Journal: Journal of ambient intelligence and humanized computing

Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment


Abstract

In recent times, software defined networking (SDN) has evolved into a new and promising networking paradigm. In the SDN-based cloud, the essential features of SDN, including a global view of the whole network, software-based traffic analysis, centralized control over the network, etc., can greatly improve the DDoS attack detection and mitigation capabilities of the cloud. However, integration of SDN in the cloud itself introduces new DDoS attack vulnerabilities. Limited flow-table size is a vulnerability that can be exploited by adversaries to perform DDoS attacks on the SDN-based cloud. In this paper, we first discuss various essential features of SDN that make it a suitable networking technology for cloud computing. In addition, we represent the flow table-space of a switch by using a queuing theory based mathematical model. Further, we propose a novel flow-table sharing approach to protect the SDN-based cloud from flow table overloading DDoS attacks. This approach utilizes the idle flow-tables of other OpenFlow switches in the network to protect the switch's flow-table from overloading. Our approach increases the resistance of the cloud system against DDoS attacks with minimal involvement of the SDN controller. Thus, it has very low communication overhead. Our claims are well supported by extensive simulation-based experiments.
