<?xml-model href='http://www.tei-c.org/release/xml/tei/custom/schema/relaxng/tei_all.rng' schematypens='http://relaxng.org/ns/structure/1.0'?><TEI xmlns="http://www.tei-c.org/ns/1.0">
	<teiHeader>
		<fileDesc>
			<titleStmt><title level='a'>An SVM Based DDoS Attack Detection Method for Ryu SDN Controller</title></titleStmt>
			<publicationStmt>
				<publisher></publisher>
				<date>12/09/2019</date>
			</publicationStmt>
			<sourceDesc>
				<bibl> 
					<idno type="par_id">10195841</idno>
					<idno type="doi">10.1145/3360468.3368183</idno>
					<title level='j'>CoNEXT ’19 Companion</title>
<idno></idno>
<biblScope unit="volume"></biblScope>
<biblScope unit="issue"></biblScope>					

					<author>Shideh Yavary Mehr</author><author>Byrav Ramamurthy</author>
				</bibl>
			</sourceDesc>
		</fileDesc>
		<profileDesc>
			<abstract><ab><![CDATA[Software-Defined Networking (SDN) is a dynamic and manageable network architecture which is more cost-effective than existing network architectures. The idea behind this architecture is to centralize intelligence from the network hardware and funnel this intelligence to the management system (controller) [2]-[4]. Since the centralized SDN controller controls the entire network and manages policies and the flow of traffic throughout the network, it can be considered a single point of failure [1]. It is important to find ways to identify different types of attacks on the SDN controller [8]. The Distributed Denial of Service (DDoS) attack is one of the most dangerous attacks on the SDN controller. In this work, we implement a DDoS attack on the Ryu controller in a tree network topology using the Mininet emulator. We also use a machine learning method, Support Vector Machines (SVM), to detect the DDoS attack. We propose to install flows in switches, and we consider the time attack pattern of the DDoS attack for detection. Simulation results show that the effect of DDoS attacks on the Ryu controller is reduced by 36% using our detection method.]]></ab></abstract>
		</profileDesc>
	</teiHeader>
	<text><body xmlns="http://www.tei-c.org/ns/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xlink="http://www.w3.org/1999/xlink">
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="1">INTRODUCTION</head><p>Software defined networking (SDN) has become widespread in the network research community and industry due to its characteristics such as scalability and flexibility. SDN creates a centralized control system to manage the overall network resources. In SDN, security has been the source of some concern <ref type="bibr">[1]</ref> - <ref type="bibr">[3]</ref>. Recent SDN-based security solutions are implemented at centralized controllers, and their focus is mostly on increasing the control flexibility of SDN instead of strengthening the controller <ref type="bibr">[1]</ref>, <ref type="bibr">[4]</ref>. Existing SDN solutions are mainly based on specific aspects of network security. Most of them do not satisfy the general network security requirements <ref type="bibr">[12]</ref>. SDN is vulnerable to different types of attacks, such as spoofing, tampering, information disclosure, and distributed denial of service (DDoS) <ref type="bibr">[6]</ref>. Among these attacks, DDoS has the most devastating effect, as it can cause degradation of SDN performance, and launching a DDoS attack is extremely simple. Increased latency, dropped legitimate packets, and very large losses can cause degradation of SDN performance <ref type="bibr">[7]</ref>, <ref type="bibr">[8]</ref>. 
Since switches in SDN have less intelligence, they cannot detect malicious flows. Therefore, it is more difficult to mitigate a DDoS attack: the controller cannot tell whether incoming packets come from an attacker or from burst flows <ref type="bibr">[3]</ref> - <ref type="bibr">[8]</ref>. Many earlier solutions are based on defining rules for dropping malicious packets, blocking suspicious traffic, prioritizing scheduling, and so on <ref type="bibr">[12]</ref>. These solutions may require additional hardware, extra control packets, etc., and they are not cost effective <ref type="bibr">[3]</ref>, <ref type="bibr">[6]</ref>. In this work, we first implement a successful DDoS attack using the Mininet emulator. Then, we show how adding some flows to the switches reduces the impact of the DDoS attack by 36%.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="2">METHODOLOGY</head><p>We use the Python-based open source controller Ryu, which supports various protocols. We simulate the DDoS attack on SDN using the Mininet emulator. Our topology consists of four hosts, three switches and one controller (see Fig. <ref type="figure">1</ref>). Mininet creates SDN elements such as the controller, switches, and hosts and can share them with other networks. Ryu provides software components with a well defined API, so it is easy for developers to create new network management and control applications. In this work, we use a machine learning method (SVM) to detect the DDoS attack. First, we collect traffic data from the packet-in messages and extract some values, such as source IP address, source port, destination IP address, and destination port. We use entropy to measure the distribution of these values and train the model with normal and abnormal traffic data. By comparing with some other machine learning algorithms <ref type="bibr">[5]</ref>, we found that SVM is a better framework for detecting the DDoS attack on the Ryu SDN controller <ref type="bibr">[5]</ref>, <ref type="bibr">[7]</ref>.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="3">IMPLEMENTATION</head><p>In order to simulate the DDoS attack in realistic traffic, we use two different hosts and launch the attacks from them. We used a Mininet emulated virtual network installed on a virtual machine, connected to a remote Ryu controller running on another virtual machine. We wrote a script to generate normal traffic from 2 different hosts for random durations. To simulate malicious traffic, we use another script with randomly spoofed IPs and a high packet rate of 25 packets per second. Then, we use a machine learning technique to distinguish normal traffic from malicious traffic <ref type="bibr">[9]</ref>, <ref type="bibr">[10]</ref>. SVM is a learning algorithm that classifies incoming traffic patterns as normal or malicious. SVM supports multi-class classification: a multi-class problem is broken down into binary problems, and these binary classifiers are then trained <ref type="bibr">[9]</ref>, <ref type="bibr">[11]</ref>.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="4">DETECTION</head><p>We used SVM as a classifier to detect DDoS attacks. SVM has low false positive rates, and it maximizes the margin by finding a suitable separating hyperplane. It generates a precise classification and has good accuracy <ref type="bibr">[3]</ref> - <ref type="bibr">[5]</ref>. Some existing research analyzes DDoS attacks by extracting flow status information <ref type="bibr">[10]</ref>, <ref type="bibr">[11]</ref>. In order to classify the two types of data (normal and malicious), parameters such as "Speed of source IP", "Standard deviation of flow packets", "Standard deviation of flow bytes", "Speed of flow entries", and "Ratio of pair flow entries" are used <ref type="bibr">[11]</ref>, <ref type="bibr">[10]</ref>. Figure <ref type="figure">2</ref> shows the throughput comparison for the cases with and without DDoS attack detection.</p></div>
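<div xmlns="http://www.tei-c.org/ns/1.0"><p>As an added example (not the authors' code), the following Python computes, for one collection window, the five features named above plus the source-IP entropy of Section 2; these per-window vectors are what an SVM classifier would be trained on. It assumes flow records shaped like the match and counter fields of a Ryu OFPFlowStatsReply, and the normal and attack samples are constructed.</p>
```python
"""Feature extraction for the Section 4 detection features (added example,
not the authors' code). Assumes flow records shaped like the match and
counter fields of a Ryu OFPFlowStatsReply, collected once per window."""
import math
from collections import Counter


def entropy(values):
    """Shannon entropy in bits of the value distribution (Section 2)."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def stdev(xs):
    """Population standard deviation."""
    mean = sum(xs) / len(xs)
    return math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))


def window_features(flows, interval):
    """Return the five Section 4 features plus source-IP entropy for one
    collection window of `interval` seconds. Each flow is a dict with
    keys src, dst, packets, bytes (assumed shape, see module docstring)."""
    pairs = {(f["src"], f["dst"]) for f in flows}
    # a flow is "paired" when the reverse direction also has an entry;
    # spoofed DDoS sources never receive a reply flow, so this ratio drops
    paired = sum(1 for (s, d) in pairs if (d, s) in pairs)
    return {
        "speed_src_ip": len({f["src"] for f in flows}) / interval,
        "std_flow_packets": stdev([f["packets"] for f in flows]),
        "std_flow_bytes": stdev([f["bytes"] for f in flows]),
        "speed_flow_entries": len(flows) / interval,
        "ratio_pair_flow": paired / len(flows),
        "src_ip_entropy": entropy([f["src"] for f in flows]),
    }


# Constructed samples: two bidirectional host pairs (normal) versus twenty
# one-packet flows from spoofed sources aimed at a single host (attack).
NORMAL = [
    {"src": "10.0.0.1", "dst": "10.0.0.2", "packets": 120, "bytes": 96000},
    {"src": "10.0.0.2", "dst": "10.0.0.1", "packets": 110, "bytes": 88000},
    {"src": "10.0.0.3", "dst": "10.0.0.4", "packets": 130, "bytes": 104000},
    {"src": "10.0.0.4", "dst": "10.0.0.3", "packets": 125, "bytes": 100000},
]
ATTACK = NORMAL[:1] + [
    {"src": f"198.51.100.{i}", "dst": "10.0.0.2", "packets": 1, "bytes": 60}
    for i in range(1, 21)
]
```
Calling window_features(NORMAL, 5) and window_features(ATTACK, 5) shows the attack window with a much higher speed of source IPs, a pair-flow ratio of zero, and a larger packet-count deviation than the normal window.</div>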
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="5">MITIGATION</head><p>When the number of malicious packets starts to increase exponentially within a certain time, the flow collector notifies the Ryu controller. In this case, the Ryu controller adds new rules to all forwarding devices. Based on these rules, all the forwarding devices send the malicious packets back to the flow collector. We also use the time pattern of the DDoS attack to prevent it.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="6">CONCLUSIONS</head><p>In this work, we implemented an SVM-based solution for attack detection. We highlighted the important attributes that can be used to detect a DDoS attack effectively in its early stages, such as the number of packets and time in seconds. Experiments with our prototype implementation showed the effect of attack detection. In the future, we plan to extend our work by improving feature correlation, traffic generation, and real-time performance.</p></div>
<div xmlns="http://www.tei-c.org/ns/1.0"><head n="7">ACKNOWLEDGEMENT</head><p>This material is based upon work supported by the National Science Foundation under Grant No. CNS-1817105. </p></div></body>
		</text>
</TEI>
