Slow Denial-of-Service Attacks on Software Defined Networks

ContentslistsavailableatScienceDirect

Computer Networks

journalhomepage:www.elsevier.com/locate/comnet

Slow denial-of-service attacks on software defined networks

Túlio A. Pascoal

, Iguatemi E. Fonseca

, Vivek Nigam

a Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg, Luxembourg

b Informatics Centre, Federal University of Paraiba, Joao Pessoa, Brazil

c fortiss GmbH, Munich, Germany

a r t i c le i n f o

MSC:

00-01 99-00 Keywords:

Distributed denial-of-service attacks (DDoS) Software defined networking (SDN) Slow-rate attacks

High-rate attacks

a b s t r a ct

SoftwareDefinedNetworking(SDN)isanetworkparadigmthatdecouplesthenetwork’scontrolplane,delegated totheSDNcontroller,fromthedataplane,delegatedtoSDNswitches.

Forincreasedefficiency,SDNswitchesuseahigh-performanceTernaryContent-Addressablememory(TCAM)to installrules.However,duetotheTCAM’shighcostandpowerconsumption,switcheshavealimitedamountof TCAMmemory.Consequently,alimitednumberofrulescanbeinstalled.Thislimitationhasbeenexploitedto carryoutDistributedDenialofService(DDoS)attacks,suchasSaturationattacks,thatgeneratelargeamounts oftraffic.InspiredbyslowapplicationlayerDDoSattacks,thispaperpresentsandinvestigatesDDoSattackson SDNthatdonotrequirelargeamountsoftraffic,thusbypassingexistingdefensesthataretriggeredbytraffic volume.

Inparticular,weoffertwoslowattacksonSDN.Thefirstattack,calledSlowTCAMExhaustionattack(Slow- TCAM),isabletoconsumeallSDNswitch’sTCAMmemorybyforcingtheinstallationofnewforwardingrules andmaintainingthemindeterminatelyactive,thusdisallowingnewrulestobeinstalledtoservelegitimateclients.

Thesecondattack,calledSlowSaturationattack,combinesSlow-TCAMattackwithalowerrateinstanceof theSaturationattack.ASlowSaturationattackiscapableofdenyingserviceusingafractionofthetrafficof typicalSaturationattacks.Moreover,theSlowSaturationattackcanalsoimpactinstalledlegitimaterules,thus causingagreaterimpactthantheSlow-TCAMattack.Inaddition,italsoaffectstheavailabilityofothernetwork’s components,e.g.,switches,eventheonesnotbeingdirectlytargetedbytheattack,ashasbeenprovenbyour experiments.Weproposeanumberofvariationsoftheseattacksanddemonstratetheireffectivenessbymeansof anextensiveexperimentalevaluation.TheSlow-TCAMisabletodenyservicetolegitimateclientsrequiringonly 38sandsendinglessthan40packetspersecondwithoutabruptlychangingnetworkresources,suchasCPUand memory.Moreover,besidesdenyingserviceasaSlow-TCAMattack,theSlowSaturationattackcanalsodisrupt multipleSDNswitches(notonlythetargetedones)bysendingalower-ratetrafficwhencomparedtocurrent knownSaturationattacks.

1. Introduction

SoftwareDefinedNetworking(SDN)isanetworkparadigmthatpro- videseasiernetworkmanagement.Itallowsbetternetworkconfigura- tion,performance,monitoringandautomation.SDNfacilitatesnetwork managementbydecouplingthedataplanefromthecontrolplane.While enablingnewfeatures,SDNalsohasitsownsecurityconcerns,which maybeexploitedbyattackerstocarryoutDistributedDenialofService Attacks(DDoS).

AlogicallycentralizedcontrollerattheSDNcontrolplaneisrespon- siblefortakingthedecisionofwherepacketsshouldbeforwarded,i.e., definingroutingactions,whilethetaskofforwardingpacketsisleftto

∗Correspondingauthor.

E-mailaddresses:tulio.pascoal@uni.lu(T.A.Pascoal),iguatemi@ci.ufpb.br(I.E.Fonseca),nigam@fortiss.org(V.Nigam).

1 ThisworkwasdonewhileattheUniversityofParaiba.

SDNswitchesatthedataplane.Notably,thecontrollerisasinglepoint offailure.

AsecondvulnerabilityregardsthelimitedamountofmemorySDN switcheshavetostoreforwardingrules.Wheneverapacketarrivesto aswitch,itsearcheswhetherthereisamatchingruleinstalledforthat packet.This searchisefficientbecauseofdedicatedmemoriescalled TernaryContent-AddressableMemory(TCAM),whereforwardingrules arestored.Ifnoruleisapplicable,theswitchqueriesthecontrollerfor adecisionaboutcurrentpacket.Thecontrollermayinstallanewrule ordropthepacket.

However,TCAMisexpensiveresourceandhashighpowercomsump- tion[1].Therefore,mostcurrentcommercialSDNswitcheshavealim- itedTCAMspace[1–3]andcanstoreonlyalimitednumberofrules

https://doi.org/10.1016/j.comnet.2020.107223

Received14October2019;Receivedinrevisedform15February2020;Accepted15March2020 Availableonline19March2020

1389-1286/© 2020ElsevierB.V.Allrightsreserved.

(typically1500to8000rules)[1,3–6].Thelimitedamount ofTCAM memoryinSDN-switcheshasbeenexploitedtocarryoutDDoSattacks, calledSaturationattacks[1,3,5,7,8,8–14].ASaturationattackforcesthe targetSDNswitchtoinstallagreatnumberofnewrules,thusconsum- ingswitch’sTCAMcapacity.Thisnotonlydisallowstheinstallationof newflowsforlegitimateclients,butalsocausesthenetworkcontroller tocrashbecauseofincreasedtrafficbetweentheswitchandthecon- troller.

Anumberof defenseshavebeenproposed tomitigateSaturation attacks.Themainunderlyingassumptionofthesemeasuresisthatat- tackerswillsenduniquepacketsinaveryhighrateby,forexample, spoofingIPs.Thiscausesabruptchangesofnetworkparameters,which easilytriggerdefensecountermeasures.

However,the assumption that DDoS attacks can be launched by necessarily generating hightraffic is not necessarily true.Indeed as witnessedby the classof slow-rate ApplicationLayer DDoS attacks, suchasSlowloris[15],attackerscandenyserviceofaweb-serveror aVoIPserverbysendingaverylowrateofrequeststothetargetserver [16–18].Attackerscanalsocarryoutlow-rateattacksusingcomputa- tionallyweakdevices[19,20] andexploit newvulnerabilitiesonap- plicationlayerprotocolsinordertoevadedetectionmechanisms,e.g., SlowNext[21].

Inspiredbyslow-rateApplicationDDoSAttacks[15,16,20,22],this paperinvestigateslowDDoSattacksonSDN,whichdonotrequirevery largeamountoftraffic.Sinceexistingdefensearetriggeredbymonitor- ingtrafficvolume,theseslowattackscanbypasssuchdefenses.

WeofferandinvestigatethefollowingtypesofSlowattacks:

• ASlowTCAMExhaustionattack(Slow-TCAM)deniesservicebysend- ingunique-craftedpacketstoprovokeanewflowruleinstallationin atargetSDNswitch.Theattackfollowsbyrecruitingandcoordinat- ingalarge enoughbotnet(typicallyof 1500to4000bots).Each botsends,inadisguisedmanner,anuniquepacketcausingthetar- getswitchtoinstallaforwardingrulethusexhaustingtheswitch’s TCAManddenyingservicetonewlegitimateclients.Finally,inorder toavoidthattheinstalledrulesaredroppedduetoruletimeouts,the botnetperiodicallyresendspackets,thusreactivatingeachinstalled rule.Asourexperimentsdemonstrate,theSlow-TCAMattackcanbe carriedoutbygeneratingaverylowamountoftraffic,upto4pack- etspersecondasopposedtomorethan1000packetspersecondin existingSaturationattacks[3,5,13,23].Thismeansthatitcanbypass existingdefenseswhichassumehigh-rateattacks.

• ASlow Saturation attack combinesthe Slow-TCAMattack with a lowerrateSaturationattack.Itisabletodenyserviceusingafrac- tionoftrafficofanusualSaturationAttack.WhereasSaturationat- tacksrequiretrafficofmorethan200packetspersecond[24],the SlowSaturationaffectsserviceusingonly100packetspersecond.In contrasttotheSlow-TCAM,whichdoesnotaffectalreadyinstalled rules,theSlowSaturationattacksalsoleadstothedroppingofal- readyinstalledrulesbyforcingtheirrespectivetimeoutexpiration.

Thismeansthatanattackercanalsodenyservicetoclientsusingflows installedbeforetheattack(existingrulesinTCAM).

WeinvestigatetwovariantsoftheSlowSaturationattack.Thefirst variationgeneratescontinuous traffic,while thesecondvariation generatesburstsofhightraffic.Wealsomeasuretheeffectsofthe attackintheSDNnetworkasawhole,i.e.,theeffectoftheattack inothernetwork’scomponents,butthetargetedswitch.Giventhe factthattheattackstressthenetwork’scontroller,italsointerferes andhamperstheexpectedbehaviorofotherdeviceslinkedtothe affectedcontroller.

Weexperimentallyevaluateanddiscussthefeaturesandtheimpact oftheseattacksassumingareasonablesystemandthreatmodel.

