Journal ArticleDOI

Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges

TL;DR: This work can help to understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks, which are important for the smooth evolution of SDN-based cloud without the distraction of DDoS attacks.
Abstract: Distributed denial of service (DDoS) attacks in cloud computing environments are growing due to the essential characteristics of cloud computing. With recent advances in software-defined networking (SDN), SDN-based cloud brings us new chances to defeat DDoS attacks in cloud computing environments. Nevertheless, there is a contradictory relationship between SDN and DDoS attacks. On one hand, the capabilities of SDN, including software-based traffic analysis, centralized control, global view of the network, dynamic updating of forwarding rules, make it easier to detect and react to DDoS attacks. On the other hand, the security of SDN itself remains to be addressed, and potential DDoS vulnerabilities exist across SDN platforms. In this paper, we discuss the new trends and characteristics of DDoS attacks in cloud computing, and provide a comprehensive survey of defense mechanisms against DDoS attacks using SDN. In addition, we review the studies about launching DDoS attacks on SDN, as well as the methods against DDoS attacks in SDN. To the best of our knowledge, the contradictory relationship between SDN and DDoS attacks has not been well addressed in previous works. This work can help to understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks, which are important for the smooth evolution of SDN-based cloud without the distraction of DDoS attacks.
Citations
Journal ArticleDOI
TL;DR: This paper provides a comprehensive survey on the literature involving machine learning algorithms applied to SDN, from the perspective of traffic classification, routing optimization, quality of service/quality of experience prediction, resource management and security.
Abstract: In recent years, with the rapid development of current Internet and mobile communication technologies, the infrastructure, devices and resources in networking systems are becoming more complex and heterogeneous. In order to efficiently organize, manage, maintain and optimize networking systems, more intelligence needs to be deployed. However, due to the inherently distributed feature of traditional networks, machine learning techniques are hard to apply and deploy to control and operate networks. Software defined networking (SDN) brings us new chances to provide intelligence inside the networks. The capabilities of SDN (e.g., logically centralized control, global view of the network, software-based traffic analysis, and dynamic updating of forwarding rules) make it easier to apply machine learning techniques. In this paper, we provide a comprehensive survey on the literature involving machine learning algorithms applied to SDN. First, the related works and background knowledge are introduced. Then, we present an overview of machine learning algorithms. In addition, we review how machine learning algorithms are applied in the realm of SDN, from the perspective of traffic classification, routing optimization, quality of service/quality of experience prediction, resource management and security. Finally, challenges and broader perspectives are discussed.

436 citations


Cites background from "Software-Defined Networking (SDN) a..."

  • ...[50] have researched on Distributed Denial of Service (DDoS) attacks in SDN-based cloud computing systems, and discussed future research challenges....

Journal ArticleDOI
TL;DR: This survey evaluated the techniques of deep learning in developing SDN-based Network Intrusion Detection Systems (NIDS) and covered tools that can be used to develop NIDS models in SDN environment.
Abstract: Software Defined Networking Technology (SDN) provides a prospect to effectively detect and monitor network security problems ascribing to the emergence of the programmable features. Recently, Machine Learning (ML) approaches have been implemented in SDN-based Network Intrusion Detection Systems (NIDS) to protect computer networks and to overcome network security issues. A stream of advanced machine learning approaches, the deep learning technology (DL), is beginning to emerge in the SDN context. In this survey, we reviewed various recent works on machine learning (ML) methods that leverage SDN to implement NIDS. More specifically, we evaluated the techniques of deep learning in developing SDN-based NIDS. In the meantime, in this survey, we covered tools that can be used to develop NIDS models in an SDN environment. This survey is concluded with a discussion of ongoing challenges in implementing NIDS using ML/DL and future works.

