DTGuard: A Lightweight Defence Mechanism Against a New DoS Attack on SDN

2020 
The decoupling of the control plane and the data plane in Software-Defined Networking (SDN) enables flexible, centralized control of networks. The two planes communicate via the southbound interface. However, the limited communication bandwidth of the southbound interface is exposed to potential denial-of-service (DoS) threats that may compromise the functions of the southbound interface and even affect the whole SDN network. Some research has already focused on DoS attacks on the southbound interface and explored countermeasures. Most of it is primarily concerned with the risk of malicious uplink traffic from the data plane to the control plane, while little work addresses downlink traffic from the control plane to the data plane. The threat posed by downlink traffic, however, is also severe. In this paper, we reveal a DoS threat of amplified downlink traffic and implement a novel DoS attack, called the control-to-data plane saturation attack, to demonstrate it. To mitigate such threats, we propose a lightweight defence mechanism called DTGuard, which monitors switch ports, identifies abnormal ones with a random forest classifier, and promptly migrates the abnormal traffic onto a low-load link. The design of DTGuard conforms to the OpenFlow protocol and requires no modifications to the devices. The experimental results show that DTGuard effectively mitigates the control-to-data plane saturation attack with minor overhead on the controller.
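The abstract describes the defence only at a high level: per-port monitoring, a random forest classifier that flags abnormal ports, and migration of the flagged traffic onto a low-load link. The following is an added illustration of that pipeline, not DTGuard's code and not taken from the paper. Everything specific in it is an assumption: the features (per-port transmit rate and transmit/receive ratio computed from two successive OpenFlow port-statistics polls), the training data (constructed), the classifier (a small ensemble of depth-1 decision trees standing in for the paper's random forest), the link-load model, and all switch, port and link names.

```python
"""Illustrative port-anomaly monitor in the spirit of DTGuard.

Added example, not the paper's implementation. Assumptions (not on the page):
features come from two OpenFlow port-stats polls, the classifier is an
ensemble of depth-1 trees on bootstrap samples (a simplified random forest),
training data is constructed, and migration picks the least-loaded link.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class PortStats:
    """Subset of an OpenFlow OFPPortStats reply (assumed fields)."""
    switch: str
    port: int
    rx_packets: int
    tx_packets: int


def port_features(before, after, interval_s):
    """Feature vector [tx packet rate, tx/rx ratio] for one port over a poll
    interval. A port that the controller floods with amplified downlink
    traffic (e.g. Packet-Out) shows a high tx rate relative to what it receives."""
    d_tx = after.tx_packets - before.tx_packets
    d_rx = after.rx_packets - before.rx_packets
    return [d_tx / interval_s, d_tx / max(d_rx, 1)]


def _train_stump(rows, labels, rng):
    """Depth-1 tree: pick a random feature, choose the threshold with the
    fewest errors; predicts abnormal (True) when feature > threshold."""
    feat = rng.randrange(len(rows[0]))
    vals = sorted({r[feat] for r in rows})
    if len(vals) < 2:                      # degenerate sample: never fires
        return feat, float("inf")
    best_err, best_thr = None, None
    for lo, hi in zip(vals, vals[1:]):
        thr = (lo + hi) / 2
        err = sum((r[feat] > thr) != bool(y) for r, y in zip(rows, labels))
        if best_err is None or err < best_err:
            best_err, best_thr = err, thr
    return feat, best_thr


def train_forest(rows, labels, n_trees=25, seed=7):
    """Bootstrap-aggregated stumps: each tree sees a resampled training set."""
    rng = random.Random(seed)
    forest = []
    for _ in range(n_trees):
        idx = [rng.randrange(len(rows)) for _ in rows]
        forest.append(_train_stump([rows[i] for i in idx],
                                   [labels[i] for i in idx], rng))
    return forest


def predict(forest, x):
    """Majority vote; True means the port looks abnormal."""
    votes = sum(1 for feat, thr in forest if x[feat] > thr)
    return votes * 2 > len(forest)


def constructed_training_set(seed=1):
    """Constructed labelled samples: normal ports with modest, balanced
    traffic; abnormal ports with a large transmit surplus."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(20):
        rows.append([rng.uniform(50, 400), rng.uniform(0.8, 1.5)]); labels.append(0)
        rows.append([rng.uniform(2000, 8000), rng.uniform(20, 100)]); labels.append(1)
    return rows, labels


def find_abnormal_ports(before, after, interval_s, forest):
    """Pair two polls by (switch, port) and return the ports the forest flags."""
    prev = {(p.switch, p.port): p for p in before}
    flagged = []
    for cur in after:
        key = (cur.switch, cur.port)
        if key in prev and predict(forest, port_features(prev[key], cur, interval_s)):
            flagged.append(key)
    return flagged


def choose_migration_link(link_loads):
    """Migration target: the alternative link with the lowest current load.
    link_loads maps an assumed link id to its utilisation in [0, 1]."""
    return min(link_loads, key=link_loads.get)


# Constructed polls, 1 s apart: s1 port 2 transmits 6000 pkt/s while
# receiving almost nothing, the signature assumed for amplified downlink traffic.
POLL_T0 = [PortStats("s1", 1, 1000, 1000), PortStats("s1", 2, 1000, 5000),
           PortStats("s2", 1, 3000, 2900)]
POLL_T1 = [PortStats("s1", 1, 1100, 1110), PortStats("s1", 2, 1020, 11000),
           PortStats("s2", 1, 3200, 3080)]
LINK_LOADS = {"s1-s3": 0.72, "s1-s4": 0.15, "s1-s5": 0.40}  # assumed links

if __name__ == "__main__":
    forest = train_forest(*constructed_training_set())
    bad = find_abnormal_ports(POLL_T0, POLL_T1, 1.0, forest)
    print("abnormal ports:", bad)
    print("migrate via:", choose_migration_link(LINK_LOADS))
```

The stump ensemble is only a stand-in: a production version would use a proper random forest library, features the operator has validated against the controller's actual Packet-Out/Flow-Mod behaviour, and a migration step that installs the re-route with OpenFlow Flow-Mod messages rather than returning a link name.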