PaperStructure:AfterbrieflyrevisitingtheOpenFlowprotocolused bySDNanditsmainworkflowsinSection2,anintroductiontoexist- ingattacksonSDNispresentedinSection3.Posteriorly,inSection4, weintroduceourproposedslowattacks, namelytheSlow-TCAMEx-

haustionandtheSlowSaturationattacks,followedbySection5,which extensivelyevaluatesanddiscussesaboutexistingdefensemechanisms andpossiblecounter-measuresforthenovelpresentedattacks.Thenin Section6,wedescribeourexperimentalsetup,resultsanddiscussion.

Finally,relatedworkis discussedinSection7beforeconcluding the workinSection8.

ConferencePaper:Thisextendsandimprovesontheconferencepa- per[25],whichintroducestheSlow-TCAMattack.Forthismanuscript, wehaveextendedandimprovedtheexperimentalresultsin[25]byus- ingamorerealisticclienttrafficmodelfortheSlow-TCAMexperiments.

Furthermore,weproposeandinvestigateanovelattack,calledSlowSat- urationattack,whichwasnotpresentintheconferencepaper.Wealso addednewexperimentalevaluationsetupbyassemblingannewnet- worktopologyconsistingofmorethanoneswitchinordertomeasure theeffectsoftheattackonothernetwork’sassets.Finally,weevalu- atedexistingdefenseapproachesagainstSDN-aimedattacksandtheir effectivenessagainstourproposedattacks.Inaddition,wealsodiscuss possiblecountermeasures.

2. SDNfundamentals

WhileweassumethatthereaderisfamiliarwiththeOpenFlowpro- tocol[26],thewidelyusedSDNsouthboundprotocol,whichenables acontrollertocoordinateSDNswitchesforwardingprocess,wereview someofthemessagesexchangedbetweenaSDNswitchandthecon- troller.TheinstallationofrulesinSDNarebasedontwoapproaches:

proactiveandreactive.Intheformer,theSDNswitchstartswithsome pre-definedrules,whileinthelatternewrulesareinstalledaccording toqueries(PACKET_INmessages)sentbytheswitch,inadynamicway.

Inthereactive mode,which is themostcommonapproach[27], wheneverapacketisreceivedbyaSDNswitch,itcheckswhetherthere isamatchingforwardingrule.Ifso,itappliestheruledefinedforthat packet.However,ifnoruleisapplicable,atable-missisoccurringand thentheswitchexchangesthefollowingmessageswiththecontroller:

Switch→ Controller ∶ PACKET_IN(𝑝𝑎𝑐𝑘𝑒𝑡^′𝑠ℎ𝑒𝑎𝑑𝑒𝑟) Controller→ Switch ∶ FLOW_MOD(𝑖𝑑𝑙𝑒_𝑡𝑖𝑚𝑒𝑜𝑢𝑡)

The PACKET_IN message contains the incoming packet’s header, with its buffer_id, in_port, payload and other main information.

FLOW_MODmessagescontaintherulethatshouldbeinstalledbythe switchandisalwayssentbythenetwork’scontroller.Thecontrollercan specifyaruleidletimeout.GivenaruletimeoutofT_o,aruleisunin- stalledbytheswitchifitisnottriggeredforT_otimeunits.Theuseof timeoutsisamechanismtoremovelessusedrules,thusfreeingTCAM memoryforotherrulestobeinstalled.Typically,thetimeoutT_oisa valuebetween9and11s[10].

OncethemessageFLOW_MODisreceivedbytheswitch,itchecks whetherthereisenoughspaceinitsTCAMmemoryforinstallinganew rule.Ifthisisthecase,theruleisinstalledandthepacketisforwarded usingit.Otherwise,theswitchdropsthepacketandinformsthecon- trollerthatitsTCAMmemoryisfull(seeFig.1)bysendingthefollowing message:

Switch(dropspacket)→ Controller ∶ TABLE_FULL

IncaseaPACKET_INissenttocontrollerandtheswitch’sincoming bufferisfull²,thewholepacketcontentwillbesentinsteadofpacket’s headeronly.Thisfactstressestheswitch-to-controllercommunication channel,whichcanleadtodenialofservice,consideringthataflood- ingof newuniquepacketscanoverload thecontrollerandasaresult compromiseentirenetworkproperfunctioning.

Switch→ Controller ∶ PACKET_IN(𝑝𝑎𝑐𝑘𝑒𝑡^′𝑠𝑤ℎ𝑜𝑙𝑒𝑐𝑜𝑛𝑡𝑒𝑛𝑡) Controller→ Switch ∶ FLOW_MOD(𝑖𝑑𝑙𝑒_𝑡𝑖𝑚𝑒𝑜𝑢𝑡)

2Nottoconfusetheincomingpacketbuffer,whichstorespackets,withthe TCAMthatstoresrules.

Fig.1. Switch-controllerbehaviorwhenTCAMtableisfull.

Additionally,alwaysaruleisuninstalledduetoitsinactivetime,the switchsendsaOFPT_FLOW_REMOVED(OFPRR_IDLE_TIMEOUT)tothe controller.

Switch→ Controller ∶ FLOW_REMOVED(𝐼𝐷𝐿𝐸_𝑇𝐼𝑀𝐸𝑂𝑈𝑇) Similarly,whenaruleisdeletedbyacontrollerdecision(bysend- ingaOFPC_DELETEmessage),theruleisuninstalledinTCAMandthe switch sendsaOFPT_FLOW_REMOVED (OFPRR_DELETE) messageto thenetworkcontroller.

Controller→ Switch ∶ OFPC_DELETE(𝑟𝑢𝑙𝑒)

Switch→ Controller ∶ FLOW_REMOVED(𝐷𝐸𝐿𝐸𝑇𝐸)

Moreover, we pointout that thecommunication between a SDN switchandthecontrollerisexpensiveasitbuildsasecurechannelfor theircommunication.Typically,theOpenFlowprotocolisimplemented ontopofSecureSocketsLayer(SSL)orTransportLayerSecurity(TLS).

Therefore,adefenseshouldavoidswitch-to-controllercommunication overhead.

Lastly,asmentionedintheOpenFlowspecification[28],incaseof connection’sinterruptionsbetweenaswitch andcontroller,thereare twopossiblemodesinwhichtheswitchenters:

• FailSecureMode:Inthismode,allfollowingpacketsandmessages destinedtothecontrolleraredropped.Theremaininginstalledflow rulesintheswitchTCAMcontinuetoexpireaccordingtotheirtime- outs.

• FailStandaloneMode:Inthismodel,theswitchstartstoworkasa legacyEthernetswitchorrouter,processingpacketsbyitsreserved port.Thismodeisonlyapplicableforhybridswitches,whichare switchesthatjointlysupportnormalEthernetswitchingandOpen- Flowoperations.This isnot thecase ofvirtualswitches, e.g.,the OpenvSwitch,whichisoneofthemostpopularimplementationsof OpenFlowswitches[29].

3. Attackingsoftwaredefinednetworks

SDNhasbeenincreasinglyadoptedbynetworkmanagersandindus- trythankstoitsbetterprogrammabilityandautomation.SDNhasalso beenusedfordenialofserviceattacksdetection[30].However,oneof itsmainconcernsisaboutitsownsecurityandvulnerabilities.Forex- ample,its centralizedcontrolleris apotentialexploit vectorthatcan compromisetheentirenetwork,forcingthemtobewell-configuredin ordertoachievescalability,highresponsivenessandsecurity.Another SDN’sdrawbackisthatSDNswitcheshavealimitedTCAMspacethat canbesteadilyoverflowed.

Tothebestofourknowledge,withtheexceptionoftheSlow-TCAM attack[25],existingdenialofserviceattacksonSDNarebasedonthe sendingoffloodingtraffic.Therefore,exploitingthelimitedTCAMspace availability in SDNswitches andoverloading its switch-to-controller communication (thus,stressingSDNdata andcontrolplanes).Recall that SDN switches are able to store between 1500 and8000 rules [1,3–6]andalsohaveafinitepacket’sincomingbuffer.Therefore,there areattacksonSDNwhichattemptto(1)consumetheTCAMmemory of switchesand(2)overloadtheswitch-to-controllercommunication, theseattacksareknownbySaturationattacks[3,5,13,23].

Theseattacksarecarriedoutbysendinguniquepacketsatahigh trafficrate(typicallygreaterthan500uniquepacketspersecond),nor- mallybyspoofingIPs.Thisfloodingbehaviortriggerstheinstallation ofahugenumberofrulesinswitches’TCAM.OncetheTCAMisex- hausted,thetargetedswitch startstodroppackets leadingtodenial ofservice.Moreover,aSaturationattackgoesevenfurtherbysending uniquepacketsatanevenhigherrateconsumingnotonlytheswitch’s TCAMmemory,butalsotheswitch’sincomingbuffer.Theswitch,then, startssendingtothecontrollerthewholepacketinsteadofthepacket’s headeronly.Thus,overloadingthecontrollerandleadingittocrash.

Eventually,acontrollercrashormalfunctioningaffectsthewholenet- work.

Forpurposeofillustrationandcomparison,wecarriedoutSaturation attackswithdifferenttrafficratesonaswitchwithcapacityofinstalling 1500rules.(ThedetailedexperimentalsetupisdescribedinSection6).

