Reference : Slow Denial-of-Service Attacks on Software Defined Networks
Scientific journals : Article
Engineering, computing & technology : Computer science
Security, Reliability and Trust
Slow Denial-of-Service Attacks on Software Defined Networks
Pascoal, Tulio mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
E. Fonseca, Iguatemi [University of Paraiba > Informatics Center]
Nigam, Vivek [fortiss]
Computer Networks
Yes (verified by ORBilu)
[en] Distributed Denial-of-Service attacks (DDoS) ; oftware Defined Networking (SDN) ; Slow- and High-Rate Attacks
[en] Software Defined Networking (SDN) is a network paradigm that decouples the network’s control plane, delegated to the SDN controller, from the data plane, delegated to SDN switches.

For increased efficiency, SDN switches use a high-performance Ternary Content-Addressable memory (TCAM) to install rules. However, due to the TCAM’s high cost and power consumption, switches have a limited amount of TCAM memory. Consequently, a limited number of rules can be installed. This limitation has been exploited to carry out Distributed Denial of Service (DDoS) attacks, such as Saturation attacks, that generate large amounts of traffic. Inspired by slow application layer DDoS attacks, this paper presents and investigates DDoS attacks on SDN that do not require large amounts of traffic, thus bypassing existing defenses that are triggered by traffic volume.

In particular, we offer two slow attacks on SDN. The first attack, called Slow TCAM Exhaustion attack (Slow-TCAM), is able to consume all SDN switch’s TCAM memory by forcing the installation of new forwarding rules and maintaining them indeterminately active, thus disallowing new rules to be installed to serve legitimate clients.

The second attack, called Slow Saturation attack, combines Slow-TCAM attack with a lower rate instance of the Saturation attack. A Slow Saturation attack is capable of denying service using a fraction of the traffic of typical Saturation attacks. Moreover, the Slow Saturation attack can also impact installed legitimate rules, thus causing a greater impact than the Slow-TCAM attack. In addition, it also affects the availability of other network’s components, e.g., switches, even the ones not being directly targeted by the attack, as has been proven by our experiments. We propose a number of variations of these attacks and demonstrate their effectiveness by means of an extensive experimental evaluation. The Slow-TCAM is able to deny service to legitimate clients requiring only 38 seconds and sending less than 40 packets per second without abruptly changing network resources, such as CPU and memory. Moreover, besides denying service as a Slow-TCAM attack, the Slow Saturation attack can also disrupt multiple SDN switches (not only the targeted ones) by sending a lower-rate traffic when compared to current known Saturation attacks.
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Critical and Extreme Security and Dependability Research Group (CritiX)
Fonds National de la Recherche - FnR ; CNPq ; H2020
Researchers ; Professionals ; Students ; General public
FnR ; FNR8149128 > Paulo Esteves-Veríssimo > IISD > Strategic RTnD Program on Information Infrastructure Security and Dependability > 01/01/2015 > 31/12/2019 > 2014

File(s) associated to this reference

Fulltext file(s):

Open access
pascoal2020.pdfPublisher postprint1.18 MBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.