Open Access
PoTiA: A Popularity and Timeout Analysis Based SDN Controller Protection Approach
Author(s) - Mingxin Wang, Huachun Zhou, Jia Chen
Publication year - 2018
Publication title - IEEE Access
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.587
H-Index - 127
ISSN - 2169-3536
DOI - 10.1109/access.2018.2875164
Subject(s) - aerospace, bioengineering, communication, networking and broadcast technologies, components, circuits, devices and systems, computing and processing, engineered materials, dielectrics and plasmas, engineering profession, fields, waves and electromagnetics, general topics for engineers, geoscience, nuclear engineering, photonics and electrooptics, power, energy and industry applications, robotics and control systems, signal processing and analysis, transportation
Software-defined networking (SDN) is a novel and promising network architecture that decouples the control function from the forwarding plane. SDN provides the flexibility to program the network through centralized control. However, the security issues of SDN deserve attention. In this paper, we mainly discuss a specific vulnerability of the centralized control mechanism in SDN, which is likely to suffer denial-of-service (DoS) flooding attacks. We propose a popularity and timeout analysis-based controller protection approach to protect the controller from flooding attacks. We develop a controller protection application on the SDN controller in which a popularity table is maintained. When the arrival rate of packets at the controller exceeds the pre-defined threshold, the selected proactive flow table entries are installed on the data plane switches to ensure that requests to the most popular destination addresses are served with higher priority. Furthermore, we move the unpopular requests to a low-priority queue, which can send Packet_In requests to the controller with rate limiting. The timeout analysis module in the application can identify a malicious host by analyzing the lifetime of its flows according to the flow-removed messages. Blocking entries are then added to the blacklist table on the switch. Our controller protection approach can effectively alleviate the impact of SDN controller-oriented flooding attacks. The detection rate is 99.90%, and the false alarm rate is 0.41%.