Table1summarizesthedifferentattacks.Forlowerrates(100packets persecond),theserviceisavailabletoalllegitimateclients.Inaddition, [24]showsthattheperformanceofmostcommercialswitches,suchas Pica8andHPProcurve,onlystartstodeterioratewhenreceiving200 uniquepacketspersecond.Thisisinaccordancetoourownexperiments depictedinTable1.

AsdescribedinSection7,defensesfortheTCAMExhaustionattack andtheSaturationattack assume thattheattackernecessarilysends a greatnumber of uniquepackets, i.e., floodingtheswitch.Existing defensesmonitorparametersthatareaffectedwhenreceivingalarge numberofuniquepackets,e.g.,ruleinstallationrate,CPUandmemory consumptionandnumberofunpairedrules,forexample.

However,thisassumptionisnotnecessarilytrue.Weidentifythat SDNisvulnerabletotwonewattackswhichuselowertrafficrates:the SlowTCAMExhaustionattack(Slow-TCAM)andtheSlowSaturation attack.Inthefollowingsections,wedescribethesetwoattacks.Then inSection5,wediscusshowonecouldmitigatethesesattackandin Section6,wedemonstratebysimulationtheeffectivenessoftheseat- tacks.

4. SlowDoSattacksonSDN 4.1. Systemandthreatmodel

Oursystemandthreatmodelconsiderascenariowheretherearea numberoflegitimateclienthosts.Inaddition,thereisalsoanattacker thathasorcontrolssomeotherhosts(bots),whicharealllinkedtothe targetedswitch.WealsoassumethattheOpenFlowprotocolisoperated

Table1

Saturationattack:availability,controller’sCPUandmemoryusagewhenunder attacksofdifferentintensities.

Attack traffic Regular controller

Availability (%) CPU (%) Memory usage (MB) Continuous (100 pkts/s) 100 24.7 40.5

Continuous (200 pkts/s) 24.2 45.4 214.1 Continuous (400 pkts/s) 13.4 50.7 266.1 Continuous (600 pkts/s) 10.8 50.6 269.6 Continuous (800 pkts/s) 10.3 51.8 265.6

Table2

SlowDoSattacks’parametersandtheirrespectivedescription.

Attack parameter Description

T o The inferred flow rules’ timeout of the network.

N r The inferred number of the targeted TCAM table of the switch.

N ps The rate in which the attacker is sending new unique packets.

N _pr The rate in which the attacker is re-sending packets.

usingthemostcommonlyappliedruleinstallationmode,thereactive mode[27].

Apartfrombeingconnectedtothetargetedswitch,theattackerdoes notneedanypriorknowledgeaboutnetworktopologyorswitchesand controllerconfigurations.TheattackercanfirstinfertheSDNtimeout usingexistingSDNtimeoutprobingapproaches[31,32],suchasSDN SCANNER[4],andthencraftsitspacketsusingthegatheredinformation accordingly.Oursystemmodelassumptionshavebeenreplicatedfrom previousexistingworksonattackingSDNnetworks[3,5,13,23,25,33].

ASlow-TCAMattackfinalgoalistooverflowtheTCAMtableofthe targetswitchesbycraftingandsendingthepacketsinadisguisedway.

Oncetheswitches’flowtablesarefull,nonewrulecanbeinstalledand newpacketswillbedroppedbytheswitches,i.e.,disruptingtheSDN dataplane.Ontheotherhand,theSlowSaturationapartfromsending Slow-TCAMtraffic,italsodisruptstheSDNcontrolplanebylaunching saturationtrafficatcertainintervals,thusstressingandconsequentlyin- terruptingswitch-to-controllerconnection.Whensuchcommunication failurestakeplace,weassumethattheswitchwillentertheFailSecure ModeaccordingtoOpenFlowspecificationsanddescribedattheendof Section2.

4.1.1. Slowattacks’principles

Ourproposedattacksarecomposedoftwophases,namely(i)Probing phaseand(2)Launchingphase.Theformerallowstheattackertoinfer andidentifynetwork’ssettings,suchasT_o,N_r,N_psandN_pr described in Table2. Theseparameters enableattackerstodecide theoptimal numberofpacketsandminimalpacketsendingrateinordertotrigger newflowrules’installationandrefreshtheirtimeouts,thuskeepingthe targetswitch’sflowtablecontinuouslyfull.Oncegatheringnetwork’s configurationanadversaryisreadytocraftpacket’spayloadandrate accordingly,thereforestartingthelatterphasethatconsistsofsending thehushedtraffic.

4.1.2. Probingphase

ThemainrationalebehindtheProbingphase isbased onthefact thatinanySDNnetworkwhenanewpacketthatcausesatable-miss intheswitcharrives,itperceivesalongerresponsetime.Thishappens becauseasintroducedinSection2,theswitchneedstoquerythenet- work’scontrollerforitsdecisionontherulesthatwillbecreatedtothat specificpacket.Allnextpacketsthatmatchthatrule,willexperiencea shorterresponsivetimebecausenowtheswitchonlyneedstoapplythe forwardingrulesetbythecontrollerbefore.

Notably,anadversarycansmartlycreateandsendpacketstothenet- work,andmonitorthepacket’sresponsetime.Asaresult,byapplying statisticaltestsonthecollecteddata,suchast-tests[4],theattackercan inferthenetwork’stimeouts.Similarly,attackercanalsocraftpackets inordertofindpacket’smatchfieldsthattriggerflowruleinstallation [33].Astheparticularitiesandintuitionoftheseapproachesarenot novel,weopttoreferthereadersto[4,31–33]foramoredetailedex- planationandreasoningofsuchapproachesinSDN.

4.1.3. Launchingphase

Oncegatheringnetwork’sinformationfrompreviousphase,theat- tackerisnowabletodefinetheN_psandN_prmetricrates,suchthatthey notonlycauseminimalimpactonthenetwork’sbandwidth,butalso continuouslykeepmaliciousrulesinstalledinthetargetedflowtable

[25].Aftersettingallparametersfortheattack,theattackerplotsthe attackbycraftingandsendingthepacketsaccordingly.

Aseachattackhasitsparticularfeatures,weexplaintheirrespective Launchingphaseseparatelyinthefollowingsections.

4.2. SlowTCAMexhaustionattack(slow-TCAM)

TheLaunchingphaseoftheSlowTCAMattackiscarriedoutasby followingthesteps:

1. Recruitalargeenoughnumberofbots,typicallyanumberabit greater thanahalf therulecapacityof thetargetswitch (N_r).

Anumberbetween1500and4000isenoughconsideringexist- ingSDN-enabledcommercialswitches[1–3].Thisisfeasibleas theattackercanrecruita botnetusing standardmethods,e.g., phishing orpurchasing such botnet service. Forexample, the

”0x-booter” isatypeof Crime-as-A-ServicethatoffersDoS-for- hireconsistedof20,000bots[34].Noticethattheattackerisnot spoofingIPaddresses.

2. Eachbotsendsauniquepackettothetargetswitch.Wheneverthe switchreceivesthefirstpacket,anewruleisinstalled.Moreover, sincethereisnoIPspoofing,twoflows,anincomingandoutgoing flow,areeventuallyinstalled.

3. Theuniquepacketgenerationrate(N_ps)iscontrolledsothatthe ratethatnew rulesareinstalled isnot toohigh.The N_ps rate defineshowfastanattackerisabletooverflowthetargetswitch flowtable.Inourexperiments,theattackergeneratesatrafficof upto40packetspersecond,whiletypicalfloodingandSaturation attacksgenerateatrafficgreaterthan1000packetspersecond [3,5,13,23].

4. Meanwhile,eachbotkeepsre-sending,ataN_prlowrate,packets totheswitchwithinitsruleidletimeoutT_o.RecallthattheT_ocan beinferredbytheattackerbytrialanderrorusingSDNSCANNER [4].Consequently,oncetheswitch’sTCAMisfullofbotrulesand noneoftheirruleisuninstalled,theTCAMwillbealwaysfull.

Thus,notbeingabletomanagetheinstallationofnewrules.

5. Finally,bykeepingthebotnetbehavingcoordinated,theattacker isabletokeepthetargetswitchintheTABLE_FULLstateindefi- nitely.

When aSlow-TCAM attackis carried out, thecontrollerand the switchoperatenormally,buttheyareforcedtoserveonlytheflowrules installedbeforetheattackandtheflowrulesinstalledbytheattacker,thus denyingservicetonewlegitimateclients.

4.2.1. Slow-TCAMbyexample

InordertobetterunderstandhowtheSlow-TCAMattackworks,we illustrateitbyexample.Assume atargetswitchwith𝑁𝑟=5andthe ruletimeout 𝑇_𝑜=10. Moreoverassumethattheattackerhasalready recruitedalargeenoughbotnet.Inthiscase,abotnetof3botsisenough.

Assumeforsimplicitythataruleisrepresentedbythefollowingtu- ple:

⟨𝗋𝗎𝗅𝖾_𝑖,𝑛⟩

where𝗋𝗎𝗅𝖾𝑖standsfortheruleidentifierandnistheremainingseconds fortimeoutoftheruletobeactivated.

