ABSTRACT

SDN from data-to-control plane saturation attack. When a saturation attack is detected, FloodGuard redirects the table-miss packets, i.e. newly arriving packets for which no matching rule is installed in the switch, to a data plane cache. It generates proactive flow rules by reasoning about the runtime logic of the controller and installs them into the switches. The cache then slowly forwards the remaining table-miss packets to the controller as packet-in messages, i.e. the type of OpenFlow message a switch sends to the controller when an arriving packet is a table-miss or when the action of the matching rule is to send the packet to the controller, so that the controller is protected from being overloaded.

A second solution first treats every source IP seen in a table-miss packet as a potential DDoS source and assigns short timeouts to the forwarding rules installed for it in the switches. It records the number of connections of IPi as ci. When ci ≥ k, where k is a preset threshold, it checks si, the average number of packets over all connections of IPi. If si ≤ n, where n is also a preset threshold, IPi is considered a normal user and long timeouts are reassigned to the forwarding rules associated with IPi. When ci < k, nothing happens. Packets of IPi are blocked if and only if ci ≥ k and si > n. However, this solution is not effective when the destination IPs are not spoofed: it may cause si ≤ n for most source IPs, and the system will do nothing.

(N. Gde Dharma, 2015) proposes a time-based method to detect controller-targeting DDoS. The controller checks the destination address of every packet.
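The per-source-IP rule set described above (ci, si, k, n), written out as an added example that is not code from either paper. The threshold values, timeouts, the sample flow records and the helper names are all assumptions; the rules themselves are the ones stated in the text, and the third sample source set shows the case the text calls out, where every source stays below k and the system does nothing.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed threshold and timeout values; the text names k and n but gives no numbers.
K_CONNECTIONS = 3        # k: connections per source IP before it is judged
N_AVG_PACKETS = 5.0      # n: max average packets per connection for a "normal" user
SHORT_TIMEOUT = 2        # seconds, for forwarding rules of a not-yet-judged source
LONG_TIMEOUT = 60        # seconds, reassigned once a source is judged normal

# One record per connection: (source IP, destination IP, packets seen). Constructed data.
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("10.0.0.1", "10.0.1.5", 2), ("10.0.0.1", "10.0.1.6", 3),   # normal user, 4 small conns
    ("10.0.0.1", "10.0.1.7", 1), ("10.0.0.1", "10.0.1.8", 4),
    ("10.0.0.2", "10.0.1.5", 80), ("10.0.0.2", "10.0.1.5", 95),  # flooder, 3 large conns
    ("10.0.0.2", "10.0.1.5", 120),
    ("10.0.0.3", "10.0.1.5", 9), ("10.0.0.4", "10.0.1.5", 9),    # distributed flood: one
    ("10.0.0.5", "10.0.1.5", 9),                                 # connection per source
]


def summarise(flows: Iterable[Tuple[str, str, int]]) -> Dict[str, Tuple[int, float]]:
    """Return {src: (ci, si)}: connection count and mean packets per connection."""
    per_src = defaultdict(list)
    for src, _dst, npkts in flows:
        per_src[src].append(npkts)
    return {src: (len(v), sum(v) / len(v)) for src, v in per_src.items()}


def decide(ci: int, si: float, k: int = K_CONNECTIONS, n: float = N_AVG_PACKETS) -> Tuple[str, int]:
    """Apply the rule set to one source IP: (verdict, rule timeout in seconds)."""
    if ci < k:                       # not enough connections yet: nothing happens
        return ("UNDECIDED", SHORT_TIMEOUT)
    if si <= n:                      # ci >= k and small average: normal user
        return ("NORMAL", LONG_TIMEOUT)
    return ("BLOCK", 0)              # ci >= k and si > n: block this source


def classify(flows: Iterable[Tuple[str, str, int]]) -> Dict[str, Tuple[str, int]]:
    """Verdict for every source IP in the flow records."""
    return {src: decide(ci, si) for src, (ci, si) in summarise(flows).items()}


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_FLOWS).items()):
        print(src, verdict)
```

Sources 10.0.0.3 to 10.0.0.5 each stay UNDECIDED with short-timeout rules only, which is the weakness the text describes: a flood spread over many sources never reaches ci ≥ k.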