International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I

Research Article

Defending Blind DDoS Attack on SDN Based on Moving Target Defense

  • @INPROCEEDINGS{10.1007/978-3-319-23829-6_32,
        author={Duohe Ma and Zhen Xu and Dongdai Lin},
        title={Defending Blind DDoS Attack on SDN Based on Moving Target Defense},
        proceedings={International Conference on Security and Privacy in Communication Networks. 10th International ICST Conference, SecureComm 2014, Beijing, China, September 24-26, 2014, Revised Selected Papers, Part I},
        proceedings_a={SECURECOMM},
        year={2015},
        month={11},
        keywords={Blind DDoS attack; Software defined networking; Moving target defense},
        doi={10.1007/978-3-319-23829-6_32}
    }
    
  • Duohe Ma
    Zhen Xu
    Dongdai Lin
    Year: 2015
    Defending Blind DDoS Attack on SDN Based on Moving Target Defense
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-23829-6_32
Duohe Ma*, Zhen Xu1,*, Dongdai Lin1,*
  • 1: Institute of Information Engineering
*Contact email: maduohe@iie.ac.cn, xuzhen@iie.ac.cn, ddlin@iie.ac.cn

Abstract

Software Defined Networking (SDN) offers a new network architecture by decoupling the control plane from the data plane, which traditional network devices bundle together in closed, proprietary implementations. With this architecture, SDN represents the direction in which networking is developing. In its typical deployment, a single controller interacts with many switches, forming a centralized topology. Because the controller plays the key role in this architecture, it is a single point of failure, and the emergence of the Blind DDoS attack, which targets exactly this structure, increases the risk further. To address this challenge, we introduce a Moving Target Defense (MTD) system to defend against the Blind DDoS attack. The approach uses a pool of multiple controllers to solve the controller saturation problem, and it dynamically shifts which controller each switch connects to according to the density of the flood traffic. By randomly delaying the attacker's scanning packets and filtering the flood with a route-map, the MTD system effectively resists the Blind DDoS attack and protects the availability and reliability of the SDN.
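The abstract names three mechanisms but gives no algorithm, thresholds or interfaces. The following Python simulation is an added illustration of how those mechanisms fit together; it is not the authors' code and does not reproduce their system. Everything below the abstract's level of detail is an assumption: the packet-in rate as the "density" metric, the flood threshold and controller capacities, initial attachment to the least-loaded controller, shifting a flooded switch to a randomly chosen controller with spare capacity, the delay range applied to scanning packets, and the per-source packet count used to build the route-map deny list. The sample flood packets are constructed for the demo.

```python
"""Added example: simulation of a multi-controller MTD pool for SDN.

Assumptions (not from the paper): the packet-in rate per switch is the flood
density metric; a switch whose rate exceeds FLOOD_THRESHOLD is shifted to a
random controller that still has capacity; scanning packets receive a uniform
random delay; the route-map is a deny list of sources exceeding a packet count.
"""
import random
from collections import Counter
from dataclasses import dataclass, field

FLOOD_THRESHOLD = 400      # packet-in events/s per switch (assumed value)
CONTROLLER_CAPACITY = 1000  # packet-in events/s a controller can absorb (assumed)
PER_SOURCE_LIMIT = 5        # packet-in events per source before it is denied (assumed)


@dataclass
class Controller:
    name: str
    capacity: int
    switches: set = field(default_factory=set)
    load: int = 0  # aggregate packet-in rate of the switches it serves


class MtdControllerPool:
    """Controller pool that shifts switches between controllers by flood density."""

    def __init__(self, controllers, flood_threshold=FLOOD_THRESHOLD, rng=None):
        self.controllers = {c.name: c for c in controllers}
        self.flood_threshold = flood_threshold
        self.rng = rng or random.Random()
        self.switch_to_ctrl = {}  # switch id -> controller name
        self.switch_rate = {}     # switch id -> last reported packet-in rate

    def attach(self, switch_id):
        """Initial attachment: pick the least-loaded controller (assumption)."""
        ctrl = min(self.controllers.values(), key=lambda c: c.load)
        self._bind(switch_id, ctrl)
        return ctrl.name

    def _bind(self, switch_id, ctrl):
        """Move the switch's load from its current controller to ctrl."""
        rate = self.switch_rate.get(switch_id, 0)
        old = self.switch_to_ctrl.get(switch_id)
        if old is not None:
            self.controllers[old].switches.discard(switch_id)
            self.controllers[old].load -= rate
        ctrl.switches.add(switch_id)
        ctrl.load += rate
        self.switch_to_ctrl[switch_id] = ctrl.name

    def report_density(self, switch_id, packet_in_rate):
        """Record a switch's packet-in rate; shift it if the rate exceeds the threshold.

        Returns the name of the controller now serving the switch. If no other
        controller has spare capacity the switch stays where it is (pool saturated).
        """
        cur = self.controllers[self.switch_to_ctrl[switch_id]]
        cur.load += packet_in_rate - self.switch_rate.get(switch_id, 0)
        self.switch_rate[switch_id] = packet_in_rate
        if packet_in_rate <= self.flood_threshold:
            return cur.name
        candidates = [c for c in self.controllers.values()
                      if c.name != cur.name and c.load + packet_in_rate <= c.capacity]
        if not candidates:
            return cur.name
        target = self.rng.choice(candidates)  # random target: the "moving" part of MTD
        self._bind(switch_id, target)
        return target.name

    def scan_delay(self, lo=0.05, hi=0.5):
        """Random delay in seconds applied to a packet classified as a controller probe."""
        return self.rng.uniform(lo, hi)


def build_route_map(packets, per_source_limit=PER_SOURCE_LIMIT):
    """Derive the deny list: sources whose packet-in count exceeds the limit."""
    counts = Counter(p["src"] for p in packets)
    return {src for src, n in counts.items() if n > per_source_limit}


def apply_route_map(packets, deny):
    """Drop packets from denied sources before they reach the controller."""
    return [p for p in packets if p["src"] not in deny]


# Constructed sample: three sources flooding random destinations (table misses),
# plus one benign source.
SAMPLE_PACKETS = [{"src": "10.0.0.%d" % (i % 3 + 1), "dst": "10.0.1.%d" % i}
                  for i in range(30)] + [{"src": "10.0.0.9", "dst": "10.0.1.1"}]


def run_demo(seed=7):
    """Attach a switch, report normal then flood density; return (first, after_flood)."""
    pool = MtdControllerPool([Controller("c1", CONTROLLER_CAPACITY),
                              Controller("c2", CONTROLLER_CAPACITY),
                              Controller("c3", CONTROLLER_CAPACITY)],
                             rng=random.Random(seed))
    first = pool.attach("s1")
    pool.report_density("s1", 50)    # normal load, no shift
    after = pool.report_density("s1", 800)  # flood density, switch is shifted
    return first, after, pool


if __name__ == "__main__":
    first, after, pool = run_demo()
    print("s1 moved from %s to %s" % (first, after))
    deny = build_route_map(SAMPLE_PACKETS)
    print("denied sources:", sorted(deny), "remaining:", len(apply_route_map(SAMPLE_PACKETS, deny)))
```

Two caveats a practitioner would want: shifting a flooded switch relocates the load but does not remove the flood from the switch-to-controller channel, so it only buys time unless the route-map filtering at the switch actually drops the flood sources; and the random delay on scanning packets only hides the controller if the delay range is wider than the timing difference the attacker is measuring.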