Onceacontrolleris connectedtotheswitch,aspecialrulerepre- sentingtheircommunicationiscreated.Theresultingswitchflowtable stateisasfollows:

𝖥𝗅𝗈𝗐_𝖳𝖺𝖻𝗅𝖾=⟨𝖼𝗈𝗇𝗍𝗋𝗈𝗅𝗅𝖾𝗋_𝗋𝗎𝗅𝖾,∞⟩

Now,suppose abot attackersendsapackettotheswitch.Afterthe OpenFlow messages areexchanged and receivingthe correspondent FLOW_MODmessage,theswitchinstallsthenewflowrules.Moreover, sincethebotisnotspoofingitsIP,thequeriedservicewillrespondlead- ingtotheinstallationofanoutgoingrule.Therefore,theswitch’sflow tablehasthefollowingstate:

𝖥𝗅𝗈𝗐_𝖳𝖺𝖻𝗅𝖾=⟨𝖼𝗈𝗇𝗍𝗋𝗈𝗅𝗅𝖾𝗋_𝗋𝗎𝗅𝖾1,∞⟩,⟨𝗂𝗇𝖼_𝗋𝗎𝗅𝖾1,10⟩,⟨𝗈𝗎𝗍𝗀_𝗋𝗎𝗅𝖾1,10⟩

Fig.2.TCAMtableconsumption:ComparisonbetweenaSaturationattackwithintensityof100packetspersecondandaSlowSaturationattack(i.e.,aSlow-TCAM attackwithintensityof5.8packetspersecondandaSaturationattackwithintensityof100packetspersecond).ThetargetSDNswitchiscapableofstoring1500 rulesandtheruletimeoutissetto10s.

Assumetwosecondselapse.Anotherbotalsosenditspacketcausingad- ditionalincoming(𝗂𝗇𝖼_𝗋𝗎𝗅𝖾)andoutgoing(𝗈𝗎𝗍𝗀_𝗋𝗎𝗅𝖾)rulestobeinstalled.

Atthispoint,theswitch’sTCAMisfullwiththefollowingrules:

𝖥𝗅𝗈𝗐_𝖳𝖺𝖻𝗅𝖾=⟨𝖼𝗈𝗇𝗍𝗋𝗈𝗅𝗅𝖾𝗋_𝗋𝗎𝗅𝖾1,∞⟩,⟨𝗂𝗇𝖼_𝗋𝗎𝗅𝖾1,8⟩,⟨𝗈𝗎𝗍𝗀_𝗋𝗎𝗅𝖾1,8⟩,

⟨𝗂𝗇𝖼_𝗋𝗎𝗅𝖾2,10⟩,⟨𝗈𝗎𝗍𝗀_𝗋𝗎𝗅𝖾2,10⟩

Anynewflowscannotbeinstalledasswitch’sTCAMdoesnothavemore roomlefttostorenewones. Ifthis happens,aTABLE_FULLmessage willbesentbytheswitchtothecontrollerandthepacketstryingtobe installedaredroppedfromthenetwork,leadingtothedenialofservice.

Additionally,during7s,theattacker’sbotsdonotneedtosendany packetsasthetimeoutoftheirruleswillnotexpirebeforethat.Thestate oftheswitchafter7sisasfollows:

𝖥𝗅𝗈𝗐_𝖳𝖺𝖻𝗅𝖾=⟨𝖼𝗈𝗇𝗍𝗋𝗈𝗅𝗅𝖾𝗋_𝗋𝗎𝗅𝖾1,∞⟩,⟨𝗂𝗇𝖼_𝗋𝗎𝗅𝖾1,1⟩,⟨𝗈𝗎𝗍𝗀_𝗋𝗎𝗅𝖾1,1⟩,

⟨𝗂𝗇𝖼_𝗋𝗎𝗅𝖾2,3⟩,⟨𝗈𝗎𝗍𝗀_𝗋𝗎𝗅𝖾2,3⟩

Atthismoment,inordertokeeptheirrulesinstalled,thebotsthat generatedtherules𝗂𝗇𝖼_𝗋𝗎𝗅𝖾1and𝗂𝗇𝖼_𝗋𝗎𝗅𝖾2willre-sendapacketsotore- newthetimeoutoftheirrules,respectively,asillustratedbelow:

𝖥𝗅𝗈𝗐_𝖳𝖺𝖻𝗅𝖾=⟨𝖼𝗈𝗇𝗍𝗋𝗈𝗅𝗅𝖾𝗋_𝗋𝗎𝗅𝖾1,∞⟩,⟨𝗂𝗇𝖼_𝗋𝗎𝗅𝖾1,10⟩,⟨𝗈𝗎𝗍𝗀_𝗋𝗎𝗅𝖾1,10⟩,

⟨𝗂𝗇𝖼_𝗋𝗎𝗅𝖾2,10⟩,⟨𝗈𝗎𝗍𝗀_𝗋𝗎𝗅𝖾2,10⟩

Noticethatthebotsdonotneedtoresendthesameexactpacket,but anypacketthatactivatestheseruleswilldothework.Indeed,inorder toavoidsimplemonitoringdefenses,thebotmaychoosepacketswith differentpayloadorrequests.

4.3. Slowsaturationattack

TheLaunchingphaseoftheSlowSaturationattackiscarriedoutby combiningaSlow-TCAMattackandaSaturationattackwithalower trafficrate.TheSlowSaturationcombinesthepoweroftheSlow-TCAM andtheSaturationattack,i.e.,itdeniesservicebyusinglesstrafficthan usualSaturationattacks,anditallowstodenyservicetoclientsthatare servedbyrulespreviouslyinstalledintheSDNswitch.

WeillustrateanddiscussthesefeaturesintheFig.2aandb.

• LowerTrafficRate:Fig.2illustratesthedifferencebetweenaSat- urationandaSlowSaturationattackusingthesametrafficrateof 100packetsper second,onatarget SDNswitchwith 𝑁_𝑟=1,500

rulesand𝑇𝑜=10s.AsshowninFig.2a,theSaturationattackisnot abletosuccessfullydenyservice(asalsoshowninTable1).Itdoes occupy1000ofthe1500oftheavailabletablerules.

Ontheotherhand,asshowninFig.2b,theSlowSaturationsuc- cessfullydisruptsservicebyusingthesametrafficrateNpsof100 packetspersecond.ThisisbecausetheSlow-TCAMcomponentofthe attackisabletokeeptheirrulesaliveandinstalledforlongerperi- ods,inconjunctionwiththerulesfromthesaturationcomponentof theattack.Itisimportantnoticingthatsaturationtrafficisnotable torenewtheirrule’stimeoutsasitalwayssenduniquepackets.

• DroppingPreviouslyInstalledRules:Furthermore,asalsoillus- tratedbyFig.2b,theSlowSaturationattackisabletodisruptthetar- getswitch,thusleadingtoadroppingofactiverules.Around480s aftertheattackstarts,theswitchbeginstosufferfromcommuni- cationfailureswiththecontroller,thusdroppingstoredrules(due totheirtimeoutexpirations-recallthefailsecuremodedefinition fromSection2).Notethattherearemomentsduringtheexperiment inwhichthereisnoruleinstalled.Thisisduetothefactoflonger (above10s)periodsofswitch-to-controllercommunicationfailure, leadingtoacompletedroppingofinstalledrules.

Inaddition,therearesituationsinwhichtheswitchkeepsaround 800to1000rulesinstalled,thekeyinsightofthisevidenceisthat whiletherulesinstalledbythesaturationcomponentoftheattack aredroppedbytheruletimeout,therulesinstalledbytheSlow- TCAMcomponentoftheattackarekeptalivemoreeasily(asthey arerejuvenatedbytheattacker).Hence, thiseffectturnspossible fortheattacktoconsumealltheswitch’sTCAMatcertainpointsin time.

ASlowSaturationattackaffects,therefore,notonlynewlegitimate clients(bydisruptingSDNdataplanewiththeSlow-TCAMcomponent of theattack),butalsolegitimate clientsthatareservedbyprevious existingSDNrules(bytheSaturationcomponentoftheattack,which slightlyandpunctuallystresstheSDNcontrolplane,causingswitch- to-controllercommunicationfailuresthatleadstoflowrule’stimeout expiration).

Weconsidertwovariantsofthisattack:

• Continuous: IntheContinuous SlowSaturation attack,boththe Slow-TCAMandtheSaturationattackarecarriedoutsimultaneously andduringthedurationoftheattack,e.g.,Fig.2b.

Fig.3. SlowSaturation:NumberofinstalledrulesinthetargetSDNswitchduringaSlowSaturationattackwithpunctualburst(s)of1000packetspersecondand Slow-TCAMintensityof5.8uniquepacketspersecond.

• Bursts:IntheBurstSlowSaturationattack,theSlow-TCAMattackis carriedoutduringthewholedurationoftheattack,buttheSatura- tionattackalternatesbetweentwoactiveperiods(thebursts),when boththeSlow-TCAMandtheSaturationtrafficsaresent;andsleeping periods,inwhichtheattackisonlysendingSlow-TCAMtraffic.

ThegoaloftheBurstSlowSaturationattackistoreducetheaverage rateofpackets,henceincreasingthechancesofbypassingdefensesthat monitortheaveragetrafficload.

Fig.3aandbillustratehowBurstSlowSaturationattacksdenyser- vice.Inthisexperiment,wefirstpopulatetheswitch’sTCAMtablewith 500flowrulesinstalledbylegitimateclients.Then,westarstwodif- ferentvariationsoftheSaturationattack,onewithonlyoneburst,and anotheronewithtwobursts.

