StateSec: Stateful Monitoring for DDoS Protection in Software Defined Networks

Abstract: Software-Defined Networking (SDN) allows for fast reactions to security threats by dynamically enforcing simple forwarding rules as countermeasures. However, in classic SDN all the intelligence resides at the controller, with the switches only capable of performing stateless forwarding as ruled by the controller. It follows that the controller, in addition to its network management and control duties, must collect and process every piece of information required to make advanced (stateful) forwarding decisions. This threatens both to overload the controller and to congest the control channel. Stateful SDN, on the other hand, is a newer concept developed both to improve reactivity and to offload the controller and the control channel by delegating local processing to the switches. In this paper, we adopt this stateful paradigm to protect end-hosts from Distributed Denial of Service (DDoS). We propose StateSec, a novel approach based on in-switch processing capabilities to detect and mitigate DDoS attacks. StateSec monitors packets matching configurable traffic features (e.g., IP src/dst, port src/dst) without resorting to the controller. By feeding an entropy-based algorithm with such monitoring features, StateSec detects and mitigates several threats such as (D)DoS and port scans with high accuracy. We implemented StateSec and compared it with a state-of-the-art approach to monitor traffic in SDN. We show that StateSec is more efficient: it achieves very accurate detection levels while limiting the control plane overhead.
Document type: Conference papers
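The detection idea the abstract describes, as an added illustration that is not StateSec's own code and makes no claim about the paper's exact algorithm or thresholds: per-feature packet counters (the state a switch would keep per monitoring window) feed a normalized Shannon entropy computation, and each feature's entropy is compared against a baseline learned from benign traffic. The feature set, the 0.25 deviation threshold, the two rules in `classify`, and the three 64-packet windows are all constructed assumptions chosen so the arithmetic is exact.

```python
"""Entropy-based anomaly detection over per-feature packet counters.

Added example (not StateSec's code): a monitoring stage keeps one counter
per traffic feature over a window of packets; a detection stage computes the
normalized Shannon entropy of each counter and compares it with a baseline.
"""
import math
from collections import Counter

# Assumed feature set, mirroring the abstract's "IP src/dst, port src/dst".
FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port")


def count_features(packets):
    """Per-feature value counters: the kind of state a stateful switch could keep per window."""
    counters = {f: Counter() for f in FEATURES}
    for p in packets:
        for f in FEATURES:
            counters[f][p[f]] += 1
    return counters


def normalized_entropy(counter):
    """Shannon entropy of the counter's distribution, scaled to [0, 1] by log2(n).

    n is the number of packets in the window, so 1.0 means every packet carried a
    distinct value and 0.0 means all packets carried the same value.
    """
    n = sum(counter.values())
    if n <= 1:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in counter.values())
    return h / math.log2(n)


def feature_entropies(packets):
    """Normalized entropy of every feature in one window."""
    return {f: normalized_entropy(c) for f, c in count_features(packets).items()}


def deviations(entropies, baseline, delta):
    """Label each feature 'drop', 'rise' or 'normal' relative to the baseline (threshold delta is assumed)."""
    out = {}
    for f in FEATURES:
        d = entropies[f] - baseline[f]
        out[f] = "drop" if d < -delta else "rise" if d > delta else "normal"
    return out


def classify(packets, baseline, delta=0.25):
    """Return a list of alert names for the window; empty when nothing deviates."""
    dev = deviations(feature_entropies(packets), baseline, delta)
    alerts = []
    # Many distinct sources converging on few destinations: destination entropy
    # collapses while source entropy rises (volumetric (D)DoS pattern).
    if dev["dst_ip"] == "drop" and dev["src_ip"] == "rise":
        alerts.append("ddos")
    # One source sweeping many destination ports: port entropy rises while
    # source entropy collapses (port scan pattern).
    if dev["dst_port"] == "rise" and dev["src_ip"] == "drop":
        alerts.append("portscan")
    return alerts


def pkt(src_ip, dst_ip, src_port, dst_port):
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port}


# Constructed 64-packet windows (sample data, not captured traffic).
# Benign: 16 clients talking to 8 servers on 4 well-known ports.
BENIGN = [pkt(f"10.0.0.{i % 16 + 1}", f"192.0.2.{i % 8 + 1}", 40000 + i, (80, 443, 22, 53)[i % 4])
          for i in range(64)]
# Flood: 64 distinct sources all hitting one server on one port.
FLOOD = [pkt(f"203.0.113.{i + 1}", "192.0.2.1", 1024 + i, 80) for i in range(64)]
# Scan: one client probing 64 different ports on one server.
SCAN = [pkt("10.0.0.7", "192.0.2.3", 50000 + i, i + 1) for i in range(64)]

# Baseline learned from the benign window (in practice: a rolling average).
BASELINE = feature_entropies(BENIGN)

if __name__ == "__main__":
    for name, window in (("benign", BENIGN), ("flood", FLOOD), ("scan", SCAN)):
        print(name, {f: round(h, 3) for f, h in feature_entropies(window).items()},
              classify(window, BASELINE))
```

The split between `count_features` and the rest is the point of the stateful design: only the counters need to live in the data plane, and the controller (or a local agent) reads a handful of numbers per window instead of every packet header. With the constructed windows, the benign baseline has destination-IP entropy 0.5 and source-port entropy 1.0; the flood drives destination-IP entropy to 0 while source-IP entropy rises, and the scan drives destination-port entropy to 1.0 while source-IP entropy drops to 0.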

Cited literature: 18 references

https://hal.archives-ouvertes.fr/hal-01511012
Contributor: Filippo Rebecchi
Submitted on : Monday, April 24, 2017 - 10:08:21 AM
Last modification on : Friday, July 7, 2017 - 10:38:43 AM
Long-term archiving on: Tuesday, July 25, 2017 - 12:33:45 PM

File

article_with_notice.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: hal-01511012, version 1

Citation

Julien Boite, Pierre-Alexis Nardin, Filippo Rebecchi, Mathieu Bouet, Vania Conan. StateSec: Stateful Monitoring for DDoS Protection in Software Defined Networks. Proceedings of IEEE NetSoft 2017, Jul 2017, Bologna, Italy. ⟨hal-01511012⟩

Metrics

Record views: 266
Files downloads: 1071