Abstract

Software Defined Networking (SDN) has recently emerged as a new networking technology offering an unprecedented programmability that allows network operators to dynamically configure and manage their infrastructures. The main idea of SDN is to move the control plane into a central controller that is in charge of taking all routing decisions in the network. However, despite all the advantages offered by this technology, Deny-of-Service (DoS) attacks are considered a major threat to such networks as they can easily overload the controller processing and communication capacity and flood switch CAM tables, resulting in a critical degradation of the overall network performance. To address this issue, we propose in this paper SDN-Guard, a novel scheme able to efficiently protect SDN networks against DoS attacks by dynamically (1) rerouting potential malicious traffic, (2) adjusting flow timeouts and (3) aggregating flow rules. Realistic experiments using Mininet show that the proposed solution succeeds in minimizing by up to 32% the impact of DoS attacks on~the controller performance, switch memory usage and control plane bandwidth and thereby maintaining acceptable network performance during such attacks.