WiP: Control Plane Saturation Attack Mitigation in Software Defined Networks

Abstract

Recent works have shown that the interaction between control and data plane in the Software Defined Networks can be chocked by an adversary with saturation attack. This attack is generated by sending large number of new flows to a switch exploiting the switch-controller communication. A switch sends a packet-in message to the controller if a new flow is seen. A flux of new flows results in a large number of packet-in messages at the controller. In this paper, we present SaturationGuard which mitigates this attack by adopting an early attack detection method. An anomaly detection method deployed at the controller observes the patterns of packet-in messages and identifies the attack. In particular, we capture normal interaction between switch and controller using the arrival rate of packet-in messages with a probability distribution. To mitigate the attack, we propose to throttle the bandwidth of the affected switch port in proportion to the arrival rate of new flows. We implement a proof of concept solution with Mininet and an external controller and show that SaturationGuard is effective in handling the saturation attacks with early stage detection. © 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.