InFig.3a,theswitch’sTCAMisfirstpopulatedwith500flowrules installedbylegitimateclients.Atthe75thsecond,anSaturationattack withonlyoneburststarts(redsquareinthefigure).Fromthatmoment on,severalswitch-to-controllerconnectioninterruptionstakeplacedue tothestresscausedbytheattack.Theseinterruptionsleadtotheunin- stallingofflowrulesduetotheirtimeoutexpiration.Forexample,atthe 135thsecond,alltheinstalledflowruleshavebeenexpired(redcircle inthefigure).Thus,denyingservicetoallpreviouslyservedlegitimate client’sflowrules.Finally,onlyatthe150ththecommunicationisre- initiated,enablinganattackertolaunchaSlow-TCAMtraffic,therefore beingabletoloadtheTCAMtablewithmaliciousrules.

Similarly,Fig.3billustratesasequenceoftwoburstsofSaturation attacks.Thefirstburstwasabletodisruptswitch-to-controllercommu- nicationuntilthe185thsecond.Fromthatmoment,aSlow-TCAMtraffic launchedbyanattackercouldreachtheTCAMtablefullcapacityatthe 427thsecond.Then,atthe430thasecondsaturationburstisstarted (representedbyabluesquareinthefigure)leadingtotheremovalof allcurrentlyinstalledrulesat485th.Atthismoment,anattackercould havestartedlaunchingaSlow-TCAMtraffictofulfilltheswitch flow tableoncemore.

Inaddition,itisimportantnoticingthatanattackercanfreelychoose whentostartorreleaseburstsofsaturationtraffic.Thiscanbeperceived andusedasameanstonotonlydropallcurrentinstalledrulesinatarget switch,butalsotoensurethatwhentheswitch-to-controllercommuni- cationisbackalive,themostnumberofnewinstalledrulescomefrom theSlow-TCAM’strafficpartoftheattack.

Insummary,thisexperimentshowsthepracticabilityofaSaturation attackwhennotonlydroppingpreviouslyinstalledrules(withthesat-

urationpartoftheattack)butalsowhenoverflowing switch’sTCAM tablecapacitywithitsSlow-TCAMcomponent.

5. MitigatingTCAM-aimedattacks

TheexistingapproachesagainstTCAM-aimedattacksimplythatat- tackers send unique packets ata veryhigh rate,mixingIPspoofing andfloodingtechniques.Thisbehaviorcausesabruptlychangesinthe networkthateasilytriggerscountermeasures.Themainapproachesto avoid these attack arebasedon:(1)setting ruletimeouts (idletime- out)embeddedintheOpenFlow,whichisthestandardmechanismfor removingobsoleterules;(2)monitoringunpaired rules,i.e.,rulesfor whichthereisanincomingflow,butnooutgoingflow.Whenspoofing IPs,attackerrulesarenotabletohaveoutgoingflowrulesasthespoofed IPmaybenotachievable;(3)monitoringofruleinstallationrate,which isusedtotriggercountermeasureswhentherateofnewrulesarehigh, suchacaseofaSaturationattack,and(4)CPUandmemorymonitor- ingofSDNcontrollersandswitches,inwhichwhenunderstressthey increasinglystarttoconsumemorecomputationalresourcesinorderto dealwiththeaugmentedtraffic.

ConsideringthenoveltyoftheSlow-TCAMattack,tothebestofour knowledge,onlySelectIvedeFenseforTCAM(SIFT)[25]hasbeenpro- posedasadefenseagainstSlow-TCAMattacksuntilnowadays.Simi- larly,suchasanovelattack,nodefensehasbeenproposedtodirectly mitigatetheherebypresentedSlowSaturationattack.Table3summa- rizesthemaincurrentdefensesusedtomitigateSaturationattacks.We discusswhytheyarenotcapableofmitigatingTCAM-aimedattacks.

AlthoughSIFTmitigatestheSlow-TCAMattack,itisnotabletomit- igatealonetheSlowSaturationattack.Thereasonistherelativelyhigh rateofpacketsgeneratedbytheSlowSaturationattack.Wereplayedall experimentspresentedinthisworkandweobservedthatSIFTcannot handlehigh-ratetraffic.WebelievethatinordertomitigatetheSlow Saturationattack,SIFTwouldhavetoworkwithotherparameters,such asswitch’sCPU/memoryconsumption.Therearealsosomeapproaches andalternativedefensemechanismsthatcouldbeimplementedinthe networkalongwithSIFTtoeffectivelyceaseaSlowSaturationattack.

ItisalsopossibletomergesomeexistingapproachesthatmitigateSat- urationattacks(suchastheonespresentedinTable3)withSIFT.

6. Experimentalresults

WeimplementedtheSlow-TCAMandSlowSaturationattacksand carriedout anumberofexperiments.Weusedtwovirtualmachines,

Table3

ExistingdefenseapproachesagainstTCAM-aimedattacks.

Approach Short description Vulnerability against Slow-TCAM and Slow Saturation attacks Yu et al. [35] ; Katta

et al. [2]

Propose architectural changes to TCAM and OpenFlow protocol in order to increase rule storage.

Their main goal is to enhance SDN perfomace, nevertheless their changes will only demand a larger botnet by the attacker. Their approaches are not also able to mitigate the Slow Saturation attack as they do not protect the switch-to-controller

communication.

AVANT GUARD [23] Validates TCP Handshake before installing rules.

As Slow-TCAM bots have legitimate IP, connection and so forth, they trespass the TCP Handshake testing. Furthermore, it has a vulnerability in its cache module , which can be exploited by attackers, leading to denial of service, as presented by [14] .

SPHINX [3] Monitors rule installing and creation rate. As Slow-TCAM sends packets in a slow and ”legitimate ” way in addition to being configurable, the attacker can circumvent the limiars set in the defense. As during a Slow Saturation attack the adversary can control the rate and the interval of Saturation attack, the attacker can bypass the triggers of this defense.

Shin et al. [4] ; Kandoi et al. [5]

Applies OpenFlow mechanisms, such as Optimal Timeout and textitFlow Aggregation in a dinamic way.

The traffic sent by a Slow-TCAM attack is very similar to client traffic, then hampering and increasing false positive matches during the detection. It is true that Flow Aggregation can maximize rule storage, however they need to be used very carefully as they can facilitate the incoming of malicious traffic to the network. Aside that, it is not capable of mitigating Saturation attacks, as mentioned in [36] , consequently, they cannot mitigate the Slow Saturation attack.

FLOOD GUARD [13] Monitors switch’s CPU and memory usage. Slow-TCAM has a little impact in these parameters while attacking, hence the defense is not to detect and start countermeasures against the attack. The attacker can perform a minimalist Slow Saturation attack, reducing the traffic rate and interval time. Thus, avoiding to consume switch’s resources, trespassing the defense.

Wang et al. [8] Applies traffic analysis along with neural networks and entropy techniques in order to decide about rule installation.

Slow-TCAM has a traffic similar to legitimate clients, therefore the defenses suffer from false positive detection. As the Slow Saturation mixes slow a flooding traffic it can difficult even more the accuracy of the defenses’ analysis. In addition, it also has cache vulnerabilities as found in AVANT GUARD [14] .

Jinan S. [9] Applies a peer support strategy along switches in the network, where they share their idle storage TCAM space.

This defense is not able to detect the presence of the Slow-TCAM attack but it can retard the beginning of the denial of service, forcing the attacker to recruit a larger botnet . Furthermore, it is only concerned about the TCAM overflow, therefore, no countermeasures is taken against the flooding traffic of the Slow Saturation attack.

Xu et al. [37] Uses the Tocken Bucket model to control

PACKET_IN messages sent to the controller. As Slow-TCAM attack traffic is slow and its rules are always reinstalled, it does not generate a high traffic of PACKET_INs in the network, consequently less

switch-to-controller communication are performed. In addition, the Slow Saturation only send high traffic in certain intervals of time. Thus, the defense is not capable of detecting and mitigating the attack as it will never be triggered.

Shang et al. [27] Uses a cache system to keep rules not found in the flow table ( ”table-miss ” entries), thus sending PACKET_INs to the controller in a controlled way.

Slow-TCAM does not send a high traffic, running silently. Thus, not activating the approach countermeasures. In relation to the Slow Saturation attack, the adversary can model the attack in a way that it will not surpass traffic rate specified by the defense.

Ma et al. [38] Propose a Moving Target Defense (MTD) approach, which posses a pool of interchangeable controllers that are shifted dynamically according to their stress level (due to flooding attacks). They also offer MTD approaches for reducing the success rate of attackers scanning the SDN network.

Their approach can only mitigates flooding-based attack, i.e. , Saturation attacks.

Therefore, they cannot mitigate the Slow-TCAM component of our proposed attack.

Although their MTD scheme of dynamic delays hinders the chances of attackers fingerprinting the network easier, an attacker still can carry out a Slow-TCAM or Slow Saturation attack using smaller interval periods.

SDN-Anti-DDoS [39] Its mitigation module is responsible for detecting anomalies in PACKET_IN messages, such as unpaired rules (derived from IP spoofing-based attacks) as well as the rate of new incoming PACKET_INs.

As this approach is threshold-based, an attacker can adapt the traffic rates of both components of the Slow Saturation attack. In addition, the Slow-TCAM traffic component of the attack not only does not spoof IPs, but also generates a low rate packet sending, thus surpassing mitigation techniques proposed by this defense.

