SDNScore: A Statistical Defense Mechanism Against DDoS Attacks in SDN Environment

Software Defined Networking (SDN) is a promising solution for addressing challenges of future networks. Despite its advantages such as flexibility, simplification and low costs, it has several drawbacks that are largely induced by the centralized control paradigm. Security is one of the most significant challenges related to centralization. In that regard, Distributed Denial of Service (DDoS) attacks pose crucial security questions in software-defined networks. In SDN architecture, switches send all packets to the controller if they do not have any applicable rules in their flow tables. Basically, controller is the key place that can take initiative in decisions. However, this characteristic results in large communication overhead and delay until a DDoS attack is detected and an appropriate action is activated against attack packets. Therefore, in this work we propose a hybrid mechanism, namely SDNScore, where switches are not simply data forwarders. Instead, they can collect statistics and decide if DDoS attack is in action. Then they coordinate with the controller and act on attack packets in cooperation. SDNScore is a statistical and packet-based defense mechanism against DDoS attacks in SDN environment. Since it has a statistical scoring method, it can detect not only known but also unknown attacks entailing packets that are alike in terms of TCP and IP layer properties. In addition, it does not drop all packets in a flow which includes both attack and legal packets, but rather filters out attack packets using packet-based analysis.