341 citations

Journal ArticleDOI
TL;DR: A comprehensive analysis of security features introduced by NFV and SDN, describing the manifold strategies able to monitor, protect, and react to IoT security threats and the open challenges related to emerging SDN- and NFV-based security mechanisms.
Abstract: The explosive rise of Internet of Things (IoT) systems has notably increased the potential attack surfaces for cybercriminals. Accounting for the features and constraints of IoT devices, traditional security countermeasures can be inefficient in dynamic IoT environments. In this vein, the advantages introduced by software defined networking (SDN) and network function virtualization (NFV) have the potential to reshape the landscape of cybersecurity for IoT systems. To this aim, we provide a comprehensive analysis of security features introduced by NFV and SDN, describing the manifold strategies able to monitor, protect, and react to IoT security threats. We also present lessons learned in the adoption of SDN/NFV-based protection approaches in IoT environments, comparing them with conventional security countermeasures. Finally, we deeply discuss the open challenges related to emerging SDN- and NFV-based security mechanisms, aiming to provide promising directives to conduct future research in this fervent area.

311 citations


Cites background from "Software-Defined Networking (SDN) a..."

  • ...For example, several SDN-based strategies have been implemented to timely detect DDoS attacks [119], [120]....

Journal ArticleDOI
TL;DR: A comprehensive detail is presented on the core and enabling technologies, which are used to build the 5G security model; network softwarization security, PHY (Physical) layer security and 5G privacy concerns, among others.
Abstract: Security has become the primary concern in many telecommunications industries today as risks can have high consequences. Especially, as the core and enabling technologies will be associated with the 5G network, confidential information will move at all layers in future wireless systems. Several incidents revealed that the hazard encountered by an infected wireless network not only affects the security and privacy concerns, but also impedes the complex dynamics of the communications ecosystem. Consequently, the complexity and strength of security attacks have increased in the recent past, making the detection or prevention of sabotage a global challenge. From the security and privacy perspectives, this paper presents a comprehensive detail on the core and enabling technologies, which are used to build the 5G security model; network softwarization security, PHY (Physical) layer security and 5G privacy concerns, among others. Additionally, the paper includes discussion on security monitoring and management of 5G networks. This paper also evaluates the related security measures and standards of core 5G technologies by resorting to different standardization bodies and provides a brief overview of 5G standardization security forces. Furthermore, the key projects of international significance, in line with the security concerns of 5G and beyond, are also presented. Finally, a future directions and open challenges section has been included to encourage future research.

304 citations

Journal ArticleDOI
TL;DR: It is shown that SDN can manage the network efficiently for improving the performance of big data applications, and big data can benefit SDN as well, including traffic engineering, cross-layer design, defeating security attacks, and SDN-based intra and inter data center networks.
Abstract: Both big data and software-defined networking (SDN) have attracted great interest from both academia and industry. These two important areas have traditionally been addressed separately in most previous works. However, on the one hand, the good features of SDN can greatly facilitate big data acquisition, transmission, storage, and processing. On the other hand, big data will have profound impacts on the design and operation of SDN. In this paper, we present the good features of SDN in solving several issues prevailing with big data applications, including big data processing in cloud data centers, data delivery, joint optimization, scientific big data architectures and scheduling issues. We show that SDN can manage the network efficiently for improving the performance of big data applications. In addition, we show that big data can benefit SDN as well, including traffic engineering, cross-layer design, defeating security attacks, and SDN-based intra and inter data center networks. Moreover, we discuss a number of open issues that need to be addressed to jointly consider big data and SDN in future research.

280 citations


Additional excerpts

  • ...4 [13]....

References
Journal ArticleDOI
TL;DR: The SDN architecture and the OpenFlow standard in particular are presented, current alternatives for implementation and testing of SDN-based protocols and services are discussed, current and future SDN applications are examined, and promising research directions based on the SDN paradigm are explored.
Abstract: The idea of programmable networks has recently re-gained considerable momentum due to the emergence of the Software-Defined Networking (SDN) paradigm. SDN, often referred to as a ''radical new idea in networking'', promises to dramatically simplify network management and enable innovation through network programmability. This paper surveys the state-of-the-art in programmable networks with an emphasis on SDN. We provide a historic perspective of programmable networks from early ideas to recent developments. Then we present the SDN architecture and the OpenFlow standard in particular, discuss current alternatives for implementation and testing of SDN-based protocols and services, examine current and future SDN applications, and explore promising research directions based on the SDN paradigm.

2,013 citations


"Software-Defined Networking (SDN) a..." refers background or methods in this paper

  • ...forwarding in ICN is aligned with the decoupling of the data plane and control plane in SDN [18]....