ReCON [40] Applies MTD techniques in order to minimize and re-use under-utilized critical SDN network’s resources, i.e. , OpenFlow Agent (OFA).

Similarly, this approach does not monitor TCAM table occupancy, as a consequence, it is not able to treat the Slow-TCAM component of our attack.

onerunningMininet[41]alongwithOpenvSwitch2.5.0[29],which areawell-knownnetworkemulatorandopen-sourcevirtualswitch,re- spectively.AnothervirtualmachineexecutedtheSDNcontrollerRyu [42]usingOpenFlow1.3[26].FortheattackgenerationweusedHping [43]andScapypythonlibrary[44].

The Mininet machine was a Ubuntu 14.04 LTS, Intel i7-5500U CPU@2,40GHzwith3GBof RAMmemory,whiletheRyumachine wasaUbuntu16.04.1LTS,Inteli7-5500UCPU@2,40GHzwith1GB ofRAMmemory.ThehostmachinewasaWindows10-64bit,Intel i7-5500UCPU@2,40GHzwith8GBofRAMmemory.

Inordertoavoidresourcelimitation interference,wecarriedout theSaturationandSlowSaturationattacksonaDellPowerEdgeT430 serverwithdual8-coreXeonE5-2620CPU@2,10GHzand64GBRAM, runningthesamevirtualmachinesimages(MininetandRyu)informed above.WesettheSDNswitchrulecapacityto1500ruleswithruletime- outT_oof10sasrecommendedintheliterature[10].

Fig.4ashowstheset-upofourexperimentsfortheSlow-TCAMand SlowSaturationfirstexperiments.Wealsoperformedadditionalexperi- mentswiththeSlowSaturationattackinascenariowheretherearetwo switchesintheSDNtopology.Thegoalofthelatterexperimentsisto evaluatehowaSlowSaturationattackaffectsotherexistingswitchesint thenetwork,evenwhenanontargetedswitchbelongstothetopology, butyetisnottargetedbytheattacker.

6.1. Slow-TCAMresults

Legitimateclient traffic(Host2) consistedof 375uniqueconnec- tions,whichmeanstheinstallationof750rules(incomingandoutgoing rules)inaswitch,i.e.,halftheswitchrulecapacity.Weimplemented theSlow-TCAMattackwheretheattacker(Host3)possessesabotnet withmorethan760botsandnomorethan800bots.Bothlegitimate andattacker’sbotsaccessedtheweb-server(Host1).

Fig.4. Experimentalset-ups.

Fig.5. Slow-TCAMattackwithintensityof5.8uniquepacketspersecond.

Table4

Slow-TCAM:attackrate,availability,timetoservice,timetoDoS,CPUandmemoryconsumption.The valueonAvailabilitycorrespondstothenumberofclientsthatareabletoobtainaresponseafterthe attackerhascarriedouttheattackandoccupiedalltheTCAMmemory.

Average attack rate Availability (%) TTS (ms) Time to DoS (s) CPU (%) Memory usage (MB)

No Attack 100 12.6 – 1.1 36.9

3.2 unique pkts/s 0.0 ∞ 478 2.5 42.3

4.6 unique pkts/s 0.0 ∞ 324 3.8 43.0

5.8 unique pkts/s 0.0 ∞ 258 4.7 42.3

9.2 unique pkts/s 0.0 ∞ 162 4.9 42.5

13.6 unique pkts/s 0.0 ∞ 110 6.4 42.2

15.6 unique pkts/s 0.0 ∞ 96 7.2 41.9

23.6 unique pkts/s 0.0 ∞ 63 10.4 41.8

39.5 unique pkts/s 0.0 ∞ 38 10.9 42.3

Incontrastto[25],wereproducedanewandmorerealisticlegiti- mateclienttrafficbyusingthetoolScapy[44].Clientsnowareableto renewtheirflowrulesbyaccessingtheweb-servermorethanonce,thus bettersimulatingarealweb-clienttraffic.Wesimulated200clientsthat arerandomlycreatedwithinperiodsof5and10s,sending10requests totheweb-server(onHost1)each.

Table4summarizesourexperimentalresultsfortheSlow-TCAMat- tack.Wemeasuredthelegitimateclientavailabilityaftertheattacker hasoccupiedalltheTCAMmemory,timetoservice(TTS),thetimefor

theattackertodenyservice,thecontroller’saverageCPUandmemory usage.

Our experimentsshowthatSlow-TCAMattackcan beeffectivein denyingservicetolegitimateclientsaccessingthenetworkusingaSDN switch.Wecarriedoutanumberofexperimentswithdifferentattack intensitiesfrom3.2uniquepacketspersecondto39.5uniquepackets persecond.Incomparisontypicalfloodingattackshasaruleinstallation rategreaterthan500uniquepacketspersecond[3,5,13,23].Oncethe attackersuccessfullyoccupiedalltheTCAMmemory,everyoneofits

Table5

Slowsaturation:attackrate,availability,CPUandmemoryusagewhenunderanattackofa varietyofintensity.Theslowpartoftheattackhadaintensityof5.8uniquepacketspersecond.

Attack rate Regular controller (no defense approaches embedded) Availability (%) CPU (%) Memory usage (MB)

Continuous (100 pkts/s) 12.8 36.1 147.5

Continuous (200 pkts/s) 2.8 45.4 157.5

Continuous (400 pkts/s) 3.6 46.3 165.9

Continuous (800 pkts/s) 2.7 47.3 176.3

Bursts (100 pkts/s during 20 s every 20 s) 27.5 17.6 123.5 Bursts (100 pkts/s during 40 s every 40 s) 29.9 17.7 129.2 Bursts (100 pkts/s during 60 s every 60 s) 17.1 16.4 121.3 Bursts (200 pkts/s during 20 s every 20 s) 16.3 25.0 135.1 Bursts (200 pkts/s during 40 s every 40 s) 18.8 26.0 130.8 Bursts (200 pkts/s during 60 s every 60 s) 15.8 29.7 122.7 Bursts (400 pkts/s during 20 s every 20 s) 12.2 32.0 141.0 Bursts (400 pkts/s during 40 s every 40 s) 15.7 33.3 122.7 Bursts (400 pkts/s during 60 s every 60 s) 13.2 29.7 124.3 Bursts (800 pkts/s during 20 s every 20 s) 8.52 35.6 151.1 Bursts (800 pkts/s during 40 s every 40 s) 5.4 33.6 159.4 Bursts (800 pkts/s during 60 s every 60 s) 10.4 29.6 129.0

botssendswithperiodicityof3sapackettokeepitscorrespondingrule activeintheSDNswitch.

Fig.5aillustratestheTCAMconsumptionbytheSlow-TCAMattack withintensityof5.8uniquepacketspersecond.Ittakesabitmorethan 4mintooccupyalltherulecapacitybyinstalling1500rules.There- mainingscenarioswithdifferentattackintensitieshadthesamebehav- ior.Forourslowestattack,withintensityof3.2uniquepacketspersec- ond,theattackercandenyserviceevenmoresilentlyinaround8min withpracticallynoimpactonthecontroller’sCPUusage.Ontheother hand,theattackercanalsodenyservicemorequicklyin,38s,bycar- ryingoutaSlow-TCAMattackwithintensityof39.5uniquepacketsper secondwithstillaverylowimpactonthecontroller’sCPUusage.No- ticethattheattackerisabletokeeptherulesinstalledintheswitch byavoidingtheirtimeouttobefired.Thiscanbeobservedbythefact thatnorulesareuninstalled.Onceall1500rulesareinstalled,thereis nomoreroomfornewrulesthusdenyingservicetolegitimateclients whichrequirenewrulestobeinstalled.

WemeasuredthenumberofFLOW_MODmessagessentbythecon- troller(illustratedinFig.5b).Astheattackisslow,itcausesthecon- trollertosendalowamountofFLOW_MODmessages(lessthan40per second)andoncetheTCAMisoccupiedthenumberofFLOW_MODmes- sagesreducesevenfurther.Forexample,itweregeneratedlessthan 1750FLOW_MODmessagesin300sofSlow-TCAMattack.Incompari- son,theSaturationattacksdescribedinSection3,6000messageswere generatedin35s.Moreover,therateofruleinstalledwhencarryingout aSlow-TCAMattackis10timeslowerthanwhencarryingoutaSatu- rationattack.Noticeaswellthatthisnumbercanalsobereducedifthe attackeriswillingtocarryoutanattackwithanevenlowerrate,e.g., 3.2uniquepacketspersecond.Finally,astheattackerisnotspoofing IPs,allrulesinstalledintheswitchtohandlehispacketsarepaired,i.e., haveanincomingandoutgoingrules.

Morerecently,asimilarlow-rateattackagainstSDNhavebeenpro- posedin[33].Theyevaluatedtheirattackconsideringsametopology asin ourwork, with the exceptionof thatthey used a commercial hardware-basedswitch EdgeCoreAS4610-54Twitha1800flow rule capacity, i.e., a real SDN testbedwas considered. As expected, they havefoundsamefindingsanddrawnsameconclusionsasencountered in ourwork. Forthis reason, we areconfidentthat theSlow-TCAM attack has same efficiency when launched against TCAM-embedded switches.

