DoS Attack Detection using Packet Statistics in SDN

Goksel N., Demirci M.

International Symposium on Networks, Computers and Communications (ISNCC), İstanbul, Turkey, 18 - 20 June 2019 identifier identifier


Denial-of-service (DoS) attacks targeting the controller in software-defined networks (SDN) are dangerous due to the importance of the controller. In this paper, we characterize the effects of flooding attacks in SDN and discuss potential countermeasures. We concentrate on the controller-side effects of flooding attacks and present our experimental results on how packet-in message counts change in a simulation scenario. Our results imply that differentiating hosts based on only packet-in counts may be misleading for detecting attackers. Instead, packet-in to transmitted packet count ratio is better for distinguishing attackers from normal users. In addition, we measure fairness values with different attacker counts. Our results show that Jain's index is better than entropy in terms of detecting anomaly in our simulation environment. We leave utilizing fairness values to better handle packet-in requests as a future study.