plane with a virtual-switch-based overlay. Its experiments found that switch-to-controller communication can be the bottleneck during a DDoS attack, so when a physical switch is overloaded, new traffic is tunneled to a number of vSwitches, without any ability to detect the source of the attack; it treats all traffic alike, and once packets reach a predefined threshold they are all dropped, including legitimate ones. In [15], Kokila et al. propose a machine-learning-based solution that detects attacks with a support vector machine (SVM) classifier. Focusing on attacks against the controller, this solution is limited to detection and does not mitigate, so it can only form part of an intelligent solution.

Managed switch solutions:
These solutions are dedicated to the newer, smart switches that support management features. References [11]–[14] employ statistical models that build profiles from statistical information gathered during a normal period; these profiles are later compared with incoming packets, and packets that deviate from the profile (attack packets) are eliminated. In the FlowFence mechanism proposed in [11], the switches monitor traffic and detect congestion from bandwidth statistics; when congestion occurs, the switch sends an alarm to the controller, which collects analysis data from the switches attached to the congested link, identifies the illegitimate traffic, and then instructs the switches to limit its bandwidth, avoiding starvation. Like many of the solutions discussed above, this does not block the attack; it only mitigates its impact.
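The FlowFence-style loop described above (switch-side congestion alarm, controller-side bandwidth limits that throttle rather than block) can be shown end to end. The following Python is an added example, not FlowFence's own code or any code from the cited works. It assumes a 1 Gbit/s link to the controller shared by several input ports of one switch, a 90 % utilization alarm threshold, per-port byte counters sampled once per second, and max-min fair sharing as the controller's limiting policy; the counters are constructed, with port 4 standing in for the flooding source.

```python
"""FlowFence-style congestion detection and bandwidth limiting.

Added example; not FlowFence's own code. It models the mechanism described in
the text: a switch samples per-port byte counters on its shared uplink, raises
an alarm when utilization exceeds a threshold, and the controller answers with
per-port rate limits computed by max-min fair sharing, so heavy ports are
throttled while well-behaved ports keep their demand (no starvation).
Capacity, threshold, interval and counters are assumed or constructed."""

LINK_CAPACITY_BPS = 1_000_000_000   # assumed 1 Gbit/s uplink
CONGESTION_THRESHOLD = 0.9           # assumed: alarm above 90 % utilization
SAMPLE_INTERVAL_S = 1.0              # assumed counter sampling interval


def demands_bps(port_bytes: dict, interval_s: float = SAMPLE_INTERVAL_S) -> dict:
    """Convert per-port byte counters over one interval into offered load (bit/s)."""
    return {port: int(b * 8 / interval_s) for port, b in port_bytes.items()}


def utilization(port_bytes: dict, capacity_bps: int = LINK_CAPACITY_BPS,
                interval_s: float = SAMPLE_INTERVAL_S) -> float:
    """Offered load on the shared link as a fraction of capacity (>1 means overload)."""
    return sum(demands_bps(port_bytes, interval_s).values()) / capacity_bps


def switch_alarm(port_bytes: dict, threshold: float = CONGESTION_THRESHOLD) -> bool:
    """Switch-side check: True when the link is congested and the controller must act."""
    return utilization(port_bytes) > threshold


def max_min_limits(demand: dict, capacity_bps: int = LINK_CAPACITY_BPS) -> dict:
    """Controller-side policy: max-min fair share of the link among input ports.
    Ports asking for less than the current fair share get all they ask for; what
    is left is split equally among the remaining (heavier) ports, so only the
    flooding port is actually throttled."""
    limits, remaining = {}, capacity_bps
    pending = sorted(demand, key=demand.get)      # lightest demand first
    while pending:
        share = remaining // len(pending)
        port = pending.pop(0)
        grant = min(demand[port], share)
        limits[port] = grant
        remaining -= grant
    return limits


def controller_reaction(port_bytes: dict) -> dict:
    """Return {} when there is no alarm; otherwise the per-port limits (bit/s)
    that the controller pushes back to the switch."""
    if not switch_alarm(port_bytes):
        return {}
    return max_min_limits(demands_bps(port_bytes))


# Constructed counters for one 1 s interval (bytes per input port);
# port 4 offers 900 Mbit/s and is the flooding source.
SAMPLE_COUNTERS = {1: 6_250_000, 2: 7_500_000, 3: 3_750_000, 4: 112_500_000}

if __name__ == "__main__":
    print(f"utilization={utilization(SAMPLE_COUNTERS):.2f}")
    print(controller_reaction(SAMPLE_COUNTERS))
```

With the constructed counters the offered load is 1.04 times the link capacity, so the alarm fires; the three light ports keep their full 30, 50 and 60 Mbit/s and the flooding port is cut to the remaining 860 Mbit/s. As the text notes for FlowFence, nothing here identifies or blocks the attacker; it only keeps the other ports from starving.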
AvantGuard [12] is a more complex model that aims to ensure security and improve resilience against DDoS attacks. It is based on two modules added to the switches: connection migration (CM), which mitigates DoS requests, and actuating triggers (ATs). A TCP connection request (SYN) is completed at the switch first, and only a request that proves to be legitimate is authorized and forwarded to its destination; this provides protection against SYN flood attacks. Several proposed solutions use entropy in conventional networks, but for SDN architectures there are few. One of them is the model in [13], which proposes a simple entropy-based DDoS flooding attack detection mechanism that can be included in the OpenFlow application on an edge switch. In this model, the entropy of the destination IP addresses is computed; if the entropy is lower than a predefined threshold, a DDoS attack is detected and the target of the attack can be determined, but legitimate packets cannot be distinguished from attack packets. This model performs distributed detection and alerting in the network and reduces the traffic-monitoring load on the controller, at the extra cost of the additional switches.
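The entropy test described above can be implemented directly. The following Python is an added example, not the code of [13] or of any cited work. It computes the Shannon entropy of the destination IP field over consecutive windows of packets and raises an alert after several low-entropy windows in a row, naming the most frequent destination as the suspected target; the window size (50 packets), the threshold (1.0 bit), the number of consecutive windows (5) and the packet stream itself are all assumptions or constructed data. It also shows the limitation stated in the text: the alert identifies the target, not which packets to it are malicious.

```python
"""Entropy-based DDoS flooding detection on destination IP addresses.

Added example; not the code of [13]. The Shannon entropy of the destination
IP field is computed over a window of packets; a run of windows whose entropy
falls below a threshold signals that traffic is concentrating on one target.
Window size, threshold, run length and the packet stream are assumptions or
constructed data."""
import math
from collections import Counter

WINDOW = 50              # assumed window size (packets)
THRESHOLD_BITS = 1.0     # assumed entropy threshold
CONSECUTIVE = 5          # assumed: alert after this many low-entropy windows


def entropy_bits(dst_ips: list) -> float:
    """Shannon entropy (bits) of the destination-IP distribution in one window."""
    n = len(dst_ips)
    return -sum((c / n) * math.log2(c / n) for c in Counter(dst_ips).values())


def scan(dst_ips: list, window: int = WINDOW, threshold: float = THRESHOLD_BITS,
         consecutive: int = CONSECUTIVE) -> list:
    """Slide a non-overlapping window over the stream and return alerts as
    (window_index, entropy, suspected_target). The target is the most frequent
    destination in the window; individual packets to it are not classified as
    legitimate or malicious, which is the limitation noted in the text."""
    alerts, low_run = [], 0
    for w in range(len(dst_ips) // window):
        chunk = dst_ips[w * window:(w + 1) * window]
        h = entropy_bits(chunk)
        low_run = low_run + 1 if h < threshold else 0
        if low_run >= consecutive:
            target, _ = Counter(chunk).most_common(1)[0]
            alerts.append((w, round(h, 3), target))
    return alerts


def normal_window() -> list:
    """Constructed benign window: 50 packets spread evenly over 10 servers."""
    return [f"203.0.113.{i}" for i in range(10)] * 5


def attack_window(victim: str = "203.0.113.7") -> list:
    """Constructed flood window: 45 packets to the victim, 5 to other hosts."""
    return [victim] * 45 + [f"203.0.113.{i}" for i in range(20, 25)]


def sample_stream() -> list:
    """Constructed stream: 5 benign windows followed by 6 flood windows."""
    return normal_window() * 5 + attack_window() * 6


if __name__ == "__main__":
    for alert in scan(sample_stream()):
        print(alert)
```

A benign window spread evenly over ten destinations has an entropy of log2(10), about 3.32 bits; a flood window with 90 % of packets to one host drops to about 0.70 bits. Flood windows start at index 5, so the first alert is raised at window 9, once five consecutive windows have been below the threshold, and again at window 10. Choosing the threshold is the real engineering work: a network with only a handful of popular servers has low entropy even when healthy, so the threshold must be derived from a baseline measured on that network rather than taken from this example.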

Discussion (defense functionalities and switch intelligence):
The proposed solutions are summarized in Table 1, where they are classified into subgroups according to the switches they support (some solutions work with common switches, others only with smart switches) and according to the function they provide: some can only detect DDoS attacks, others can only mitigate the attack's effect, and a few have both functions, detecting attacks and reducing their impact through various policies, which makes them better security solutions than the others. We propose designing a hybrid solution that combines techniques to detect, mitigate and prevent attacks, and that uses methods which work on traditional switches as well as on intelligent managed switches, in order to provide a complete DDoS defense.

Table 1: Solution properties (supported switch type; detection and mitigation functionality)