6.2. Slowsaturationexperimentalresults

WecarriedoutexperimentswithbothversionsoftheSlowSatura- tionAttack,namelyContinuousandBursts.Sincetheseattacksgener-

ateagreateramountoftraffic,weusedfortheseexperimentstheDELL PowerEdgeserverintroducedinthissectioninordertoavoidnegative interferencebylackofresources.

Table5summarizesourSlowSaturationexperiments.TheContinu- ousSlowSaturationattackwaspromptlyabletoconsiderablyaffectser- vice(12.8%)whensendingonly100packetspersecond.Incomparison, Saturationattackswiththesameintensitywasnotabletodenyservice (seeTable1).ContinuousSaturationattackswithgreaterintensityalso deniedservice(web-serverhadalowerthan4%serviceavailability).On theotherhand,thecontroller’smemoryandCPUconsumptionduring aContinuousSlowSaturationattackweresimilartoSaturationattacks.

Ontheotherside,BurstSlowSaturationattacksconsiderablydis- ruptedserviceavailability,albeitlessthansimilar-intensityContinuous SlowSaturationattacks.Notethatduringburstattacks,thereisnosatu- rationtrafficforsomeintervalsoftime(20,40and60s-dependingon thetypeoftheexperiment),thusmakingroomforsomelegitimateclient rules.However,theimpactofBurstSlowSaturationtocontroller’sCPU andmemorywasconsiderablylower,thusbeingmorelikelytobypass defensesthatmonitorsuchparameters.

6.2.1. Additionaleffectsoftheslowsaturationattack

InordertomeasuretheeffectsoftheSlowSaturationattackinthe networkasawhole,wecreatedatopologyinwhichtwoswitchesare connectedtothesamenetwork’s controllerandclientsandattackers usedifferentswitchestoaccesstheweb-serveronHost1(seeFig.4b).

Wemeasuredtheparametersfor200clients(sending10requestseach oneof them)using thenon targetedswitchtoaccesstheweb-server on Host1.Notethattheonly attackedswitchis theSwitch2,while Switch1onlyreceiveslegitimateclienttraffic.However,asshownin Table6,evennotgoingthroughthetargetedswitch,theavailabilityof theweb-serverforthelegitimateclientsdecreased(availabilityvaried from78.9%to90.4%).Inaddition,someofclientpacketshasnotbeen successfullyansweredbythenonattackedswitchduetothenetwork instabilitycausedbytheattack.

Thisbehaviorisexplainedbythefactthatthesaturationcomponent oftheSlowSaturationattackiscapabletodisruptthenetwork’scon- troller,consequently,bothswitch(eventhenot attackedone)suffers thedenialofserviceeffects.Therefore,aSlowSaturationattackisalso abletodisruptothernetwork‘sdevicecomponents,i.e.,switches,and thentheentirenetwork.Thus,anattackeriscapable ofdisruptinga targetSDN-networkevennothavingfullknowledgeaboutitstopology.

Theseexperimentalresultsdemonstratethattheattackerhasanum- berofoptionswhencarryingoutSlowSaturationattack,eachwithits ownfeatures:thetypeof Saturationattack(ContinuousorBurst),its

Table6

Slowsaturation:attackrate,totalsentvs.totalunansweredpacketsbylegitimateclientsandavail- abilitywhenunderanattackofavarietyofintensity.Theslowpartoftheattackhadaintensityof 5.8uniquepacketspersecond.

Attack rate Non targeted switch (no defense approaches embedded) Total sent / Unanswered packets Availability (%)

Continuous (200 pkts/s) 1984 / 397 79.9

Continuous (500 pkts/s) 2000 / 373 81.4

Continuous (800 pkts/s) 1976 / 415 78.9

Bursts (200 pkts/s during 60 s every 60 s) 1976 / 189 90.4 Bursts (800 pkts/s during 20 s every 15 s) 1990 / 266 86.7 Bursts (800 pkts/s during 60 s every 60 s) 1989 / 230 88.4

intensity,intervalsbetweenbursts,andtheintensityoftheSlow-TCAM attack.

6.3. Possiblecountermeasures

Asithavebeenshownin[25],thedefenseSIFTiscapableofmit- igatingSlow-TCAMattacks(whichonlytargetstheSDNdataplane).

Nevertheless,giventhenumberofitsfeatures,itischallengingtomiti- gateaSlowSaturationattack.Forexample,SIFTisnotabletomitigate SlowSaturationattacksbecauseitisnotabletohandletheattack’ssat- urationcomponent,whichaffectsnotonlytheSDNcontrolplane,but alsoitsdataplane.

Therefore,asthereisalreadyavarietyofdefensesthatmitigatesatu- rationattacks,wespeculatethatcombiningSIFTwithexistingdefenses forSaturationattacks(suchtheonesinTable3)maybeeffective.In addition,wealsothinkthatapplyingMovingTargetDefense(MTD)- basedapproaches[38,40,45–47]wouldofferaeffectivewayofmitigat- ingSlowSaturationattacks.ThemainrationalebehindaMTDapproach isthatitrandomlychangessomenetworkssettings,parametersoreven topology,therefore,dynamicallychangingtheattackersurface.Thus, imposingsomeadvantagesonthedefenderside.

Forexample,Maetal.[38]appliesaMTDtechniquethatrandomly changespackets’delayssothatattackerscannotcorrectlyinferSDN’s timeouts.Besidesthat,theykeeppoolofhealthySDNcontrollersthat replacecontrollersincriticalstages(i.e.,beingattacked).Ontheother hand,Gillanietal.[40]presentedReCON,adefensemechanismthatof- fersacontrolagentthatdynamicallymanagesunder-utilizedresources withintheSDNnetwork’scontrolplaneandthenincreasesresourcesca- pabilitiesofcontrolplane’sdevicesincriticalsituation,thus,minimizing damagesontheSDNcontrolplane.Moreover,Kampanakisetal.[45]of- ferIPrandomizationtechniquesinordertofrustrateattackerslaunch- ingscanningattacks.Similarly,Jafarianetal.[46]offerthesamefea- ture,howeverfocusingoncreatingamoreeffectiveapproachinterms ofspeed.Equivalently,MacFarlandandShue[47]notonlyaimsatran- domizingIPaddresses,butalsoMACaddress.Hence,decreasingchances ofsuccessfulattacks,asattackershavetoconstantlyfindtheirproper targets.

Therefore,wearguethatbyapplyingMTD-basedmethods,suchas replacingfaultycontrollerswithhealthyones,whicharekeptsparein acontrollerpoolreserve,andrandomlysettingtimeoutsofflowrulesis enoughtomitigatetheattacksproposedinthiswork.Asaresult,weplan tocombineourpreviouswork[25]withseveralanti-saturationattack defensesandMTDtechniques,andexperimentallyevaluateitconsid- eringavarietyofscenariostoeffectivelymeasuretheeffectivenessof suchhybriddefensemechanism.However,amoredetailedinvestigation isleftforfuturework.

7. Relatedwork

Forthebestuse of SDNprogrammability,SDNswitches utilizea specialtypeofmemory:TernaryContentAddressableMemory(TCAM).A

memorywhichhasafasterandwidequerypowerthanContentAddress- ableMemory(CAM)andRandomAccessMemory(RAM).However,allits benefitscomewithhighpricesandpowerconsumption.CurrentSDN switcheshaveapproximately1Mbitto2MbitofTCAM,whereeach1 MbitchipcostsU$350andconsumes15Watt/1MBitinaverage[1]. Duetothesefactors,SDNswitcheshavealimitedTCAMandcanstore onlyanarrownumberofflowrules[1–3],typicallybetween1500and 8000rules.

Someproposals[2,35]suggestmodificationstotheOpenFlowpro- tocolusedin SDNandinthestructureofTCAMmemoryin orderto improvememorymanagement.Likely,ataggingapproachisproposed byBanerjjeetal.[48].Intheirmechanism,TCAMentriesutilizelessbits torepresentflowrules.Forexample,thetaggedflowsuseonly24bits whileregularflowentrieshave356bits.Thus,increasingTCAMstoring capacity.

KandoiandAntikainen[5]andShinandGu[4]commentandpro- posethepossibilityofusingOptimalTimeouttechniquetoflowrules, seekingforbetterTCAMusage.Inotherwords,theirmechanisminstall rulessettingtheiridle_timeoutaccordingtoflowtrafficofthenetwork.

Thisavoidsthatruleskeepinstalledwithoutbeingused,oruninstalled whilebeingused.Consequently,improvingTCAMusage.Theyalsoof- fertheFlowAggregationmechanismwhichisatechniquethatgenerates moregeneralrulesdefiningmacroflows,insteadofusingmorespecific rules,definingmicroflows.Thisstrategycan increasethequantityof rulesinstalledinaTCAM,butattheexpenseofleavingthenetwork morevulnerabletootherattacks,e.g.,Get-Flooding,allowingmalicious traffictousethenetwork.Moreover,aspointedoutbyWangetal.[13], FlowAggregationisnotcapableofmitigatingSaturationattackssuch astheonesproposedbyCurtisetal.[36].

ThemaingoaloftheseproposalsistoenhanceSDNgeneralperfor- mance,whereasweexposetheTCAMlimitedspaceSDNvulnerability asameantodenyitsservice.Thismeansthatwiththeseapproachesthe attackermayneedtorequiresomemorebotstodenyservice.