  • ...Current Internet is information-driven, yet networking technology is still focused on the idea of location-based addressing and host-to-host communications [18]....

  • ...OpenFlow provides optional support for encrypted Transport Layer Security (TLS) communication and a certificate exchange between the switches and the controller(s) [18]....

  • ...ONF presents a high-level architecture for SDN that is vertically split into three main functional layers including infrastructure layer, control layer and application layer [9], [11], [18]–[20], as shown in Fig....

01 Jan 1998
TL;DR: A simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point is discussed.
Abstract: Recent occurrences of various Denial of Service (DoS) attacks which have employed forged source addresses have proven to be a troublesome issue for Internet Service Providers and the Internet community overall. This paper discusses a simple, effective, and straightforward method for using ingress traffic filtering to prohibit DoS attacks which use forged IP addresses to be propagated from 'behind' an Internet Service Provider's (ISP) aggregation point.

1,596 citations


"Software-Defined Networking (SDN) a..." refers background in this paper

  • ...Some examples of source-based mechanisms include ingress/egress filtering, which filters packets with spoofed IP addresses at the source’s edge routers based on the valid IP address range internal to the network [55], and Source Address Validity Enforcement (SAVE) Protocol [56]....

Proceedings ArticleDOI
04 Oct 2010
TL;DR: Onix provides a general API for control plane implementations, while allowing them to make their own trade-offs among consistency, durability, and scalability.
Abstract: Computer networks lack a general control paradigm, as traditional networks do not provide any network-wide management abstractions. As a result, each new function (such as routing) must provide its own state distribution, element discovery, and failure recovery mechanisms. We believe this lack of a common control platform has significantly hindered the development of flexible, reliable and feature-rich network control planes. To address this, we present Onix, a platform on top of which a network control plane can be implemented as a distributed system. Control planes written within Onix operate on a global view of the network, and use basic state distribution primitives provided by the platform. Thus Onix provides a general API for control plane implementations, while allowing them to make their own trade-offs among consistency, durability, and scalability.

1,463 citations


"Software-Defined Networking (SDN) a..." refers background in this paper

  • ...Onix provides a general API for control plane implementations, while allowing them to make their own trade-offs among consistency, durability, and scalability [96]....

  • ...A platform called Onix is presented in [96], in which a network control plane can be implemented as a distributed system....

Journal ArticleDOI
28 Aug 2000
TL;DR: A general purpose traceback mechanism based on probabilistic packet marking in the network that allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs).
Abstract: This paper describes a technique for tracing anonymous packet flooding attacks in the Internet back towards their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing packets with incorrect, or "spoofed", source addresses. In this paper we describe a general purpose traceback mechanism based on probabilistic packet marking in the network. Our approach allows a victim to identify the network path(s) traversed by attack traffic without requiring interactive operational support from Internet Service Providers (ISPs). Moreover, this traceback can be performed "post-mortem", after an attack has completed. We present an implementation of this technology that is incrementally deployable, (mostly) backwards compatible and can be efficiently implemented using conventional technology.

1,251 citations


"Software-Defined Networking (SDN) a..." refers background in this paper

  • ...Some examples of destination-based mechanisms include input debugging [59], probabilistic packet marking [60], and hash-based IP traceback [61]....

Journal ArticleDOI
TL;DR: The primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.
Abstract: Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.

1,153 citations


"Software-Defined Networking (SDN) a..." refers background or methods in this paper

  • ...every packet passing through the router using Bloom Filter, which is a hash structure to reduce the memory requirement to store packet records [35]....

  • ...They generally consume less bandwidth and are stealthier in nature compared to volumetric attacks, since they are very similar to benign traffic [35]....

  • ...1) Network/transport-level DDoS flooding attacks: These attacks have been mostly launched using TCP, UDP, ICMP and DNS protocol packets and focus on disrupting legitimate user’s connectivity by exhausting victim network’s bandwidth [35]....

  • ...HTTP sessions and employs rate-limiting as the primary defense mechanism [35], [63])....

  • ...Since attackers cooperate to perform successful attacks, defenders must also form alliances and collaborate with each other to defeat DDoS attacks [35]....