Theaimof Saturationattacksistoforcetheswitchtoconstantly install newrules.Intheliterature,this isaccomplishedbysendinga highrateofuniquepackets,e.g.,usingspoofingandsendingUDPpack- ets[3,5,7].Furthermore,theSaturationattack[1,8,10–14]hasasmain objectivetocrashthecontrollerbysendingalargeamountof traffic toaSDNswitchoccupyingitsincomingbuffer.Thiscausestheswitchto sendtothecontrollerthewholepacketinsteadofonlysendingthepacket header.

Dhawanetal.[3]proposethedetectionofDoSattacksbymonitoring therateofrulecreationbytheSDNcontroller.Ifthisratesurpassesa certainthreshold,thenmitigationactionsaretaken.Similarly,Xuetal.

[37]usetokenbucketmodelinordertolimittheattackrate.Onthe otherhand,Shangetal.[27]proposeFLOODDEFENDER.Itremodels thedataplaneflowtableinordertomaximizeswitchesTCAMusage andutilizesdeviationmechanismstodetourpacketsin ordertosave controllerresources.SincetheSlow-TCAMattackcanbeconfiguredto setaparticularrateofrulecreation,thesedefensesarenoteffective inmitigatingtheSlow-TCAMattack.ItistruethatFLOODDEFENDER

allowstostoremoreflowrules;howevertheattackerwillonlyneeda larger,butstillrelativelysmallbotnet.

ThestrategyAVANTGUARD[23]detectswhenaTCP-handshake iscompletedbeforecreatingrulesinthenetwork.Ithasbeenrecently shown[14]thatthisdefenseisvulnerabletoamodificationoftheSat- urationattackcapabletoconsumeallAVANTGUARD’sresources.Asin aSlow-TCAMattack,theattacker’sbotscompletetheTCP-handshake, AVANTGUARD’sstrategycannotdetectSlow-TCAMattacks.

Wangetal.[13]proposetomonitorswitch’sbuffer,controller’sCPU andmemoryusagetomitigateSaturationattacks.AstheSlow-TCAM attackhaslittleimpacttotheseparameters, thedefenseproposedby Wangetal.isnoteffectiveindetectingSlow-TCAMattacks.

Similarly,Wangetal.[8]recentlyproposedtouseneuralnetworks, entropy,andmore sophisticatedtrafficanalysis methodstohelpthe controllertomakethedecisionofaddingaruleornot.However,their approachsuffersthesamedeficienciesastheAVANTGUARDbystoring acacheofrules.Moreover,sinceSlow-TCAMisanewattackandhas similarcharacteristicoflegitimateclients,itis notclearwhetherthe trainedneuralnetworkproposedbyWangetal.willbeabletoidentify aSlow-TCAMattack.

Yuan et al. [9] proposes a peer support strategy in which SDN switchessharetheirunusedTCAMmemoryspaceamongthemwhen theyarereachingitsTCAMlimit.Thisisdonebyinstallingflowrules intheattackedswitch(theykeepareservedspaceinTCAMforthat) inordertodivertflowstootherpeerswitchesaccordingtoparameters suchasTCAMusage,howclosetotheattackedswitch,howbusyisa switch,andhowaswitchconnectstootherswitches.Howevertheycan onlyretardtheattackandhastheproblemthatwhenthemajorityor manyswitchesarefulltheywilldiverttrafficbetweenthemendingup inaviciousloop.

Morerecently,MovingTargetDefense(MTD)approacheshavebeen proposedasameanstomitigatingandavoidingDDoSattacksonSDN networks[38,40,45–47].Themaingoal ofMTDistofrequentlyshift theattacksurface,sothatdemandinghighereffortsfromattackers.For example,randomlysettingdifferenttimeoutvaluestoseveralflowrules [45,46],keepingapoolofhealthycontrollerstobereplacedwithfaulty ones[38],anddynamicallychangingnotonlynetwork’scontrollerIP addresses,butalsoMACaddresses[47].Consequently,increasingover- allSDNsecurity.

OneofmostdisguisedDDoSattacksavailablearethesocalledLow- RateApplicationLayerDDoSattacks, suchasSlowloris[15].Attack- ers can denyserviceof a web-serveror aVoIP server by sendinga verylowrateof requeststothetargetserver [16–18].Attackerscan also carry out Low-Rate attacks using rather weak devices such as mobilephones[19,20]andexploitnewvulnerabilitiesonapplication layerprotocolsinordertoevadedetectionmechanisms,e.g.,SlowNext [21].

Aftertheproposal of the Slow-TCAMby Pascoal etal. [25], an- otherindependentandsimilarslowattackwasproposedin[33].Both approach aimstofirstly infersome SDN configuration settings,e.g., flowruletimeoutsforassemblingthestrategyoftheattack.Posteriorly, launchingtheattackinadisguisedway,avoidingabruptnetwork’spa- rameterschangesandthenevadingexistingcountermeasures.There- sultsin[33]shows theeffectivenessoftheattackin hardware-based SDNswitches,whichvalidatesandconsentswithourresultspresented in[25]andinthis paper.Basedonourandtheirfindings,weclaim thatour proposed attacksarefeasible not onlyin laboratory-crafted scenarios,butalsoinreal-wordscenariosconsideringcommercialSDN switches.Inaddition,wehaveextendedbothworks[25,33]byoffering anovelSlowSaturationattackandevaluatingtheattacks’effectiveness underothernetwork’stopology,suchasinthemultiple-switchessce- nario.

Tothebestofourknowledge,duetothenoveltyoftheSlow-TCAM andSlowSaturationattacks,therearenoproposedmitigationinthe literatureforthem.Nevertheless,wehaveprovidedpossiblecounter- measuresandguidanceinSection6.3.

8. Conclusion

ThispaperproposesandinvestigatesslowattacksonSoftwareDe- finedNetworks,namelytheSlowTCAMExhaustionattack(Slow-TCAM) and the Slow Saturation attack. These attacks exploit the fact that SDNswitchescanonlystorealimitednumberofforwardingrules.We demonstratetheireffectivenessbyperforminganextensiveexperimen- talevaluation.

WeshowthatSlow-TCAMattackcandenyservicebysendingpack- etsataverylowrate(3.2packetspersecond),incontrasttoexisting attacks.Itisalsoabletoevadeexistingdefensemechanismsduetoits disguisedtrafficrateandsimilaritytolegitimateclientsbehavior.The secondproposedattack,SlowSaturation,isabletodenyserviceusing onlyafractionofthetrafficrequiredbyexistingSaturationattacks.Ad- ditionally, itis alsoabletodenyservicetopreviousclient (installed rules).Moreover,SlowSaturationattackscanaffectanddisrupttheSDN networkasawhole,giventhefactthatitstressthenetwork’scontroller, italsodisruptthewellfunctioningofothernetwork’scomponentscon- nectedtoit.Asaresult,itaffectsothernetwork’scomponents,e.g.,non- targetedswitches,asshownbyourresults.

SinceexistingdefensesforDDoSattacksonSDNassumethatanat- tacknecessarilyfloodsthenetwork,thesedefensesarenotsuitablefor mitigatingsuchourofferedslowattacks.Webelievethatsuchdefense canbeconstructedbycombiningSIFT[25]withexistingapproachesfor themitigationofSaturationattacksalongwithMTD-basedtechniques.

Asfuturework,weaimatdeployingourattacksconsideringatest- bedwithSDNcommercialswitches,andassemblinganefficientdefense mechanismabletotackletheparticularitiesandintrinsicalitiesofsuch SlowDoSattacks,byusingthepresentedguidelines.

DeclarationofCompetingInterest

Theauthorsdeclarethattheyhavenoknowncompetingfinancial interestsorpersonalrelationshipsthatcouldhaveappearedtoinfluence theworkreportedinthispaper.

CRediTauthorshipcontributionstatement

TúlioA.Pascoal:Conceptualization,Methodology,Software,Vali- dation,Investigation,Resources,Datacuration,Writing-originaldraft, Writing-review&editing,Visualization.IguatemiE.Fonseca:Fund- ingacquisition,Projectadministration,Supervision,Writing-review&

editing.VivekNigam:Supervision,Investigation,Writing-review&

editing,Visualization, Conceptualization,Formal analysis,Validation, Fundingacquisition.

Acknowledgments

This workwas supportedbytheFonds National delaRecherche Luxembourg (FNR) through PEARL grant FNR/P14/8149128, and partiallysupportedbyCNPqprojects425870/2016-2,303909/2018- 8andFAPESPproject15/24516-1.Thisprojectreceivedfundingfrom theEUsHorizon2020researchandinnovationprogrammeundergrant agreementNo.830892.

References

[1] K. Kannan , S. Banerjee , Compact TCAM: flow entry compaction in TCAM for power aware SDN, in: International Conference on Distributed Computing and Networking, Springer, 2013, pp. 439–444 .

[2] N. Katta , O. Alipourfard , J. Rexford , D. Walker , Infinite cacheflow in software-de- fined networks, in: Proceedings of the Third Workshop on Hot Topics in Software Defined Networking, ACM, 2014, pp. 175–180 .

[3] M. Dhawan , R. Poddar , K. Mahajan , V. Mann , SPHINX: detecting security attacks in software-defined networks., NDSS, 2015 .

[4] S. Shin , G. Gu , Attacking software-defined networks: a first feasibility study, in: Pro- ceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, ACM, 2013, pp. 165–166 .